Transcript of deswarte intrusion tolerance panel raid2001
Panel on Intrusion Tolerance
RAID 2001, UC Davis
October 11, 2001
Participants
- Crispin Cowan, WireX Communications
- Andreas Wespi, IBM Zurich Research Lab.
- Al Valdes, SRI International
- Dan Schnackenberg, Boeing Phantom Works
- Moderator: Yves Deswarte
On Dependability, Intrusion Tolerance, and the MAFTIA project
Yves Deswarte, LAAS-CNRS, Toulouse, [email protected]
David Powell
Dependability
- Trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers
J.-C. Laprie (Ed.), Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag, 1992.
Fault, Error & Failure
(Diagram: Fault -> Error -> Failure; fault classes shown: H/W fault, bug, attack, intrusion; an internal, dormant fault is shown as the starting point of the chain)
- Fault: adjudged or hypothesized cause of an error
- Error: that part of system state which may lead to a failure
- Failure: occurs when delivered service deviates from implementing the system function
Example: Single Event Latchup
SELs (reversible stuck-at faults) may occur because of radiation (e.g., cosmic ray, high energy ions)
(Diagram, satellite on-board computer: cosmic ray = external fault; lack of shielding = vulnerability = internal, dormant fault; SEL = internal, externally-induced fault -> internal, active fault)
Intrusions
Intrusions result from (at least partially) successful attacks:
(Diagram, computing system: attack = external fault; vulnerability, e.g., account with default password = internal, dormant fault; intrusion = internal, externally-induced fault -> internal, active fault)
Fault Tolerance
(Diagram: Fault -> Error -> Failure)
- Fault Treatment: Diagnosis, Isolation, Reconfiguration
- Error Processing: Detection, Damage assessment, Recovery
Error Detection (1)
- Likelihood checking
  - by hardware:
    - inexistent or forbidden address, instruction, command...
    - watchdogs
    - error detection code (e.g., parity)
  - by software (OS or application) = verify properties on:
    - values (absolute, relative, intervals)
    - formats and types
    - events (instants, delays, sequences)
  - Signatures (error detection code)
Error Detection (2)
- Comparison between replicates
  - Assumption: a unique fault generates different errors on different replicates
    - internal hardware fault: identical copies
    - external hardware fault: similar copies
    - design fault / interaction fault: diversified copies
  - On-line model checking
Error Recovery
(Diagram of the three recovery strategies: backward recovery, forward recovery, compensation-based recovery (fault masking))
Error Processing (wrt intrusions)
- Error detection
  - + Backward recovery (availability, integrity)
  - + Forward recovery (availability, confidentiality)
- Intrusion masking
  - Fragmentation (confidentiality)
  - Redundancy (availability, integrity)
  - Scattering
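As an added illustration (not from the slides), error processing for one request across replicates, following the Error Detection (2) and Error Processing slides: comparison between replicates detects the error, damage assessment flags the disagreeing replicates for fault treatment, and recovery is either compensation (majority masking) or backward (rollback to a checkpoint). Replica names and values are constructed.

```python
from collections import Counter


def process_errors(replica_outputs, checkpoint):
    """Error processing by comparison between replicates.

    replica_outputs: dict replica_name -> value produced for one request
                     (replicates are assumed identical or diversified copies,
                     so a single fault shows up as disagreement).
    checkpoint: last known-good value, used for backward recovery when the
                replicates cannot out-vote the erroneous ones.
    Returns (delivered_value, report); report records detection, damage
    assessment and the recovery strategy applied.
    """
    counts = Counter(replica_outputs.values())
    value, support = counts.most_common(1)[0]
    n = len(replica_outputs)
    report = {"error_detected": len(counts) > 1}
    if not report["error_detected"]:
        # all replicates agree: nothing to process
        report["recovery"] = "none"
        return value, report
    # damage assessment: replicates that disagree with the majority are the
    # suspects (erroneous, possibly intruded) handed over to fault treatment
    report["suspect_replicas"] = sorted(
        r for r, v in replica_outputs.items() if v != value)
    if 2 * support > n:
        # compensation-based recovery: the majority masks the error
        report["recovery"] = "compensation"
        return value, report
    # no majority: backward recovery, roll back to the checkpointed state
    report["recovery"] = "backward"
    return checkpoint, report
```

With three replicates a single erroneous one is masked; with only two, disagreement is detected but cannot be resolved by vote, so the checkpoint is delivered instead.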
Intrusion Masking
Intrusion into a part of the system should give access only to non-significant information
FRS: Fragmentation-Redundancy-Scattering
- Fragmentation: split the data into fragments so that isolated fragments contain no significant information: confidentiality
- Redundancy: add redundancy so that fragment modification or destruction would not impede legitimate access: integrity + availability
- Scattering: isolate individual fragments
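An added example (not MAFTIA's own code) of the FRS idea: a (k, n) threshold scheme over GF(257), here Shamir secret sharing, performs fragmentation and redundancy in one step (any k fragments rebuild the data, any k-1 fragments are uniformly random and reveal nothing), and a dictionary of hypothetical site names stands in for scattering.

```python
import secrets

P = 257  # prime field; each data byte (0..255) is one field element

def _eval_poly(coeffs, x):
    """Evaluate the polynomial with the given coefficients at x (Horner)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc

def fragment(data, k, n):
    """Fragmentation + redundancy: n fragments per byte; any k rebuild
    the byte, any k-1 are statistically independent of it."""
    frags = {x: [] for x in range(1, n + 1)}
    for b in data:
        coeffs = [b] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x in frags:
            frags[x].append(_eval_poly(coeffs, x))
    return frags

def _lagrange_at_zero(points):
    """Recover the constant term (the data byte) from k (x, y) points."""
    total = 0
    for i, (xi, yi) in enumerate(points):
        num, den = 1, 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        total = (total + yi * num * pow(den, P - 2, P)) % P
    return total

def reassemble(frags, k):
    """Rebuild the data from any k fragments (dict x -> list of shares)."""
    chosen = list(frags.items())[:k]
    size = len(chosen[0][1])
    return bytes(_lagrange_at_zero([(x, ys[i]) for x, ys in chosen])
                 for i in range(size))

def scatter(frags, sites):
    """Scattering: one fragment per site (hypothetical site names)."""
    return {site: (x, ys) for site, (x, ys) in zip(sites, frags.items())}

def recover_after_loss(data, k, n, sites, lost):
    """Fragment, scatter, lose some sites (destroyed, or intruded and then
    isolated) and rebuild from the survivors. None if fewer than k remain."""
    placed = scatter(fragment(data, k, n), sites)
    survivors = {x: ys for s, (x, ys) in placed.items() if s not in lost}
    return reassemble(survivors, k) if len(survivors) >= k else None
```

Losing up to n-k sites leaves the data available, and an intrusion into a single site yields one fragment that carries no information about the data on its own.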
Fault Treatment (wrt intrusions)
- Diagnosis
  - Non-malicious or malicious (intrusion)
  - Attack (to allow retaliation)
  - Vulnerability (to allow removal = maintenance)
- Isolation
  - Intrusion (to prevent further penetration)
  - Vulnerability (to prevent further intrusion)
- Reconfiguration
  - Contingency plan to degrade/restore service
    - inc. attack retaliation, vulnerability removal
MAFTIA
- Malicious- and Accidental-Fault Tolerance for Internet Applications
IST Dependability Initiative, Cross Program Action 2: Dependability in services and technologies
- University of Newcastle (UK): Brian Randell, Robert Stroud
- University of Lisbon (P): Paulo Verissimo
- DSTL, Malvern (UK): Tom McCutcheon, Colin O'Halloran
- University of Saarland (D): Birgit Pfitzmann
- LAAS-CNRS, Toulouse (F): Yves Deswarte, David Powell
- IBM Research, Zurich (CH): Marc Dacier, Michael Waidner
c. 55 man-years, EU funding c. 2.5M€, Jan. 2000 -> Dec. 2002
Objectives
- Architectural framework and conceptual model (WP1)
- Mechanisms and protocols:
  - dependable middleware (WP2)
  - large scale intrusion detection systems (WP3)
  - dependable trusted third parties (WP4)
  - distributed authorization mechanisms (WP5)
- Validation and assessment (WP6)
http://www.research.ec.org/maftia/
References
- Avizienis, A., Laprie, J.-C., Randell, B. (2001). Fundamental Concepts of Dependability, LAAS Report N°01145, April 2001, 19 p.
- Deswarte, Y., Blain, L. and Fabre, J.-C. (1991). Intrusion Tolerance in Distributed Systems, in IEEE Symp. on Research in Security and Privacy, Oakland, CA, USA, pp. 110-121.
- Dobson, J. E. and Randell, B. (1986). Building Reliable Secure Systems out of Unreliable Insecure Components, in IEEE Symp. on Security and Privacy, Oakland, CA, USA, pp. 187-193.
- Laprie, J.-C. (1985). Dependable Computing and Fault Tolerance: Concepts and Terminology, in 15th Int. Symp. on Fault Tolerant Computing (FTCS-15), Ann Arbor, MI, USA, IEEE, pp. 2-11.
- Laprie, J.-C. (Ed.) (1992). Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag.
- Powell, D., Adelsbach, A., Cachin, C., Creese, S., Dacier, M., Deswarte, Y., McCutcheon, T., Neves, N., Pfitzmann, B., Randell, B., Stroud, R., Veríssimo, P., Waidner, M. (2001). MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications), Sup. of the 2001 International Conference on Dependable Systems and Networks (DSN2001), Göteborg (Sweden), 1-4 July 2001, IEEE, pp. D-32-D-35.