My research group has worked on multiple computer security projects. All of these projects work with a system and a specification of the security properties that the system must satisfy. The specification is obtained either directly from a developer, by inferring the specification from observations of the system as it operates securely, or derived from standard execution integrity properties that every running program should observe. Some of the techniques dynamically monitor the execution of the system to observe any attempted security property violation, then intervene to change the behavior of the system to eliminate the violation. Others statically analyze the implementation before it executes to verify that all executions will satisfy the security properties (and potentially change the implementation to do so if it may not).
Unlike many approaches, these projects emphasize the continued safe execution of the system even in the presence of attacks so that it provides as much desirable functionality as possible and continues to provide service to legitimate users while under attack.
Applications are typically able to process the vast majority of inputs securely. Attacks usually succeed because they contain an atypical feature that the application does not process correctly. Our input rectification research observes inputs that the application processes correctly to derive a model (in the form of constraints over input fields) of the "comfort zone" of the application (the set of inputs that the application can process successfully). When it encounters an input that is outside the comfort zone, the rectifier uses the model to change the input to move the input into the comfort zone of the application. Our results show that this technique eliminates security vulnerabilities in a range of applications, leaves the overwhelming majority of safe inputs unchanged, and preserves much of the useful information in modified atypical inputs.
Software is becoming increasingly complex and sophisticated as computing devices become more pervasive. At the same time, approaches for software development and maintenance have not evolved commensurately to this complexity, leading to brittle, insecure programs with errors ranging from runtime failures to large-scale security violations. As software continues to increase in complexity, it is necessary to fundamentally change the capabilities of development environments to prevent exponential increases in errors.
The goal of the CLIO project is to develop a data-driven approach to computer- aided programming. CLIO will use the massive amounts of available data (and metadata) about existing programs and their runtime behavior to introduce automation into software development and maintenance tasks. The goal of the proposed system is to serve as a programming assistant that takes high-level guidance from a programmer regarding a task that needs to be performed and produces high-quality code with minimal interaction.
This project is currently funded under the DARPA Mining and Understanding Software Enclaves (MUSE) program (contract FA8750-14-2-0242) . MIT is the sole performer. The project started in September 2014 and is scheduled to end in September 2018.
Mobile devices are pervasive, flexible resources that are central to the operation of essentially all large organizations, with much of the sensitive information in the organization accessed via mobile devices. But mobile devices are also opaque - despite a complex software ecosystem with multiple (potentially downloaded and cooperating) applications and software layers, there is currently no way to obtain a comprehensive overview of what the device is doing, why it is doing it, or where and how potentially sensitive information is flowing.
The goal of the ClearScope project is to instrument the entire mobile software stack to efficiently generate a precise and comprehensive provenance graph to make the operation of the mobile device transparent and effectively analyzable. The goal is to do so with acceptable overhead, specifically no more than 100% overhead, and to provide fully precise value-level provenance tracking with no provenance conflation. The generated information will be configurable to enable a wide variety of software analytics.
ClearScope provides unprecedented transparency into the operation of mobile devices. By delivering an accurate and comprehensive provenance graph, it enables sophisticated analysis of the events and information that flow through the device, including the ability to link events such as off-device information transfer and application initiation with information from specific remote sources. This analysis is able to immediately detect potential security issues such as the transfer of sensitive information to destinations not authorized to receive that information, even when this information takes a circuitous path through multiple components of the system. The analysis is also able to immediately detect the creation of rogue processes triggered by information from untrustworthy sources.
ClearScope makes the entire Android mobile ecosystem more transparent and secure. Organizations can have more control over their sensitive information and a better understanding of where that information is going. Attackers need a place to hide, and current opaque mobile devices are such an appealing target for attackers in part because they provide so many places to hide. ClearScope eliminates this opacity, enabling analysis tools to immediately detect suspicious and malicious activity, and eliminate untrustworthy software and malware. Essentially every major organization in our society can benefit from this enhanced insight into and more meaningful control over the mobile ecosystem.
This project is currently funded under the DARPA Transparent Computing (TC) program (contract FA8650-15-C-7564). MIT/CSAIL and Aarno Labs are the performers. The contract started in July 2015 and ends in June 2019.
Modern cloud computing systems offer unprecedented computational resources and flexibility in allocating those resources to a variety of users and tasks. But cloud computing systems also provide attackers with new opportunities and can amplify the ability of the attacker to compromise the computing infrastructure.
The Cloud Intrusion Detection and Repair project developed a system that observes normal interactions during the secure operation of the cloud to derive properties that characterize this secure operation. If any part of the cloud subsequently attempts to violate these properties, the system intervenes and changes the interaction (by, for example, adding or removing operations or changing the parameters that appear in operations) to ensure that the cloud executes securely and survives the attack while continuing to provide uninterrupted service to legitimate users.
This project was funded under the DARPA Mission-Oriented Resilient Clouds (MRC) program (Contract FA8650-11-C-7192). MIT is the sole performer. MRC ran from October 2011 to September 2015.
Application marketplaces (such as the Android Market) provide users with a wide range of desirable applications for their mobile devices. But application marketplaces can also provide a compelling distribution channel for attackers who place attractive applications containing malware into the application marketplace. The Provably Safe Android Applications project developed a static program analysis system (DroidSafe) for finding malware in Android applications written in Java. A goal is ensuring that application marketplaces contain only safe mobile applications.
The DroidSafe project developed effective program analysis techniques and tools to uncover malicious code in Android mobile applications. The core of the system is a static information flow analysis that reports the context under which sensitive information is used. For example, “Application A has the potential to send location information to network address 128.6.21.6 on ‘Button B’ press”. The DroidSafe project invested significant time developing a comprehensive semantic model of Android run-time behaviors alongside the analysis to achieve acceptable precision, accuracy, and scalability for real-world Android applications. The combined system has been demonstrated to be the most precise and accurate information flow analysis for Android applications. The analysis results can be used to automatically check applications for security policy violations, and the results can help a human analyst inspect sensitive behaviors of an app, increasing accuracy and throughput of application vetting. For each of the last six APAC engagements, the DroidSafe team was unsurpassed in malware diagnosis accuracy and human-analysis diagnosis throughput.
This project was a collaboration between MIT, Kestrel Institute, Global InfoTek, and Aarno Labs. The project was funded under the DARPA Automated Program Analysis for Cybersecurity (APAC) program (contract FA8750-12-2-0110). APAC ran from February 2012 through June 2016.
The VIBRANCE project developed techniques to eliminate vulnerabilities in Java applications. As part of this effort we developed techniques to eliminate vulnerabilities that are triggered by unchecked inputs. Examples include injection vulnerabilities (such as SQL, command, ldap, and xquery injection attacks), resource allocation vulnerabilities (which cause the application to request excessive resources), and numeric overflow and underflow vulnerabilties.
A central goal of the project was to develop an efficient taint tracer that can detect when an unchecked input value appears at a potential vulnerability site. For example, the application may use an input field directly as a parameter at a memory allocation site without checking that the value in the field is reasonably small (so that the application can perform the allocation successfully). When the taint tracer detects such a value, it consults a configurable security policy to determine what action to take to eliminate the vulnerability and, ideally, enable the application to continue to execute.
The taint tracer combines precise dynamic taint tracing with static analysis to reduce the tracing overhead. By statically tracking the flow of values through the program, the static analysis makes it possible to eliminate intermediate dynamic taint propagation steps (and therefore the overhead otherwise associated with these steps). The goal is a taint tracer with overhead small enough for routine production use (existing taint tracers are used almost exclusively only for testing or debugging).
This project was a collaboration between Kestrel Institute, MIT/CSAIL, and Kestrel Technologies. This project was funded by IARPA under the STONESOUP program. STONESOUP ran from August 2010 to December 2014.
The SPICE project is working to eliminate vulnerabilities triggered by a variety of low-level errors in stripped x86 binaries. As part of this project we are developing on a combined dynamic and static type inference system. This system analyzes reads and writes to infer how the application structures the flat x86/x64 address space. It uses this information to preserve the integrity of the execution. For example, SPICE is designed to neutralize attacks that attempt to exploit buffer overflow vulnerabilities within allocation units. SPICE uses a configurable security policy to modify the execution to eliminate the vulnerability and enable continued safe execution.
The SPICE project is also developing a precise taint tracing system. This system combines static and dynamic analysis to minimize overhead. The taint information enables SPICE to detect the unsafe direct use of untrusted input fields at vulnerability sites such as SQL and command invocation sites and memory allocation sites. SPICE also tracks memory allocation information to eliminate buffer overflow attacks.
This project was funded by IARPA under the STONESOUP program. The performers include MIT, SAIC, Kestrel Technology, The University of California at Berkeley, and Global InfoTek.