The Role Of Modeling And Simulation In Developing Secure Computing Environments

Simulating the operation of a computer’s applications can provide models of the computations, which can be used to detect malware. The need for a new approach to detecting malware arises from both the power and stealth of the current threat. In the last decade, attackers have shifted to using complex, multi-phase attacks based on subtle social engineering tactics coupled with advanced cryptographic techniques to prevent analysis and to execute highly targeted attacks against specific system components. Furthermore, these attacks are, to all intents and purposes, imperceptible to current technical defenses and detection technologies. There is every reason to expect that the sophistication of the cyber attacks and the technologies employed will increase and that the cyber attacker will continue to retain a decisive advantage. We believe that a new approach to cyber defense is needed and should not be dependant upon detecting malware at the system boundary or when malware begins to execute but should exploit virtualization technology to the maximum extent possible to detect and contain malware. Virtualization can be used at each CPU in the computer to permit monitoring of the computations at the CPU and to examine all of the data entering and leaving the CPU; thereby allowing us to determine if the CPU has been subverted and is executing malware. Simulation is crucial to the success of this approach because it is only by using simulation that computational models for each CPU and data flow models for each CPU can be developed. In this paper, we describe our approach to using virtualization to secure a computer, the role of simulation in our approach, and a description of our virtualization-based model architecture.