The purpose of this page is to provide an idea of the kinds of 523/524 projects done at the Secure Systems Laboratory. As such, this page mostly contains completed M.S. projects as opposed to new ones. If you are an M.S. student interested in doing a project in the laboratory, please click here.
Portable System Call Interceptor: System call interception is a very powerful technique that can enhance the functionality of existing software systems without any need to modify them. For instance, you can enhance security by intercepting all system calls made by a process, and checking the arguments to ensure that critical system resources are not accessed (or modified) by the process. Similarly, you can enhance the fault-tolerance properties of an application by intercepting every write system call made by it and transparently duplicating the writes onto two disks.
In this project, the student will develop a portable runtime system that provides an environment where system calls can be intercepted and arbitrary, user-specified code can be executed. The runtime system will form the basis of many tools for enhancing software security and reliability. The runtime environment will be based on the ptrace- or /proc-based primitives provided (on most versions of UNIX) for one user-level process to intercept the system calls made by another process. The technical issues that need to be addressed include: (a) a software architecture for the runtime system that will make it easy to make the system operate on a variety of UNIX variants such as Solaris, IRIX and Linux; (b) use of the right set of primitives and mechanisms to ensure adequate performance; (c) understanding system details sufficiently well to be able to access and modify system call arguments of different types.
Students may also take up system-call interception in Microsoft Windows under this project.
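The following is an added example, not code from the laboratory: a minimal ptrace-based interceptor of the kind described above, written for Linux on x86-64. It stops a traced child at every system call, decodes the arguments of openat(2) from the tracee's registers and memory, and turns any attempt to open a file under a protected prefix for writing into a failed call. The policy ("no writes under /etc/") is a constructed assumption and is kept in a pure function so it can be tested on its own; the register layout (orig_rax, rsi, rdx) is the x86-64 Linux convention.

```c
/* Added example (not the laboratory's code): ptrace-based system-call
 * interceptor for Linux/x86-64 that enforces a constructed open(2) policy. */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/ptrace.h>
#include <sys/syscall.h>
#include <sys/user.h>
#include <sys/wait.h>

static const char *PROTECTED_PREFIX = "/etc/";   /* constructed policy */

/* Returns 1 if opening `path` with open(2) flags `flags` is allowed, 0 if not. */
int policy_allows_open(const char *path, int flags)
{
    int wants_write = (flags & O_ACCMODE) != O_RDONLY || (flags & (O_CREAT | O_TRUNC));
    if (!wants_write)
        return 1;
    return strncmp(path, PROTECTED_PREFIX, strlen(PROTECTED_PREFIX)) != 0;
}

/* Copy a NUL-terminated string out of the tracee's memory, one word at a time. */
static void read_tracee_string(pid_t pid, unsigned long addr, char *buf, size_t len)
{
    size_t i = 0;
    while (i + sizeof(long) <= len) {
        errno = 0;
        long word = ptrace(PTRACE_PEEKDATA, pid, addr + i, NULL);
        if (errno != 0)
            break;
        memcpy(buf + i, &word, sizeof(long));
        if (memchr(&word, 0, sizeof(long)))
            return;                      /* terminator has been copied */
        i += sizeof(long);
    }
    buf[len - 1] = '\0';
}

/* Run argv under the interceptor. Returns the number of denied opens, -1 on error. */
int trace_command(char *const argv[])
{
#if !defined(__linux__) || !defined(__x86_64__)
    (void)argv;
    return -1;                           /* register decoding below is x86-64 specific */
#else
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execvp(argv[0], argv);           /* the exec itself stops the child with SIGTRAP */
        _exit(127);
    }
    int status, denied = 0, in_syscall = 0, pending_deny = 0, sig = 0;
    if (waitpid(pid, &status, 0) < 0 || !WIFSTOPPED(status))
        return -1;
    ptrace(PTRACE_SETOPTIONS, pid, NULL, (void *)PTRACE_O_TRACESYSGOOD);
    for (;;) {
        if (ptrace(PTRACE_SYSCALL, pid, NULL, (void *)(long)sig) < 0)
            return -1;
        if (waitpid(pid, &status, 0) < 0)
            return -1;
        if (WIFEXITED(status) || WIFSIGNALED(status))
            break;
        sig = 0;
        if (WSTOPSIG(status) != (SIGTRAP | 0x80)) {
            sig = WSTOPSIG(status);      /* ordinary signal: forward it unchanged */
            continue;
        }
        struct user_regs_struct regs;
        if (ptrace(PTRACE_GETREGS, pid, NULL, &regs) < 0)
            return -1;
        in_syscall = !in_syscall;        /* stops alternate between entry and exit */
        if (in_syscall) {
            pending_deny = 0;
            if (regs.orig_rax == SYS_openat) {
                char path[256];
                read_tracee_string(pid, regs.rsi, path, sizeof path);
                if (!policy_allows_open(path, (int)regs.rdx)) {
                    regs.orig_rax = (unsigned long long)-1;   /* run an invalid syscall instead */
                    ptrace(PTRACE_SETREGS, pid, NULL, &regs);
                    pending_deny = 1;
                    denied++;
                }
            }
        } else if (pending_deny) {
            regs.rax = (unsigned long long)-EACCES;           /* report EACCES to the tracee */
            ptrace(PTRACE_SETREGS, pid, NULL, &regs);
        }
    }
    return denied;
#endif
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s command [args...]\n", argv[0]);
        return 2;
    }
    int denied = trace_command(argv + 1);
    if (denied < 0) { perror("trace"); return 1; }
    printf("denied %d protected open(s)\n", denied);
    return 0;
}
```

Denial is done by rewriting the syscall number to an invalid one at entry and patching the return value at exit, so the tracee sees an ordinary EACCES rather than being killed. The x86-64 register names are exactly the portability problem item (a) above refers to: a Solaris or IRIX port would read arguments through /proc instead, and an argument such as a pathname has to be copied out of the other process's address space regardless of platform, which is what item (c) is about.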
Self-Configuring Network Anomaly Detector: "Hacker" attacks launched over networks present a very big challenge in network security. This project involves building a system that can monitor all network traffic and build a model of what is "normal traffic" for a system. Based on this model, attacks can be detected since they would, in most cases, deviate significantly from normal traffic. Examples of attacks that are anomalies include accesses from unusual sites, unusually short, long or frequent access to certain services, repeated connect attempts to multiple services on local hosts (aimed at identifying vulnerable services), denial-of-service attacks that exploit errors in operating system implementations (of network protocols) to crash them, etc.
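As an added illustration (not the laboratory's code) of how such a model can configure itself, the program below learns from a training window of flow records which client hosts are known, what connection durations are normal for each service, and how many distinct services a single host typically contacts. It then scores later records for the first three anomaly classes named above: an unknown source, an unusually short or long session, and a host sweeping many services. The flow records are constructed sample data; the z-score threshold of 3 and the sweep slack of 2 extra services are assumptions.

```c
/* Added example (not the laboratory's code): a toy self-configuring anomaly
 * detector over constructed flow records (client address, service port, seconds). */
#include <stdio.h>
#include <string.h>

#define MAX_SERVICES 16
#define MAX_HOSTS 32

typedef struct { const char *src; int dst_port; double duration; } Flow;
typedef struct { int port; int n; double sum, sumsq; } ServiceStat;
typedef struct {
    ServiceStat svc[MAX_SERVICES]; int nsvc;
    const char *hosts[MAX_HOSTS]; int nhosts;
    int max_ports_per_host;      /* most distinct services one host used in training */
    double z_threshold;
} Model;

/* Reasons a flow can be flagged, returned as a bitmask (0 means normal). */
enum { UNKNOWN_SOURCE = 1, UNKNOWN_SERVICE = 2, UNUSUAL_DURATION = 4, PORT_SWEEP = 8 };

static ServiceStat *find_service(Model *m, int port, int create)
{
    for (int i = 0; i < m->nsvc; i++)
        if (m->svc[i].port == port) return &m->svc[i];
    if (!create || m->nsvc == MAX_SERVICES) return NULL;
    ServiceStat *s = &m->svc[m->nsvc++];
    s->port = port; s->n = 0; s->sum = s->sumsq = 0.0;
    return s;
}

static int host_index(Model *m, const char *src, int create)
{
    for (int i = 0; i < m->nhosts; i++)
        if (strcmp(m->hosts[i], src) == 0) return i;
    if (!create || m->nhosts == MAX_HOSTS) return -1;
    m->hosts[m->nhosts] = src;
    return m->nhosts++;
}

/* Count the distinct destination ports that `src` contacted within `flows`. */
int distinct_ports(const Flow *flows, int n, const char *src)
{
    int ports[MAX_SERVICES * 4], count = 0;
    for (int i = 0; i < n; i++) {
        if (strcmp(flows[i].src, src) != 0) continue;
        int seen = 0;
        for (int j = 0; j < count; j++) if (ports[j] == flows[i].dst_port) { seen = 1; break; }
        if (!seen && count < (int)(sizeof ports / sizeof ports[0])) ports[count++] = flows[i].dst_port;
    }
    return count;
}

/* Self-configuration: derive every threshold from the training window. */
void model_train(Model *m, const Flow *flows, int n)
{
    memset(m, 0, sizeof *m);
    m->z_threshold = 3.0;                      /* assumed */
    for (int i = 0; i < n; i++) {
        host_index(m, flows[i].src, 1);
        ServiceStat *s = find_service(m, flows[i].dst_port, 1);
        if (s) { s->n++; s->sum += flows[i].duration; s->sumsq += flows[i].duration * flows[i].duration; }
    }
    for (int h = 0; h < m->nhosts; h++) {
        int d = distinct_ports(flows, n, m->hosts[h]);
        if (d > m->max_ports_per_host) m->max_ports_per_host = d;
    }
}

/* Score one flow against the model. */
int model_score(Model *m, Flow f)
{
    int reasons = 0;
    if (host_index(m, f.src, 0) < 0) reasons |= UNKNOWN_SOURCE;
    ServiceStat *s = find_service(m, f.dst_port, 0);
    if (!s) {
        reasons |= UNKNOWN_SERVICE;
    } else {
        double mean = s->sum / s->n;
        double var = s->sumsq / s->n - mean * mean;
        if (var < 0) var = 0;
        double floor2 = 0.05 * mean * 0.05 * mean;   /* constant services would give var == 0 */
        if (var > floor2) floor2 = var;
        double dev = f.duration - mean;              /* compare squares: no sqrt needed */
        if (floor2 > 0 && dev * dev > m->z_threshold * m->z_threshold * floor2)
            reasons |= UNUSUAL_DURATION;
    }
    return reasons;
}

/* Flag a host whose distinct-service count in a window exceeds what training saw. */
int model_sweep_check(const Model *m, const Flow *window, int n, const char *src)
{
    return distinct_ports(window, n, src) > m->max_ports_per_host + 2 ? PORT_SWEEP : 0;
}

/* Constructed training window: interactive ssh sessions, short web hits, mail. */
static const Flow BASELINE[] = {
    {"10.0.0.5", 22, 120.0}, {"10.0.0.5", 22, 95.0}, {"10.0.0.7", 22, 110.0}, {"10.0.0.9", 22, 100.0},
    {"10.0.0.5", 80, 0.4},   {"10.0.0.7", 80, 0.6},  {"10.0.0.9", 80, 0.5},   {"10.0.0.9", 80, 0.7},
    {"10.0.0.7", 25, 3.0},   {"10.0.0.5", 25, 2.5},
};
#define NBASE ((int)(sizeof BASELINE / sizeof BASELINE[0]))
```

Because every threshold is derived from the training data, the detector needs no hand-written description of the site; the price is that the training window must itself be clean, which is the main practical caveat of any self-configuring model.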
Graphical Language for confining untrusted/malicious applications: We can confine potentially insecure or untrusted applications from causing damage by monitoring the system calls made by them and ensuring that these system calls do not violate important security properties. A key problem in this context is the development of a language that can be used by system administrators to specify security properties of interest. Experience indicates that the most usable languages in this context are those that integrate seamlessly into a graphical interface, with properties obtained by composing building blocks (denoting simpler properties) using visually intuitive operations. Such a language can also serve as a basis for confining untrusted (and potentially malicious) mobile code that may be downloaded from a remote site and used.
Attacker Deception: This project will explore the interesting idea of deceiving an attacker such that they continue to believe that their attack is successful, when in fact the target system has detected the attack and has adequately protected itself from any resultant damage. An important component of such an approach is the isolation capability mentioned above, where a compromised process may be put into an environment where its actions do not damage the rest of the system. However, we need to go beyond this, since the attacker needs to be given the impression that they are successful in continuing to cause damage. For instance, an attacker will create backdoor entrances for later use of the exploited system by techniques such as adding entries to password files, replacing sensitive programs (such as telnet and login) with Trojan Horse versions, modifying .rhosts files, etc. The interesting issue is how later attempts to take advantage of these backdoor entrances can be detected and correlated with the original attack, while the attacker continues to be given the illusion of success.
Secure Software Installer: Users and system administrators often download and install software on their systems. Typically, software installation requires superuser privileges. Therefore, a poorly designed (or malicious) software installation process can compromise system security. In this project, we take a software installation manager such as the RedHat package manager and enhance it so that it protects against poorly designed packages. The manager will examine the package to determine what files it will update, what programs it will run, etc.; compare this with the policies of the user installing the software; and ensure that the user's policies are adhered to during installation.
Detecting Trojan Horses and Viruses by learning program behaviors: Trojan Horse and virus-laden programs present an appearance of providing some legitimate function, but operate surreptitiously to compromise system security. For instance, a Trojan Horse telnet program can record login names and passwords and later transmit them to an attacker, who will then have access to the user accounts associated with those logins/passwords. One of the key problems is that the user of the program has no easy way of detecting that the original program has been replaced. While techniques such as checksum verification can alleviate this situation, the real problem is that current OSes do not provide mechanisms to verify the integrity of executables. An alternative approach is to develop techniques that can monitor program behaviors under "normal" operating conditions. At a later time, when the program has been replaced with a Trojan Horse version, its behavior will change suddenly, and the monitoring software can detect this variation and alert the system administrators to a potential attack. If the likelihood of attack is very high, the monitoring software can even prevent the questionable operations from succeeding (again using system call interposition facilities).
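The following added example (not the laboratory's code) shows the simplest form of the behavior-learning idea described above: a program's normal behavior is recorded as the set of short windows (3-grams) of system-call numbers observed during training, and a later trace is scored by the fraction of its windows that were never seen. The traces are constructed; the numbers are Linux x86-64 system-call numbers used only as labels (read=0, write=1, open=2, close=3, socket=41, connect=42). In practice the traces would come from an interceptor of the kind discussed under the Portable System Call Interceptor project.

```c
/* Added example (not the laboratory's code): N-gram profile of a program's
 * system-call sequence, trained on normal runs and used to score later runs. */
#include <stdio.h>
#include <string.h>

#define NGRAM 3
#define MAX_GRAMS 4096

typedef struct { int grams[MAX_GRAMS][NGRAM]; int count; } Profile;

static int profile_has(const Profile *p, const int *g)
{
    for (int i = 0; i < p->count; i++)
        if (memcmp(p->grams[i], g, sizeof(int) * NGRAM) == 0) return 1;
    return 0;
}

/* Add every NGRAM-long window of `trace` to the profile; returns how many were new. */
int profile_train(Profile *p, const int *trace, int n)
{
    int added = 0;
    for (int i = 0; i + NGRAM <= n; i++) {
        if (!profile_has(p, &trace[i]) && p->count < MAX_GRAMS) {
            memcpy(p->grams[p->count++], &trace[i], sizeof(int) * NGRAM);
            added++;
        }
    }
    return added;
}

/* Count the windows of `trace` that the profile has never seen. */
int profile_mismatches(const Profile *p, const int *trace, int n)
{
    int miss = 0;
    for (int i = 0; i + NGRAM <= n; i++)
        if (!profile_has(p, &trace[i])) miss++;
    return miss;
}

/* Mismatch rate in percent, so one threshold works for traces of any length. */
int profile_anomaly_percent(const Profile *p, const int *trace, int n)
{
    int windows = n - NGRAM + 1;
    if (windows <= 0) return 0;
    return 100 * profile_mismatches(p, trace, n) / windows;
}

/* Constructed traces. The "normal" runs open a file and echo data back and forth;
 * the replaced version additionally opens a socket and sends data out before closing. */
static const int NORMAL_RUN_A[] = {2, 0, 1, 0, 1, 0, 1, 3};
static const int NORMAL_RUN_B[] = {2, 0, 1, 0, 1, 3};
static const int LONG_NORMAL_RUN[] = {2, 0, 1, 0, 1, 0, 1, 0, 1, 3};
static const int REPLACED_RUN[] = {2, 0, 1, 0, 41, 42, 1, 1, 3};
#define LEN(a) ((int)(sizeof(a) / sizeof((a)[0])))

int main(void)
{
    static Profile p;            /* static: the gram table is large for the stack */
    profile_train(&p, NORMAL_RUN_A, LEN(NORMAL_RUN_A));
    profile_train(&p, NORMAL_RUN_B, LEN(NORMAL_RUN_B));
    printf("normal run: %d%% unseen windows\n",
           profile_anomaly_percent(&p, LONG_NORMAL_RUN, LEN(LONG_NORMAL_RUN)));
    printf("replaced run: %d%% unseen windows\n",
           profile_anomaly_percent(&p, REPLACED_RUN, LEN(REPLACED_RUN)));
    return 0;
}
```

Only the calls the program was never observed to make in that context (the socket and connect, and the writes that follow them) produce unseen windows, so a longer-than-usual but otherwise normal run scores zero while the replaced program scores high. The training runs must cover the program's legitimate behavior reasonably completely, or ordinary but rare code paths will be reported as attacks; choosing the threshold and window length is the practical work of such a project.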
