Deep Introspection

Concept

Commodity computing systems are often designed to execute code as quickly as possible; they are not designed to inspect that code efficiently. Yet such inspection provides the basis for most security reference monitors, and enforcing security policies based on such inspection still incurs significant performance overhead. The key problem seems to be a significant gap between abstract or formal security policy models and the capabilities, peculiarities, and limitations of commodity computing systems. This gap leads to a mismatch between security policy requirements and a system's ability to efficiently (1) trap and aggregate events of interest and (2) extract state relevant to the security decision at hand.
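As a toy illustration of the two capabilities above, the sketch below is a miniature, in-process reference monitor (all names hypothetical; Python's sys.settrace stands in for a real trap mechanism such as a VMM or kernel hook). It traps every function-call event and extracts one piece of relevant state, the callee's name:

```python
import sys

# Toy reference monitor (illustrative only): trap call events in the
# interpreter and aggregate the ones we observe. A real deep-introspection
# monitor would trap at the VMM or kernel layer, not inside the runtime.
events = []

def monitor(frame, event, arg):
    if event == "call":
        # "Extract state relevant to the security decision": here, just
        # the name of the function being entered.
        events.append(frame.f_code.co_name)
    return monitor

def sensitive_operation():
    return "stand-in for a security-relevant action"

sys.settrace(monitor)   # install the trap
sensitive_operation()   # this call event is trapped and recorded
sys.settrace(None)      # remove the trap

print(events)  # lists each call trapped while the monitor was installed
```

The point of the sketch is structural, not practical: the monitor sees events only at the granularity the trap mechanism exposes, which is exactly the mismatch the paragraph above describes.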

This research effort considers system support for security policy expression, translation, and enforcement, collectively called "Deep Introspection": the ability to transport security-relevant information and trust relationships across layers of abstraction in a principled fashion.

Philosophy

Introspection: "(from Latin introspicere, 'to look within'), the process of observing the operations of one's own mind with a view to discovering the laws that govern the mind." - Encyclopedia Britannica (via dictionary.com)

The security and networking folks among you will note the similarity in name and concept to deep packet inspection (DPI); this is not accidental, since both are attempts to peer through layers of abstraction. In some sense, the task of successful DI (and DPI) is to build a recognizer for embedded or tunneled languages.
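A minimal sketch of what "a recognizer for embedded or tunneled languages" means in the DPI sense (function name and pattern are hypothetical): decide whether a byte stream carries a well-formed HTTP request line buried somewhere inside it.

```python
import re

# Minimal recognizer sketch (illustrative): does this byte stream contain
# an embedded HTTP/1.x request line? This is the kind of judgment a DPI
# engine makes when peering through a tunnel's layer of abstraction.
REQUEST_LINE = re.compile(rb"^(GET|POST|HEAD) [^ ]+ HTTP/1\.[01]\r?$", re.M)

def recognizes_http(stream: bytes) -> bool:
    """Return True if the stream contains a well-formed HTTP request line."""
    return REQUEST_LINE.search(stream) is not None

print(recognizes_http(b"junk\nGET /index.html HTTP/1.1\nmore junk"))
print(recognizes_http(b"random payload bytes"))
```

Of course, a regular expression only recognizes a regular approximation of the embedded language; recognizing real tunneled languages faithfully is far harder, which is the langsec point referenced below.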

The research area of Deep Introspection is an attempt to bridge the semantic gap -- the distance between the high-level abstractions of traditional security policy models and the actual capabilities of real commodity hardware. DI is also an attempt to answer two seemingly simple questions:

  1. What is my program doing?
  2. Can I trust it?

Before we can answer these questions, we should also ask that this happen quickly and efficiently. The major problem here is twofold: (1) I can extract data, but it imposes significant overhead, and (2) the model of behavior I choose to "recognize" may not be computable. (Deep Introspection focuses on the first problem, not the second; for more on the second problem, see the langsec.org site.)
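Problem (1) is easy to demonstrate even in-process. The sketch below (workload and numbers hypothetical) times the same computation with and without a do-nothing trace hook installed; the hook extracts nothing, so the slowdown it shows is the cost of trapping alone.

```python
import sys
import timeit

# Micro-benchmark sketch (illustrative): how much does merely trapping
# events cost, before any useful state is extracted?
def workload():
    return sum(i * i for i in range(1000))

def tracer(frame, event, arg):
    return tracer  # do nothing; pay only the trapping cost

baseline = timeit.timeit(workload, number=200)   # no monitor installed
sys.settrace(tracer)
traced = timeit.timeit(workload, number=200)     # every event trapped
sys.settrace(None)

print(f"slowdown from trapping alone: {traced / baseline:.1f}x")
```

The exact factor varies by machine and runtime, but the traced run is consistently slower, which is the overhead problem that Deep Introspection targets.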

Resources

An overview slide deck [slides distilled from Purdue talk (26 Sept 2011) (PDF)]

Keeping track of related work on UofC's wiki: http://wiki.ucalgary.ca/page/Deep_Introspection

Some implementation notes and relevant kernel lines of code.

People

This is joint work with Sean Smith and Sergey Bratus at Dartmouth College. Ashwathi S. Shiva is the lead student at the UofC.