SDI-CSCS: Collaborative Research: S2OS Enabling Infrastructure-Wide Programmable Security with SDI

SDI-CSCS：协作研究：S2OS 通过 SDI 实现基础设施范围内的可编程安全性

• 批准号: 1834216
• 负责人: Zhiqiang Lin
• 金额: $ 39.34万
• 依托单位: Ohio State University
• 依托单位国家: 美国
• 项目类别: Continuing Grant
• 财政年份: 2018
• 资助国家: 美国
• 起止时间: 2018-01-01 至 2022-08-31
• 项目状态: 已结题
• 来源: https://www.nsf.gov/awardsearch/showAward?AWD_ID=1834216&HistoricalAwards=false
• 关键词: SDI; CSCS; Collaborative; Research; S2OS

Traditionally, many of our critical systems have been developed with security as a reactive add-on, rather than a by default design. As a result, existing security mechanisms are often fragmented, hard to configure or verify, which makes it difficult to defend against various cyber attacks. This project will build the "holy grail" for enterprise/cloud/data-center security management with software-defined infrastructure (SDI): a unified framework for security and management of disparate resources, ranging from processes to storage to networking. Cloud computing is now an essential part of our national cyberinfrastructure; the proposed work will lower the total cost of ownership for clouds - further unlocking economic and environmental benefits - as well as improving the security of today's clouds.This project proposes S2OS (SDI-defined Security Operating System), which abstracts security capabilities and primitives at both the host Operating System (OS) and network levels and offers an easy-to-use and programmable security model for monitoring and dynamically securing applications. This project will explore new techniques to transparently compose software into a unified enterprise, even if the individual pieces were never explicitly designed to inter-operate, similar in a way a traditional operating system managing various hardware resources for upper-layer user applications. Further, this project will contribute new ways to leverage global information for making effective local security management decisions. Finally, this project enables new innovations in programming dynamic, host-network coordinated, and intelligent security applications to protect the entire infrastructure.This project will make significant contributions to how enterprise, data centers and cloud computing are securely built and managed. The project's PIs will engage in educational and outreach activities to train the next generation talent. In particular, the PIs plan to integrate the interdisciplinary research ideas into courses spanning networking, systems and security. The project will also actively encourage participation from underrepresented groups and transfer technology to industry partners.

传统上，我们的许多关键系统都是将安全性作为反应性附加组件开发的，而不是默认设计。因此，现有的安全机制往往比较分散，难以配置或验证，难以防御各种网络攻击。该项目将通过软件定义基础设施（SDI）构建企业/云/数据中心安全管理的“圣杯”：一个用于安全和管理不同资源（从流程到存储再到网络）的统一框架。云计算现在是我们国家网络基础设施的重要组成部分；拟议的工作将降低云的总体拥有成本，进一步释放经济和环境效益，并提高当今云的安全性。该项目提出了 S2OS（SDI 定义的安全操作系统），它抽象了安全功能和原语主机操作系统 (OS) 和网络级别，并提供易于使用且可编程的安全模型，用于监控和动态保护应用程序。该项目将探索新技术，以透明地将软件组合成一个统一的企业，即使各个部分从未明确设计为可互操作，类似于传统操作系统为上层用户应用程序管理各种硬件资源的方式。此外，该项目还将提供利用全球信息做出有效的本地安全管理决策的新方法。最后，该项目在动态编程、主机网络协调和智能安全应用程序方面实现了新的创新，以保护整个基础设施。该项目将为企业、数据中心和云计算的安全构建和管理做出重大贡献。该项目的 PI 将参与教育和外展活动，以培训下一代人才。特别是，PI 计划将跨学科研究思想整合到网络、系统和安全领域的课程中。该项目还将积极鼓励代表性不足的群体参与，并向行业合作伙伴转让技术。

项目成果

Automatic Fingerprinting of Vulnerable BLE IoT Devices with Static UUIDs from Mobile Apps

使用移动应用程序中的静态 UUID 对易受攻击的 BLE IoT 设备进行自动指纹识别

• DOI: 10.1145/3319535.3354240
• 发表时间: 2019-11-06
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Chaoshun Zuo;Haohuang Wen;Zhiqiang Lin;Yinqian Zhang
• 通讯作者: Yinqian Zhang

vSGX: Virtualizing SGX Enclaves on AMD SEV

vSGX：在 AMD SEV 上虚拟化 SGX Enclave

• DOI: 10.1109/sp46214.2022.9833694
• 发表时间: 2022-05-01
• 期刊: 2022 IEEE Symposium on Security and Privacy (SP)
• 作者: Shixuan Zhao;Mengyuan Li;Yinqian Zhang;Zhiqiang Lin
• 通讯作者: Zhiqiang Lin

CrossLine: Breaking "Security-by-Crash" based Memory Isolation in AMD SEV

CrossLine：打破 AMD SEV 中基于“安全崩溃”的内存隔离

• DOI: 10.1145/3460120.3485253
• 发表时间: 2020-08-01
• 期刊: Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Mengyuan Li;Yinqian Zhang;Zhiqiang Lin
• 通讯作者: Zhiqiang Lin

Exploiting Unprotected I/O Operations in AMD's Secure Encrypted Virtualization

利用 AMD 安全加密虚拟化中未受保护的 I/O 操作

• 发表时间: 2024-09-14
• 作者: Mengyuan Li;Yinqian Zhang;Zhiqiang Lin;Yan Solihin
• 通讯作者: Yan Solihin

Towards Memory Safe Enclave Programming with Rust-SGX

使用 Rust-SGX 实现内存安全 Enclave 编程

• DOI: 10.1145/3319535.3354241
• 发表时间: 2019-11-06
• 期刊: Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security
• 作者: Huibo Wang;Pei Wang;Yu Ding;Mingshen Sun;Yiming Jing;Ran Duan;Long Li;Yulong Zhang;Tao W
• 通讯作者: Tao W