11 research outputs found

    The MINESTRONE Architecture Combining Static and Dynamic Analysis Techniques for Software Security

    We present MINESTRONE, a novel architecture that integrates static analysis, dynamic confinement, and code diversification techniques to enable the identification, mitigation and containment of a large class of software vulnerabilities in third-party software. Our initial focus is on software written in C and C++; however, many of our techniques are equally applicable to binary-only environments (but are not always as efficient or as effective) and for vulnerabilities that are not specific to these languages. Our system seeks to enable the immediate deployment of new software (e.g., a new release of an open-source project) and the protection of already deployed (legacy) software by transparently inserting extensive security instrumentation, while leveraging concurrent program analysis, potentially aided by runtime data gleaned from profiling actual use of the software, to gradually reduce the performance cost of the instrumentation by allowing selective removal or refinement. Artificial diversification techniques are used both as confinement mechanisms and for fault-tolerance purposes. To minimize the performance impact, we are leveraging multi-core hardware or (when unavailable) remote servers that enable quick identification of likely compromise. To cover the widest possible range of systems, we require no specific hardware or operating system features, although we intend to take advantage of such features where available to improve both runtime performance and vulnerability coverage.

    OS/2

    No full text
    (Statement of Responsibility) by Darrell Kienzle. (Thesis) Thesis (B.A.) -- New College of Florida, 1988. (Electronic Access) RESTRICTED TO NCF STUDENTS, STAFF, FACULTY, AND ON-CAMPUS USE. (Bibliography) Includes bibliographical references. (Source of Description) This bibliographic record is available under the Creative Commons CC0 public domain dedication. The New College of Florida, as creator of this bibliographic record, has waived all rights to it worldwide under copyright law, including all related and neighboring rights, to the extent allowed by law. (Local) Faculty Sponsor: Chae, Soo Bon

    A New Model of Security for Distributed Systems

    No full text
    With the rapid growth of the information age, open distributed systems have become increasingly popular. The need for protection and security in a distributed environment has never been greater. The conventional approach to security has been to enforce a system-wide policy, but this approach will not work for large distributed systems where entirely new security issues and concerns are emerging. We argue that a new model is needed that shifts the emphasis from “system as enforcer” to user-definable policies. Users ought to be able to select the level of security they need and pay only the necessary overhead. Moreover, ultimately, they must be responsible for their own security. This research is being carried out in the context of the Legion project. We start by describing the objectives and philosophy of the overall project and then present our conceptual model and design decisions. A set of technical challenges and related issues are also addressed.

    EXECUTIVE SUMMARY Security Patterns for Web Application Development

    No full text
    The views and conclusions contained in this document are those of the authors and should not be interpreted as representing the official policies, either expressed or implied, of the Defense Advanced Research Projects Agency or the U.S. Government.

    The MEERKATS Cloud Security Architecture

    No full text
    Abstract—MEERKATS is a novel architecture for cloud environments that elevates continuous system evolution and change as first-rate design principles. Our goal is to enable an environment for cloud services that constantly changes along several dimensions, toward creating an unpredictable target for an adversary. This unpredictability will both impede the adversary’s ability to achieve an initial system compromise and, if a compromise occurs, to detect, disrupt, and/or otherwise impede his ability to exploit this success. Thus, we envision an environment where cloud services and data are constantly in flux, using adaptive (both proactive and reactive) protection mechanisms and distributed monitoring at various levels of abstraction. A key element of MEERKATS is the focus on both the software and the data in the cloud, not just protecting but leveraging both to improve mission resilience. MEERKATS seeks to effectively exploit “economies of scale” (in resources available) to provide higher flexibility and effectiveness in the deployment and use of protection mechanisms as and where needed, focusing on current and anticipated application and mission needs instead of an inefficient, “blanket” approach to protecting “everything the same way, all the time”. We outline our vision for MEERKATS and describe our approach toward prototyping it.