Panel on Intrusion Tolerance RAID 2001 UC Davis October 11, 2001 Participants Crispin Cowan, WireX Communications Andreas Wespi, IBM Zurich Research Lab. Al Valdes, SRI International Dan Schnackenberg, Boeing Phantom Works


  1. Panel on Intrusion Tolerance, RAID 2001, UC Davis, October 11, 2001

  2. Participants
     - Crispin Cowan, WireX Communications
     - Andreas Wespi, IBM Zurich Research Lab.
     - Al Valdes, SRI International
     - Dan Schnackenberg, Boeing Phantom Works
     - Moderator: Yves Deswarte

  3. On Dependability, Intrusion Tolerance, and the MAFTIA project
     David Powell, Yves Deswarte
     LAAS-CNRS, Toulouse, France
     deswarte@laas.fr

  4. Dependability
     - Trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers
     J.-C. Laprie (Ed.), Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag, 1992.

  5. Fault, Error & Failure (diagram)
     - Fault: adjudged or hypothesized cause of an error (examples in the figure: H/W fault, bug, intrusion; an attack leads to an intrusion)
     - Error: that part of system state which may lead to a failure
     - Failure: occurs when delivered service deviates from implementing the system function

  6. Example: Single Event Latchup (diagram)
     SELs (reversible stuck-at faults) may occur because of radiation (e.g., cosmic ray, high energy ions).
     Fault chain in a satellite on-board computer:
     - Lack of shielding = vulnerability: internal, dormant fault
     - Cosmic ray: external fault
     - SEL: internal, active, externally-induced fault

  7. Intrusions (diagram)
     Intrusions result from (at least partially) successful attacks.
     Fault chain in a computing system:
     - Vulnerability (e.g., account with default password): internal, dormant fault
     - Attack: external fault
     - Intrusion: internal, active, externally-induced fault

  8. Fault Tolerance (diagram)
     Fault -> Error -> Failure
     - Error Processing: Detection, Damage assessment, Recovery
     - Fault Treatment: Diagnosis, Isolation, Reconfiguration

  9. Error Detection (1)
     - Likelihood checking
       - by hardware:
         - inexistent or forbidden address, instruction, command...
         - watchdogs
         - error detection code (e.g., parity)
       - by software (OS or application) = verify properties on:
         - values (absolute, relative, intervals)
         - formats and types
         - events (instants, delays, sequences)
       - Signatures (error detection code)

  10. Error Detection (2)
     - Comparison between replicates
       - Assumption: a unique fault generates different errors on different replicates
         - internal hardware fault: identical copies
         - external hardware fault: similar copies
         - design fault / interaction fault: diversified copies
       - On-line model checking
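The likelihood checks of slide 9 and the comparison between replicates of slide 10, as an added example that is not code from the deck or from the MAFTIA project: a constructed stream of sensor readings is verified against value (absolute and relative), format/type and event (sequence, delay) properties, and three diversified implementations of one computation are compared by majority vote, with a fault injected into one copy. The Reading fields, their admissible intervals and the Fahrenheit conversion are assumptions chosen for the illustration.

```python
"""Likelihood checking and comparison between replicates (error detection).

Added example, not code from the slides: a stream of sensor readings is
checked against properties it must satisfy (values, formats and types,
events), and a computation is run on diversified replicates whose outputs
are compared by majority. All sample values are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Reading:
    sensor_id: str   # expected format: 'T' followed by two digits, e.g. 'T07'
    celsius: float   # plausible interval for this (constructed) application: -50 .. 150
    seq: int         # event sequence number, must increase by exactly 1
    ts_ms: int       # arrival time; inter-arrival delay must be 0 .. 2000 ms


def likelihood_check(prev: Optional[Reading], cur: Reading) -> List[str]:
    """Return the names of the violated properties; an empty list means the reading is plausible."""
    errors = []
    # format check
    sid = cur.sensor_id
    if not (len(sid) == 3 and sid[0] == "T" and sid[1:].isdigit()):
        errors.append("format: sensor_id")
    # type check, then absolute value check against the admissible interval
    if not isinstance(cur.celsius, (int, float)) or isinstance(cur.celsius, bool):
        errors.append("type: celsius")
    elif not -50.0 <= cur.celsius <= 150.0:
        errors.append("value: celsius out of interval")
    if prev is not None:
        # relative value check: consecutive readings must not differ by more than 20 degrees
        if isinstance(cur.celsius, (int, float)) and abs(cur.celsius - prev.celsius) > 20.0:
            errors.append("value: implausible jump")
        # event checks: sequence numbers and inter-arrival delay
        if cur.seq != prev.seq + 1:
            errors.append("event: sequence")
        if not 0 <= cur.ts_ms - prev.ts_ms <= 2000:
            errors.append("event: delay")
    return errors


def compare_replicates(results: List[float], tolerance: float = 0.0) -> Tuple[bool, Optional[float]]:
    """Majority comparison between replicate outputs.

    Identical copies (internal hardware fault hypothesis) must agree exactly (tolerance 0);
    similar or diversified copies may legitimately differ by rounding, hence the tolerance.
    Returns (agreement reached, voted value)."""
    best_value, best_votes = None, 0
    for candidate in results:
        votes = sum(1 for r in results if abs(r - candidate) <= tolerance)
        if votes > best_votes:
            best_value, best_votes = candidate, votes
    if best_votes * 2 > len(results):
        return True, best_value
    return False, None


# Three diversified implementations of the same function (design-fault hypothesis:
# independently written code is unlikely to fail identically on the same input).
def _f1(c: float) -> float:
    return c * 9.0 / 5.0 + 32.0


def _f2(c: float) -> float:
    return c * 1.8 + 32.0


def _f3(c: float) -> float:
    return (c * 9.0 + 160.0) / 5.0


def diversified_fahrenheit(celsius: float, faulty_replica: Optional[int] = None) -> Tuple[bool, Optional[float]]:
    """Run the diversified replicas and vote; faulty_replica injects a constructed error into one copy."""
    outputs = [f(celsius) for f in (_f1, _f2, _f3)]
    if faulty_replica is not None:
        outputs[faulty_replica] = outputs[faulty_replica] + 100.0   # constructed design fault
    return compare_replicates(outputs, tolerance=1e-9)


if __name__ == "__main__":
    stream = [Reading("T07", 21.5, 1, 1000), Reading("T07", 22.0, 2, 2000),
              Reading("T07", 95.0, 3, 9000), Reading("T7", 23.0, 5, 9500)]
    for prev, cur in zip([None] + stream, stream):
        print(cur, likelihood_check(prev, cur))
    print(diversified_fahrenheit(100.0), diversified_fahrenheit(100.0, faulty_replica=1))
```

The two detectors make different assumptions, as slide 10 notes: a likelihood check needs a specification of what is plausible, while comparison needs replicates that do not fail identically, which is why the three conversions are written differently rather than copied.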

  11. Error Recovery (diagram)
     - Backward recovery: the system is brought back to a previously saved correct state and resumes from there: 1 2 3 [error] 3 4 5 6 7
     - Forward recovery: the system is moved to a new, error-free state from which it can continue: 1 2 3 [error] 11 12 13
     - Compensation-based recovery (fault masking): the erroneous state contains enough redundancy to deliver correct service without interruption: 1 2 3 4 5 6 7 (redundant copies 1 2 3 / 4 5 6 7)
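The three recovery patterns of the Error Recovery slide, as an added example that is not the deck's own code: a constructed process whose correct state sequence is 1, 2, 3, ... has the transition out of state 3 corrupted, and each strategy returns the trace of states it visits, matching the slide's figures (1 2 3 3 4 5 6 7 for backward recovery, 1 2 3 11 12 13 for forward recovery, an uninterrupted 1 .. 7 with one masked error for compensation). The Process class, the likelihood check used for detection, the safe states 11-13 and the retry limit are assumptions.

```python
"""Backward, forward and compensation-based error recovery.

Added example, not code from the slides: a constructed process whose correct
behaviour is the state sequence 1, 2, 3, ... is run under a fault injected on
the transition out of state 3, and each recovery strategy produces a trace of
states comparable to the slide's figure. A likelihood check on the transition
(the only admissible successor is state + 1) supplies the error detection.
"""
from collections import Counter
from typing import List, Optional, Tuple


class Process:
    """Constructed process: the correct next state is state + 1.

    faulty_from: state whose outgoing transition is corrupted.
    transient:   if True the fault strikes only the first time that transition is attempted.
    """

    def __init__(self, faulty_from: Optional[int] = None, transient: bool = True):
        self.faulty_from = faulty_from
        self.transient = transient
        self._fired = False

    def step(self, state: int) -> int:
        if state == self.faulty_from and not (self.transient and self._fired):
            self._fired = True
            return state * 11          # erroneous state, e.g. 3 -> 33
        return state + 1


def plausible(prev: int, cur: int) -> bool:
    """Likelihood check on a transition: the only admissible successor is prev + 1."""
    return cur == prev + 1


def backward_recovery(proc: Process, final: int = 7, max_retries: int = 3) -> List[int]:
    """Roll back to the last checkpoint and re-execute when an error is detected."""
    state, trace, retries = 1, [1], 0
    while state < final:
        checkpoint = state                     # recovery point saved before each step
        candidate = proc.step(state)
        if not plausible(checkpoint, candidate):
            retries += 1
            if retries > max_retries:          # a permanent fault would otherwise loop forever
                raise RuntimeError("backward recovery exhausted its retries")
            state = checkpoint                 # restore the checkpoint: 1 2 3 3 4 ...
            trace.append(state)
            continue
        retries = 0
        state = candidate
        trace.append(state)
    return trace


def forward_recovery(proc: Process, final: int = 7,
                     safe_states: Tuple[int, ...] = (11, 12, 13)) -> List[int]:
    """Abandon the corrupted state and move to a predefined error-free (degraded) state."""
    state, trace = 1, [1]
    while state < final:
        candidate = proc.step(state)
        if not plausible(state, candidate):
            trace.extend(safe_states)          # 1 2 3 11 12 13
            return trace
        state = candidate
        trace.append(state)
    return trace


def compensation(replicas: List[Process], final: int = 7) -> Tuple[List[int], int]:
    """Run replicas in lockstep and vote each state; a minority of erroneous outputs is masked."""
    state, trace, masked = 1, [1], 0
    while state < final:
        outputs = [p.step(state) for p in replicas]
        value, votes = Counter(outputs).most_common(1)[0]
        if votes * 2 <= len(outputs):
            raise RuntimeError("no majority: more errors than the redundancy can mask")
        if votes < len(outputs):
            masked += 1                        # an erroneous replica output was outvoted
        state = value
        trace.append(state)
    return trace, masked


if __name__ == "__main__":
    print("backward:", backward_recovery(Process(faulty_from=3)))
    print("forward: ", forward_recovery(Process(faulty_from=3)))
    print("masking: ", compensation([Process(), Process(faulty_from=3), Process()]))
```

Backward recovery only helps against faults that do not recur on re-execution, hence the retry limit; forward recovery needs a state known to be safe to jump to; compensation costs replicas at run time but delivers service without interruption, which is the property slide 12 relies on for intrusion masking.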

  12. Error Processing (wrt intrusions)
     - Error detection
       - + Backward recovery (availability, integrity)
       - + Forward recovery (availability, confidentiality)
     - Intrusion masking
       - Fragmentation (confidentiality)
       - Redundancy (availability, integrity)
       - Scattering

  13. Intrusion Masking
     Intrusion into a part of the system should give access only to non-significant information.
     FRS: Fragmentation-Redundancy-Scattering
     - Fragmentation: split the data into fragments so that isolated fragments contain no significant information: confidentiality
     - Redundancy: add redundancy so that fragment modification or destruction would not impede legitimate access: integrity + availability
     - Scattering: isolate individual fragments
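The three FRS properties of slide 13, as an added example that is not code from the deck or from the MAFTIA project: fragmentation and redundancy are realised here with a (k, n) threshold secret-sharing scheme (Shamir's scheme over GF(257), one share element per byte), which is one of several ways to meet the slide's requirements and is a choice made for this illustration, not the technique the slide prescribes. Any k fragments rebuild the data (redundancy against destruction), fewer than k fragments carry no information about it (fragmentation), fragments are placed on distinct sites (scattering), and a digest kept by the legitimate user lets a fragment modified on an intruded site be bypassed. Site names and the sample data are constructed.

```python
"""Fragmentation-Redundancy-Scattering (FRS) with a (k, n) threshold scheme.

Added example, not from the slides or the MAFTIA project. Shamir's scheme over
GF(257) is used as one possible realisation of fragmentation + redundancy.
"""
import hashlib
import secrets
from itertools import combinations
from typing import Dict, List, Tuple

P = 257                                    # smallest prime above one byte's range
Fragment = Tuple[int, List[int]]           # (x coordinate, one share element per byte)


def _poly_at(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial with the given coefficients at x in GF(P) (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def fragment(data: bytes, n: int, k: int) -> List[Fragment]:
    """Split data into n fragments of which any k suffice; fewer than k reveal nothing."""
    if not 1 < k <= n < P:
        raise ValueError("need 1 < k <= n < 257")
    frags: List[Fragment] = [(x, []) for x in range(1, n + 1)]
    for byte in data:
        # constant term is the secret byte; the other k-1 coefficients are random
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x, values in frags:
            values.append(_poly_at(coeffs, x))
    return frags


def reassemble(frags: List[Fragment], k: int) -> bytes:
    """Recover the data from k fragments by Lagrange interpolation at x = 0."""
    if len(frags) < k:
        raise ValueError("not enough fragments")
    use = frags[:k]
    xs = [x for x, _ in use]
    out = bytearray()
    for i in range(len(use[0][1])):
        total = 0
        for j, (xj, values) in enumerate(use):
            num, den = 1, 1
            for m, xm in enumerate(xs):
                if m != j:
                    num = num * (-xm) % P
                    den = den * (xj - xm) % P
            total = (total + values[i] * num * pow(den, P - 2, P)) % P
        if total > 255:                        # cannot be a byte: some fragment was modified
            raise ValueError("corrupt fragment")
        out.append(total)
    return bytes(out)


def scatter(frags: List[Fragment], sites: List[str]) -> Dict[str, Fragment]:
    """Place each fragment on a distinct site so an intruded site holds at most one fragment."""
    if len(sites) < len(frags):
        raise ValueError("scattering needs at least one site per fragment")
    return dict(zip(sites, frags))


def digest_of(data: bytes) -> bytes:
    """Integrity reference kept by the legitimate user, not stored with the fragments."""
    return hashlib.sha256(data).digest()


def reassemble_verified(frags: List[Fragment], k: int, digest: bytes) -> bytes:
    """Try k-subsets of the collected fragments until one reproduces the stored digest.

    This tolerates fragments modified on an intruded site, not only destroyed ones."""
    for subset in combinations(frags, k):
        try:
            candidate = reassemble(list(subset), k)
        except ValueError:
            continue
        if digest_of(candidate) == digest:
            return candidate
    raise ValueError("no k fragments reconstruct data matching the digest")


if __name__ == "__main__":
    data = b"on-board secret"                                   # constructed sample data
    frags = fragment(data, n=5, k=3)
    placed = scatter(frags, ["site-A", "site-B", "site-C", "site-D", "site-E"])  # constructed sites
    # site-E lost (destruction), site-A intruded and its fragment modified
    tampered = (placed["site-A"][0], [(v + 1) % P for v in placed["site-A"][1]])
    collected = [tampered, placed["site-B"], placed["site-C"], placed["site-D"]]
    print(reassemble_verified(collected, 3, digest_of(data)) == data)
```

With n = 5 and k = 3 the scheme survives the loss of any two sites, and an intruder holding one or two fragments learns nothing about the data, because every (k-1)-subset of shares is uniformly distributed whatever the secret byte is. The threshold scheme alone does not detect modification; the digest check in reassemble_verified is what turns a tampered fragment from a wrong answer into a skipped one.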

  14. Fault Tolerance (same diagram as slide 8: Fault -> Error -> Failure; Error Processing: Detection, Damage assessment, Recovery; Fault Treatment: Diagnosis, Isolation, Reconfiguration)

  15. Fault Treatment (wrt intrusions)
     - Diagnosis
       - Non-malicious or malicious (intrusion)
       - Attack (to allow retaliation)
       - Vulnerability (to allow removal = maintenance)
     - Isolation
       - Intrusion (to prevent further penetration)
       - Vulnerability (to prevent further intrusion)
     - Reconfiguration
       - Contingency plan to degrade/restore service
         - inc. attack retaliation, vulnerability removal

  16. MAFTIA: Malicious- and Accidental-Fault Tolerance for Internet Applications
     IST Dependability Initiative, Cross Program Action 2: Dependability in services and technologies
     - University of Newcastle (UK): Brian Randell, Robert Stroud
     - University of Lisbon (P): Paulo Verissimo
     - DSTL, Malvern (UK): Tom McCutcheon, Colin O'Halloran
     - University of Saarland (D): Birgit Pfitzmann
     - LAAS-CNRS, Toulouse (F): Yves Deswarte, David Powell
     - IBM Research, Zurich (CH): Marc Dacier, Michael Waidner
     c. 55 man-years, EU funding c. 2.5M€, Jan. 2000 -> Dec. 2002

  17. Objectives
     - Architectural framework and conceptual model (WP1)
     - Mechanisms and protocols:
       - dependable middleware (WP2)
       - large scale intrusion detection systems (WP3)
       - dependable trusted third parties (WP4)
       - distributed authorization mechanisms (WP5)
     - Validation and assessment (WP6)

  18. http://www.research.ec.org/maftia/

  19. References
     - Avizienis, A., Laprie, J.-C., Randell, B. (2001). Fundamental Concepts of Dependability, LAAS Report N°01145, April 2001, 19 p.
     - Deswarte, Y., Blain, L., Fabre, J.-C. (1991). Intrusion Tolerance in Distributed Systems, in IEEE Symp. on Research in Security and Privacy, Oakland, CA, USA, pp. 110-121.
     - Dobson, J. E., Randell, B. (1986). Building Reliable Secure Systems out of Unreliable Insecure Components, in IEEE Symp. on Security and Privacy, Oakland, CA, USA, pp. 187-193.
     - Laprie, J.-C. (1985). Dependable Computing and Fault Tolerance: Concepts and Terminology, in 15th Int. Symp. on Fault Tolerant Computing (FTCS-15), Ann Arbor, MI, USA, IEEE, pp. 2-11.
     - Laprie, J.-C. (Ed.) (1992). Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag.
     - Powell, D., Adelsbach, A., Cachin, C., Creese, S., Dacier, M., Deswarte, Y., McCutcheon, T., Neves, N., Pfitzmann, B., Randell, B., Stroud, R., Veríssimo, P., Waidner, M. (2001). MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications), Supplement of the 2001 International Conference on Dependable Systems and Networks (DSN2001), Göteborg (Sweden), 1-4 July 2001, IEEE, pp. D-32-D-35.
