Institute for Cyber Security Overview
Ravi Sandhu, Executive Director, Professor of Computer Science, Lutcher Brown Chair in Cyber Security
October 2019
ravi.sandhu@utsa.edu | www.ics.utsa.edu | www.profsandhu.com
© Ravi Sandhu World-Leading Research with Real-World Impact!
ICS Mission and History
Excellence in graduate-level sponsored research
- 2007-2012: Founded by start-up funding from the State of Texas
- 2012-2017: Graduated to a self-sustaining operation
- 2017-2022: Major expansion by winning the NSF C-SPECC grant
In collaboration with: College of Engineering, College of Business, College of Education, Open Cloud Institute, Cyber Center for Security & Analytics
Partnership with 4 NISD High Schools: Harlan, Woodson, Taft, Business Careers
FlexCloud & FlexFarm: world class research laboratories
Sustained production of PhD graduates and sponsored research
Holistic Cyber Security Research Objectives (diagram)
POLICY: What? Why? (Enforce, Enable)
ATTACKS: Defend, Respond
PROTECT and DETECT complement each other
Mechanisms: How?
Holistic Cyber Security Research Objectives (diagram, continued)
POLICY: What? Why? (Enforce, Enable)
ATTACKS: Defend, Respond
PROTECT and DETECT complement each other
Mechanisms: How?
Requires: Institute Level Effort, World Class Laboratories, Global Collaborative Connections
ICS Major Research Thrusts
APPLICATION DOMAINS: Cloud Computing, Internet of Things (IoT), Social Media, Big Data, Mobile Platforms, Enterprise, Insider Threat, Scientific Infrastructure, Smart Homes, Smart Cities, Smart Cars, etcetera
WORLD CLASS LABS: FlexCloud, FlexFarm
FOUNDATIONAL TECHNOLOGIES: Access Control, Policy, Malware, Forensics, Blockchain, Artificial Intelligence, Machine Learning, Data Provenance, Formal Methods, etcetera
Goal: Broaden and Deepen
Facts and Figures
PAST SYNOPSIS
- PhDs graduated: 27
- External funding raised: $22M
CURRENT STATUS
- Faculty affiliates: 22 (College of Sciences: 8, College of Engineering: 7, College of Business: 6, College of Education: 1)
- Current PhD students: 29 (College of Sciences: 19, College of Engineering: 7, College of Business: 2, College of Education: 1)
- Domestic vs Foreign: roughly 50-50
Institute for Cyber Security: Galahad Project
James Benson, Technology Research Analyst
October 2019
James.Benson@utsa.edu | www.ics.utsa.edu | https://gitlab.com/utsa-ics/galahad
© James Benson World-Leading Research with Real-World Impact!
ICS Data Center
The Research Data Center (RDC) was opened in the summer of 2012. Total square footage for servers is 1,632 sq. ft.; the entire MS RDC is 3,558 sq. ft. Our equipment consists of over 1,300 threads, 10TB of RAM, 370TB of storage, and a 10GB backbone.
Galahad at 10,000 Feet
- Galahad was Star Lab's solution for the IARPA VirtUE program (Virtuous User Environment). Program manager: Kerry Long.
- 4 original contenders: Star Lab; Raytheon BBN; Siege Technologies; and Next Century.
- Galahad is unique in that it was transitioned from Star Lab to ICS, and we have open-sourced it, the goal being a turn-key open-source deployment tool that can be shared with others.
- Galahad runs as discrete software components. It utilizes EC2, Elastic File System (EFS), Route53, ... a complete software solution.
Goals and Motivation
Objective: Detection and mitigation of threats attempting to exploit, collect from, and/or affect user computing environments (UCE) within public clouds
- Cloud service providers have not offered any "game changing" security solutions
- Adversaries can leverage an arsenal of capabilities used to succeed
- Providers cannot necessarily be trusted
- Current end-point security solutions and analytical approaches are not tuned for cloud environments
Notes:
2. Cloud providers simply provide VMs that resemble desktops, i.e., general-purpose operating systems. They'll protect their own resources but not their users'. Frequently companies don't use AWS's solutions and instead use their own. Logging is limited to CloudWatch with limited logging metrics (https://docs.aws.amazon.com/workspaces/latest/adminguide/cloudwatch-metrics.html#wsp-metrics).
3. End-point solutions are designed for enterprise workstations that fulfill multiple roles. It is unclear whether they can even be tuned given the current all-inclusive VM construct. Role-based VMs open the door to improved models of expected use.
Galahad Approach
To combat threats in a public cloud: isolate, protect what is controlled, and maneuver.
- Do not attempt to establish trust: no positive control of traditional trust-establishing components.
- Do not require special cloud services, e.g., dedicated servers: don't rely on a "dedicated" (exclusively for our use) server.
- Impede the ability of adversaries to operate within AWS by making it more difficult to co-locate: make it more costly for an adversary to find us in the cloud and more difficult to attack us.
- Force adversaries to consume more resources, thereby increasing the accuracy, rate, and speed with which threats may be detected.
- Facilitate the creation of role-enabled security models.
- Reduce attack surface area, harden the kernel, sense in real time, and limit resources: role-based isolation, attack surface minimization practices, operating system (OS) and application hardening techniques, real-time sensing, and maneuver / deception.
Galahad VirtUE
- Containers for easy packaging and security configuration
- A small, hardened, de-privileged Linux OS VM
- A nested hypervisor to facilitate regular, recurring live migration of Unity VMs inside AWS
Notes:
- Valor: runs directly on our EC2 instance; responsible for supporting migration (VirtUE load/unload) and some sensing.
- Unity: can host multiple containers; there is a one-to-one relationship between Unity, role, and user. A user can have multiple roles. A role defines what a user needs access to, for example Word and Firefox.
- Xpra exports the display using HTML5 wrapped in Node.js. Node.js runs on the client side, and all roles get displayed on a single canvas.
Sensing/Control Capabilities
- Valor: network communications, virtual memory remapping, physical device access
- Unity/VirtUE: process creation, storage usage, network access, libraries loaded by Windows processes, attempted access to privileged resources
- Docker: start/stop services, enable/disable ports
Galahad Use Case
- Galahad Canvas: user interface, resource sharing, single sign-on
- Galahad Lifecycle Control: VirtUE Assembler, VirtUE Control API
- Galahad Sensors and Loggers: configurable to allow for performance / logging tradeoffs; spans the entire Galahad VirtUE software stack
Galahad Components
Diagram components: Unity EC2 instances (Unity Admin; Unity running Windows app(s) via Wine and Wine Server; syslog-ng client; Wine Instrumentation; Unity Syslog; Local Storage; Process Killer; Heartbeat Listener; Merlin; Net_Block kernel module; Linux kernel LSM); an EC2 instance with RethinkDB and local storage; an EC2 instance with ElasticSearch and Kibana; Excalibur; Valor (Gaius, syslog-ng client, Introspection Monitor).
- Excalibur is the web server (using REST commands for the CLI) that handles OAuth login; all APIs (Security, Admin, User) are hosted there. The web server allows for 2 profiles, for example a home and a work profile, so if one is compromised, the other is intact.
- Gaius is the agent that runs on the Valor and is responsible for receiving commands from Excalibur through RethinkDB, issuing the pertinent "xen" API commands, and syncing the output back to RethinkDB.
- Merlin is the agent that runs on the VirtUEs and the Valor and is responsible for interactions with the transducers, i.e., sensors and actuators: configuration changes of the sensors or commands issued by a transducer, e.g., change a firewall rule or turn on logging.
- So, for example, the auto-migration algorithm can be implemented in Excalibur, and then: API call --> populate a migration command in RethinkDB --> Gaius picks up the updated RethinkDB entry and calls the xen migration command.
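The controller-to-agent flow described above (Excalibur records a command in RethinkDB, Gaius on the Valor picks it up, calls the hypervisor and syncs the output back) is worth seeing as code. The following is an added illustration written for this page, not Galahad's own code: it replaces RethinkDB with an in-memory CommandStore, replaces the xen/xl call with a constructed fake backend, and invents the record fields (valor, action, virtue, status, result) and the agent-side action allowlist. The point it adds is on the Gaius side: the agent only executes allowlisted actions for VirtUEs it actually hosts, marks each record so it is never re-run, and writes the outcome back where Excalibur can audit it.

```python
"""Added illustration of Galahad's command-queue pattern (not project code).
Assumptions: in-memory dict instead of RethinkDB, fake_xen instead of the
real hypervisor call, and invented record field names."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional
import itertools

# Agent-side allowlist of actions Gaius will act on (assumed, not from Galahad).
ALLOWED_ACTIONS = {"migrate", "launch", "halt"}


@dataclass
class Command:
    cmd_id: int
    valor: str                 # Valor that should act on this record (assumed field)
    action: str                # e.g. "migrate"
    virtue: str                # VirtUE identifier
    params: Dict[str, str] = field(default_factory=dict)
    status: str = "pending"    # pending -> done | rejected
    result: Optional[str] = None


class CommandStore:
    """Stand-in for the RethinkDB table shared by Excalibur and Gaius."""

    def __init__(self) -> None:
        self._rows: Dict[int, Command] = {}
        self._ids = itertools.count(1)

    def insert(self, valor: str, action: str, virtue: str,
               params: Optional[Dict[str, str]] = None) -> int:
        cid = next(self._ids)
        self._rows[cid] = Command(cid, valor, action, virtue, params or {})
        return cid

    def pending_for(self, valor: str) -> List[Command]:
        return [c for c in self._rows.values()
                if c.valor == valor and c.status == "pending"]

    def get(self, cid: int) -> Command:
        return self._rows[cid]


class Excalibur:
    """Controller side: the migration decision ends up as a stored command."""

    def __init__(self, store: CommandStore) -> None:
        self.store = store

    def migrate(self, virtue: str, src_valor: str, dst_valor: str) -> int:
        # A real auto-migration algorithm would choose src/dst; here they are given.
        return self.store.insert(src_valor, "migrate", virtue, {"dest": dst_valor})


class Gaius:
    """Agent on a Valor: poll the store, validate, call the hypervisor, sync output."""

    def __init__(self, valor: str, hosted: set, store: CommandStore,
                 xen: Callable[[str, str, dict], str]) -> None:
        self.valor = valor
        self.hosted = set(hosted)   # VirtUEs this Valor currently runs
        self.store = store
        self.xen = xen

    def poll_once(self) -> List[int]:
        handled = []
        for cmd in self.store.pending_for(self.valor):
            # Reject anything outside the allowlist or not hosted here, so a
            # bad or stray record cannot drive an arbitrary hypervisor call.
            if cmd.action not in ALLOWED_ACTIONS or cmd.virtue not in self.hosted:
                cmd.status, cmd.result = "rejected", "not permitted on this valor"
            else:
                cmd.result = self.xen(cmd.action, cmd.virtue, cmd.params)
                cmd.status = "done"          # marked so it is never re-executed
                if cmd.action == "migrate":
                    self.hosted.discard(cmd.virtue)
            handled.append(cmd.cmd_id)
        return handled


def fake_xen(action: str, virtue: str, params: dict) -> str:
    # Constructed stand-in for the real xen/xl call; returns a log-style line.
    return f"xl {action} {virtue} {params.get('dest', '')}".strip()


def demo():
    store = CommandStore()
    exc = Excalibur(store)
    gaius_a = Gaius("valor-a", {"virtue-1"}, store, fake_xen)
    cid_ok = exc.migrate("virtue-1", "valor-a", "valor-b")
    cid_bad = exc.migrate("virtue-9", "valor-a", "valor-b")  # not hosted on valor-a
    gaius_a.poll_once()
    second = gaius_a.poll_once()   # nothing pending any more: idempotent
    return store.get(cid_ok), store.get(cid_bad), second


if __name__ == "__main__":
    for row in demo()[:2]:
        print(row.cmd_id, row.status, row.result)
```

In the real deployment the polling loop would be a RethinkDB changefeed and the status/result fields are what an operator would forward to the ElasticSearch/Kibana instance to see which orders were executed, by which Valor, and which were refused.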
Galahad Architecture
The VirtUE Administrator can:
- View the status of individual VirtUEs or groups of VirtUEs
- Push orders to VirtUEs through the VirtUE Controller, e.g., force a launch / halt, migrate a VirtUE, or change the configuration of migration behavior
- Push active response [mitigation] orders through the Sensor Controller, e.g., force some sensors to halt, reconfigure how sensors store data, etc.
The user interacts with their UCI via Canvas running in a thin client. Using the same VirtUE control library found in the VirtUE Administrator, users select roles and start / stop VirtUEs. They SSO through a 3rd-party package, OAuth.
Questions?