Secure Proactive Recovery – a Hardware Based Mission Assurance Scheme

Presented at the 6th International Conference on Information Warfare and Security, 2011 (slides: Motivation, Threat model, System design, Performance analysis, Conclusion).

Transcript of Secure Proactive Recovery – a Hardware Based Mission Assurance Scheme

  • Secure Proactive Recovery – a Hardware Based Mission Assurance Scheme
    6th International Conference on Information Warfare and Security, 2011

    Ruchika Mehresh (1), Shambhu J. Upadhyaya (1), Kevin Kwiat (2)
    (1) Department of Computer Science and Engineering, State University of New York at Buffalo, NY, USA
    (2) Air Force Research Laboratory, Rome, NY, USA

    Research supported in part by ITT Grant No. 200821J and NSF Grant No. DUE-0802062

  • Outline
    Motivation
    Threat model
    System design
    Performance analysis
    Conclusion

  • Motivation
    Mission assurance
    Goals: survivability, security, fault tolerance, low cost (time overhead), adaptation and evolution
    Feasibility study
    Long running applications
    Prevention, detection, recovery
    Hardware-based
    Smart defender

  • Threat Model

  • The Quiet Invader
    Smart attacker: makes decisions that maximize the potential of achieving their objectives, based on dynamic information
    Quiet invader: camouflages to buy more time; plans to attack the mission during a critical stage (why?)
    Example: a long running countdown for a space shuttle launch that runs for several hours

  • System Design

  • System design (figure): a coordinator supervises Replica 1 ... Replica n, each running the workload; every replica takes a periodic checkpoint and produces a hardware signature that the coordinator collects

  • Hardware Signature Generation (figure; components labelled: System reg, IDS)

  • Performance Analysis
    Cases
    Case 1: systems with no checkpointing
    Case 2: systems with checkpointing, no failures/attacks
    Case 3: systems with checkpointing, failures/attacks
    Workload: Java SciMark 2.0 benchmark workloads: FFT, SOR, Sparse, LU
    Multi-step simulation based evaluation approach [Reference: Mehresh, R., Upadhyaya, S. and Kwiat, K. (2010) A Multi-Step Simulation Approach Toward Fault Tolerant System Evaluation, Third International Workshop on Dependable Network Computing and Mobile Systems, October]

  • Results
    Table 1: Execution times (in hours) for the SciMark workloads across the three cases

    Case             FFT       LU       SOR      Sparse
    Case 1           3421.09   222.69   13.6562  23.9479
    Case 2           3477.46   226.36   13.8811  24.3426
    Case 3 (M=10)    3824.63   249.08   15.2026  26.7313
    Case 3 (M=25)    3593.39   233.83   13.8811  24.3426

  • Results
    Table: Approximate optimal checkpoint interval values and their corresponding workload execution times for LU (Case 3) at different values of M

                                          M=5     M=10    M=15    M=25
    Optimal checkpoint interval (hours)   0.3     0.5     0.65    0.95
    Execution time (hours)                248.97  241.57  238.16  235.06

  • Conclusion
    Low cost solution to secure proactive recovery
    Mission survivability
    Utilizes redundant hardware
    Small overhead in the absence of failures
    Effective preventive measure
    Future work: evaluate this scheme for a distributed system

  • Thank You!!

  • DFT (Design for Test)
    Process that incorporates rules and techniques in product design to make testing easier.
    Testing aspects: control, observation
    IEEE Std 1149.1: allows test instructions and data to be serially loaded into a device and enables subsequent test results to be serially read out.
    [Source: IEEE Std 1149.1 (JTAG) Testability Primer, a technical presentation on Design-for-Test centered on JTAG and Boundary Scan]

  • Boundary Scan
    Boundary scan is a special type of scan path with a register added at every I/O pin on a device.
    The hardware signature of a replica can be stored in the flip-flops of the boundary scan chain around a processor.
    Our simulation centered around a boundary-scan-inserted DLX processor.

  • DLX
    RISC (Reduced Instruction Set Computing) processor architecture: a cleaned-up and simplified MIPS processor with a simple 32-bit load/store architecture.
    Verilog code for the boundary-scan-inserted DLX processor is elaborated in the Cadence RTL Compiler.

  • Hardware Signature
    Loading the signature into scan cells: we inserted a multiplexer before each cell, with one input being the test data input (TDI) and the other a bit of the 32-bit signature vector. Depending on the select line, either the test data or the signature bit is latched into the flip-flop of the scan cell.
    To read the signature out, we serially shift the bits from the flip-flops onto the output (IEEE 1149.1).
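The mux-in-front-of-each-scan-cell scheme on this slide and the Boundary Scan slide before it, as an added behavioural model in Python. This is example code written for this transcript, not the project's Verilog: the single-clock parallel load, the LSB-in-cell-0 bit order, the `0xDEADBEEF` signature value and the one-flipped-cell tamper model are all this example's own assumptions.

```python
"""Behavioural model of the signature-loading scheme on the slide: a
multiplexer in front of every scan flip-flop selects between the serial
test-data input (TDI) and one bit of a 32-bit signature vector, and the
chain is read back by serial shifting as in IEEE 1149.1.

Added example, not the project's Verilog. The single-clock parallel load,
the LSB-in-cell-0 bit order and the tamper model are this example's own
simplifications."""

from dataclasses import dataclass, field
from typing import List, Sequence

SIG_WIDTH = 32  # width of the signature vector named on the slide


@dataclass
class ScanChain:
    """Scan cells in chain order: cells[0] is fed by TDI, cells[-1] drives TDO."""
    width: int = SIG_WIDTH
    cells: List[int] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not self.cells:
            self.cells = [0] * self.width

    def clock(self, tdi: int, sel_signature: int, signature: Sequence[int] = ()) -> int:
        """One clock edge. Returns the TDO value sampled before the edge.

        sel_signature=1: every mux selects its signature bit (parallel load).
        sel_signature=0: every mux selects the previous cell's output and
        cell 0 takes TDI (ordinary serial shift of the scan path)."""
        tdo = self.cells[-1]
        if sel_signature:
            if len(signature) != self.width:
                raise ValueError("signature width must match the chain")
            self.cells = [b & 1 for b in signature]
        else:
            self.cells = [tdi & 1] + self.cells[:-1]
        return tdo

    def load_signature(self, signature: Sequence[int]) -> None:
        """Latch the signature vector into the cells via the mux select line."""
        self.clock(0, 1, signature)

    def shift_in(self, bits: Sequence[int]) -> None:
        """Ordinary test-data path: shift bits in serially on TDI."""
        for b in bits:
            self.clock(b, 0)

    def shift_out(self) -> List[int]:
        """Shift the whole chain out on TDO (zeros shift in behind it) and
        return the bits in cell order, cells[0] first."""
        serial = [self.clock(0, 0) for _ in range(self.width)]
        return serial[::-1]  # TDO emits cells[-1] first


def int_to_bits(value: int, width: int = SIG_WIDTH) -> List[int]:
    """LSB goes to cells[0]; an example convention, not the slide's."""
    return [(value >> i) & 1 for i in range(width)]


def bits_to_int(bits: Sequence[int]) -> int:
    return sum(b << i for i, b in enumerate(bits))


def signature_roundtrip(sig_value: int) -> int:
    """Load a signature, read it back serially, return the reassembled value."""
    chain = ScanChain()
    chain.load_signature(int_to_bits(sig_value))
    return bits_to_int(chain.shift_out())


def check_replica(chain: ScanChain, expected: int) -> bool:
    """Coordinator-side check: does the value read out of the chain still
    match the signature recorded for this replica? Reading is destructive
    (the chain is shifted out), so reload afterwards if the value is needed."""
    return bits_to_int(chain.shift_out()) == expected


if __name__ == "__main__":
    sig = 0xDEADBEEF  # constructed signature value
    print(hex(signature_roundtrip(sig)))
    tampered = ScanChain()
    tampered.load_signature(int_to_bits(sig))
    tampered.cells[5] ^= 1  # model one corrupted scan cell
    print(check_replica(tampered, sig))
```

The read-out is destructive, exactly as a serial shift through a real scan chain would be, which is why `check_replica` is modelled as something the coordinator does at a checkpoint boundary rather than continuously.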

  • Survivability
    Mission: a set of very high level requirements or goals; not limited to military settings.
    Survivability: capability of a system to fulfill its mission in a timely manner in the presence of attacks, failures, or accidents. Reaction and recovery must be successful, whether the cause is ever determined or not.
    Reference: Ellison, R.J.; Fisher, D.A.; Linger, R.C.; Lipson, H.F.; Longstaff, T.A.; Mead, N.R., "Survivability: protecting your critical systems," IEEE Internet Computing, vol. 3, no. 6, pp. 55-63, Nov/Dec 1999

  • Byzantine Fault Tolerance
    Byzantine fault: an arbitrary fault that occurs during the execution of an algorithm by a distributed system
    Omission failures, e.g., crash failures, failing to receive a request
    Commission failures, e.g., processing a request incorrectly
    Classical solutions: n > 3t, where n is the total number of processes in the system and t is the number of faulty processes
    Our case: centralized system, majority vote: n > 2t
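The coordinator/replica arrangement from the system-design slide and the n > 2t majority-vote rule on this slide, combined in one added Python example. This is illustrative code written for this transcript, not the project's implementation: the replica names, checkpoint states and signature values are constructed, and using a SHA-256 digest as the identity of a checkpoint is this example's own choice.

```python
"""Toy coordinator for the replicated design on the system-design slide:
every replica reports a periodic checkpoint together with the hardware
signature read from its scan chain. The coordinator majority-votes over the
checkpoints, which tolerates t faulty replicas as long as n > 2t (the
centralized case on the Byzantine slide). Replicas whose signature differs
from the recorded value, or whose checkpoint disagrees with the majority,
are flagged for recovery from the majority checkpoint.

Added example, not the project's code. Replica names, states and signature
values are constructed; the SHA-256 digest as checkpoint identity is this
example's own choice."""

import hashlib
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Report:
    replica: str
    checkpoint: bytes   # application state captured at the checkpoint
    hw_signature: int   # value read out of the replica's scan chain


@dataclass
class Decision:
    majority_checkpoint: Optional[str]  # digest the majority agrees on; None if undecidable
    recover: List[str]                  # replicas to roll back to the majority checkpoint
    tolerated_faults: int               # t = (n - 1) // 2 for majority voting


def digest(state: bytes) -> str:
    return hashlib.sha256(state).hexdigest()


def max_tolerated_faults(n: int) -> int:
    """Majority vote stays correct while n > 2t, i.e. t <= (n - 1) // 2."""
    return (n - 1) // 2


def coordinate(reports: List[Report], expected_signatures: Dict[str, int]) -> Decision:
    n = len(reports)
    t = max_tolerated_faults(n)

    # 1. Hardware-signature check: a replica whose signature no longer matches
    #    the recorded value is suspect and loses its vote.
    suspect = {r.replica for r in reports
               if r.hw_signature != expected_signatures.get(r.replica)}

    # 2. Majority vote over the checkpoint digests of the remaining replicas.
    votes = Counter(digest(r.checkpoint) for r in reports if r.replica not in suspect)
    winner, count = votes.most_common(1)[0] if votes else (None, 0)

    # A strict majority of all n replicas is required; otherwise more than t
    # replicas have failed and the vote cannot be trusted.
    if count * 2 <= n:
        return Decision(None, [], t)

    recover = sorted(r.replica for r in reports
                     if r.replica in suspect or digest(r.checkpoint) != winner)
    return Decision(winner, recover, t)


def demo() -> Decision:
    """Five replicas: one with a tampered checkpoint, one with a changed signature."""
    good = b"mission-step-42"                               # constructed state
    sigs = {f"r{i}": 0xA5A50000 + i for i in range(1, 6)}   # constructed signatures
    reports = [
        Report("r1", good, sigs["r1"]),
        Report("r2", good, sigs["r2"]),
        Report("r3", good, sigs["r3"]),
        Report("r4", b"tampered-state", sigs["r4"]),        # wrong checkpoint
        Report("r5", good, sigs["r5"] ^ 1),                 # signature mismatch
    ]
    return coordinate(reports, sigs)


if __name__ == "__main__":
    d = demo()
    print(d.majority_checkpoint[:16], d.recover, d.tolerated_faults)
```

With five replicas the coordinator tolerates two faults; in `demo()` the faults are of the two different kinds the deck distinguishes (a corrupted checkpoint and a changed hardware signature), and both replicas end up on the recovery list while the three agreeing replicas define the checkpoint to restore. When no strict majority exists the coordinator reports an undecidable vote rather than guessing.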

  • TPM (Trusted Platform Module)
    Secure cryptoprocessor that can store cryptographic keys that protect information
    Sealed storage, remote attestation
    Privacy issues
    Feasibility study: can use alternatives such as active attestation by Nexus

    **************************