The A3 project applies virtualization, introspection, repair, record-and-replay, and other techniques to develop a customizable container for “advanced adaptive applications.” The A3 container provides its protected application with both innate and adaptive defenses against security threats.
The Flux Research Group is collaborating with Raytheon BBN Technologies to define, build, and evaluate the A3 container and its environment. The Flux Group focuses on aspects that relate to hardware virtualization, i.e., hypervisor-based approaches to guarding against known attacks, detecting and diagnosing novel attacks, and repairing compromised environments to bring them back to an acceptable state.
Virtual-Machine Introspection (VMI) and Control
Virtual-machine introspection (VMI) allows a monitoring agent on the “outside” of a virtual machine to obtain information about the state of the system that is running on the “inside” of the virtual machine. The Flux Group is developing a VMI-enabled debugging framework, called Stackdb, that is the basis of the A3 environment's detection, prevention, and repair capabilities. For example, Stackdb allows A3 to observe significant events during replay executions, and thus helps to close the semantic gap between the “inside” and “outside” views of a system's behavior.
Atop the basic VMI framework, the Flux Group is implementing semi-automated analyses of security and performance. A new scripting language, called Weir, helps programmers to define and compose analyses that utilize VMI and other data sources.
Kernel-Focused Advanced State Management (ASM)
By observing and maintaining the state of the application within the A3 container, A3 can protect the application against threats. Kernel-focused advanced state management observes and repairs the operating system kernel within the container, not the user-level application directly. A kernel-focused approach is general in the sense that all (current) A3 guests have kernels. It is also application-specific, because desired invariants over kernel state may be specific to a particular protected application.
ASM is the subject of Prashanth Nayak's MS thesis.
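As an added illustration of the semantic gap and of kernel-focused state checking and repair described above (example code written for this page, not part of the A3 project and not Stackdb's API), the following Python models a guest-kernel memory image with an invented layout: the outside view decodes raw bytes, the inside view follows the kernel's own task list, one generic invariant (an unmodified syscall table) is repaired in place, and one invariant is specific to the protected application.

```python
import struct
# Constructed toy guest-kernel image (hypothetical layout, not a real kernel and not
# Stackdb's API): NR_SYSCALLS 8-byte pointers, then task records chained in a list.
NR_SYSCALLS = 4
SYSCALL_OFF = 0
TASK_OFF = SYSCALL_OFF + 8 * NR_SYSCALLS
TASK_FMT = "<I16sQ"  # pid, comm (NUL padded), offset of next task (0 = end of list)
TASK_SIZE = struct.calcsize(TASK_FMT)

def build_image(syscalls, tasks):  # tasks: [(pid, comm, next_off)] -> bytearray "guest memory"
    mem = bytearray(TASK_OFF + TASK_SIZE * len(tasks))
    struct.pack_into("<%dQ" % NR_SYSCALLS, mem, SYSCALL_OFF, *syscalls)
    for i, (pid, comm, nxt) in enumerate(tasks):
        struct.pack_into(TASK_FMT, mem, TASK_OFF + i * TASK_SIZE, pid, comm.encode(), nxt)
    return mem

def read_syscalls(mem):
    return list(struct.unpack_from("<%dQ" % NR_SYSCALLS, mem, SYSCALL_OFF))
def walk_tasks(mem):  # inside view: the tasks the guest's own list reports
    seen, off = [], TASK_OFF
    while off:
        pid, comm, off = struct.unpack_from(TASK_FMT, mem, off)
        seen.append((pid, comm.rstrip(b"\0").decode()))
    return seen

def scan_tasks(mem):  # outside view: every allocated slot in raw memory, linked or not
    recs = [struct.unpack_from(TASK_FMT, mem, o) for o in range(TASK_OFF, len(mem), TASK_SIZE)]
    return [(pid, comm.rstrip(b"\0").decode()) for pid, comm, _ in recs if pid]

def check_and_repair(mem, golden_syscalls, protected_comm):
    """Check kernel-state invariants; hooked syscall entries are restored in place."""
    violations = []
    for i, (have, want) in enumerate(zip(read_syscalls(mem), golden_syscalls)):
        if have != want:
            violations.append("syscall[%d] hooked: %#x -> restored %#x" % (i, have, want))
            struct.pack_into("<Q", mem, SYSCALL_OFF + 8 * i, want)
    linked = walk_tasks(mem)
    for task in scan_tasks(mem):
        if task not in linked:  # allocated but unlinked: invisible from inside the guest
            violations.append("hidden task pid=%d comm=%s" % task)
    if protected_comm not in {comm for _, comm in linked}:  # application-specific invariant
        violations.append("protected application %s not running" % protected_comm)
    return violations

def demo():
    golden = [0x1000, 0x1010, 0x1020, 0x1030]
    tasks = [(1, "init", TASK_OFF + TASK_SIZE), (42, "a3app", 0), (666, "hiddenproc", 0)]
    mem = build_image(golden, tasks)  # slot 2 is allocated but never linked into the list
    struct.pack_into("<Q", mem, SYSCALL_OFF + 8 * 2, 0xDEAD)  # simulate a modified entry
    return check_and_repair(mem, golden, "a3app"), read_syscalls(mem) == golden
```

In a real deployment the offsets and record formats would come from the guest kernel's debug information rather than constants, which is the bookkeeping a VMI framework performs on the analyst's behalf.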
Deterministic Record and Replay
When a security incident occurs within an A3 container, deterministic record and replay guarantees that the A3 environment can exactly reproduce the observed behavior—a prerequisite for investigation, diagnosis, and backtracking from symptom to cause. XenTT is the Flux Group's “time-traveling” hypervisor for A3: XenTT extends Xen with the ability to replay and analyze the execution of VM guests. Read the XenTT documentation.
XenTT is the subject of Anton Burtsev's PhD dissertation.
The A3 project is part of the DARPA Clean-Slate Design of Resilient, Adaptive, Secure Hosts (CRASH) program. It is supported by the Air Force Research Laboratory and DARPA under Contract No. FA8750-10-C-0242.