WPI - Computer Science Department, MS Thesis Presentation, Adam Beauchaine "A Foundation for Orchestrating Multiple Security Environments in Endpoint Systems"
10:00 am to 11:00 am
Adam Beauchaine
MS Student
WPI – Computer Science Department
Monday, April 22, 2024
Time: 10:00 a.m. – 11:00 a.m
Location: Fuller Labs 234
Advisor: Prof. Craig Shue
Reader: Prof. Jun Dai
Abstract:
The technologies behind the virtualization and isolation of execution environments have become widespread,
leading to their usage in cloud computing environments and software containerization scenarios. In both
instances, these technologies combat a number of modern security threats. Despite these use cases, isolation-
centric systems have seen limited deployment on modern endpoint devices, even in instances where prior
research has noted such systems would benefit greatly through their implementation. There are several
reasons for this lack of adoption. Isolation-centric, or “multi-environment“ systems require burdensome
mandatory access controls to define and delineate asset security levels and their corresponding security
environments. This is often done through laborious manual generation of security metadata. Additionally,
existing tools that allow the user to engage with isolation on endpoint devices are not widely employed in
the context of enterprise workflows, and their usage remains largely restricted to technical specialists. In this
thesis, we aim to address these important challenges to create a strong technical and procedural foundation
for the usage of isolation-centric security in modern endpoint devices.
We explore the challenges of access control complexity in isolation-centric systems. Our work proposes
the usage of unsupervised learning as a labeling mechanism for assigning data assets to security groups. Our
approach leverages a combination of UI context data gathered from an endpoint device, as well as on-screen
natural language data associated with a given asset. We compare our approach with offline strategies for
security labeling. Moreover, we address the usability challenges associated with isolation tools on endpoint
devices. We conduct classical usability modeling of hypervisors and containerization software using our
own tool independent workflow. Our results serve as an analytical usability framework for these tools. We
use these results in the construction of a novel tool design that improves upon prior best performers in all
measured categories. We introduce a fusion of these components through the notion of system sandboxing as
a means of addressing uncertainties in unsupervised learning output. Our results show promise in addressing
the most impactful challenges for the usage of multi-environment systems in endpoint devices.