Smart Isolation in Large-Scale Production Computing Infrastructures - October 2015

Public Audience
Purpose: To highlight project progress. Information is generally at a higher level which is accessible to the interested public. All information contained in the report (regions 1-3) is a Government Deliverable/CDRL.

PI(s): Xiaohui (Helen) Gu, William Enck
Researchers: Rui Shu, Adwait Nadkarni


HARD PROBLEM(S) ADDRESSED

  • Resilient Architectures - Our current focus is building and validating a classification of existing security isolation techniques. From that classification we will identify the underlying design principles and trade-offs that inform the design of next-generation smart isolation techniques in support of resilient architectures.

PUBLICATIONS

ACCOMPLISHMENT HIGHLIGHTS

  • We submitted our survey on security isolation techniques to ACM CSUR. The survey organizes existing security isolation techniques in a hierarchical classification and discusses their trade-offs with respect to security, performance, and compatibility. It concludes by identifying the requirements for smart security isolation, namely runtime monitoring, on-demand isolation, and measurability.
  • We explored Decentralized Information Flow Control (DIFC) as a form of smart isolation on the Android platform. A key challenge in this domain is compatibility with legacy software that is unaware of DIFC labels; we addressed it by proposing "lazy polyinstantiation". In essence, lazy polyinstantiation creates new instances of application components on demand, driven by the labels of the data that actually reach them at runtime, so that unmodified components never see data carrying labels their instance does not hold. This work was submitted to a top-tier systems security conference for review.
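As an added illustration of the mechanism described in the second highlight (this is not code from the project, which targets Android, nor from the submitted paper), the following Python sketch models a DIFC label as a set of secrecy tags and a small runtime that lazily polyinstantiates a label-unaware component: one instance exists per label actually observed at runtime, and the standard secrecy flow rule (data labelled L may reach a receiver labelled L' only if L is a subset of L') decides both where a message is delivered and whether an instance may later send to a given sink. All names used here (PolyinstantiatingRuntime, deliver, can_flow, the "Viewer" component and the "bank"/"health" tags) are assumptions made for this sketch, and the messages are constructed sample input.

```python
"""
Added illustration (not the project's code): DIFC labels as tag sets plus a
runtime that creates component instances lazily, one per label seen.

Assumptions for this sketch (not stated in the report):
  * A label is a frozenset of secrecy tags.
  * Flow rule: data labelled L may flow to a receiver labelled L' iff L <= L'.
  * A legacy component is never modified; instead each distinct label that
    reaches it gets its own instance, so labelled data never mixes inside
    one label-unaware instance.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

Label = frozenset  # e.g. Label({"bank"}); Label() is the public (empty) label


@dataclass
class ComponentInstance:
    name: str
    label: Label                       # every tag this instance holds
    received: List[Tuple[Label, str]] = field(default_factory=list)


class PolyinstantiatingRuntime:
    """Tracks live instances of each component and creates them on demand."""

    def __init__(self) -> None:
        self.instances: Dict[str, List[ComponentInstance]] = {}

    @staticmethod
    def can_flow(src: Label, dst: Label) -> bool:
        # Secrecy rule: the destination must hold every tag on the source.
        return src <= dst

    def deliver(self, component: str, data_label: Label, payload: str) -> ComponentInstance:
        """Route a message to the instance whose label exactly matches the data's
        label, creating that instance lazily if it does not exist yet."""
        live = self.instances.setdefault(component, [])
        for inst in live:
            if inst.label == data_label:
                target = inst
                break
        else:
            # Lazy polyinstantiation: no instance for this label yet, so create one.
            # Its name is a hypothetical "<component>#<index>" scheme for this sketch.
            target = ComponentInstance(f"{component}#{len(live)}", data_label)
            live.append(target)
        assert self.can_flow(data_label, target.label)  # holds by construction
        target.received.append((data_label, payload))
        return target

    def may_send(self, inst: ComponentInstance, sink_label: Label) -> bool:
        """Can this instance send its (labelled) state to a sink with sink_label?"""
        return self.can_flow(inst.label, sink_label)

    def instance_count(self, component: str) -> int:
        return len(self.instances.get(component, []))


def demo() -> dict:
    """Constructed scenario: a legacy 'Viewer' receives bank and health data."""
    rt = PolyinstantiatingRuntime()
    bank1 = rt.deliver("Viewer", Label({"bank"}), "statement-1")      # creates Viewer#0
    health = rt.deliver("Viewer", Label({"health"}), "prescription")  # creates Viewer#1
    bank2 = rt.deliver("Viewer", Label({"bank"}), "statement-2")      # reuses Viewer#0
    return {
        "instances": rt.instance_count("Viewer"),
        "bank_reused": bank1 is bank2,
        "bank_health_separate": bank1 is not health,
        # A bank-labelled instance may not write to an unlabelled network sink ...
        "bank_to_public": rt.may_send(bank1, Label()),
        # ... but may write to a sink that also holds the "bank" tag.
        "bank_to_bank_sink": rt.may_send(bank1, Label({"bank", "audit"})),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The exact-label match in deliver is the conservative choice for a legacy component: an instance holding {"bank", "health"} could accept {"bank"} data under the flow rule, but doing so would over-taint that data and later block sends a {"bank"}-only instance could make. A runtime that wants fewer instances can relax the match to any superset label at the cost of that precision.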