Award Abstract # 1018355
TC: Small: Improving System Security through Virtual Layered File Systems

NSF Org: CNS
Division Of Computer and Network Systems
Recipient: THE TRUSTEES OF COLUMBIA UNIVERSITY IN THE CITY OF NEW YORK
Initial Amendment Date: July 15, 2010
Latest Amendment Date: July 15, 2010
Award Number: 1018355
Award Instrument: Standard Grant
Program Manager: Deborah Shands
CNS
 Division Of Computer and Network Systems
CSE
 Direct For Computer & Info Scie & Enginr
Start Date: September 1, 2010
End Date: August 31, 2014 (Estimated)
Total Intended Award Amount: $499,998.00
Total Awarded Amount to Date: $499,998.00
Funds Obligated to Date: FY 2010 = $499,998.00
History of Investigator:
  • Jason Nieh (Principal Investigator)
    nieh@cs.columbia.edu
Recipient Sponsored Research Office: Columbia University
615 W 131ST ST
NEW YORK
NY  US  10027-7922
(212)854-6851
Sponsor Congressional District: 13
Primary Place of Performance: Columbia University
615 W 131ST ST
NEW YORK
NY  US  10027-7922
Primary Place of Performance Congressional District: 13
Unique Entity Identifier (UEI): F4N1QNPB95M4
Parent UEI:
NSF Program(s): TRUSTWORTHY COMPUTING
Primary Program Source: 01001011DB NSF RESEARCH & RELATED ACTIVIT
Program Reference Code(s): 7923
Program Element Code(s): 779500
Award Agency Code: 4900
Fund Agency Code: 4900
Assistance Listing Number(s): 47.070

ABSTRACT

Desktop computers run many different applications, the
compromise of any one of which can compromise the entire desktop given
the lack of isolation among applications. Recovering a compromised
desktop remains a time-consuming task, which typically requires wiping
everything and reinstalling the system from scratch. These
security issues pose fundamental challenges as desktop computers are
relied on for everything from financial transactions to
medical records. To address these problems, we are creating novel
virtual layered file system (VLFS) technologies to improve system
security. Unlike a traditional file system which is a monolithic
entity, a VLFS dynamically composes together a set of software layers
into a single file system view for a desktop. Changes to one layer
are isolated and decoupled from changes to another. The VLFS dynamic
composition feature enables powerful and easy-to-use security
functionality. We are using VLFSes to build an architecture to enable
security patches to be deployed effectively when managing large
numbers of heterogeneously configured machines, and to speed system
recovery from security exploits. We are also using VLFSes to develop
a transparent desktop application fault containment architecture that
is effective at limiting the damage from exploits to enable quick
recovery while being as easy to use as a traditional desktop system.
The results of this proposal will provide a foundation for future
computer innovations to provide improved system security for users'
systems. Because we are working with industry-standard operating
systems and binary application and patch distributions, our results
will be directly applicable to the commercial world.

PUBLICATIONS PRODUCED AS A RESULT OF THIS RESEARCH


Alex Sherman, Jason Nieh, and Clifford Stein, "FairTorrent: A Deficit-based Distributed Algorithm to Ensure Fairness in Peer-to-Peer Systems," IEEE/ACM Transactions on Networking (ToN), v.20, 2012, p.1361

PROJECT OUTCOMES REPORT

Disclaimer

This Project Outcomes Report for the General Public is displayed verbatim as submitted by the Principal Investigator (PI) for this award. Any opinions, findings, and conclusions or recommendations expressed in this Report are those of the PI and do not necessarily reflect the views of the National Science Foundation; NSF has not approved or endorsed its content.

Managing many computers and keeping them secure is difficult. Recent virtualization trends exacerbate this problem by making it easy to create and deploy multiple virtual appliances per physical machine, each of which can be configured with different applications and utilities. Increasing the number of systems in use increases the number of systems that have to get security updates applied to them. Although software patches are released for security threats, the need to constantly deploy patches and upgrade software creates a management nightmare as the number of machines and virtual appliances in the enterprise continues to rise.  As machines are increasingly networked, this only complicates the management problem, given the myriad of viruses and other attacks commonplace today.

To address these problems, we have investigated, developed, implemented, and evaluated novel virtual layered file system (VLFS) technologies to improve system security. A VLFS introduces the notion of a layer, a file hierarchy of related files that are typically changed or upgraded as a unit. For example, a software package or application can be stored as a file system layer.  A VLFS is used as the file system for a machine. Unlike a traditional file system which is a monolithic entity, a VLFS is a collection of individual layers dynamically composed together into a single file system view. By dynamically building a VLFS out of discrete layers, we introduce file system composition as a simple yet powerful mechanism for assembling, managing, and securing systems and applications.  We have developed multiple VLFS-based systems to improve system security by providing simplified machine management for deploying security updates, and easy-to-use application fault containment.

Together with VLFS technologies, we have also introduced the concept of ephemeral containers. Ephemeral containers are execution environments with no access to the user’s data that are quickly instantiated from a clean state for only a single application execution. When the application terminates, the container is archived and never used again. Ephemeral containers together with VLFS technologies provide several benefits, including preventing compromises by ensuring that exploits cannot persist even if triggered, protecting users from compromised applications, and protecting user privacy when using the Internet.

The results of this research provide a basis for simplifying the assembly, management, and security of systems and applications, especially virtualized infrastructure.  This provides a foundation for both commercial deployment and future computer systems innovations to provide improved system security and management for computing infrastructure.

 


Last Modified: 12/17/2014
Modified by: Jason Nieh
