TC: Small: A Foundational and Practical Platform for Host Security Applications

TC：小型：主机安全应用程序的基础实用平台

• 批准号: 1017265
• 负责人: Wenke Lee
• 金额: $ 42.96万
• 依托单位: Georgia Tech Research Corporation
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2010
• 资助国家: 美国
• 起止时间: 2010-08-01 至 2015-07-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1017265&HistoricalAwards=false
• 关键词: TC; Small; Foundational; Practical; Platform

This project develops the ability to securely monitor host activities, which is the foundation of any host-based security application such as anti-virus software, firewalls, host-based intrusion detection systems, control flow analysis, taint tracking, and more. The central idea is to use a hybrid approach that combines virtual machine introspection with secure in-VM monitoring to provide the necessary security, efficiency, and flexibility to be useful for a broad range of security applications. The main research activities address the foundational problems inherent to this hybrid architecture, and any other virtualization-based security architecture. Specifically, the project develops: (1) attestation and memory and data structure protection techniques to ensure the security of the trusted computing base (TCB) throughout the lifecycle of the system, (2) algorithms to locate security-critical data structures, reverse-engineer data structure semantics, and automatically generate semantic probes, and (3) algorithms and APIs for developers to divide a security application into in-VM and out-of-VM components. This project also develops several security monitoring tools based on the hybrid approach, in particular, a system for user input monitoring that securely receives keyboard and mouse events and then determines what application will receive the events and how they will be processed. This tool is useful for classifying system activity as user-intended or automated. The automated activity can then be analyzed to identify potentially malicious host events (e.g., bot-generated traffic).

该项目开发了安全监控主机活动的能力，这是任何基于主机的安全应用程序的基础，如防病毒软件，防火墙，基于主机的入侵检测系统，控制流分析，污点跟踪等。 其核心思想是使用一种混合方法，将虚拟机内省与安全的VM内监控相结合，以提供必要的安全性、效率和灵活性，从而适用于广泛的安全应用程序。主要的研究活动解决了这种混合架构以及任何其他基于虚拟化的安全架构所固有的基本问题。具体而言，该项目开发：（1）证明以及存储器和数据结构保护技术，以确保可信计算基础（TCB）在系统的整个生命周期中的安全性，（2）算法，以定位安全关键数据结构、对数据结构语义进行反向工程、以及自动生成语义探测，以及（3）供开发人员将安全应用程序划分为VM内和VM外组件的算法和API。 该项目还开发了几个基于混合方法的安全监控工具，特别是一个用于用户输入监控的系统，该系统安全地接收键盘和鼠标事件，然后确定什么应用程序将接收事件以及如何处理这些事件。 此工具可用于将系统活动分类为用户预期活动或自动活动。 然后可以分析自动化活动以识别潜在的恶意主机事件（例如，bot生成的业务）。