Stealth and Real-time Program Execution Monitoring
Navy SBIR 2011.1 - Topic N111-081
ONR - Mrs. Tracy Frost - email@example.com
Opens: December 13, 2010 - Closes: January 12, 2011
N111-081 TITLE: Stealth and Real-time Program Execution Monitoring
TECHNOLOGY AREAS: Information Systems
RESTRICTION ON PERFORMANCE BY FOREIGN CITIZENS (i.e., those holding non-U.S. Passports): This topic is "ITAR Restricted." The information and materials provided pursuant to or resulting from this topic are restricted under the International Traffic in Arms Regulations (ITAR), 22 CFR Parts 120 - 130, which control the export of defense-related material and services, including the export of sensitive technical data. Foreign Citizens may perform work under an award resulting from this topic only if they hold the "Permanent Resident Card", or are designated as "Protected Individuals" as defined by 8 U.S.C. 1324b(a)(3). If a proposal for this topic contains participation by a foreign citizen who is not in one of the above two categories, the proposal will be rejected.
OBJECTIVE: Develop a data acquisition subsystem for a stealthy, fine grained active program execution monitoring system for modern computing system, and real-time embedded systems, with minimal implementation impact in term of monitored eventís latency and overall system load.
DESCRIPTION: Achieving information dominance requires The Navy to provide information assurance within its information infrastructures. COTS based hardware and software in our computing systems and the network are large, complex and hence inherently insecure. These insecure systems are vulnerable to breaches that take advantage of the architecture, protocol and implementation weaknesses and flaws. Execution monitoring system capable of observing the behavior and state of the system components and applications can be used to enhance the systemís security. A stealthy and comprehensive monitoring system stands the best chance in dealing with intelligent adversarial intrusions.
Essential to this system is a data acquisition subsystem, to bring out the internal states of a process at a fine granularity, in real-time. One of the approach often used in this case is based on virtual machine technology . However, the use of virtual machine monitoring approach is inherently not stealthy . Other approach based on program instrumentation via binary re-write , may generate an even higher load. Techniques such as dynamic taint analysis , System call monitoring , dynamic information flow tracking , automaton , are proposed for detecting security breaches. Each of them has their own advantages, weaknesses and costs. Each of them by itself may not provide comprehensive vulnerability coverage. It is desirable to have a data acquisition subsystem which can support a set of selected intrusion detection techniques for providing comprehensive vulnerability coverage, while maintaining low additional latency and system load, and hence undetectable by the adversarial intruders. Said subsystem can be build as hardware assisted approach or software only approach. Said real time and stealthy data acquisition subsystem provides a solid foundation on which an intelligent self-aware system can be developed.
PHASE I: Develop overall system design that includes specification for the real-time data acquisition subsystem, which has coverage over the entire system (not a particular application only), with relatively modest overhead of twenty-five percent or less, targeted toward general purpose and/or embedded computing environment. Identified a set of potential intrusion detection techniques it can support for detecting a comprehensive set of cyber attack-vectors/vulnerabilities , such as buffer overflow, stack & heap overflows, insufficient input validation, file descriptor attack, symbolic link, etc.
PHASE II: Develop and demonstrate a prototype system in a realistic environment. Conduct testing to prove that the subsystem can provide supports for the proposed set of detection techniques, and to prove that the system introduce low overhead, in term of latency and system load, and hence is stealthy.
PHASE III: Integrate into a broad range of information security products within the military. The technologies developed in this SBIR will especially be beneficial in a system where adversarial intrusions can be expected.
PRIVATE SECTOR COMMERCIAL POTENTIAL/DUAL-USE APPLICATIONS: This system could be used in a broad range of information security products within the military, as well as in civilian enterprise applications.
2. M. Sharif, W. Lee, W. Chui, A. Lanzi, "Secure in-VM monitoring using hardware virtualization", Proceedings of ACM conference on Computer and Communication Security 2009.
3. T. Garfinkel, K. Adams, A. Warfield, J. Franklin, "Compatibility is not transparency: VMM detection myths and realities", proceedings of Workshop on Hot Topics in Operating Systems 2007.
4. J. Newsom ,D. Song, "Dynamic taint analysis for automatic detection, analysis, and signature generation of exploits on commodity software", Proceedings of IEEE Symposium on Security and privacy 2005.
5. G.E. Suh, J.W. Lee, D. Zang, S. Devadas, "Secure program execution via dynamic information flow tracking", Proceedings of International Conference on Architectural Support for Programming languages and Operating Systems 2004.
6. R. Sekar, M. Bendre, D. Dhurjati, P. Bollineni, "A fast automaton-based method for detecting anomalous program behaviors", Proceedings of IEEE Symposium on Security and privacy 2001.
7. C. Simmons, C. Ellis, S. Shiva, D. Dasgupta, Q. Wu, "AVOIDIT: a cyber attack taxonomy", http://issrl.cs.memphis.edu/files/papers/CyberAttackTaxonomy_IEEE_Mag.pdf
KEYWORDS: Execution monitoring, active-monitoring, virtual machine, hardware assist, event detection, malware