Student Work

Isolation-Centric Operating Systems for the Enterprise

Public Deposited

Downloadable content


Every year, ransomware causes over $2 billion in damages to enterprises, and current antivirus technologies do not sufficiently address this threat. With the majority of computers set up as a single execution environment, one compromised application may spread into the entire system and, from there, the entire network. Because attackers are always developing new malware, preventing malware from getting into a system entirely is impossible. IT administrators therefore need a way to minimize the damage that malware can inflict across a system once it has already infiltrated it. One way to minimize potential damage is isolation: containing the malware within the infected environment and limiting its communication with other components on the system. Existing methods of isolation impose usability and performance costs on the user, so IT administrators need a more usable and performant way of providing isolation to the end user. Isolation restricts communication between environments to prevent malware from spreading, but strict isolation limits user productivity and collaboration within the enterprise. IT administrators need a way to keep the benefits of isolation while maximizing inter-environment productivity, so that the effectiveness of isolation is not compromised. Administrators also need an efficient way to observe and identify anomalous activity, so that collaboration can be enabled while the integrity of isolation is maintained.

To implement strict isolation while maintaining usability and reducing performance costs on the end user, we created a system that uses virtualization to provide isolation between applications. We built a web interface that mirrors a traditional desktop environment and allows seamless VM access. Additionally, we leveraged remote computational resources to reduce the burden of running multiple VMs on the end user's system and to provide rapid availability of VMs. To keep the benefits of isolation while maximizing inter-environment productivity, we provided a more usable way of creating and maintaining policy by modifying an existing SDN-based policy management tool. The modified tool incorporates user intent data into its decisions by adding machine context labels that assist decision making in multi-machine environments. We tested the updated tool against traditional networking systems and the unmodified version of the tool using three scenarios based on real-world threat models. To provide an efficient way to observe and identify anomalous activity, we created a custom virtual environment that uses a series of sensors to record workflow data; our visualization scripts parse this data to present the user with time series graphs detailing different types of system activity over runtime. These time series graphs help the user decide whether sandbox activity is indicative of a benign workflow.

To test the usability and performance of our system for isolating environments, we evaluated application startup time, wasted screen space, the VM startup process, and computing resource costs. We compared our system to a traditional desktop system and to a traditional VM, VirtualBox. For application startup time, our system took slightly longer than a traditional system to start all applications, but was significantly faster than VirtualBox across all scenarios. For screen space, our system wasted 4.85% of the screen when running an application, compared to a traditional system rendering the same application, while VirtualBox wasted 7.8% under the same circumstances. For the VM startup process, the Keystroke-Level Model (KLM) time for accessing a VM on our system was faster than in VirtualBox. In evaluating performance costs, our client performed similarly to the traditional desktop environment and heavily outperformed VirtualBox in the most intensive scenario. Additionally, our client consumed minimal additional resources as the number of running applications increased, which suggests better scalability than the traditional environment. As expected, our server consumed the most resources in the most intensive scenario, due to the overhead of isolating each application in its own VM.

To ensure that policy scalability in a multi-machine environment did not interfere with firewall accuracy, the modified version of the tool was compared to the original tool and to the traditional networking system by running each system through a set of scenarios representing real-life security threats. Our results indicated that the system integrating the modified tool had increased policy scalability without significantly affecting accuracy when compared to the other two systems. The modified tool was most successful in situations where user or machine groups were used to form policy decisions. To observe and identify anomalous activity, the team recorded time series data to test the idea that untrusted activities can be identified when there is a misalignment between user activities and system behavior. When observing the activities of malicious and benign scenarios, our expectations were met. In scenarios involving ransomware, there was a noticeable absence of consistent user-initiated keystrokes and mouse clicks, or an irregular pattern that deviated significantly from expected human behavior. Some samples revealed their malicious intent almost immediately after execution through a rapid succession of Indicators of Compromise, while others required a longer observation period. Nevertheless, the combination of network behavior, file activity, and the absence or irregularity of user interaction data typically yielded enough information within the first few minutes of execution to classify the scenario accurately.
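The misalignment heuristic described above (high file and network activity while user input is absent or implausible) can be expressed as a small detector over per-window sensor counts. The following is an added example written for this page, not code from the project; the thresholds, the 10-second window size, and the sample sessions are all constructed assumptions, and a real run would read the sandbox's sensor logs instead.

```python
"""Flag sandbox time windows where system activity (file writes, network
connections) is high while user input (keystrokes, mouse clicks) is absent
or implausible, then classify the whole session from the flagged windows.

Constructed example; thresholds and sample data are assumptions.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed tuning values for a 10-second observation window.
HUMAN_MAX_KEYS_PER_WINDOW = 100   # ~10 keystrokes/s is already beyond sustained human typing
SYSTEM_ACTIVITY_THRESHOLD = 50    # file writes + network connections per window
WINDOWS_TO_FLAG = 2               # consecutive misaligned windows needed to classify


@dataclass(frozen=True)
class Window:
    index: int         # window number since sample execution (assumed 10 s slots)
    keystrokes: int
    clicks: int
    file_writes: int
    net_conns: int


def is_misaligned(w: Window) -> bool:
    """True when system activity is high but user input is absent or implausible.

    High activity with a present, plausible user (e.g. an autosave burst while
    typing) is NOT flagged, so user-driven bulk work stays classified as benign.
    """
    user_events = w.keystrokes + w.clicks
    system_events = w.file_writes + w.net_conns
    if system_events < SYSTEM_ACTIVITY_THRESHOLD:
        return False
    user_absent = user_events == 0
    user_implausible = w.keystrokes > HUMAN_MAX_KEYS_PER_WINDOW
    return user_absent or user_implausible


def classify(windows: List[Window]) -> Tuple[str, Optional[int]]:
    """Return ("suspicious", first_window_of_run) as soon as WINDOWS_TO_FLAG
    consecutive windows are misaligned, otherwise ("benign", None).

    Returning the index of the first flagged window records how early in the
    run the misalignment became visible, which the report measures in minutes.
    """
    run_length = 0
    run_start: Optional[int] = None
    for w in windows:
        if is_misaligned(w):
            if run_length == 0:
                run_start = w.index
            run_length += 1
            if run_length >= WINDOWS_TO_FLAG:
                return "suspicious", run_start
        else:
            run_length = 0
            run_start = None
    return "benign", None


# Constructed sample sessions (index, keystrokes, clicks, file_writes, net_conns).
# Benign: a user editing documents; window 3 is an autosave burst with the user present.
BENIGN_SESSION = [
    Window(0, 35, 3, 4, 2),
    Window(1, 48, 2, 6, 1),
    Window(2, 52, 4, 5, 3),
    Window(3, 40, 3, 60, 2),
    Window(4, 44, 2, 7, 1),
]

# Ransomware-like: one click launches the sample, then no user input while
# hundreds of files are rewritten and a few connections go out.
RANSOMWARE_SESSION = [
    Window(0, 0, 1, 2, 5),
    Window(1, 0, 0, 410, 2),
    Window(2, 0, 0, 455, 1),
    Window(3, 0, 0, 398, 2),
]


if __name__ == "__main__":
    for name, session in (("benign", BENIGN_SESSION), ("ransomware", RANSOMWARE_SESSION)):
        verdict, first = classify(session)
        print(f"{name}: {verdict}" + (f" (misalignment from window {first})" if first is not None else ""))
```

The per-window booleans from `is_misaligned` are what a time series graph of the kind the report describes would overlay on the raw sensor counts; the session verdict is only a convenience for batch review.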

  • This report represents the work of one or more WPI undergraduate students submitted to the faculty as evidence of completion of a degree requirement. WPI routinely publishes these reports on its website without editorial or peer review.
Identifier
  • 118968
  • E-project-031924-180534
Year
  • 2024
Date created
  • 2024-03-19
Source
  • E-project-031924-180534

Permanent link to this page: https://digital.wpi.edu/show/g445cj32b