The cloud program, known as Mission-oriented Resilient Clouds, will be detailed at a meeting in Arlington, Va., on May 26, and a Broad Agency Announcement will follow.
According to DARPA: "Mission-oriented Resilient Clouds is concerned with the amplifying effect of the network, seeking to turn this around and use the network as a vulnerability damper and a source of resiliency. The focus of the Mission-oriented Resilient Clouds program is to support mission-oriented computation running on an ensemble of interconnected hosts acting in concert. The goal is to provide resilient support to the mission through adaptation. Loss of individual hosts and tasks within the ensemble is allowable as long as mission effectiveness is preserved."
According to DARPA, there is a high degree of implicit trust between the computational nodes within a cloud or a distributed computing infrastructure, which allows malware to propagate rapidly once it is within the enclave. Cloud computing infrastructures, in particular, tightly integrate large numbers of hosts using high speed interconnection fabrics that can serve to propagate attacks even more rapidly than conventional networked systems. Today's hosts, of course, are highly vulnerable, but even if the hosts within a cloud are reasonably secure, any residual vulnerability in the hosts will be amplified dramatically.
DARPA said it believes that "we must not only address host vulnerabilities but must also pursue clean-slate approaches to the design of networked computations and cloud-computing infrastructures."
With that idea in mind, the MRC program is a companion program to DARPA's ambitious clean-slate design effort known as CRASH (Clean-Slate Design of Resilient, Adaptive, Secure Hosts), a program that, DARPA says, looks to lean heavily on human biology to develop super-smart, highly adaptive, supremely secure networks.
For example, the CRASH program looks to translate human immune system strategies into computational terms. In the human immune system, multiple independent mechanisms constantly monitor the body for pathogens. Even at the cellular level, multiple redundant mechanisms monitor and repair the structure of the DNA. These mechanisms consume tons of resources, but let the body continue functioning and repair the damage caused by malfunctions and infectious agents, DARPA stated.
"The analog of the innate immune system will include combinations of hardware and software elements that constantly enforce basic semantic properties such as type safety, memory integrity, code/data distinctions, information flow, and access control constraints. The innate subsystem will render impossible attacks based on vulnerabilities stemming from violations of these basic properties. As with biological systems, significant resources should be dedicated to this task. Since hardware resources are now plentiful, it would be reasonable to use hardware mechanisms where this will lead to more complete enforcement or to better runtime performance," DARPA stated.
CRASH systems will feature closely integrated hardware, system software, programming languages and design environments. Often, making a small change in one of these domains can greatly ease the task of another. For example, providing a uniform software support system for automatic memory management can reduce the task of analyzing memory safety. Similarly, hardware tagging can systematically enforce code/data and other distinctions that might be more difficult and more costly to guarantee at other levels. Programming languages and environments that capture design rationale, constraints, and invariants make it easier to implement self-checking and self-adaptive software systems, DARPA stated.
In designing CRASH, DARPA said it will be evaluating six critical technical areas:
Processor Architectures: Modest processor extensions may be the most appropriate mechanism for systematically enforcing basic semantic properties such as type safety, memory safety, and information control. Such work may include, but is not limited to, tagging for information flow tracking, taint propagation, bounds checking, type checking, access control, and concurrency control. Possible implementation techniques include Field Programmable Gate Arrays or instruction set level simulations. The performance goal of the resulting implementation is only to be fast enough to support experimentation in this and other technical areas. Costly and time consuming implementation techniques such as full custom chips whose only purpose is performance should be avoided.
Operating Systems: The system will be designed around the enforcement of basic semantic properties such as memory safety, type safety, information flow, and access control. It will work in concert with features provided by the hardware. Cooperation between the operating system and hardware design is strongly encouraged if new hardware is being developed. New operating system structures that do away with the concept of a single all‐privileged kernel are what DARPA is looking for. The operating system should provide techniques that lead to effective rollback and recovery, information flow tracking, and systematic logging. The goal is not to produce a feature rich operating system competitive with commercial systems, but rather to build a prototype system capable of illustrating and testing core principles.
Machine Learning, Self‐Adaptation, Diagnosis, Recovery and Repair: The techniques to be explored in this area include, but are not limited to:
-Machine learning techniques that develop a model of the program's intended behavior
-Static analysis techniques for extracting models of the program's intended behavior
-Detection techniques that help determine that the program has stepped outside the bounds of its intended behavior
-Adaptation techniques that allow a program to continue functioning even after a successful attack has corrupted some resources
-Diagnosis techniques to help isolate the underlying cause of the problem
-Recovery techniques that allow a program to roll back to a safe state from which it may continue
-Repair techniques that allow the system to fix the underlying vulnerability
Programming Languages and Environments: Language features and runtime support to guarantee important properties will be encouraged. In addition, it will be of interest to provide language and/or programming environment features that facilitate the capture of important constraints on program execution such as information flow or invariants that must hold at specific points in the program. In addition, language features that facilitate the capture of multiple methods for common goals and the trade‐offs among alternative methods are also encouraged.
Formal Methods: Ideally, formal analysis of software and hardware designs will be used to verify that important properties are being preserved; more importantly, information gathered from formal analysis should be a part of a continual evolutionary design process. Techniques are sought that will allow formal proofs of program properties and other static analysis techniques to help build effective computational models of the intended behavior of a program. Such techniques may include the extraction of efficiently checkable invariant conditions, as well as models of the allowable control flows and data flows.
Dynamic Diversification: This technical area will focus on techniques that introduce diversity between different copies of the same system and within a single copy over time. Topics of interest include memory randomization, data structure randomization, stack layout randomization, instruction set diversification, and the use of multiple alternative methods for achieving the same goal.
The need for such an advanced system is obvious: "Current computer systems are not resilient to attacks. They lack the means to recover from attacks either by finding alternative methods for achieving their goals or by repairing the resources corrupted by the attack. They also typically lack the ability to diagnose the underlying problem and to fix the vulnerabilities that enabled the attack. Once a machine is corrupted, manual repairs by specialized personnel are required while the forensic information necessary to effect the repair is typically lacking," DARPA stated.
While these problems are not new, they have not been adequately dealt with largely because designers have been intellectually and institutionally bound by the need to maintain compatibility with legacy systems, DARPA stated.
Follow Michael Cooney on Twitter: nwwlayer8