The College of Computer and Information Science and the College of Engineering have active
research programs in software and architecture security. Software security goes beyond communication security, network security and cryptographic security to address the issues of software
and hardware vulnerabilities. The goal is to produce software execution that is less likely to be
compromised by attackers. The faculty involved in this thrust include:
• Kenneth Baclawski (CCIS)
• Matthias Felleisen (CCIS)
• David Kaeli (ECE)
• Karl Lieberherr (CCIS)
• Riccardo Pucella (CCIS)
• Xinping Zhu (ECE)
Aspectual Security
Karl Lieberherr is working on treating security concerns as aspects. He is researching how to reduce
vulnerabilities by writing software at a higher level of abstraction, avoiding the typical tangling
that occurs.
We follow the motto: the closer the program is to a design, the easier it is to understand and the less likely it will contain design vulnerabilities. Making programs closer to a design is achieved
by using better separation of concerns. Better separation of concerns means that first the concerns
are properly separated and implemented as aspects AND second, the concern implementations
(aspects) are loosely coupled so that a change to one aspect does not have too many repercussions
on the other aspects. We achieve the loose coupling by using a generative approach. When one
aspect changes, we regenerate code of other aspects, sometimes after small manual updates to those
other aspects.
A theme we pursue is the investigation of security-specific aspect languages. We started our investigation with implementing different version of the Chinese Wall policy language. The goal
of this approach is to study multiple policy languages and how the rules they contain crosscut the
application code. This leads to interesting insights about safely deploying security policies and how
to use aspect technology to safely inject the policy code at the right places in the application. A
related project with the architecture group is elaborated on later in this thrust outline.
The security-specific aspect languages (SALs) not only address information security issues but also software security issues. For example, a SAL that is used in the context of web applications
will enforce rules that guarantee that form changing attacks (e.g., price changing attacks), SQL
attacks and cross-site scripting attacks can not happen. Our future work will explore collaborations
of SALs. In the context of web applications, a SAL can be viewed as an application-level firewall
programming tool. Code from a SAL is translated into code for a security gateway that checks
HTTP requests and also code that is woven into clients demonstrating the cross-cutting features
of the security concern.
An important topic in software security is to analyze security issues in the presence of aspects.On the one hand, aspect-oriented software development (AOSD) helps to better address security
issues but on the other hand it also puts more tools into the hands of attackers. An important
question is how to control AOSD so that it is safe.
The group also works in the space of general-purpose aspect languages and their application to software security. For example, AspectJ is a general-purpose aspect language that is useful for
run-time monitoring of programs but also for static checking of programs with respect to security
properties. However, AspectJ is not expressive enough for some problems, for example to detect
buffer overflows easily. We are investigating the expressiveness of various kinds of selector languages
to choose points in the execution of a program. In collaboration with Ravi Sundaram we evaluate
the computational complexity of various problems/selector languages.
Computer Architecture
The Northeastern University Computer Architecture Research Laboratory (NUCAR) is presently
supported on an NSF-funded project to develop architectural approaches to preventing malicious
code attacks and accelerate anti-virus application execution.
In 1988, the Morris Worm Incident raised the awareness of the computing public to the potential impact of malicious
software, spreading a worm that corrupted over 6000 computers (approximately 10% of all Internet
users at that time). The Morris Worm gained access through Unix send mail, fingerd, rsh/rexec
and weak passwords, using a buffer overflow. The Morris Worm Incident prompted the creation
of the Computer Emergency Response Team (CERT), which has tracked computer security and
vulnerability issues. We have studied the CERT vulnerability incident reports and have used this
information to guide our current approach to remedy these security holes.
More recently, the Code Red and Nimbda worms used buffer overflow to compromise Microsoft's Internet Information Server (IIS). Buffer overflow-based attacks have been the most commonly
exploited form of security vulnerability, as reported by CERT. In 1998, 9 of 13 CERT advisories
were due to buffer overflows, and in 1999 more than half of the advisories were due to buffer
overflows.
The research we are pursuing will both complement and improve upon the current virus protection technology available. We are
developing novel architectural features that will dynamically detect viruses using hardware, and
we are proposing to develop new architectural features to accelerate the execution of anti-virus
softwares. The goals of our present research are:
| • |
Develop new architectural features that will aid in the runtime detection of viruses. |
| • |
Propose a multi-threaded microarchitecture that allows for the transparent detection of and recovery from viruses. |
| • |
Produce a characterization of the most frequently used commercial anti-virus softwares. |
| • |
Propose new architectural features that can accelerate the execution of anti-virus software. |
We have published three papers describing this work. We have also started anew workshop that focuses on Architectural Support for Security and Anti-virus (WASSA), which
was held in October 2004 with the ACM ASPLOS Conference
Languages and Ontology-based Security
Ken Baclawski is the leader of an NSF project entitled Achieving Interoperability of Emergency
Response Teams Using Model Driven Architecture and Software Defined Radios. This project ad-
dresses a number of software security issues. The overall goal of this project is to develop a Proof
of Concept that: demonstrates optimized dynamic interoperability between different emergency
response teams and different unattended sensors, specifies the performance and the Quality of Service
measures, and establishes approaches to verification of conformance to analytical standards.
which addresses software security issues.
The work on software contracts by Prof. Matthias Felleisen is important for checking software vulnerabilities because contracts can detect mismatches and assign blame properly. The work by
Wand and Clinger on provably secure compilers is important for software security because compilers
can be hidden sources of Trojan horses. Felleisen is developing a new programming language that
supports more powerful interfaces. Using such a programming language will lead to fewer software
vulnerabilities because the programming language will do more checking.
Virtual Machines
There exists a broad class of vulnerabilities that are difficult to remedy mainly because they appear
to be safe upon initial download and/or inspection, but exhibit malicious behavior at some later
time. Two examples of this kind of attack include Trojan horses and back doors. We have studied
CERT reports associated with Trojan horses and have tried to develop a defense against such
attacks.
We are proposing to develop a virtual machine approach to detect and guard against this class of attacks. Some examples of the characteristic behavior we are trying to detect include:
1. Control flow that jumps to frozen code (i.e., code accessed for the first time); if so, consider the following:
• is the control flow dependent on user supplied or remote data?
• is there an 'if' argument hard-coded in the binary?
2. Hard-coded data in the binary; if so, consider the following:
• does the data refer to a file name?
• does the data refer to an IP addresses?
3. self modifying code.
The software and architecture groups have joined forces to address this class of vulnerabilities.The objectives of this joint effort include:
| • |
Design a policy language that can be used to specify levels of trust associated with an application (initially we will utilize Demeter AspectJ in this work). |
| • |
Develop a static compilation environment (initially, based on the Microsoft Phoenix Compiler and Tools Framework) to identify potential security problems in downloaded source. |
| • |
Implement a novel runtime environment (just-in-time profiler) that can identify potential malicious behavior. |
| • |
Implement this system in the IBM Jikes RVM. An implementation will enable us to evaluate how well we can guard against Trojan horse attacks by dynamically monitoring runtime
behavior. |
In this work we intend to utilize Aspect-Oriented Programming (AOP) to facilitate our run-time profiling framework. AOP is a fairly recent programming paradigm that allows cross-cutting
concerns to be modularized . This model fits well with our requirements to perform behavior
monitoring. We have utilized AOP in previous work for monitoring program control flow and
heap accesses. The work on heap monitoring (for adaptive garbage collection) included an
implementation with AspectJ in the Jikes RVM.
In this project we will develop both static and dynamic access control language and mechanisms that monitor program access behavior. The goal is to enable the user to access safe regions of the
system unfettered, while preventing an untrusted application to access sensitive information or
perform potentially dangerous actions.
| 
