This research investigates a new vision for increasing the resilience of computing clouds by elevating continuous change, evolution, and misinformation as first-rate design principles of the cloud's infrastructure. The work is motivated by the fact that today's clouds are very static, uniform, and predictable, allowing attackers who identify a vulnerability in one of the services or infrastructure components to spread their effect to other, mission-critical services. The goal is to integrate into clouds a new level of unpredictability for both their services and data so as to both impede an adversary's ability to achieve an initial system compromise and, if a compromise occurs, to detect, disrupt, and/or otherwise impede their ability to exploit this success.
As a step toward this vision, a broad set of new technologies that add continuous change, deception, and unpredictability to cloud environments were designed, implemented, evaluated, and in some cases deployed. These technologies present significant advances along five major directions:
- continuous migration technologies that can enable for the first time the swift migration of cloud-resident services and data either in response to an attack or continuously so as to present a moving-target defense;
- cloud information flow tracking technologies that can track cloud- resident data at larger scales than ever before, enabling cloud users (e.g., service administrators) to audit the flow of their information in the cloud;
- misinformation and decoy technologies that can automatically generate deceptive information – bogus information that appears genuine – so as to confuse, bait, and track attackers;
- cloud monitoring and self-healing technologies that can integrate information from many sensors spread across the cloud to detect complex, multi-stage attacks;
- stable multithreading technologies that can reduce the security risks posed by concurrent programs by ensuring that upon every execution, a program takes one of a few pre-checked schedules that have already been validated as safe; and
- hardware-enhanced memorization technologies that enable efficient execution of highly replicated environments.
This work was done by Roxana Geam-basu, Dimitris Mitropoulos, Simha Sethu-madhavan, and Junfeng Yang of Columbia University; Angelos Stravrou and Dan Fleck of George Mason University; and Matthew Elder and Azzedine Benameur of Symantec for the Air Force Research Laboratory. AFRL-0245
This Brief includes a Technical Support Package (TSP).
Maintaining Enterprise Resiliency Via Kaleidoscopic Adaption and Transformation of Software Services (MEERKATS)
(reference AFRL-0245) is currently available for download from the TSP library.
Don't have an account? Sign up here.