WPI Computer Scientist Developing New Technology to “Contain” Hackers’ Attacks

Shue’s approach uses a technology called “containerization” that will be invisible to end users, but will change how they interact with search engines, news sites, online stores, and other types of websites. Instead of being given direct access to an actual webserver, as happens now, each user will interact with a temporary copy, or instance, of the server. When the session ends, that copy will be destroyed.

In essence, each web session will be isolated within its own container. If a user exploits a vulnerability and attacks the webserver by deploying a malware program, that program will disappear along with the container. Since the actual web server will not be infected, no other users will be harmed.

Shue said his technology will eliminate the vulnerabilities inherent in the current way websites operate, with every user having direct access and interaction with the web servers and software. Under a traditional setup, if hackers were to take advantage of a bug in that software, they could embed malware that could attack every subsequent visitor to that website. And for major sites, that could mean hundreds of thousands of users would be vulnerable.

“It will change how interactions happen on the back end, whether people are getting news or ordering sneakers online,” he said. “We assume software will probably never be bug-free, so let’s just accept that and create better security with these little containers. Nothing will look different to end users but they’ll be safer and the websites will be safer. With more than three billion people using the Internet, many of whom interact with user-facing servers multiple times a day, the project's outcome can broadly impact society's computer security.”

In addition to isolating individual users, Shue is designing the containers so they can offer tailored permissions to each user, allowing websites to have fine-grained control over which services and backend resources each user can access. For example, an e-commerce site could assign buyers and sellers containers with different permissions. Only sellers would be able to access data about inventories, for instance. To do this, Shue is exploring a range of technologies, including Kerberos-style authentication, a computer network authentication protocol that helps communicating nodes prove their identity.

The containers also are being designed to automatically detect hacking attempts and malware infections. Once tampering is detected, the containers will save and log all inputs and outputs to help administrators figure out how the attack was launched and what vulnerability was exploited.

Shue is collaborating with Timothy Wood, an associate professor at George Washington University. Using memory optimization techniques, Wood has created a system called Flurries that can rapidly spawn thousands of new containers per second. Flurries will enable the deployment of containers to be scaled up to the degree needed by major news and commerce websites, Shue said.

Shue’s focus is managing the network communications that will enable the system to create and communicate with each individual container; he will also set up the fine-grained permissions and develop the compromise-detection methodology. He’ll be using technologies like OpenFlow, a communication protocol, and Open vSwitch, an open-source implementation of a distributed virtual multilayer switch, while also working to advance current forensic collection measures.