CNS Core: Small: eXecution Graph Path Security (XGPS)

CNS 核心：小型：执行图路径安全 (XGPS)

• 批准号: 2008867
• 负责人: Nathan Dautenhahn
• 金额: $ 50万
• 依托单位: William Marsh Rice University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2020
• 资助国家: 美国
• 起止时间: 2020-10-01 至 2023-09-30
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=2008867&HistoricalAwards=false
• 关键词: CNS; Core; Small; eXecution; Graph

eXecution Graph Path Security (XGPS) is a new computer processor that restricts common low-level behaviors so that attackers cannot use them to take control of a system. By replacing general purpose control operations with new limited operations, XGPS will prevent common attacker steps while preserving expected functionality. This is important because almost all computing systems are susceptible to compromises. Existing approaches emphasize general protection hardware but leave gaps in defenses and cannot easily trace the program as it executes.The core challenge and idea is to describe, track, and ensure good behavior in the hardware itself.XGPS observes that almost all security policies are more precise when including a description of the program path. XGPS will develop a novel hardware mechanism for representing, tracing, and securing all program paths, including for the operating system. The first thrust will develop a general purpose data structure capable of representing the program path while remaining finite in size. The second thrust will implement the path in hardware while protecting it from supervisor level compromise. The third thrust will develop new efficient path based hardware/software security policies, demonstrating the efficacy of the path to enforce meaningful properties.The end result of this research will be the enhanced understanding and development of a system with rigorous control of program behavior. By controlling this behavior, XGPS will deny large classes of threats and, if adopted, will lead to a significantly stronger trusted computing base. Moreover, XGPS will enable existing hardware to tackle problems better suited to their capabilities. A core element of this research program will be engaging graduate and undergraduate students through courses, mentorship, and hands-on research activities. This project will actively pursue underrepresented minority students for research and security technology education.The outcome of this work will be high level models of core components, hardware based design and implementation, written reports, and experimental data. All artifacts will be kept at https://fiercelab.cs.rice.edu/projects/xgps/ and maintained for three years following the conclusion of the project.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

XGPS是一种新的计算机处理器，它限制了常见的低级行为，使攻击者无法使用它们来控制系统。通过用新的有限操作替换通用控制操作，XGPS将阻止常见的攻击步骤，同时保留预期的功能。这很重要，因为几乎所有的计算系统都容易受到损害。现有的方法强调一般的保护硬件，但在防御方面留下了空白，并且在程序执行时不能容易地跟踪程序。核心挑战和想法是描述、跟踪和确保硬件本身的良好行为。XGPS观察到，当包括程序路径的描述时，几乎所有的安全策略都更精确。XGPS将开发一种新颖的硬件机制来表示、跟踪和保护所有程序路径，包括操作系统。第一个推力将开发一个通用的数据结构，能够表示程序路径，同时保持有限的大小。第二个目标是在硬件中实现路径，同时保护它免受管理员级别的危害。第三个推力将开发新的有效的路径为基础的硬件/软件的安全策略，展示的路径，以加强有意义的properties的有效性。这项研究的最终结果将是加强理解和开发的系统与严格的程序行为控制。通过控制这种行为，XGPS将拒绝大类威胁，如果采用，将导致一个更强大的可信计算基础。此外，XGPS将使现有的硬件能够更好地解决适合其能力的问题。该研究计划的核心要素将通过课程，导师和实践研究活动吸引研究生和本科生。该项目将积极争取少数民族学生参与研究和安全技术教育。这项工作的成果将是核心组件的高级模型，基于硬件的设计和实现，书面报告和实验数据。所有的文物将被保存在https://fiercelab.cs.rice.edu/projects/xgps/和维护三年后，该项目的结论。这个奖项反映了NSF的法定使命，并已被认为是值得通过评估使用基金会的智力价值和更广泛的影响审查标准的支持。

项目成果

Lossless instruction-to-object memory tracing in the Linux kernel

Linux 内核中的无损指令到对象内存跟踪

• DOI: 10.1145/3456727.3463767
• 发表时间: 2021
• 期刊: The ACM International Systems and Storage Conference (SYSTOR
• 作者: Roessler, Nick;Chien, Yi;Atayde, Lucas;Yang, Peiru;Palmer, Imani;Gray, Lily;Dautenhahn, Nathan
• 通讯作者: Dautenhahn, Nathan