SaTC: CORE: Small: Collaborative: Fine Grained Protection for Scalable Single-Use Services

SaTC：核心：小型：协作：可扩展一次性服务的细粒度保护

• 批准号: 1814234
• 负责人: Timothy Wood
• 金额: $ 26.6万
• 依托单位: George Washington University
• 依托单位国家: 美国
• 项目类别: Standard Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-09-01 至 2021-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1814234&HistoricalAwards=false
• 关键词: SaTC; CORE; Small; Collaborative; Fine

Popular Internet servers and web sites may serve thousands of users simultaneously. To handle this volume of activity, these servers share resources, such as processors, memory, and hard disk space. These shared resources provide an avenue for an attacker to affect other users connected to the server if the attacker successfully exploits a vulnerability in the server. This research project aims to eliminate this risk by creating an individual, customized server instance for each user that runs within an isolated single-use container. When the container isolation is carefully managed, this technique prevents an attacker from being able to affect other users, even if the attacker exploits a server instance within a container. The project explores innovative techniques to achieve scalability and security for these containerized services. With over 3 billion people using the Internet, many of whom interact with user-facing servers multiple times a day, the project's outcomes can broadly impact society's computer security. In addition to preventing attackers from affecting other users, the container approach enables detailed forensics to allow defenders to learn from attacks. The research project additionally provides educational opportunities for undergraduate and graduate students as well as outreach activities for the community.To create these single-use containers, the project explores new techniques across the areas of operating systems, network controllers, authentication, and capability management. The project's first research direction explores opportunities to create new operating system and network-function virtualization techniques to scale to large numbers of containers on each host. A second research direction focuses on the design and implementation of new network and container management algorithms so that flexible security policies can be applied on a per-user basis. A third research direction explores how to manage the access and identity associated with each container to tailor permissions to match those of the user on the client. A final research direction explores automated response mechanisms and forensic collection measures needed to understand and reconstruct attacks. These techniques allow defenders to learn the details surrounding container vulnerabilities each time an attacker compromises a container. In combination, these research activities shift the security advantage to the server operator by transforming previously destructive attacks into instructive lessons for the defenders.This award reflects NSF's statutory mission and has been deemed worthy of support through evaluation using the Foundation's intellectual merit and broader impacts review criteria.

流行的Internet服务器和网站可以同时为数千个用户提供服务。为了处理这一活动量，这些服务器共享资源，例如处理器，内存和硬盘空间。如果攻击者成功利用服务器中的漏洞，这些共享资源为攻击者提供了影响与服务器连接的其他用户的途径。该研究项目旨在通过为在隔离的一次性容器中运行的每个用户创建一个单独的自定义服务器实例来消除这种风险。当仔细管理容器隔离时，即使攻击者在容器中利用了服务器实例，该技术也会阻止攻击者能够影响其他用户。该项目探讨了创新技术，以实现这些集装箱服务的可扩展性和安全性。有超过30亿人使用Internet，其中许多人每天与面向用户的服务器进行多次互动，该项目的结果可能会广泛影响社会的计算机安全。除了防止攻击者影响其他用户外，容器方法还使详细的取证能够使后卫从攻击中学习。该研究项目还为本科生和研究生提供教育机会，并为社区提供外展活动。为了创建这些一次性容器，该项目探索了操作系统，网络控制器，身份验证和能力管理领域的新技术。该项目的第一个研究方向探索了创建新的操作系统和网络功能虚拟化技术的机会，以扩展到每个主机上的大量容器。第二个研究方向着重于新网络和容器管理算法的设计和实施，因此可以按使用者使用灵活的安全策略。第三个研究方向探讨了如何管理与每个容器相关的访问和身份，以量身定制权限以匹配客户端上的用户。最终的研究方向探讨了理解和重建攻击所需的自动响应机制和法医收集措施。这些技术使防御者每次攻击者都会妥协容器时，都可以了解围绕容器漏洞的细节。结合起来，这些研究活动通过将先前破坏性的攻击转换为捍卫者的指导性课程，将安全优势转移到了服务器运营商中。该奖项反映了NSF的法定任务，并被认为是通过基金会的知识分子的智力优点和更广泛的影响来评估的评估，并被认为值得支持。

项目成果

A SmartNIC-based Load Balancing and Auto Scaling Framework for Middlebox Edge Server

• DOI: 10.1109/nfv-sdn53031.2021.9665167
• 发表时间: 2021-11
• 期刊: 2021 IEEE Conference on Network Function Virtualization and Software Defined Networks (NFV-SDN)
• 作者: Zhen Ni;Cui Wei;Timothy Wood;Nakjung Choi

Advancing Network Function Virtualization Platforms with Programmable NICs

使用可编程 NIC 推进网络功能虚拟化平台

• DOI: 10.1109/lanman.2019.8847032
• 发表时间: 2019
• 期刊: IEEE International Symposium on Local and Metropolitan Area Networks (LANMAN
• 作者: Ni, Zhen;Liu, Guyue;Afanasev, Dennis;Wood, Timothy;Hwang, Jinho
• 通讯作者: Hwang, Jinho

Fine-Grained Isolation for Scalable, Dynamic, Multi-tenant Edge Clouds

• 发表时间: 2020-07
• 作者: Yuxin Ren;Guyue Liu;Vlad Nitu;Wenyuan Shao;Riley Kennedy;Gabriel Parmer;Timothy Wood;A. Tchana