Software bugs and vulnerabilities are primary causes of cyber-security breaches in today's society. Runtime monitoring, a technique to enforce safety and security properties at program execution time, is essential to detect intrusions and keep the system healthy. One of the main obstacles to adopting runtime monitoring techniques in practice is high performance overhead. Inlined security monitoring enforcement often delays and blocks the execution of protected programs. Conventional concurrent runtime monitors have not been able to leverage multicore architectures for performance due to synchronization issues. If conventional synchronization primitives are used, then when the monitor crashes or is blocked due to external events, the protected program will also be blocked, even if the monitor is not monitoring. The goal of this proposal is to develop an innovative security monitoring technology, called Software Cruising, to explore multicore architectures for non-blocking concurrent security monitoring using lock-free data structures and algorithms. Software cruising eliminates the blocking effect and achieves efficient and scalable security monitoring. This can result in a game-changing capability in large-scale security monitoring for both cloud-based and traditional computing systems and applications.
The software cruising applications include, but are not limited to, heap buffer integrity checking, kernel memory cruising, data structure and object invariant checking, rootkit detection, and information provenance and flow checking. Three related sets of prototypical toolkits (Cruiser, Kruiser, and iCruiser) will be developed to demonstrate the effectiveness and practicality of large-scale software cruising. Cruiser is for lock-free heap buffer overflow monitoring of user-space programs. Kruiser is for kernel cruising on OS kernel heap buffer overflows and other security vulnerabilities. iCruiser is for user- and kernel-space data structure and object invariant cruising. The proposed research, upon completion, would make large-scale security monitoring more efficient and scalable in the increasingly popular multicore architecture and cloud environment, and thus significantly enhance system security. With the proposed tech transfer effort, applications as well as OS kernels will have better protection with the deployed software cruising technology. Broader impacts will also result from the education, outreach, and dissemination initiatives. Educational resources from this project, including course modules on software cruising and teaching laboratory designs, will be incorporated into online courses and disseminated through a dedicated web site. The outcomes of this project will be disseminated broadly through publications, software releases, and technology transfer.