SaTC: CORE: Small: Collaborative: Fine Grained Protection for Scalable Single-Use Services

SaTC：核心：小型：协作：可扩展一次性服务的细粒度保护

• 批准号: 1814402
• 负责人: Craig Shue
• 金额: $ 26.56万
• 依托单位: Worcester Polytechnic Institute
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2023-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814402&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Collaborative; Fine

Popular Internet servers and web sites may serve thousands of users simultaneously. To handle this volume of activity, these servers share resources, such as processors, memory, and hard disk space. These shared resources provide an avenue for an attacker to affect other users connected to the server if the attacker successfully exploits a vulnerability in the server. This research project aims to eliminate this risk by creating an individual, customized server instance for each user that runs within an isolated single-use container. When the container isolation is carefully managed, this technique prevents an attacker from being able to affect other users, even if the attacker exploits a server instance within a container. The project explores innovative techniques to achieve scalability and security for these containerized services. With over 3 billion people using the Internet, many of whom interact with user-facing servers multiple times a day, the project's outcomes can broadly impact society's computer security. In addition to preventing attackers from affecting other users, the container approach enables detailed forensics to allow defenders to learn from attacks. The research project additionally provides educational opportunities for undergraduate and graduate students as well as outreach activities for the community.To create these single-use containers, the project explores new techniques across the areas of operating systems, network controllers, authentication, and capability management. The project's first research direction explores opportunities to create new operating system and network-function virtualization techniques to scale to large numbers of containers on each host. A second research direction focuses on the design and implementation of new network and container management algorithms so that flexible security policies can be applied on a per-user basis. A third research direction explores how to manage the access and identity associated with each container to tailor permissions to match those of the user on the client. A final research direction explores automated response mechanisms and forensic collection measures needed to understand and reconstruct attacks. These techniques allow defenders to learn the details surrounding container vulnerabilities each time an attacker compromises a container. In combination, these research activities shift the security advantage to the server operator by transforming previously destructive attacks into instructive lessons for the defenders.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

流行的互联网服务器和网站可以同时为成千上万的用户提供服务。为了处理这种活动量，这些服务器共享资源，如处理器、内存和硬盘空间。如果攻击者成功利用服务器中的漏洞，这些共享资源为攻击者提供了影响连接到服务器的其他用户的途径。这个研究项目旨在通过为每个用户创建一个单独的、自定义的服务器实例来消除这种风险，该实例在一个隔离的一次性容器中运行。当容器隔离被仔细管理时，这种技术可以防止攻击者能够影响其他用户，即使攻击者利用容器中的服务器实例。该项目探索了创新技术，以实现这些容器化服务的可伸缩性和安全性。超过30亿人使用互联网，其中许多人每天多次与面向用户的服务器交互，该项目的成果可以广泛影响社会的计算机安全。除了防止攻击者影响其他用户外，容器方法还支持详细的取证，使防御者能够从攻击中学习。该研究项目还为本科生和研究生提供教育机会，并为社区提供外展活动。为了创建这些一次性容器，该项目探索了操作系统，网络控制器，身份验证和功能管理等领域的新技术。该项目的第一个研究方向是探索创建新的操作系统和网络功能虚拟化技术的机会，以扩展到每个主机上的大量容器。第二个研究方向侧重于新的网络和容器管理算法的设计和实现，以便可以在每个用户的基础上应用灵活的安全策略。第三个研究方向探索如何管理与每个容器相关联的访问和身份，以定制与客户端上的用户相匹配的权限。最后一个研究方向探索了理解和重建攻击所需的自动响应机制和取证收集措施。这些技术允许防御者在每次攻击者破坏容器时了解容器漏洞的细节。这些研究活动结合在一起，通过将以前的破坏性攻击转化为防御者的有益教训，将安全优势转移给服务器运营商。该奖项反映了NSF的法定使命，并通过使用基金会的知识价值和更广泛的影响审查标准进行评估，被认为值得支持。

项目成果

Attackers as Instructors: Using Container Isolation to Reduce Risk and Understand Vulnerabilities

• DOI: 10.1007/978-3-031-35504-2_9
• 发表时间: 2023
• 期刊: IEEE Transactions on Computers
• 影响因子: 3.7
• 作者: Yunsen Lei;Julian P. Lanson;Craig A. Shue;Timothy Wood

Visualizing Web Application Execution Logs to Improve Software Security Defect Localization

可视化 Web 应用程序执行日志以改进软件安全缺陷定位

• 发表时间: 2022
• 期刊: Analysis and Evolution of Software Tests
• 作者: Puentes, Matthew A.;Lei, Yunsen;Rakotondravony, Noelle;Harrison, Lane T.;Shue, Craig A.
• 通讯作者: Shue, Craig A.