Title :
A security architecture for information assurance and availability in MANETs
Author :
Stavrou, Angelos ; Ghosh, Anup K.
Author_Institution :
Dept. of Comput. Sci., George Mason Univ., Fairfax, VA
Abstract :
Currently, end-to-end protection architectures, including pervasive ones such as the Internet Protocol suite, typically focus on protecting network availability while ignoring the end-system host. Unfortunately, this leaves the overall system open to attacks against its availability and information assurance, including host-based denial-of-service attacks and data exfiltration. In MANETs, such attacks become even more debilitating because each node has a dual role, acting both as a source and as a router. To address such attacks, we extend the protection beyond the network to encompass the host end-system platform. By isolating each application running on the end hosts, we extend our ability to scalably and effectively enforce policies beyond network communications to memory, file I/O, and inter-application communications. However, the functions are not merely those of a separation kernel, as applications must interact with the underlying host OS and other applications whenever permitted by policy. A direct implication of our architecture is that the realization of an end-to-end security protection system must include specific security mechanisms on the host that are able to isolate services and regulate their resources. Our approach exploits the complementary strengths of four well-known components: lightweight virtualization, kernel-level resource management, mandatory access control (MAC) frameworks, and stackable file systems. These mechanisms are available in many off-the-shelf systems. Finally, we show that our system does not incur significant resource overhead or performance degradation, making it appropriate for real-time applications on resource-constrained platforms.
Keywords :
access protocols; ad hoc networks; mobile radio; telecommunication security; Internet protocol suite; MANET; beyond network communications; data exfiltration; end-to-end protection architectures; host-based denial of service attacks; information assurance; information availability; kernel-level resource management; lightweight virtualization; mandatory access control frameworks; network encompassing; security architecture; stackable file systems; Availability; Communication system security; Computer crime; IP networks; Information security; Kernel; Protection; Protocols; Resource management; Visualization;
Conference_Title :
Military Communications Conference, 2008. MILCOM 2008. IEEE
Conference_Location :
San Diego, CA
Print_ISBN :
978-1-4244-2676-8
Electronic_ISBN :
978-1-4244-2677-5
DOI :
10.1109/MILCOM.2008.4753173