DARPA funds VM sentinels that can repair and inoculate attacked systems
Tue 18 Nov 2014
The Flux Research Group at the University of Utah is developing an attack-resistant sentinel software which can replace compromised code within a virtual machine on the fly.
The system is called ‘Advanced Adaptive Applications’ – or ‘3A’, is partially funded by DARPA’s Clean-slate design of Resilient, Adaptive, Secure Hosts (CRASH) initiative and is being developed in collaboration with Massachusetts-based Raytheon BBN Technologies.
The code sits within Linux monitoring a virtual machine from outside of the VM’s operating space, and constantly scanning for alterations to the running code. If the VM is compromised by an attack or other incursion, AAA is capable of restoring the original system code in real time, and inoculating the system against the same attack vector.
AAA, which took four years to develop, consists of three core planks – Deterministic Record and Replay uses XenTT, the Flux Group’s “time-traveling” hypervisor, to undertake Deterministic Systems Analysis, reproducing any observed attack behaviour and hardening the system against a success repeat attack.
Virtual-Machine Introspection (VMI) performs the real-time monitoring of the VM under observation, employing a specially-developed scripting language called Weir [PDF] to understand the complex streams of data:
“The principal barrier to understanding the performance of a modern systems software stack is often not a lack of data. Rather, it is the difficulty of reasoning over multiple sources of data within a single analysis framework. Weir is a new stream-based programming language that supports whole-system analyses by providing an environment for script-like implementations of analysis algorithms over multiple data sources.”
Finally Kernel-Focused Advanced State Management (ASM) protects – and can restore – the kernel of the OS under observation while taking account of necessary and legitimate modifications that applications may require.
UoU associate professor Eric Eide says in a blog post: “It is a pretty big deal that a computer system could automatically, and in a short amount of time, find an acceptable fix to a widespread and important security vulnerability […] It’s pretty cool when you can pick the Bug of the Week and it works.”
Commenting on the applicability of the research to the commercial sector, the post notes that AAA may ultimately emerge in the private sector, in services such as AWS, but also that the project has been undertaken with the objectives of hardening military cybersecurity.