LARIAT - Lincoln Adaptable Real-time Information Assurance Testbed

Staff members use the Lincoln Adaptable Real-time Information Assurance Testbed (LARIAT) to evaluate the effectiveness of cyber defense techniques.



LARIAT, the Lincoln Adaptable Real-time Information Assurance Testbed, can emulate networks of anywhere from one to one million physical hosts and model users performing real tasks with real application software, whether checking e-mail and browsing the web or operating military sensors and weapon systems. The application-level focus allows for the evaluation of attacks on and defenses of both network- and host-based systems. LARIAT provides fully air-gapped Internet emulation, allowing evaluation on complex, realistic networks with realistic user behaviors.


K0ALA, our KVM-based Zero (0) Artifact LARIAT Agent, enables us to actuate software that is not easily scriptable, such as embedded software in military weapon-system consoles and situational awareness displays, or software that employs anti-tamper (DRM or "anti-cheat") features, like digital storefronts and Xboxes. We do this using a combination of physical button-presses and emulated keyboard and mouse input based on real-time image-recognition of the captured video output from the display of the system under test. This enables us to actuate a system without placing any code on the system under test. Using K0ALA, we have successfully demonstrated a "bot" that plays Halo: Reach on an Xbox 360, without in any way tampering with the Xbox 360's hardware or software. K0ALA's associated tools, K0ALA Script and K0ALA Studio, make it easy to create complex, reactive actuations. In addition to enabling the actuation of closed software, K0ALA enables us to test software that may change its behavior if it senses that it is being observed in a testing environment, such as some malware. K0ALA leaves no footprint on the system under test, and it cannot be disabled or subverted by software running on that system.


GOSMR, or Goal-Oriented Scenario Modeling Robots, is used to produce highly complex test scenarios. GOSMR (pronounced "gossamer") is an artificial intelligence (AI) framework for emulating human behavior on a cyber test range. Traditional user emulations employ simple Markov chain models of human behavior. GOSMR models human behavior using techniques borrowed from research in economics and behavioral decision making. GOSMR robots have goals, the satisfaction of which yields rewards, and the robots employ decidedly sub-optimal (but human-like) strategies, such as hyperbolic discounting, to achieve their goals. As an example, GOSMR robots faithfully emulate the human tendency to put off doing unpleasant work until closer to the time that work is due, even though this behavior is inefficient, strictly speaking.
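The procrastination effect described above can be reproduced with a few lines of simulation; this is an added example, not GOSMR code. It compares a naive hyperbolic discounter with a time-consistent exponential one on a single unpleasant task whose effort grows each day it is put off. The effort model, the parameter values and all function names are assumptions chosen for illustration.

```python
from typing import Callable, List, Tuple

Discount = Callable[[int], float]  # weight given to something `delay` days away

def hyperbolic(k: float) -> Discount:
    # Hyperbolic discounting: weight 1 / (1 + k * delay).
    return lambda delay: 1.0 / (1.0 + k * delay)

def exponential(delta: float) -> Discount:
    # Exponential discounting: weight delta ** delay (time-consistent).
    return lambda delay: delta ** delay

def effort(day: int, base: float = 10.0, growth: float = 1.15) -> float:
    # Assumed cost model: the task gets 15% more painful each day it is deferred.
    return base * growth ** day

def planned_day(today: int, deadline: int, discount: Discount) -> int:
    # Day that looks cheapest from today's point of view.
    return min(range(today, deadline + 1),
               key=lambda s: effort(s) * discount(s - today))

def simulate(deadline: int, discount: Discount) -> Tuple[int, List[int]]:
    # Naive agent: re-plans every morning and works only if the plan says "today".
    plans: List[int] = []
    for today in range(deadline + 1):
        plan = planned_day(today, deadline, discount)
        plans.append(plan)
        if plan == today:
            return today, plans
    raise AssertionError("unreachable: on the deadline the only choice is today")

if __name__ == "__main__":
    for name, disc in (("hyperbolic k=1.0", hyperbolic(1.0)),
                       ("exponential delta=0.95", exponential(0.95))):
        done, plans = simulate(10, disc)
        print(f"{name}: plans per day {plans}, done on day {done}, "
              f"effort paid {effort(done):.1f}")
```

The hyperbolic agent's plan slips by one day every morning until the deadline forces the work, while the exponential agent never revises its plan; a Markov chain with fixed transition probabilities has no deadline-dependent state to produce that drift.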


LO-PHI—Low-Observable Physical Host Instrumentation—consists of a suite of physical sensors and high-speed data processors that can read transactions from the various buses and pull data structures directly out of the memory of a system under test while introducing minimal detectable artifacts. Software on an accompanying analysis workstation then analyzes the data to reproduce kernel process tables, disk transactions, etc. Even the most sophisticated rootkits cannot hide from LO-PHI! Challenges to continuing this line of work include miniaturizing and reducing the cost of the sensors, processing, and analysis, to enable more routine instrumentation of massive numbers of host computers.