DARPA-funded Fellowship of the Ring formed to secure systems from attackers


Lauren Laws

The Fellowship of the Ring is a familiar tale to many. A group consisting of hobbits, humans, an elf, a dwarf and a wizard embarks on a journey to destroy the One Ring, one of the most dangerous artifacts ever created in Middle Earth. Each member had different strengths to offer, their knowledge only benefiting each other. It is through this and strength of will that they were able to succeed.

But that is the literary Fellowship of the Ring. On Earth, a different Fellowship has been formed as part of the DARPA Hardening Development Toolchains Against Emergent Execution Engines (HARDEN) program. The “Netforce One: The Fellowship of the Ring (0)” project brings together a worldwide network of computer hackers who are bound together by the most critical “ring” of computer security on a device, commonly referred to as ring 0. Led by UIUC and extending computer security analysis software rooted in research performed at UIUC, this team serves as DARPA's evaluator of the security hardening technology developed by other HARDEN ‘performers’, i.e., teams of companies and universities who play different roles in the program.

Edmond Rogers

As Information Trust Institute Lead Operational Technology Security Engineer, Edmond Rogers assembled the team and led them to winning a nearly $4 million grant from DARPA to find vulnerabilities and exploits in computer systems that are protected by new technologies developed by other HARDEN performers. 

The HARDEN program is exploring novel theories and approaches and developing practical tools to explore, anticipate, isolate, and mitigate emergent behaviors in computing systems throughout the entire software development lifecycle. Several teams are working under the program, all with the ultimate goal of not only securing systems from attackers, but also closing loopholes that allow attackers to gain access in the first place.

The Fellowship team is unique among university-led research efforts for its extensive inclusion of hacking experts. Some of these work for large companies, some are running startup companies, and some work independently in the hacking economy.

The current focus involves boot loaders, the first piece of code that is loaded and run on a computer system during power up. The Fellowship’s interest is in what may happen if a boot loader has somehow been tampered with, e.g., through a supply-chain weakness, which could affect many commercial devices.

To do this, they find and describe all the interactions that are happening in a device’s operating system. Until recently, it hasn’t been possible to completely measure what happens inside a Linux kernel due to the massive amount of data that’s generated (roughly five to ten terabytes). That is, until now.  

A former UIUC Ph.D. student, Nathan Dautenhahn, created a tool called Memorizer. Imani Palmer, another UIUC Ph.D. and now an ITI researcher, is extending Memorizer to better understand what is normal (and importantly, what is abnormal) in the Linux kernel.

Imani Palmer

Fellowship researchers are using this approach in their testing of results from HARDEN performers. TA1 detects malware and emergent execution engines, also known as weird machines: additional code execution that occurs outside of a program’s original specification. TA2 is formalizing the behavior of the aggressor after they have gained a foothold in the system.

These performers then work on possible solutions to what they have found. Memorizer is then able to evaluate how effective these solutions are through human-run penetration tests.  

While the end of the literary Fellowship came with the destruction of the One Ring and the defeat of Sauron, the fight here in the real world to secure against attacks won’t be as simple. But at least researchers will have a better idea of how to do it. 

“The data generated from this project will lay the groundwork for solving many foundational security problems,” said Palmer.  

That would be the start for future projects focused on properly securing systems, a must for a modern world that runs on technology. 

“I want to connect my phone into my laptop and I don’t want to worry about one or the other being hacked because of it,” said Rogers. “We’re not going to be able to solve that problem in four years, but what we do want to do is set up a toolset so that people can consider answers to these problems.”

For inquiries, you can contact the team via darpa-fellowship@illinois.edu.