2004 Technology Symposium
Information Assurance
Information Assurance investigates security vulnerabilities in distributed information systems and develops architectures, systems and techniques for providing protection from attack and exploitation. Existing tools for system protection will be tested and evaluated.
Automated Worm Detection and Response
Dan Ellis, Principal Investigator
Location(s): Washington
Problems
Worms can propagate through an enterprise in seconds. Current defenses include coarse-grained perimeters protected by firewalls and monitored by intrusion detection systems. Current intrusion detection and response processes do not scale to the time frame or scope of the worm problem. The problem is to detect and mitigate worm attacks within an enterprise environment in real time.

Objectives
This research program will develop signatures and algorithms for detecting worm behavior inside an enterprise, validate prototype detection on MITRE's internal corporate network, and evaluate candidate defensive technologies for near-real-time responses.

Activities
We will develop worm signatures and evaluate them both in simulations and on the MII. The first milestone is effective detection of worm-like behavior on the MII. We will identify and evaluate reaction strategies, focusing on completeness and performance. The second milestone is a matrix outlining the simulated effectiveness of the various strategies against a test suite of worm algorithms.

Impact
This project will result in the ability to detect a worm in near-real time and provide an indication of those defensive strategies that are worth further investigation. This will improve the state of the art of enterprise security management by enabling near-real-time adaptation to threats and other dynamic conditions.
Controlled Information Sharing
Rich Pietravalle, Principal Investigator
Location(s): Washington and Bedford
Problems
World conditions have increased the need for cross-domain information sharing, from business operations and support functions to intelligence and combat operations. Current technologies strain to meet the information-sharing requirements for flexibility, scalability, granularity, and tracking: even the number and identity of trusted partners change from one operation or action to another.

Objectives
This project intends to use technologies identified with "Digital Rights Management" (DRM) to develop novel solutions for information sharing across non-MLS (Multi-Level Security) domains. Towards this end, the project will define architectural requirements and propose the architecture elements to meet those information-sharing and content access control needs.

Activities
The project will select DRM approaches and existing DRM components to include for evaluation in test settings representing customer environments. Those DRM elements will be used both to evaluate operation against requirements and to add practical findings towards architectural and implementation recommendations. Further investigations will test the observations against variations, such as supporting document privacy versus intelligence information security.

Impact
The project will create novel solutions, new architectural elements and requirements for cross-domain information sharing. The work will influence the shaping of Air Force and DoD architectures, provide guidance to specific programs, and increase MITRE's expertise in information sharing and DRM technologies.
Defeating Armored Malicious Code
Steven Christey, Principal Investigator
Location(s): Washington and Bedford
Detecting Insider Threat Behavior
Greg Stephens, Principal Investigator
Location(s): Washington and Bedford
Problems
Trusted insiders committing espionage have caused tremendous damage to U.S. national security. The vulnerability of sensitive U.S. information assets to misuse by insiders is significant. Most organizations have large amounts of data accessible to users who do not have a need to know. Unfortunately, there are currently no effective mechanisms available to detect when users perform unauthorized information gathering (reconnaissance).

Objectives
Anecdotal evidence, formal insider threat studies, and common sense suggest that information reconnaissance is a common precursor to insider abuse. Therefore, the purpose of this effort is to develop a framework that includes specific techniques to detect unauthorized information gathering.

Activities
The project will develop sensors that collect and process data streams strongly tied to information use, initially focusing on the Common Internet File System (CIFS). We will use the wealth of organizational knowledge available to provide informational context, develop rules to flag inappropriate information gathering, and test the framework using a series of red team exercises.

Impact
Insider abuse is a significant and growing concern throughout the government and the private sector. Effectively detecting insider reconnaissance could thwart malicious insiders before they cause damage to national security and will help promote improved intelligence community sharing.
Enterprise-wide Security with Cryptographic Hardware Assistance
Joshua Guttman, Principal Investigator
Location(s): Washington and Bedford
Problems
When an employee accesses corporate servers remotely, is there a trusted path from laptop to servers? Can the employee access email, but not financial systems? Can a contractor's PC or network be part of a trusted path to proprietary data? The Trusted Computing Platform Alliance (TCPA) has defined security coprocessor functionality that provides an opportunity for easily tailored end-to-end security.

Objectives
Three specific problems need to be solved. First, can TCPA and operating system security (e.g., in SELinux) provide assurance of software integrity? Second, what protocols can carry user, device, and application authentication from the TCPA device to information services? And third, given information about device identity and integrity together with user identity, how can we enforce fine-grained authorization policies?

Activities
We will first demonstrate local authentication and mutually authenticated access from trusted platform module (TPM)-equipped Linux computers and design a trust framework with a trust management theory and an implementation strategy. Next, we will demonstrate the trust management system, design integrity reporting for Linux and SELinux, and design a trust management proxy for compatibility with existing applications. Finally, we will implement the proxy and integrity-reporting protocols.

Impact
Our clients need enterprise-wide security for widely accepted equipment and application software. Collaborating with vendors committed to TCPA, we will demonstrate systems that provide greatly improved information assurance, using TCPA-standardized cryptographic hardware. We will make the protocols and operating system support we develop available as open source so that vendors can easily make this functionality available to our clients.
Guarded Sharing of Information with XML (GSIX)
James Garriss, Principal Investigator
Location(s): Washington and Bedford
Problems
The DoD is migrating to a Web-based environment as one means to share information. This includes the use of industry standards, such as eXtensible Markup Language (XML) and Web services. The DoD uses cross-domain solutions to mediate controlled transfers of information across security boundaries. As DoD systems move toward using XML for data exchange, cross-domain solutions need to modernize to remain effective.

Objectives
Several projects and research efforts within MITRE are examining new ways to enforce cross-domain security policies upon XML documents with various XML technologies. Guarded Sharing of Information with XML (GSIX) is a prototype that implements the results of these efforts, providing a vehicle to test and refine various solutions.

Activities
The core component of GSIX is the Content Enforcer, which uses XML technologies to enforce the policies. The GSIX team will add several new features to the prototype, including a graphical user interface for monitoring and changing the active policies, support for Web services through GSIX, and support for XML signatures. We will test them in the lab and at the Joint Warfighter Interoperability Demonstration 2004.

Impact
The goal of GSIX is not to build a new guard, but to transition new capabilities to existing content-based guards. Both the Information Support Server Environment Program Management Office (PMO) and the C2 Guard PMO are exploring the use of XML parsers, XML schema validators, and eXtensible Stylesheet Language Transformations processors. We have also coordinated with the Cross Domain Solutions Office at the National Security Agency.
Organically Assured and Survivable Information Systems (OASIS)
Lora Voas, Principal Investigator
Location(s): Washington
Problems
Current mission-critical systems may be operationally fragile. While under attack, they may fail to operate to specification. The Organically Assured Survivable Information Systems (OASIS) Demonstration and Validation (Dem/Val) program seeks to leverage investments of DARPA-funded cyber defense survivability research, demonstrate such survivability technologies on a working prototype of a military mission-critical system, and accelerate the transition of DARPA-developed cyber defense technologies to DoD systems.

Objectives
The OASIS Dem/Val program will develop a prototype that demonstrates the means to enable the target systems to operate through a wide class of cyber attacks, provide continued and correct operation of mission-critical functions, gracefully degrade nonessential system functionality, and reconfigure dynamically to optimize performance, functionality, and survivability. The target system is the Air Force's Joint Battlespace Infosphere (JBI).

Activities
During the design phase, two teams competed to integrate many OASIS intrusion tolerance and survivability technologies and other research results into new architectures to develop the next level of secure and survivable JBI. One team has been selected to continue with the implementation phase, which will develop a survivable JBI prototype that demonstrates the abilities of OASIS-hardened systems to operate through 12 hours of determined Red team attacks.

Impact
Both technology transition efforts will demonstrate how the target systems can continue to provide mission-critical functionality and operate through attacks. Successful demonstration will exemplify how the OASIS research and development efforts were leveraged. Additionally, this will exemplify how to create and formally validate a secure and survivable architecture employing defense-in-depth layers of real-time execution monitors and adaptive reconfigurable strategies.
Quantum Network (QuIST)
Gerald Gilbert, Principal Investigator
Location(s): Washington and Bedford
Problems
Quantum cryptography, a branch of the new field of quantum information science, allows cryptographic keys to be distributed in real time in unconditional secrecy, a feat that cannot be performed in any other way. This MITRE project is directed principally to the challenge of incorporating quantum communications in realistic networks for the first time.

Objectives
This task involves performing detailed physics-based research on the security and performance characteristics of quantum networks in general, with emphasis on the characteristics of the developing DARPA Quantum Network. The task also involves providing guidance for, and review of, draft classification guideline documents relevant to this area.

Activities
Activities include, among others, computation of protocol parameters and identification of possible adjustments to protocols for systems to provide requisite degrees of secrecy and performance; estimation of key generation throughput; analysis of general systems performance requirements; evaluation of security thresholds for specifying performance requirements of the system; and development of techniques to improve secure quantum cryptographic throughput.

Impact
The DARPA Quantum Network is expected to be the first functioning communications network incorporating quantum communications in a non-trivial way. MITRE is providing crucial analysis and support to this project to help enable the successful realization of this expectation.
Security Guards for the Future Web
Nancy Reed, Principal Investigator
Location(s): Washington and Bedford
Problems
MITRE's clients are migrating to a Web environment as one means of sharing information. The number of new mission partners, including foreign partners, is growing dramatically. Traditionally, computer security guards have been used to control what information flows between security domains. Unfortunately, guard technology has not kept pace with the evolving Web environment.

Objectives
We will see what functionality both existing and emerging guards provide within a Web-enabled environment. We will recommend how to configure Web guards to minimize security risks to the enterprise. We will also determine how guarding capabilities will need to evolve as the Web evolves to a Web services environment.

Activities
We will document the operational and security requirements of Web producers and consumers. We will then perform vulnerability assessments of proposed guarding solutions and document ways to mitigate security risks. Finally, we will prototype a capability to exchange information across security domains using a publish/subscribe paradigm to demonstrate how guarding capabilities will need to evolve in a Web services environment.

Impact
Our research will make specific recommendations on how to enable computer security guards to work effectively in the future Web environment. While our research will focus primarily on information sharing within government enterprises, it will be directly applicable to the commercial world's push to provide "trusted" e-commerce.
Self-Regenerative Systems (SRS)
Chuck Howell, Principal Investigator
Location(s): Washington
Problems
Network-centric warfare demands robust systems that can respond automatically and dynamically to both accidental and deliberate faults. Adaptation of fault-tolerant computing techniques has made computing and information systems intrusion tolerant and much more survivable during cyber attacks. Even with these advances, computing and information systems tend to become more fragile and susceptible to accidental faults and malicious attacks over time.

Objectives
The SRS program seeks to create a new generation of security and survivability technologies. These technologies will bring attributes of human cognition to bear on the problem of reconstituting systems that suffer the accumulated effects of imperfect software, human error, and accidental hardware faults, or of a successful cyber attack. Desired capabilities include self-optimization, self-diagnosis, and self-healing. Systems must support self-awareness and reflection to achieve these capabilities.

Activities
MITRE participated in the proposal review for SRS in early 2004, and will work with DARPA to identify future technology transition opportunities. SRS technologies will draw on biological metaphors such as natural diversity and immune systems to achieve robustness and adaptability, the structure of organisms and ecosystems to achieve scalability, and human cognitive attributes to achieve the capacity to predict, diagnose, heal, and improve services.

Impact
SRS technologies will enable systems that are better protected from malicious attacks and accidental faults. System reliability will continually improve as vulnerabilities and software bugs are discovered and fixed autonomously, and the ability to provide critical services is maintained.
Trust Management for Mobile Devices
Vipin Swarup, Principal Investigator
Location(s): Washington and Bedford
Problems
The access rights that mobile devices grant each other may vary as the devices move around and their relative position and communication topology change. However, existing security architectures assume static trust relationships among principals and are unable to support transient or context-sensitive trust. Moreover, it is very difficult to develop secure applications that operate seamlessly as trust relationships change.

Objectives
This project will develop trust management and programming language techniques that simplify building secure mobile systems from cryptographic primitives. Our primary hypothesis is that we can build secure applications that function seamlessly even as trust relationships change due to device mobility. Our second hypothesis is that we can specify and implement many security aspects separately from the functionality aspects of a distributed mobile system.

Activities
We will develop an abstract trust model that captures transient and context-sensitive trust. We will also develop a theory of authorization that will enable systems to perform access control in the presence of transient trust. Next, we will define a high-level security policy language for specifying security properties of programs and will develop a compiler that transforms a program to meet a specified security policy.

Impact
This project will advance the state of the art of information assurance. Our trust model for context-sensitive, transient trust will improve the security of a wide variety of dynamic systems such as applications for mobile devices, Jini/JXTA services, and advanced collaboration systems. Our language-based security technology will simplify the development of security-aware applications, such as PKI-enabled applications and secure mobile applications.
Views-Blueprints for Security
Jay Brennan, Principal Investigator
Location(s): Washington
Problems
Many modern applications are distributed, resulting in complex system and security designs. Since security architects lack the ability to represent application-level security properties visually, the accompanying security documentation is often voluminous, and, lacking visual aids, can be difficult to comprehend. As a result, security designs are frequently poorly understood and quite often poorly engineered.

Objectives
The goal of Views is to facilitate the description of system security properties using a graphical language. Views intends to complement, not replace, other system and security documentation. The Views design aims to be relevant in sponsor environments and useful in answering the question, "Is this system secure?"

Activities
Views can model authentication, access control, credentials, channels, zones, and channel or zone properties. Current activities include developing extensions to address audit, authentication mechanisms, and security management, as well as completing the formal definition of Views. Later activities will extend Views for use outside its original target environment and examine integrating Views with existing system engineering notation.

Impact
Diagrams built with Views can improve the understanding and analysis of security designs, facilitating early identification of design deficiencies. Besides enhancing a system's security posture, identification and correction of deficiencies leads to savings in both time and money. Additionally, Views enables improved communications about security, which allows better integration of system and security designs and encourages design reuse.