DARPA ISO Sponsored Research

2000 Project Summary
A Binary Agent Technology for COTS Software Integrity 
InCert Software Corporation

Project Website: http://www.incert.com/research/cots-int/project.html (additional project information provided by the performing organization)
Quad Chart: http://www.incert.com/research/cots-int/quad.html (provided by the performing organization)
Our project is focused squarely on COTS software integrity: our objective is to create a technology that will maintain the integrity of mission critical environments in the presence of COTS software. Mission critical systems composed of cost-effective COTS components are becoming commonplace, and maintaining their integrity is a challenging problem. Our approach is to insert software functions, or agents, directly into COTS binaries. The inserted agents detect anomalous process behavior and data corruption, correct or report problems, recover quickly from these problems, and thereby enhance the overall integrity of COTS software and the environment in which it is deployed. By seeking out anomalous behavior, our technology will attempt to detect problems associated with both unintentional faults and malicious attacks. Because it works with binaries, our technology can be applied within a mission critical environment that needs to import COTS software packages. 
Our project uses a system-level approach to COTS software integrity. We are developing a core binary instrumentation technology that will allow us to insert new software functions, or "agents", directly into COTS NT binaries at the deployment site of software applications, whether or not source code is available. Because the agents reside within the application binary and run from within the application environment whenever the application itself runs, our binary agents will monitor the behavior of applications from within, thereby enabling the observation, reporting, and sometimes correction of anomalous data I/O or program behavior. Because the agents reside within the binary, they are carried along with the application as the application is moved within an environment. Furthermore, we are also developing the capability for the agents to reside in subprocesses spawned by the parent application in distributed multiprocess environments. 

Our project will develop the following inter-related components: (1) a technology for automatic agent insertion in COTS NT binaries, (2) mechanisms for anomaly detection in running applications, (3) mechanisms for reporting and sometimes correcting problems, and (4) technologies for rapid recovery from problems. Our project will also involve overall system integration of these components and evaluation through deployment in a realistic environment. We discuss each of these components of our approach in some more detail below. 

Insertion technology: We use a binary-based static approach for software agent insertion. A static approach inserts agents into a binary through static binary analysis and does not incur the runtime performance overhead of a runtime method. We will use incremental control flow analysis combined with incremental value propagation to analyze the binary and create a control flow graph. The control flow graph is needed so that the normal control flow can be reconstructed after software agents are inserted. We need a combined incremental control flow and value propagation method because control flow analysis often depends on knowledge of program values, and program values in turn often depend on the specific control flow. The software agents will be inlined with the code to minimize the performance overhead. 

Anomaly detection technology: Agents inlined with the program code are responsible for automatically detecting when the program is behaving abnormally or maliciously. Although we will implement default policies, the technology will also allow policy specification by the host at the deployment site. As one example, we are proposing to use execution path signatures to check whether present behavior is consistent with previously observed behavior, for example the behavior recorded during testing. 

Reporting and Recovery technologies: Despite best efforts, as with faults and bugs, intrusion and data corruption are likely to occur. Systems that are prepared to isolate and recover rapidly from such occurrences will be much more robust than those that are not. Accordingly, for the cases in which problems do occur, we will leverage our core binary instrumentation technology to provide mechanisms for the application to quickly protect itself from, correct for, recover from, or at a minimum report the problem by signaling an alarm. As one example, to facilitate rapid recovery in mission critical environments, we will include a traceback mechanism in which the applications maintain a dynamic trace buffer of the instructions they have executed. Thus when the system crashes, a traceback history will be available to the user, going back from the crash point or data corruption point. We are also proposing to integrate our reporting mechanisms with extant system monitoring consoles. 
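The two mechanisms described above, execution path signatures and a dynamic trace buffer for traceback, are easiest to understand by seeing what an inlined agent would actually do at each basic-block entry. The following C program is an added illustration written for this summary, not InCert's code: a few hand-written functions stand in for a small instrumented binary, and every function name (`agent_enter_block`, `agent_traceback`, `run_application`, and so on), the block numbering, and the "corrupted branch target" fault are assumptions constructed for the example. During a learning phase the agent records which block-to-block transitions occur (the signature); in checking mode any transition not in the signature raises an alarm, and the ring buffer holds the most recent block ids so that a history is available after a fault.

```c
#include <stdio.h>
#include <stdbool.h>

#define NBLOCKS   8    /* basic blocks in the (simulated) instrumented binary */
#define TRACE_LEN 16   /* capacity of the dynamic trace (traceback) buffer */

/* Agent state. In a rewritten binary this would live in a data section added
 * by the insertion phase; here it is plain globals (constructed example). */
static bool allowed_edge[NBLOCKS][NBLOCKS]; /* path signature: edges seen during test */
static bool learning    = true;             /* true while recording the signature */
static int  prev_block  = -1;               /* last block entered in the current run */
static int  trace_buf[TRACE_LEN];           /* ring buffer of recently entered blocks */
static int  trace_pos   = 0;                /* next write index */
static int  trace_count = 0;                /* valid entries (<= TRACE_LEN) */
static int  anomalies   = 0;                /* unexpected edges seen while checking */

void agent_reset(void) {
    for (int i = 0; i < NBLOCKS; i++)
        for (int j = 0; j < NBLOCKS; j++)
            allowed_edge[i][j] = false;
    learning = true;
    prev_block = -1;
    trace_pos = trace_count = anomalies = 0;
}

void agent_set_learning(bool on) { learning = on; }
void agent_begin_run(void)       { prev_block = -1; } /* a fresh run has no predecessor */
int  agent_anomaly_count(void)   { return anomalies; }

/* Hook the inlined agent executes at the entry of every basic block. */
void agent_enter_block(int id) {
    /* Traceback: record the block, overwriting the oldest entry when full. */
    trace_buf[trace_pos] = id;
    trace_pos = (trace_pos + 1) % TRACE_LEN;
    if (trace_count < TRACE_LEN) trace_count++;

    /* Path signature: learn the edge during test, check it in deployment. */
    if (prev_block >= 0) {
        if (learning) {
            allowed_edge[prev_block][id] = true;
        } else if (!allowed_edge[prev_block][id]) {
            anomalies++;
            printf("ALARM: unexpected control transfer %d -> %d\n", prev_block, id);
        }
    }
    prev_block = id;
}

/* Copy up to max of the most recently entered block ids into out, oldest
 * first, and return how many were copied. This is the history a user would
 * inspect after a crash. */
int agent_traceback(int *out, int max) {
    int n = trace_count < max ? trace_count : max;
    for (int i = 0; i < n; i++)
        out[i] = trace_buf[(trace_pos - n + i + TRACE_LEN) % TRACE_LEN];
    return n;
}

/* Simulated application with blocks 0..4: block 0 branches on x to block 1
 * or 2, both continue to block 3, and block 4 is the exit. The hook calls
 * stand in for the code the insertion phase would add at each block entry.
 * With corrupt set, the branch target is overwritten (a constructed fault)
 * and control lands directly on block 4. */
int run_application(int x, bool corrupt) {
    agent_begin_run();
    agent_enter_block(0);
    int next = (x > 0) ? 1 : 2;
    if (corrupt) next = 4;
    agent_enter_block(next);
    if (next != 4) {
        agent_enter_block(3);
        agent_enter_block(4);
    }
    return x * 2;
}

/* Record the signature over a small test suite, then check two deployment
 * runs. Returns the number of anomalies reported. */
int demo(void) {
    agent_reset();
    agent_set_learning(true);
    run_application(1, false);
    run_application(-1, false);
    agent_set_learning(false);
    run_application(5, false);  /* normal: every edge was seen during test */
    run_application(5, true);   /* corrupted: edge 0 -> 4 never seen, alarm */

    int hist[TRACE_LEN];
    int n = agent_traceback(hist, TRACE_LEN);
    printf("traceback (oldest first):");
    for (int i = 0; i < n; i++) printf(" %d", hist[i]);
    printf("\n");
    return agent_anomaly_count();
}

int main(void) {
    printf("anomalies reported: %d\n", demo()); /* prints 1 */
    return 0;
}
```

A real agent would key the signature on instruction addresses rather than small integers and would keep the buffer in memory that survives the crash (or flush it on the alarm path), but the structure is the same: one cheap check per block entry, a learned reference, and a bounded history that costs a constant amount of space regardless of how long the process runs.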

Recent FY-99/FY-00 Accomplishments:
We are a new start. We have begun work on a binary instrumentation technology for x86/NT. 

We have created the instruction set representation for the x86 architecture. 

We have created a parser for x86 executables that produces a control flow representation of the binary. 

We have a prototype version of a phase that rewrites the control flow graph into a working output binary. 

FY-00 Plans:
Design and development of the algorithms for the core binary insertion technology and demonstration of a working implementation for a realistic NT binary. 

Design of algorithms for rapid recovery. Proof-of-concept implementation of a dynamic history mechanism. Optimization to reduce runtime overhead. 

Design of algorithms for automatic anomaly detection. Exploration of interfaces for basic user specification of integrity checks. Proof-of-concept implementation of a simple, default anomaly detection case. 

Technology Transition:
New start. 
Principal Investigator:
Richard Schooler and Anant Agarwal
InCert Software Corporation
One Kendall Square, Building 1400W
Cambridge, MA 02139
(617) 621-8080 
(617) 621-8081 fax 
schooler@incert.com and agarwal@incert.com

Admin Contact:
David Slatcher
InCert Software Corporation
One Kendall Square, Building 1400W
Cambridge, MA 02139
(617) 621-8080 
(617) 621-8081 fax