This project develops the ability to securely monitor host activities, which is the foundation of any host-based security application such as anti-virus software, firewalls, host-based intrusion detection systems, control flow analysis, taint tracking, and more.

The central idea is to use a hybrid approach that combines virtual machine introspection with secure in-VM monitoring to provide the necessary security, efficiency, and flexibility to be useful for a broad range of security applications. The main research activities address the foundational problems inherent to this hybrid architecture, and any other virtualization-based security architecture. Specifically, the project develops: (1) attestation and memory and data structure protection techniques to ensure the security of the trusted computing base (TCB) throughout the lifecycle of the system, (2) algorithms to locate security-critical data structures, reverse-engineer data structure semantics, and automatically generate semantic probes, and (3) algorithms and APIs for developers to divide a security application into in-VM and out-of-VM components.

This project also develops several security monitoring tools based on the hybrid approach, in particular, a system for user input monitoring that securely receives keyboard and mouse events and then determines what application will receive the events and how they will be processed. This tool is useful for classifying system activity as user-intended or automated. The automated activity can then be analyzed to identify potentially malicious host events (e.g., bot-generated traffic).
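As an added illustration of the classification step described above (this is not code from the project; the event formats, field names and the two-second correlation window are assumptions), the following Python sketch takes input events that the out-of-VM monitor is assumed to have captured securely, together with host events observed in the guest, and labels each host event as user-intended when a trusted keyboard or mouse event reached the same process shortly before it, and as automated otherwise:

```python
from dataclasses import dataclass
from typing import Iterable, List, Tuple

# Hypothetical record of an input event as reported by the out-of-VM monitor:
# when it arrived, which device produced it, and which process owned the
# focused window at that moment (resolved by the in-VM component).
@dataclass(frozen=True)
class InputEvent:
    ts: float
    device: str      # "keyboard" or "mouse"
    focus_pid: int   # process that will receive the event

# Hypothetical host event observed inside the guest (e.g. a new outbound
# connection), attributed to the process that caused it.
@dataclass(frozen=True)
class HostEvent:
    ts: float
    pid: int
    description: str

# Assumed maximum delay between a user input and the host activity it triggers.
WINDOW_SECONDS = 2.0


def classify(host_events: Iterable[HostEvent],
             input_events: Iterable[InputEvent],
             window: float = WINDOW_SECONDS) -> List[Tuple[HostEvent, str]]:
    """Label each host event 'user-intended' or 'automated'.

    A host event counts as user-intended if some trusted input event was
    delivered to the same process at most `window` seconds before it.
    Everything else (no preceding input, or input to a different process)
    is treated as automated and handed on for further analysis.
    """
    inputs = sorted(input_events, key=lambda e: e.ts)
    labelled = []
    for h in host_events:
        intended = any(
            i.focus_pid == h.pid and 0.0 <= h.ts - i.ts <= window
            for i in inputs
        )
        labelled.append((h, "user-intended" if intended else "automated"))
    return labelled


def automated_descriptions(host_events: Iterable[HostEvent],
                           input_events: Iterable[InputEvent]) -> List[str]:
    """Convenience view: descriptions of the host events judged automated."""
    return [h.description for h, label in classify(host_events, input_events)
            if label == "automated"]


# Constructed sample data: a user types and clicks in process 1001 (say a
# browser); process 2002 has received no input at all.
SAMPLE_INPUTS = [
    InputEvent(ts=10.0, device="keyboard", focus_pid=1001),
    InputEvent(ts=10.4, device="mouse", focus_pid=1001),
]
SAMPLE_HOST_EVENTS = [
    HostEvent(ts=10.8, pid=1001, description="pid 1001 connect example.com:443"),
    HostEvent(ts=10.9, pid=2002, description="pid 2002 connect 198.51.100.7:6667"),
    HostEvent(ts=15.0, pid=1001, description="pid 1001 connect example.com:443 (later)"),
]

if __name__ == "__main__":
    for event, label in classify(SAMPLE_HOST_EVENTS, SAMPLE_INPUTS):
        print(f"{event.ts:6.1f}  {label:14s}  {event.description}")
```

The second and third sample events are reported as automated: the connection from pid 2002 follows user input in time but that input went to a different process, and the later connection from pid 1001 has no input within the window at all. Only activity that can be tied to a trusted input event is treated as user-intended.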

Agency: National Science Foundation (NSF)
Institute: Division of Computer and Network Systems (CNS)
Type: Standard Grant (Standard)
Application #: 1017265
Program Officer: Ralph Wachter
Project Start:
Project End:
Budget Start: 2010-08-01
Budget End: 2015-07-31
Support Year:
Fiscal Year: 2010
Total Cost: $515,471
Indirect Cost:
Name: Georgia Tech Research Corporation
Department:
Type:
DUNS #:
City: Atlanta
State: GA
Country: United States
Zip Code: 30332