A computer scientist at Worcester Polytechnic Institute has a plan to thwart malware attacks through the use of a new technology.
The technology, known as single-use services, is being developed by Craig Shue, associate professor of computer science, with a three-year, $265,631 grant from the National Science Foundation. It is designed to prevent an attack on a commercial website from compromising other servers, data, and users.
Mr. Shue’s approach uses a technology called “containerization” that will be invisible to end users, but will change how they interact with search engines, news sites, online stores, and other types of websites. Instead of being given direct access to an actual web server, as happens now, each user will interact with a temporary copy, or instance, of the server. When the session ends, that copy will be destroyed.
In essence, each web session will be isolated within its own container. If a user exploits a vulnerability and attacks the web server by deploying a malware program, that program will disappear along with the container. Since the actual web server will not be infected, no other users will be harmed.
Is your research still in the idea stage or have you started to develop it yet?
“We have a component built, but most of the project is in the idea and exploration stage at this point.”
When the program disappears, is this a ‘poof and gone’ kind of disappear, or will it go somewhere to be analyzed? Also, will the attacker know that the attempt has been thwarted?
“When something happens in the container that is abnormal, we save the container and the network traffic to/from it for analysis. Depending on the attack, the attacker may know about it being thwarted. If they simply upload malware for the next visitor, they won’t know that the container was thrown away after they left. But if they try to do something that the container’s permissions don’t allow, they will know it. For example, if a container is tailored only to allow shoppers to buy products, but the attacker tries to access a merchant-only resource, they’ll learn that they don’t have access to that merchant-only resource. But they won’t know that the reason they were denied is because our system is running.”
Do you have a timeline for completion?
“The grant ends August 2021, but we expect some of the tools will be available before then.”
Do you have a team of students who will be working on this project with you?
“We are recruiting students currently. We have some students who are likely to work on it soon, but none of them have started yet.”
Is there anything else that you think is important to mention?
“It is easy to wonder why attackers are continually successful at breaking into computer systems. Essentially, this keeps happening because it is exceedingly difficult to write defect-free software, and attackers are good at finding defects and exploiting them. Our approach accepts that software will continue to have bugs, but with our tightly controlled containers, we make it difficult for attackers to transform a defect into an effective attack. Combined with our analysis of attack attempts, we essentially turn our would-be attackers into computer security instructors: Their attempts show us exactly what software needs to be fixed.”
Mr. Shue is collaborating with Timothy Wood, an associate professor at George Washington University. Using memory optimization techniques, Mr. Wood has created a system called Flurries that can rapidly spawn thousands of new containers per second. Flurries will enable the deployment of containers to be scaled up to the degree needed by major news and commerce websites, Mr. Shue said.
Mr. Shue’s focus is managing the network communications that will enable the system to create and communicate with each individual container; he will also set up the fine-grained permissions and develop the compromise-detection methodology. He’ll use technologies like OpenFlow, a communication protocol, and Open vSwitch, an open-source implementation of a distributed virtual multilayer switch, while also working to advance current forensic collection measures.
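As an added illustration (not code from Mr. Shue's project), the following Python model captures the session lifecycle described above and in the interview: every session runs in its own copy of a clean image, role-tailored permissions are checked on each request, a well-behaved session's copy is discarded when it closes, and a session that misbehaves is kept, together with its traffic log, for analysis. The site image, the roles and the resource paths are constructed sample data.

```python
"""Model of single-use web sessions: each session gets a fresh copy of a
clean base image, role permissions gate every request, and at close the
copy is either discarded or preserved with its traffic when it misbehaved."""
import copy
import itertools

# Constructed sample data: a minimal site image and per-role permissions.
BASE_IMAGE = {"/index.html": "<h1>shop</h1>", "/checkout": "order form"}
ROLE_ALLOWED = {"shopper": {"/index.html", "/checkout"},
                "merchant": {"/index.html", "/checkout", "/admin/orders"}}


class SessionBroker:
    def __init__(self):
        self.live = {}          # session id -> per-session container state
        self.quarantine = {}    # session id -> saved container + traffic log
        self._ids = itertools.count(1)

    def open_session(self, role):
        """Spawn a throwaway instance: a deep copy of the clean image."""
        sid = next(self._ids)
        self.live[sid] = {"role": role, "fs": copy.deepcopy(BASE_IMAGE),
                          "traffic": [], "abnormal": False}
        return sid

    def request(self, sid, method, path, body=None):
        """Serve one request inside the session's own container."""
        c = self.live[sid]
        c["traffic"].append((method, path, body))   # recorded for forensics
        if path not in ROLE_ALLOWED[c["role"]]:
            c["abnormal"] = True        # a resource this role is never given
            return 403
        if method == "PUT":             # content planted for the next visitor
            c["fs"][path] = body        # lands only in this session's copy
            c["abnormal"] = True
            return 201
        return 200 if path in c["fs"] else 404

    def close_session(self, sid):
        """Clean sessions vanish; abnormal ones are kept for analysis."""
        c = self.live.pop(sid)
        if c["abnormal"]:
            self.quarantine[sid] = c    # container state plus traffic log
            return "quarantined"
        return "discarded"
```

The base image is never written to, so a later session sees the original content regardless of what an earlier session changed in its copy.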