Programmable Adaptive Reactors


Welcome to our project Home Page! You may want to browse our publications and presentations to get a more detailed overview of PARR, or check out related projects at the Secure and Reliable System Laboratory.

Networks and distributed software systems are bringing about fundamental changes in the way we conduct our commercial, educational and research activities. Critical infrastructures such as banking and commerce, telecommunication, transportation, power distribution and medicine are all becoming increasingly dependent on networked software systems. This has led to a surge of interest in techniques for making network and software systems survivable, so that they can continue to perform their critical functions even in the face of spontaneous faults or coordinated, malicious attacks.

Objective:

Development of a programming environment for rapidly developing host-based real-time responses to known and unknown intrusions. These responses are aimed at protecting host resources against vulnerabilities in applications executing on the host.

Approach:

This project builds on our earlier DARPA-supported project "Survivable Active Networks (SAN)."

The key to building survivable systems is to detect and respond to problems before they impact system functionality or security. In contrast with prior research efforts aimed mainly at post-attack detection, this project proposes a new approach aimed at early attack identification, damage prevention and containment.

Assuming physical security of the different components of the information system, the only mechanism for delivering attacks is through the network packets arriving at the target host. Moreover, any damage to the system must eventually be effected via the system calls made by the attacked process to obtain services from its operating system environment. Based on these observations, the approach taken in this project is to specify security-related (normal or under-attack) behaviors of processes or hosts as patterns over sequences of system calls and network packets in a high-level language called BMSL. The BMSL compiler generates optimized programs for efficient detection of deviations from these specifications (and initiation of the corresponding responses). These programs are linked with appropriate runtime environments to produce the system call monitoring system (SMS) and the network-packet monitoring system (NMS) respectively. An attack is identified when a deviation from the specified normal behavior (or conformance with known attack behavior) is detected. Being based on security-relevant behaviors rather than known attack signatures, our approach can protect against unknown attacks. At the same time, it produces few false positives, a property that is critical for automating intrusion response.

In PARR, we develop techniques to address some of the issues that are critical for building practical systems that incorporate responses to intrusions. Some of these issues are:

- Errors in intrusion detection/response code can cause serious damage to the system. To minimize this risk, PARR explores the following approaches:
  - Develop a technique for splitting intrusion detection/response code in such a manner that most of the intrusion response code resides in user space, while a small part operates from within the operating system kernel. The kernel-resident code is constrained to operate within predetermined limits on storage and execution time, and is limited to a small subset of operations that are deemed very safe.
  - Develop language and compiler features that reduce coding errors and/or their impact. PARR intrusion detection/response programs are written in a high-level, domain-specific language called BMSL (Behavior Specification and Monitoring Language). By providing high-level language features that simplify the specification of intrusion detection and response, BMSL reduces the amount of "low-level coding" that programmers must perform, thereby cutting down on programming errors. Use of a strong type system, combined with techniques for detecting conflicting responses, will further minimize programming errors.
- The SAN (application-specific) approach to developing intrusion responses may not scale well in the presence of a large number of applications. We therefore explore a complementary approach aimed at protecting resources. Compared to applications, the number of different kinds of resources on a host is smaller, making it possible for a programmer to cover a larger number (or classes) of attacks in a given amount of time.

The key innovations of this project include: (a) an expressive and robust high-level language that simplifies specification of normal (or under-attack) behaviors of processes and hosts, as well as of the responses to be launched when attacks are detected, (b) compilation algorithms for generating efficient code for detecting conformance with specifications, (c) efficient techniques for runtime enforcement of behaviors (and isolation of compromised processes) by interception and modification of process-to-operating-system and host-to-network interactions, and (d) resource-centric organization of responses.

Recent Accomplishments

Resource-Centric Model:
- Log-file protection: We identified the access semantics of UNIX log files and developed defenses to protect against accesses that violate these semantics. This effort resulted in the development of defenses against programs such as invisible. In addition, we identified auditing possibilities across log files aimed at enforcing consistency among them.
- User-private file protection: detect and prevent escalation from user A to root in order to obtain user B's private files. (This mechanism was used in the BBN experiments.)
- Tagged-file execution protection: performed in conjunction with the email experiment to sandbox executables downloaded via email or executed from a Linux mailer.

Orchestration Hypothesis:
- Synergistic coupling of PARR and WireX through SoSmart: SoSmart couples WireX's accurate detection of buffer overflow attacks with PARR's flexible reactions to achieve a combined effect greater than either WireX or PARR alone. The response combined deception (as a way to waste the attacker's resources) with enhanced logging to detect the attacker's target.
- Synergistic coupling of PARR and ADF through SoSmart: SoSmart chooses ADF or PARR based on threat, resource availability and reactions:
  - ADF: high accuracy & trust, limited reactions, fixed cost
  - PARR: lower accuracy & trust, many reactions possible, variable cost
- SoSmart deduces the degree of compromise by correlating redundant reports.

User/Kernel Level Split:
- We defined the interface between the user-level and kernel-resident portions of PARR.
- We developed algorithms for compiling BMSL specifications into a kernel-resident and a user-level component. A key benefit of this algorithm is that it minimizes context switches, while offering the flexibility and relative safety of user-level responses.
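As an added illustration of the log-file protection above and of the general approach of detecting deviations from specified behavior over system-call sequences (this is not PARR's BMSL or its compiler output; the protected directory, the syscall record format and the trace are constructed assumptions), a monitor that checks a process's calls against append-only log-file semantics and answers each violation with a deny response:

```python
# Added illustration, not PARR's BMSL or its compiler output: the append-only
# access semantics of UNIX log files checked as a pattern over a process's
# system-call sequence; every deviation is answered by denying the call.
from dataclasses import dataclass

LOG_DIRS = ("/var/log/",)  # assumed protected log locations (constructed)

@dataclass(frozen=True)
class Syscall:
    pid: int
    name: str
    path: str = ""
    fd: int = -1
    flags: frozenset = frozenset()  # e.g. {"O_WRONLY", "O_APPEND"}

def is_log_path(path):
    return any(path.startswith(d) for d in LOG_DIRS)

def check_log_access(trace):
    """Return [(pid, syscall, reason, response)] for every deviation found."""
    writable = {}   # (pid, fd) -> True while a log file is open for writing
    deviations = []
    def deny(sc, reason):
        deviations.append((sc.pid, sc.name, reason, "deny"))
    for sc in trace:
        key = (sc.pid, sc.fd)
        if sc.name == "open" and is_log_path(sc.path):
            wr = bool(sc.flags & {"O_WRONLY", "O_RDWR"})
            # only append-mode writes fit the specified normal behaviour
            if "O_TRUNC" in sc.flags or (wr and "O_APPEND" not in sc.flags):
                deny(sc, f"{sc.path} opened for truncating/in-place write")
            writable[key] = wr
        elif sc.name in ("unlink", "rename", "truncate") and is_log_path(sc.path):
            deny(sc, f"{sc.name} on {sc.path} destroys log history")
        elif sc.name in ("lseek", "pwrite", "ftruncate") and writable.get(key):
            deny(sc, f"{sc.name} on writable log fd {sc.fd} defeats append-only")
        elif sc.name == "close":
            writable.pop(key, None)
    return deviations

# Constructed trace: pid 101 appends legitimately; pid 202 rewrites wtmp in place
# (log-cleaner pattern); pid 303 deletes a log; pid 404 truncates a non-log file.
APPEND = frozenset({"O_WRONLY", "O_APPEND"})
TRACE = [
    Syscall(101, "open", "/var/log/messages", 3, APPEND), Syscall(101, "write", fd=3),
    Syscall(101, "close", fd=3), Syscall(202, "open", "/var/log/wtmp", 4, frozenset({"O_RDWR"})),
    Syscall(202, "lseek", fd=4), Syscall(202, "write", fd=4), Syscall(202, "close", fd=4),
    Syscall(303, "unlink", "/var/log/lastlog"),
    Syscall(404, "open", "/tmp/scratch", 5, frozenset({"O_WRONLY", "O_TRUNC"})),
]
```

Running `check_log_access(TRACE)` reports three deviations (the non-append open and the lseek by pid 202, and the unlink by pid 303); the legitimate appends and the non-log truncation pass, which is the resource-centric scope the policy intends.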

This is a joint project involving Telcordia Technologies and SUNY Stony Brook, and is funded by DARPA-ISO.
