SDI-CSCS: Collaborative Research: S2OS: Enabling Infrastructure-Wide Programmable Security with SDI

SDI-CSCS：协作研究：S2OS：通过 SDI 实现基础设施范围内的可编程安全性

• 批准号: 1700544
• 负责人: Guofei Gu
• 金额: $ 40万
• 依托单位: Texas A&M Engineering Experiment Station
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2017
• 资助国家: 美国
• 起止时间: 2017-09-01 至 2023-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1700544&HistoricalAwards=false
• 关键词: SDI; CSCS; Collaborative; Research; S2OS

Traditionally, many of our critical systems have been developed with security as a reactive add-on, rather than a by default design. As a result, existing security mechanisms are often fragmented, hard to configure or verify, which makes it difficult to defend against various cyber attacks. This project will build the "holy grail" for enterprise/cloud/data-center security management with software-defined infrastructure (SDI): a unified framework for security and management of disparate resources, ranging from processes to storage to networking. Cloud computing is now an essential part of our national cyberinfrastructure; the proposed work will lower the total cost of ownership for clouds - further unlocking economic and environmental benefits - as well as improving the security of today's clouds.This project proposes S2OS (SDI-defined Security Operating System), which abstracts security capabilities and primitives at both the host Operating System (OS) and network levels and offers an easy-to-use and programmable security model for monitoring and dynamically securing applications. This project will explore new techniques to transparently compose software into a unified enterprise, even if the individual pieces were never explicitly designed to inter-operate, similar in a way a traditional operating system managing various hardware resources for upper-layer user applications. Further, this project will contribute new ways to leverage global information for making effective local security management decisions. Finally, this project enables new innovations in programming dynamic, host-network coordinated, and intelligent security applications to protect the entire infrastructure.This project will make significant contributions to how enterprise, data centers and cloud computing are securely built and managed. The project's PIs will engage in educational and outreach activities to train the next generation talent. In particular, the PIs plan to integrate the interdisciplinary research ideas into courses spanning networking, systems and security. The project will also actively encourage participation from underrepresented groups and transfer technology to industry partners.

传统上，我们的许多关键系统都是将安全性作为响应式附加组件开发的，而不是默认设计。因此，现有的安全机制往往是碎片化的，难以配置或验证，这使得很难抵御各种网络攻击。该项目将通过软件定义基础设施（SDI）为企业/云/数据中心安全管理构建“圣杯”：一个统一的框架，用于不同资源的安全和管理，从流程到存储再到网络。云计算现在是我们国家网络基础设施的重要组成部分;拟议的工作将降低云的总拥有成本-进一步释放经济和环境效益-以及提高当今云的安全性。该项目提出了S2 OS（SDI定义的安全操作系统），它在主机操作系统（OS）和网络级别上抽象了安全功能和原语，并提供了一个易于使用可编程的安全模型，用于监控和动态保护应用程序。该项目将探索新技术，将软件透明地组合成一个统一的企业，即使各个部分从未明确设计为互操作，类似于传统操作系统管理上层用户应用程序的各种硬件资源。此外，这一项目还将为利用全球信息作出有效的地方安保管理决定提供新的途径。最后，该项目将在动态、主机-网络协调和智能安全应用程序编程方面实现新的创新，以保护整个基础设施。该项目将为企业、数据中心和云计算的安全构建和管理做出重大贡献。该项目的PI将参与教育和外展活动，以培训下一代人才。特别是，PI计划将跨学科的研究思想整合到网络，系统和安全课程中。该项目还将积极鼓励代表性不足的群体参与，并向行业合作伙伴转让技术。

项目成果

Mobile Application Web API Reconnaissance: Web-to-Mobile Inconsistencies & Vulnerabilities

• DOI: 10.1109/sp.2018.00039
• 发表时间: 2018-04
• 期刊: 2018 IEEE Symposium on Security and Privacy (SP)
• 作者: Abner Mendoza;G. Gu

When Match Fields Do Not Need to Match: Buffered Packets Hijacking in SDN

• DOI: 10.14722/ndss.2020.23040
• 发表时间: 2020
• 期刊: Proceedings 2020 Network and Distributed System Security Symposium
• 作者: Jiahao Cao;Renjie Xie;Kun Sun;Qi Li;G. Gu;Mingwei Xu

Security Study of Service Worker Cross-Site Scripting.

Service Worker 跨站点脚本的安全研究。

• DOI: 10.1145/3427228.3427290
• 发表时间: 2020
• 期刊: Proc. of 2020 Annual Computer Security Applications Conference (ACSAC’20
• 作者: Chinprutthiwong, Phakpoom;Vardhan, Raj;Yang, GuangLiang;Gu, Guofei
• 通讯作者: Gu, Guofei

vNIDS: Towards Elastic Security with Safe and Efficient Virtualization of Network Intrusion Detection Systems

• DOI: 10.1145/3243734.3243862
• 发表时间: 2018-10
• 期刊: Proceedings of the 2018 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Hongda Li;Hongxin Hu;G. Gu;Gail-Joon Ahn;Fuqiang Zhang

The CrossPath Attack: Disrupting the SDN Control Channel via Shared Links

• 发表时间: 2019
• 作者: Jiahao Cao;Qi Li;Renjie Xie;Kun Sun;G. Gu;Mingwei Xu;Yuan Yang