A Foundation for Orchestrating Multiple Security Environments in Endpoint Systems

Beauchaine, Adam

Etd

A Foundation for Orchestrating Multiple Security Environments in Endpoint Systems

Público Deposited

The technologies behind the virtualization and isolation of execution environments have become widespread, leading to their usage in cloud computing environments and software containerization scenarios. In both instances, these technologies combat a number of modern security threats. Despite these use cases, isolation- centric systems have seen limited deployment on modern endpoint devices, even in instances where prior research has noted such systems would benefit greatly through their implementation. There are several reasons for this lack of adoption. Isolation-centric, or “multi-environment” systems require burdensome mandatory access controls to define and delineate asset security levels and their corresponding security environments. This is often done through laborious manual generation of security metadata. Additionally, existing tools that allow the user to engage with isolation on endpoint devices are not widely employed in the context of enterprise workflows, and their usage remains largely restricted to technical specialists. In this thesis, we aim to address these important challenges to create a strong technical and procedural foundation for the usage of isolation-centric security in modern endpoint devices. We explore the challenges of access control complexity in isolation-centric systems. Our work proposes the usage of unsupervised learning as a labeling mechanism for assigning data assets to security groups. Our approach leverages a combination of UI context data gathered from an endpoint device, as well as on-screen natural language data associated with a given asset. We compare our approach with offline strategies for security labeling. Moreover, we address the usability challenges associated with isolation tools on endpoint devices. We conduct classical usability modeling of hypervisors and containerization software using our own tool independent workflow. Our results serve as an analytical usability framework for these tools. We use these results in the construction of a novel tool design that improves upon prior best performers in all measured categories. We introduce a fusion of these components through the notion of system sandboxing as a means of addressing uncertainties in unsupervised learning output. Our results show promise in addressing the most impactful challenges for the usage of multi-environment systems in endpoint devices.

Creator