TECHNOLOGY AREA(S): Info Systems, Battlespace
OBJECTIVE: Design and implement a framework for application data sandboxing of data-rich applications such as web browsers, document editors and web servers hosting dynamic content.
DESCRIPTION: There is a critical DoD need to develop efficient methods for identifying and enforcing appropriate controls to security-relevant data residing within the address-space of an application. Applications are increasingly data-rich, yet the security protections available for the most popular platforms do not provide any data controls within the context of a single application. While some applications do employ proprietary ad hoc sandboxing, such technology only enforces separation of the application from the operating system, instead of separation of the data used within the application. This topic seeks ways to add data controls with generic operating system or application-embedded security extensions. The root cause of a large class of application attacks stems from memory corruption vulnerabilities. These memory errors may, for example, be caused by an application using uninitialized memory, pointers to objects that have been previously freed, or accessing a buffer of data beyond the allocated size of the data. Traditionally, these vulnerabilities have been used in attacks that seize control of an application by altering control-flow, for example, by injecting new code into the application or by leveraging existing code. Contemporary defenses seek to reduce the number of memory corruption vulnerabilities, and the widespread deployment of practical implementations of data-execution prevention (DEP) and control-flow integrity (CFI)  have made code injection and code reuse attacks more difficult to pull off than they once were. Nevertheless, applications are routinely shown to be vulnerable to the loss of data security , both in terms of confidentiality and integrity, especially in light of non-control data attacks [3,7,8]. Hence, the DoD seeks a framework for application data sandboxing (or isolation, partitioning, etc.) of data-rich applications that provide data security, both in terms of confidentiality and integrity , thereby preventing or significantly limiting both the modification and disclosure of security-relevant data used by an application. The data security model should go beyond Bell-LaPadula and Biba Integrity models, which only separate higher-privileged data from lower-privileged data. This requirement stems from the fact that data-oriented attacks typically involve accessing data of the same privilege-level (e.g., passwords, keys, browser cookies), but across different contexts (e.g., domains, users, processes) [5,6]. The framework should be transparent to the user, not interfere with normal application functionality, not require extensive manual software re-architecting, and should operate with minimal negative performance impact under normal usage of the application. The approaches taken should, for example, identify security-relevant data, partition the data into appropriately sized groupings of data and the code that may access those data groupings, then enforce the partitioning at runtime. Frameworks that correctly and efficiently operate on COTS binaries are favored.
PHASE I: Conduct a feasibility study to determine innovative cyber techniques and mechanisms that can be used within a methodology for application data sandboxing of data-rich applications. Design the resulting concept framework capable of sandboxing data in COTS applications. The framework should prevent or significantly limit the modification and disclosure of security-relevant data used by an application (e.g., cryptographic keys, passwords, personal and banking information, configuration settings) in the presence of a memory disclosure (or modification) attack. The framework should operate with negligible performance overhead. An initial prototype may make use of program source code and have a negative impact on program performance, so long as a clear path is provided to eliminate those issues in Phase II. As part of Phase I, a test case with success criteria for data security in data-rich applications should be defined. Phase I deliverables will include a final report that details initial prototype design and concept framework, and any preliminary results for the test case. For this topic, DARPA will accept proposals for work and cost up to $150,000 for Phase I. The preferred structure is a $100,000, 6-month base period, and a $50,000, 4-month option period.
PHASE II: Fully develop the Phase I concept framework. The resulting prototype will be demonstrated in accordance with the success criteria developed in Phase I. Phase II deliverables will include a working prototype and final report that details demonstration results.
PHASE III: This dual-use technology applies to both military and commercial environments affected by cyber adversaries. Commercial benefits include increased cyber warfare protection of infiltration of a company’s data, preventing or significantly limiting both the modification and disclosure of security-relevant data used by an application, and thus, increased protection of critical infrastructure environments (e.g., health, electrical, transportation, etc.). The DoD and the commercial world have similar challenges with respect to maintaining the integrity of their cyber computing and communications infrastructure. The DoD is concerned with being able to effectively keep the cyber intruder from penetrating operational systems that support the warfighter. The resulting framework, capable of sandboxing data in COTS applications and adding data controls with generic operating system or application-embedded security extensions, is directly transitionable to the DoD for use by the services (e.g., Space and Naval Warfare Systems Center (SSC), Air Force Research Laboratory (AFRL)).
1: CARLINI, N., BARRESI, A., PAYER, M., WAGNER, D., AND GROSS, T. R. Control-flow bending: On the effectiveness of control-flow integrity. In USENIX Security Symposium, 2015.
2: Z. Durumeric, J. Kasten, D. Adrian, J. Halderman, M. Bailey, F. Li, N. Weaver, J. Amann, J. Beekman, M. Payer, and V. Paxson. The Matter of Heartbleed. In Internet Measurement Conference, 2014.
3: S. Chen, J. Xu, E. C. Sezer, P. Gauriar, and R. K. Iyer. Non-control-data attacks are realistic threats. In USENIX Security Symposium, 2005.
4: M. Castro, M. Costa, T. Harris, "Securing software by enforcing data-flow integrity," Symposium on Operating Systems Design and Implementation (OSDI), 2006.
5: Y. Jia, Z. Chua, H. Hu, S. Chen, P. Saxena, and Z. Liang. 2016. "The Web/Local" Boundary Is Fuzzy: A Security Study of Chrome's Process-based Sandboxing. In ACM SIGSAC Conference on Computer and Communications Security, 2016.
6: R. Rogowski, M. Morton, F. Li, K. Z. Snow, F. Monrose, and M. Polychronakis. Revisiting Browser Security in the Modern Era: New Data-only Attacks and Defenses. In IEEE European Symposium on Security and Privacy, 2017.
7: H. Hu, Z. L. Chua, S. Adrian, P. Saxena, and Z. Liang. Automatic generation of data-oriented exploits. In USENIX Security Symposium, 2015.
8: Blog.ropchain.com. Disarming EMET 5.52: Controlling it all with a single write action, April, 2017.
KEYWORDS: Cyber Defense; Memory Error Vulnerability; Data-oriented Attack; Data-flow Integrity; Application Exploit