Flux Research Group / School of Computing

security people

Eric Eide
Faculty
Anton Burtsev
Affiliated Faculty
Sneha Kumar Kasera
Affiliated Faculty
John Regehr
Affiliated Faculty
Mike Hibler
Research staff
David Johnson
Research staff
Khagan Karimov
PhD student
Guineng Zheng
PhD student

security projects

A3

The A3 project applies virtualization, record-and-replay, introspection, repair, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.

TCloud

In the TCloud project we are developing a self-defending, self-evolving, and self-accounting trustworthy cloud platform. Our approach in realizing TCloud holds to the following five tenets: defense in depth, least authority, explicit orchestration of security function, moving-target defense, and verifiable accountability.

XCap

We are creating XCap, a secure environment for least-authority execution of applications and system services. Unmodified, untrusted, off-the-shelf applications, running on untrusted operating systems, are isolated by a virtual machine manager. XCap brings the power of a capability-based security system to Xen, building on two principles: strong isolation and secure collaboration.

SDN End-to-end Application Containment

We are developing an SDN End-to-end Application Containment ArchitecTure (SeaCat).

Our approach involves extending SDN primitives into end-points, adapting existing mechanisms for end-point application containment and orchestrating the creation of these contexts based on policies associated with specific health care applications.

CloudLab

Many of the ideas that drive modern cloud computing, such as server virtualization, network slicing, and robust distributed storage, arose from the research community. Despite this success, today’s clouds have become environments that are unsuitable for moving this research agenda forward—they have particular, unmalleable implementations of these ideas “baked in.” CloudLab will not be a cloud; it will be large-scale, distributed scientific infrastructure on top of which many different clouds can be built.

OpenEdge: Open Service Edge Network

High performance edge networks, such as fiber-to-the-premises (FTTP), are increasingly being deployed by municipalities and communities to support advanced services and applications. The complexity of operating these networks often means that their full potential is not being reached and they are relegated to being fast access pipes to the Internet. In this work we are developing a dynamic and secure open service edge network architecture, called OpenEdge. OpenEdge provides a control architecture that automates the configuration of the edge network in a cloud-like manner to simplify the introduction of new network services and applications.

CapNet: Capability Enabled Networking

CapNet will provide a practical platform for enforcing strong isolation for scientific workflows. The fine-grained nature of CapNet supports the principle of least authority. Individual scientific workflows, and even their tasks, will run with the minimal set of privileges required to complete their goals, and no more. The basis for CapNet’s design is (1) strong isolation of network activities with the mechanisms of software defined networks (SDN) and (2) mediation of all communication between network hosts by a capability access control model.

Deker: Decomposing Kernels for Verification

Deker is a framework for decomposing and verifying commodity operating system kernels. Deker turns a de-facto standard commodity operating system kernel into a collection of strongly isolated subsystems suitable for verification.

NetSecOps: Network Security Operations

University campus infrastructures count among the most complex and sophisticated information technology (IT) deployments, often combining a mix of enterprise, academic, research, and healthcare environments, each with its own distinct security, privacy, and priority policies. In this project we address these challenges through a collaborative research effort, called NetSecOps (Network Security Operations), that attempts to assist IT security teams by automating many of the operational steps that are tedious, error-prone, and otherwise problematic in current campus networks.

POWDER

POWDER (the Platform for Open Wireless Data-driven Experimental Research) is a facility for experimenting on the future of wireless networking in a city-scale “living laboratory.” Visit the POWDER portal.

Sharing Artifacts in a Cybersecurity Community Hub

This project is creating a new, collaborative, community-driven platform for researchers in cybersecurity. The platform aims to lower the barrier to experiment sharing and reproducibility within the cybersecurity community by aiding researchers in packaging, importing, locating, understanding, and reusing experiment artifacts. The artifacts organized by the platform, including tools, methodologies, documentation, and data, can be deployed to various community testbeds for performing new experiments.

recent security publications (see all)