The A3 project applies virtualization, introspection, repair, record-and-replay, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.

Recent News

• Dec. 18, 2014 — KPCW Cool Science Radio Interview
  Eric Eide talks about the A3 project and computer security.
• Nov. 13, 2014 — Self-Repairing Software Tackles Bugs
  University of Utah press release about the A3 project.
• Oct. 11, 2014 — Fun with Shellshock
  Blog post describing an experiment that tested the A3 environment against an exploit of the “shellshock” bash bug.

Available Software

• Stackdb — a VMI-enabled debugging library for multi-level systems
  (read the paper; browse the source code; git clone the source repository)
• ASM — a system for kernel-focused anomaly detection and repair
  (read the thesis; source code is packaged with Stackdb)
• Weir — a streaming language for systems analysis
  (read the paper; browse the source code; git clone the source repository)
• XenTT — a “time-traveling” hypervisor
  (read the dissertation; docs and source code)
• Security-enhanced UNFS3 — a user-mode NFS server with a configurable security policy
  (browse the source code; git clone the source repository)
• Demo materials — scripts and files used in various A3 demonstrations
  Posted here for completeness, but these are not “ready to run” demonstrations! We hope to provide ready-to-run demos in the near future.
  (browse the source code; git clone the source repository)

The Flux Research Group is collaborating with Raytheon BBN Technologies to define, build, and evaluate the A3 container and its environment. The Flux Group focuses on aspects that relate to hardware virtualization, i.e., hypervisor-based approaches to guarding against known attacks, detecting and diagnosing novel attacks, and repairing compromised environments to bring them back to an acceptable state.

Virtual-Machine Introspection (VMI) and Control

Virtual-machine introspection (VMI) allows a monitoring agent on the “outside” of a virtual machine to obtain information about the state of the system that is running on the “inside” of the virtual machine. The Flux Group is developing a VMI-enabled debugging framework, called Stackdb, that is the basis of the A3 environment's detection, prevention, and repair capabilities. For example, Stackdb allows A3 to observe significant events during replay executions, and thus helps to close the semantic gap between the “inside” and “outside” views of a system's behavior.

Atop the basic VMI framework, the Flux Group is implementing semi-automated analyses of security and performance. A new scripting language, called Weir, helps programmers to define and compose analyses that utilize VMI and other data sources.

Kernel-Focused Advanced State Management (ASM)

By observing and maintaining the state of the application within the A3 container, A3 can protect the application against threats. Kernel-focused advanced state management observes and repairs the operating system kernel within the container, not the user-level application directly. A kernel-focused approach is general in the sense that all (current) A3 guests have kernels. It is also application-specific, because desired invariants over kernel state may be specific to a particular protected application.

ASM is the subject of Prashanth Nayak's MS thesis.

Deterministic Record and Replay

When a security incident occurs within an A3 container, deterministic record and replay guarantees that the A3 environment can exactly reproduce the observed behavior—a prerequisite for investigation, diagnosis, and backtracking from symptom to cause. XenTT is the Flux Group's “time-traveling” hypervisor for A3: XenTT extends Xen with the ability to replay and analyze the execution of VM guests. Read the XenTT documentation.

XenTT is the subject of Anton Burtsev's PhD dissertation.

Other Resources

• Raytheon BBN Technologies' A3 project web site
• DARPA I2O CRASH Program web site

Acknowledgments

The A3 project is part of the DARPA Clean-Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) program. It is supported by the Air Force Research Laboratory and DARPA under Contract No. FA8750–10–C–0242.