You are here

IA^2: Intent-Capturing Annotations for Isolation and Assurance

Award Information
Agency: Department of Defense
Branch: Defense Advanced Research Projects Agency
Contract: W912CG-21-C-0020
Agency Tracking Number: D2-2586
Amount: $999,986.00
Phase: Phase II
Program: STTR
Solicitation Topic Code: HR001120S0019-001
Solicitation Number: HR001120S0019.T
Timeline
Solicitation Year: 2020
Award Year: 2021
Award Start Date (Proposal Award Date): 2021-07-30
Award End Date (Contract End Date): 2023-08-14
Small Business Information
3420 Bristol St., Suite 600
Costa Mesa, CA 92626-7133
United States
DUNS: 079422609
HUBZone Owned: No
Woman Owned: No
Socially and Economically Disadvantaged: No
Principal Investigator
 Per Larsen
 (949) 293-7927
 perl@immunant.com
Business Contact
 Stephen Crane
Phone: (562) 646-7836
Email: sjc@immunant.com
Research Institution
 University of California, Irvine
 Natalie Tedford
 
5270 California Ave.
Irvine, CA 92697-7700
United States

 (949) 824-8109
 Nonprofit College or University
Abstract

Systems software can be tricked into performing unintended computation by feeding it carefully crafted inputs that corrupt and leak internal state. Modern software is so complex that implementation defects, some of which are exploitable, will only be discovered in the field. Operating systems isolate the state of each process such that a program experiencing an error does not bring down the entire system. There is no separation between libraries inside a single process, however. This has become a problem as applications grow more complex and defects in unrelated components can be combined freely into a weird machine performing unintended, malicious computations. As a result, several large applications have switched to a multi-process design. The idea is to reduce the “blast radius” of malicious inputs by i) processing untrusted inputs in a sandboxed process with few privileges and ii) performing privileged operations in a separate, higher privileged process. The application of multi-process designs is unfortunately limited by the substantial additional developer effort required to re-architect large and complex code bases such that costly inter-process interactions and marshaling of data does not lead to unacceptable slow downs. We propose an easy-to-use and efficient compartmentalization scheme that leverages a new memory management feature in x86 processors. The approach is easy to use because it does not require developers to split their application into multiple processes. Instead, programmers will use annotations to map libraries and executables to a set of compartments. When the application is built, we will automatically insert call gates on call edges that cross compartments thus reducing the programmer burden. Call gates implement compartment switches without assistance from the kernel and are therefore more efficient than full context switches from one process to another. Programmers are required to declare their intent to share certain data between compartments; this again requires less effort than marshaling data between processes. The compartmentalization substrate allocates data based on whether it is shared between compartments or private to a single compartment. We will provide tools that help programmers insert the necessary sharing annotations and diagnose segmentation faults triggered by accesses to the private memory of another compartment.   The proposed work builds on the encouraging results obtained during the Phase I effort. The experimental design of Phase I relied on a customized Rust compiler to compartmentalize applications. A major goal of Phase II is the ability to compartmentalize applications without the need to use a custom compartment-aware compiler to facilitate deployability. Other key improvements include the ability to support more compartmentalization models and deployments scenarios.

* Information listed above is at the time of submission. *

US Flag An Official Website of the United States Government