Fundamental Concepts of Dependability [Avizienis, Laprie & Randell 2001] MAFTIA: FTI Dependability: Basic Concepts and Terminology a European project for [Laprie 1992] Intrusion-tolerant data processing dependable Internet applications [Fabre, Deswarte & Randell 1994] despite intrusions Intrusion-tolerant security server [Deswarte, Blain & Fabre 1991] and accidental faults Secure systems from insecure components [Dobson & Randell 1986] Intrusion-tolerant file system [Fraga & Powell 1985] David Powell Yves Deswarte Dependability as a generic concept LAAS-CNRS [Laprie 1985] Toulouse, France deswarte@laas.fr MAFTIA Industrial Advisory Board � Andrew Izon (North Durham NHS Trust, GB) IST Dependability Initiative � Jean-Claude Lebraud (Rockwell-Collins, F) Cross Program Action 2 Dependability in services and technologies � Derek Long (CISA Ltd., GB) � Joachim Posegga (SAP Systems, D) � Malicious- and Accidental-Fault Tolerance for Internet Applications � Carlos Quintas (Easyphone, P) � Gilles Trouessin (Ernst & Young Audit, F) University of Newcastle (UK) Brian Randell, Robert Stroud University of Lisbon (P) Paulo Verissimo � Gritta Wolf (Credit Suisse, CH) DERA, Malvern (UK) Tom McCutcheon, Colin O’Halloran University of Saarland (D) Birgit Pfitzmann LAAS-CNRS, Toulouse (F) Yves Deswarte, David Powell IBM Research, Zurich (CH) Marc Dacier, Michael Waidner c. 55 man-years, EU funding c. 2.5M€ Jan. 2000 -> Dec. 2002
Objectives Authorisaton � Contributes to protection: � Architectural framework and conceptual model (WP1) o Error detection/confinement o Intrusion prevention/confinement � Mechanisms and protocols: o dependable middleware (WP2) � For Internet applications: o large scale intrusion detection systems (WP3) o More flexible than “client-server” paradigm o dependable trusted third parties (WP4) o Contributes to privacy: o distributed authorization mechanisms (WP5) personal information is disclosed only on a ”need- � Validation and assessment techniques (WP6) to-know” basis Dependability The Dependability Tree � Trustworthiness of a computer system such that reliance can justifiably be placed on the Security Availability Reliability service it delivers Safety Attributes Confidentiality Integrity Maintainability Fault Error Dependability Impairments Failure J.-C. Laprie (Ed.) , Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese , Fault Prevention 265p., ISBN 3-211-82296-8, Springer-Verlag, Fault Tolerance 1992. Methods Fault Removal Fault Forecasting
The Dependability Tree Are these attributes sufficient? Availability Availability Availability Reliability Reliability Reliability w.r.t. Safety Safety Safety author- Attributes Confidentiality Confidentiality Attributes Confidentiality ized Integrity Integrity Integrity actions Maintainability Maintainability Maintainability Fault Fault Security Error Error Dependability Impairments Dependability Impairments Failure Failure Fault Prevention Fault Prevention Fault Tolerance Fault Tolerance Methods Methods Fault Removal Fault Removal Fault Forecasting Fault Forecasting Security Properties Security Properties Availability Availability Privacy Privacy Privacy Anonymity Anonymity Anonymity Integrity Integrity Secrecy Secrecy Secrecy Authenticity Authenticity Authenticity Non-repudiability Non-repudiability Non-repudiability Accountability Accountability Accountability Confidentiality Confidentiality Irrefutability Irrefutability Irrefutability Auditability Auditability Auditability Imputability Imputability Imputability Traceability Tracability Tracability Opposability Opposability Opposability
Security Properties The Dependability Tree � Confidentiality Information � Integrity of Availability Reliability Meta-information Safety � Availability Attributes Confidentiality Integrity Maintainability Security • existence of operation Accountability A+I Fault • identity of person Anonymity C Error Dependability Impairments • personal data Failure Privacy C • message content Authenticity I Fault Prevention • message origin Fault Tolerance Non-repudiation A+I Methods • sender, receiver identity Fault Removal Fault Forecasting Fault, Error & Failure Example: Single Event Latchup SELs (reversible stuck-at faults) may occur because of radiation (e.g., cosmic ray, high energy ions) adjuged or H/W fault Intrusion Attack Bug Fault hypothesized cause of an error Error Error that part of system state which Lack of may lead to a failure shielding Cosmic Vulnerability SEL Ray Internal, Internal, External dormant fault active fault Internal, fault externally-induced fault Failure Failure occurs when delivered service deviates from implementing the system function Satellite on-board computer
Intrusions Who are the intruders? Intrusions result from (at least partially) successful attacks: � Authentication 1: Outsider � Authorization � Authentication account with 2: User default password � Authorization Vulnerability Attack Intrusion External Internal, Internal, fault � Authentication dormant fault Internal, active fault 3: Privileged externally-induced � Authorization User fault Computing System Insiders or Outsiders ? Outsiders vs Insiders � 01 Informatique 1998 � Outsider: not authorized to perform any of Outsider: not authorized to perform any of � 1200 companies in 32 countries specified object-operations specified object-operations � 66% experienced fraud in last 12 months � Insider: authorized to perform some of • 85% by company employees specified object-operations � Computer Crime and Security Survey 2001 (Computer Security Institute and the FBI) http://www.gocsi.com/prelea_000321.htm outsider intrusion � 91% of respondent reported employee abuse of Internet (unauthorized increase in privilege) (79% in 2000) � but decreasing proportion of disgruntled employees: 76% (82% in 2000) � 70% cite Internet as a frequent point of attack (59%) D: an object- A: privilege B: privilege operation domain of user a of user b insider intrusion (abuse of privilege)
The Dependability Tree Fault Tolerance Availability Fault Reliability Safety Attributes Confidentiality Integrity Maintainability Fault Treatment Fault Treatment Fault Treatment Error Error Fault Diagnosis Diagnosis Diagnosis Error Dependability Impairments Isolation Isolation Isolation Failure Reconfiguration Reconfiguration Reconfiguration Error Processing Error Processing Security Fault Prevention Damage assessment Damage assessment Fault Tolerance Detection & Recovery Detection & Recovery Methods Fault Removal Fault Forecasting Failure Failure Error Processing Error Processing (wrt intrusions) Backward recovery � Error (security policy violation) detection 1 2 3 o + Backward recovery (availability, integrity) o + Forward recovery (availability, confidentiality) � Intrusion masking 3 4 5 6 7 o Fragmentation (confidentiality) Forward recovery o Redundancy (availability, integrity) o Scattering 1 2 3 11 12 13 Compensation-based recovery (fault masking) 1 2 3 4 5 6 7 1 2 3 4 5 6 7
Intrusion Masking Different kinds of scattering Intrusion into a part of the system should give access only to non-significant information � Space: use different transmission links and different storage sites FRS: Fragmentation-Redundancy-Scattering � Time: mix fragments (from the same source, from � Fragmentation: split the data into fragments so that different sources, with jamming) isolated fragments contain no significant information: confidentiality � Frequency: use different carrier frequencies (spread-spectrum) � Redundancy: add redundancy so that fragment modification or destruction would not impede � Privilege: require the co-operation of differently legitimate access: integrity + availability privileged entities to realise an operation (separation of duty, secret sharing) � Scattering: isolate individual fragments Prototype FRSed File Server [Blain & Deswarte 1994] Fragmentation Replication Scattering Smartcard User Sites Application Windows Key Shadows Networks Security Storage Sites Sites . . [Deswarte et al. 1991] . . . . File Fragment [Fraga & Powell 1985] [Fray et al. 1986] File Fragments Data Processing Sites User Site Multicast Network Application Fragment [Fabre et al. 1994] Storage Sites
File Fragmentation FRSed Security Management Enciphering Distribution Pagination nonce 1. Authentication & access requests Security Server P1 P1 2. Tickets sign. Security Security Security Site Site Site 2. Tickets Key P2 Ciphered Fragments Page 3. Access Server Server Server P3 Fragment name := OWHF(file name, page #, frgt #,key) SERVERS • No single trusted site or administrator P4 • Global trust in a majority of security sites Padding (and administrators) Pages File Authentication Authorization 3. Global Decision Fi l e AC L Ke y name sha d ow Security Server Security Security Security Security Security Security Site Site Site Site Site Site 2. Local Authentication 2. Global 1. Request Decision to open a 4. Session key session distribution 3. tickets CP8 Secured Servers 4. direct access 1. Smartcard Activation
Recommend
More recommend
