Raytheon is working with researchers
at George Mason University's (GMU)
Center for Secure Information Systems
to improve its ability to develop highassurance
systems. Current research and
development activities include automating
vulnerability analysis and hardening systems
through secure virtualization.
CAULDRON (Combinatorial Analysis Utilizing
Logical Dependencies Residing on Networks)
is a tool that GMU recently developed to
automate vulnerability analysis, the task of
examining network security to identify deficiencies
and predict the effectiveness of proposed
improvements. Vulnerability analysis is
performed manually today. To perform this
analysis, engineers must find the vulnerabilities
that an attacker could exploit and the
many paths that an attack could take in
order to traverse a network and reach the
attacker's target. This has become an intractable
task, as systems and networks
have grown more complex and as exploits
have become more numerous. Given thousands
of exploits, vulnerabilities and possible
network configurations, vulnerability analysis
needs to be automated.
An attack may penetrate a network at one
node and then hop from that node to reach
a target at a remote node in the network. A
multistage attack may employ different exploits
along the way, as different nodes may
have different vulnerabilities. It may also traverse
the network via many possible attack paths. A vulnerability analysis should
ideally identify all possible attack paths,
and the exploits and vulnerabilities used
to traverse them.
Once the attack paths and exploits are
known, developers may add security mechanisms
or reconfigure the network in order to
"harden" the network. Proposed changes
can then be analyzed to predict their effectiveness
before they are implemented. Multiple solutions can be explored at minimal
cost if the process is automated.
Vulnerability analysis needs to be a continuing
activity. Networks are dynamic places:
they expand and are upgraded; new vulnerabilities
are discovered, and so are new exploits.
Each of these changes can affect the
security posture of a network. By automating
vulnerability analysis, CAULDRON makes
it practical to periodically perform thorough vulnerability analyses, and find and eliminate
new vulnerabilities before an attacker
finds and exploits them.
Figure 1 shows CAULDRON's inputs.
Commercial off-the-shelf tools provide information
about network topology, known
threats and intrusions. The user provides
CAULDRON with attack scenarios that identify
an attacker's potential network entry
point(s) and target(s). CAULDRON then finds all of the paths and exploits that an attacker
could use to reach those targets.
CAULDRON provides the user with visualizations
of its analysis results, as shown in
Figure 2. This gives the user information
about attack paths, vulnerabilities, and
exploits used, as well as recommendations
for how network security can be effectively
improved with minimal addition of security
mechanisms. Raytheon has successfully used a beta version of CAULDRON on multiple
engineering programs, both to evaluate
its performance and perform vulnerability
On one of these programs, an 81-host
system with more than 2,300 open Internet
ports was analyzed for vulnerabilities.
Current practice would have required engineers
to manually interpret vulnerability
scan data, find critical attack paths and
eliminate critical vulnerabilities. This would
have taken weeks to do. CAULDRON found
the attack paths, identified the critical
exploits, recommended solutions, and
helped eliminate 75 percent of the vulnerabilities
in a few hours. The technology isbeing transitioned into Raytheon for further
use as the technology matures.
Recent research has shown that virtual machines
can be used to improve system security.
The concept of a virtual machine has
been around for many decades; it is a software
implementation of a computer that
executes a program like a real machine. For
example, an application that runs on one
operating system could also run on another
operating system if a virtual machine were
installed between the application and the
second operating system. Security mechanisms
can be combined with virtual machine
technology to isolate a host computer from
its applications in such a way that if an
application is compromised, the application
and its operating environment can be dismissed
without harming the host computer
or other applications.
Internet Cleanroom is one such technology.
It protects hosts from Web-based attacks by
running a browser or e-mail application on
a virtual machine with mechanisms to detect
and respond to compromise. Developed
at GMU, it is transitioning into a commercial
product offered by Secure Command.
Raytheon is evaluating Internet Cleanroom
for potential deployment in its own
products and IT system.
The Uninterruptible Server is another technology
that GMU is developing to protect
servers from attack. It helps make servers intrusion
tolerant, i.e., able to operate
through an attack, even when the attacker has penetrated the system.
Uninterruptible Server runs multiple copies
of server software on separate virtual machines,
which are software emulations of
the computers that run on real computers.
As shown in Figure 3, each virtual server
handles Internet service requests. A VS
handler monitors each VS and makes local
decisions to kill unauthorized processes that
may appear due to Web-based attacks.
Global decisions such as reverting servers
are made by a trustworthy controller. A load
balancer advertises a single IP address to the
Internet and feeds Internet requests to the
servers at random. The trustworthy controller
is not addressable from the Internet
side of the servers, so it is protected from
Raytheon is working with GMU to
adapt these technologies for use in