Page 1: Panel on Intrusion Tolerance

RAID 2001, UC Davis, October 11, 2001

Page 2: Participants

- Crispin Cowan, WireX Communications
- Andreas Wespi, IBM Zurich Research Lab.
- Al Valdes, SRI International
- Dan Schnackenberg, Boeing Phantom Works
- Moderator: Yves Deswarte

Page 3: On Dependability, Intrusion Tolerance, and the MAFTIA project

Yves Deswarte, LAAS-CNRS, Toulouse, [email protected]
David Powell

Page 4: Dependability

- Trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers

J.-C. Laprie (Ed.), Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag, 1992.

Page 5: Fault, Error & Failure

Fault -> Error -> Failure

- Fault: adjudged or hypothesized cause of an error (e.g., H/W fault, bug, attack, intrusion)
- Error: that part of system state which may lead to a failure
- Failure: occurs when delivered service deviates from implementing the system function

Page 6: Example: Single Event Latchup

SELs (reversible stuck-at faults) may occur because of radiation (e.g., cosmic ray, high energy ions).

Satellite on-board computer:
- External fault: cosmic ray
- Internal, dormant fault (vulnerability): lack of shielding
- Internal, externally-induced fault (active): SEL

Page 7: Intrusions

Intrusions result from (at least partially) successful attacks:

Computing system:
- External fault: attack
- Internal, dormant fault (vulnerability): e.g., account with default password
- Internal, externally-induced fault (active): intrusion

Page 8: Fault Tolerance

Fault -> Error -> Failure

- Fault Treatment:
  - Diagnosis
  - Isolation
  - Reconfiguration
- Error Processing:
  - Detection
  - Damage assessment
  - Recovery

Page 9: Error Detection (1)

- Likelihood checking
  - by hardware:
    - inexistent or forbidden address, instruction, command…
    - watchdogs
    - error detection code (e.g., parity)
  - by software (OS or application) = verify properties on:
    - values (absolute, relative, intervals)
    - formats and types
    - events (instants, delays, sequences)
  - Signatures (error detection code)

Page 10: Error Detection (2)

- Comparison between replicates
  - Assumption: a unique fault generates different errors on different replicates
    - internal hardware fault: identical copies
    - external hardware fault: similar copies
    - design fault / interaction fault: diversified copies
  - On-line model checking
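An added illustration of comparison between replicates (example code, not from the slides or the MAFTIA project): three replicas parse the same input and any disagreement between their outcomes is the detected error. The port parsers and the injected missing range check are constructed for the example; they show the slide's assumption at work, since identical copies of one faulty design all produce the same wrong answer, while diversified copies turn the design fault into a detectable disagreement.

```python
from collections import Counter

def parse_port(s: str) -> int:
    """Reference implementation: a TCP port is an integer in 0..65535."""
    n = int(s, 10)
    if not 0 <= n <= 65535:
        raise ValueError("port out of range")
    return n

def parse_port_buggy(s: str) -> int:
    """Constructed design fault: the range check was forgotten."""
    return int(s, 10)

def parse_port_diverse(s: str) -> int:
    """Independently written variant of the same specification (a diversified copy)."""
    if not s.isdigit() or len(s) > 5:
        raise ValueError("bad port syntax")
    n = sum((ord(c) - 48) * 10 ** i for i, c in enumerate(reversed(s)))
    if n > 65535:
        raise ValueError("port out of range")
    return n

def run_replica(fn, arg):
    """Normalise a replica's outcome so that outcomes can be compared."""
    try:
        return ("ok", fn(arg))
    except ValueError:
        return ("error",)

def compare_replicates(replicas, arg):
    """Majority vote over the replicas' outcomes.
    Returns (winning outcome, error_detected); error_detected is True
    whenever the replicas disagree, which is this scheme's detection signal."""
    outcomes = [run_replica(fn, arg) for fn in replicas]
    counts = Counter(outcomes)
    winner = counts.most_common(1)[0][0]
    return winner, len(counts) > 1

# Identical copies of one faulty design: the design fault produces the same
# error on every copy, so the comparison cannot detect it.
identical_copies = [parse_port_buggy] * 3
# Diversified copies: the same design fault now shows up as a disagreement.
diversified_copies = [parse_port_buggy, parse_port, parse_port_diverse]

if __name__ == "__main__":
    print(compare_replicates(identical_copies, "70000"))    # (('ok', 70000), False)
    print(compare_replicates(diversified_copies, "70000"))  # (('error',), True)
```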

Page 11: Error Recovery

- Backward recovery
- Forward recovery
- Compensation-based recovery (fault masking)

(Figure: numbered execution states illustrating backward recovery, forward recovery and compensation-based recovery.)

Page 12: Error Processing (wrt intrusions)

- Error detection
  - + Backward recovery (availability, integrity)
  - + Forward recovery (availability, confidentiality)
- Intrusion masking
  - Fragmentation (confidentiality)
  - Redundancy (availability, integrity)
  - Scattering

Page 13: Intrusion Masking

Intrusion into a part of the system should give access only to non-significant information.

FRS: Fragmentation-Redundancy-Scattering
- Fragmentation: split the data into fragments so that isolated fragments contain no significant information: confidentiality
- Redundancy: add redundancy so that fragment modification or destruction would not impede legitimate access: integrity + availability
- Scattering: isolate individual fragments
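A simplified instance of the FRS idea, added here as example code and not the project's own implementation: fragmentation by XOR splitting (any k-1 fragments are independent of the data), redundancy by storing r copies of each fragment with majority voting on reassembly, and scattering by never placing two fragments on the same site. Site names and the sample data are constructed for the example.

```python
from collections import Counter
import os

def fragment(data: bytes, k: int) -> list:
    """Fragmentation: k-1 random pads plus data XOR all pads.  Any k-1 fragments
    are uniformly random and independent of the data, so an intruder who reads
    fewer than k fragments learns nothing about it (confidentiality)."""
    pads = [os.urandom(len(data)) for _ in range(k - 1)]
    last = data
    for p in pads:
        last = bytes(a ^ b for a, b in zip(last, p))
    return pads + [last]

def scatter(frags: list, r: int) -> dict:
    """Redundancy + scattering: r copies of fragment i go to r distinct sites,
    and a site never holds a copy of more than one fragment.  Site names are
    constructed; a real deployment would map them to separate hosts."""
    return {f"site-{i * r + j}": (i, f) for i, f in enumerate(frags) for j in range(r)}

def reassemble(sites: dict, k: int) -> bytes:
    """Rebuild the data from whatever copies the sites still hold.  For each
    fragment the value held by the most sites wins, so a copy modified on one
    intruded site is outvoted (integrity) and a destroyed copy is simply
    missing (availability), as long as a majority of its r sites is intact."""
    votes = [Counter() for _ in range(k)]
    for i, copy in sites.values():
        votes[i][copy] += 1
    out = None
    for i, v in enumerate(votes):
        if not v:
            raise RuntimeError(f"no copy of fragment {i} left")
        best = v.most_common(1)[0][0]
        out = best if out is None else bytes(a ^ b for a, b in zip(out, best))
    return out

if __name__ == "__main__":
    data = b"constructed sample secret"
    sites = scatter(fragment(data, 3), 3)   # 3 fragments, 3 copies each, 9 sites
    del sites["site-0"]                      # one copy destroyed
    i, f = sites["site-4"]
    sites["site-4"] = (i, bytes(b ^ 0xFF for b in f))  # one copy modified by an intruder
    assert reassemble(sites, 3) == data      # legitimate access still succeeds
```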

Page 14: Fault Tolerance

(Figure from page 8 repeated: Fault -> Error -> Failure; Fault Treatment: Diagnosis, Isolation, Reconfiguration; Error Processing: Detection, Damage assessment, Recovery.)

Page 15: Fault Treatment (wrt intrusions)

- Diagnosis
  - Non-malicious or malicious (intrusion)
  - Attack (to allow retaliation)
  - Vulnerability (to allow removal = maintenance)
- Isolation
  - Intrusion (to prevent further penetration)
  - Vulnerability (to prevent further intrusion)
- Reconfiguration
  - Contingency plan to degrade/restore service
    - inc. attack retaliation, vulnerability removal

Page 16: MAFTIA

- Malicious- and Accidental-Fault Tolerance for Internet Applications

IST Dependability Initiative, Cross Program Action 2: Dependability in services and technologies

- University of Newcastle (UK): Brian Randell, Robert Stroud
- University of Lisbon (P): Paulo Verissimo
- DSTL, Malvern (UK): Tom McCutcheon, Colin O’Halloran
- University of Saarland (D): Birgit Pfitzmann
- LAAS-CNRS, Toulouse (F): Yves Deswarte, David Powell
- IBM Research, Zurich (CH): Marc Dacier, Michael Waidner

c. 55 man-years, EU funding c. 2.5M€, Jan. 2000 -> Dec. 2002

Page 17: Objectives

- Architectural framework and conceptual model (WP1)
- Mechanisms and protocols:
  - dependable middleware (WP2)
  - large scale intrusion detection systems (WP3)
  - dependable trusted third parties (WP4)
  - distributed authorization mechanisms (WP5)
- Validation and assessment (WP6)

Page 18: FTI

http://www.research.ec.org/maftia/

Page 19: References

- Avizienis, A., Laprie, J.-C., Randell, B. (2001). Fundamental Concepts of Dependability, LAAS Report N°01145, April 2001, 19 p.
- Deswarte, Y., Blain, L. and Fabre, J.-C. (1991). Intrusion Tolerance in Distributed Systems, in IEEE Symp. on Research in Security and Privacy, Oakland, CA, USA, pp. 110-121.
- Dobson, J. E. and Randell, B. (1986). Building Reliable Secure Systems out of Unreliable Insecure Components, in IEEE Symp. on Security and Privacy, Oakland, CA, USA, pp. 187-193.
- Laprie, J.-C. (1985). Dependable Computing and Fault Tolerance: Concepts and Terminology, in 15th Int. Symp. on Fault Tolerant Computing (FTCS-15), Ann Arbor, MI, USA, IEEE, pp. 2-11.
- Laprie, J.-C. (Ed.) (1992). Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag.
- Powell, D., Adelsbach, A., Cachin, C., Creese, S., Dacier, M., Deswarte, Y., McCutcheon, T., Neves, N., Pfitzmann, B., Randell, B., Stroud, R., Veríssimo, P., Waidner, M. (2001). MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications), Sup. of the 2001 International Conference on Dependable Systems and Networks (DSN2001), Göteborg (Sweden), 1-4 July 2001, IEEE, pp. D-32-D-35.