The Willow System Implementation
John C. Knight, University of Virginia
Dennis Heimbigner, University of Colorado
Intrusion Tolerance Through Secure System Reconfiguration
The Willow Team
University of Colorado: Alexander Wolf, Dennis Heimbigner, Antonio Carzaniga, Naveed Arshad, Marco Castaldi, John Giacomoni, Nathan Ryan
University of Virginia: John Knight, Jonathan Hill, Mike Tashbook, Phil Varner
University of CA, Davis: Prem Devanbu, Michael Gertz, Brian Toone
Aspects of Intrusion Tolerance
• Very Large Networks
• Interdependent Networks
• Heterogeneous Nodes
• Explicit Sense/Analyze/Respond
• Non-Local Faults
• Sequential Faults
Dimensions of Intrusion Tolerance
Figure: a control loop in which Sensors feed a Network State & Analysis Model and Actuators act on the Network. The loop is driven by Self Healing, Tolerate Anticipated Faults, Planned Posture Change, System Update, System Deployment and External Input, over a Secure & Decentralized Logical Structure.
Interesting Scenario
• Very large network, crucial services
• Many OASIS elements operational in system
• System software upgrade underway (or your stuff)
• Several (<10) servers report e-mail with viruses:
  - Safely stop system software upgrade
  - Isolate local networks containing affected nodes
• E-mail attack worsens, wide area affected:
  - Safely stop local isolation process (no point)
  - Isolate critical databases, stop some applications
  - Etc.
Willow Architectural Issues
• Control loop interactions: asynchronous; priority & resources; conflicting goals
• Network scale: state model; wide area change
• Exceptions and results: dynamic network; absolute vs. statistical; aggregation?
• Target system actuation: lightweight; standard interface & protocol
Implementation Overview
Figure: Coordination Management (Proactive Reconfiguration, Reactive Reconfiguration, Other, e.g. Offense) sits above a Siena publish/subscribe (P/S) layer; Sensing and Actuation reach the Network and External Entities through Mediators.
Coordination Management Approach
• Hierarchical workflows
• Priorities
• Intention council
• Site-selective communication
• Distributed agent structure (Cougaar)
• Payload delivery
Cougaar Agent Structure
Figure: plug-ins (PI) publish to and subscribe from a shared Blackboard (a pub/sub system) that holds Plans, Tasks, Assets (with attributes) and Society and Organizational objects (abstract children).
Willow Implementation Plug Ins
• Site-selective command
• Work request receiver
• Resource allocation
• Intention counseling
• Payload delivery
• Payload support services
Willow Architecture Agents
Figure: agents in a Wide Area Domain sit above agents in Local Area Domains, which in turn manage Network Nodes.
Site-Selective Command
Figure: a payload is routed down the agent hierarchy to the selected sites (numbered steps in the original diagram).
An Intrusion Tolerance Example
Root intention (wide area):
  Intention:=StopPropagatingVirus.StopEmailVirus
  At:=WAN(any)
Child intention (affected LANs):
  Intention:=Parent+DisableCapability(Email).ShutdownServer
  At:=LAN(10<=emailVirusAlerts<=50000) AND NetworkNode(any) AND EmailServer(active)
  Actuators shut down server
Child intention (non-administrator clients):
  Intention:=Parent+ReduceCapability(Email).DisableAttachments
  At:=NetworkNode(administrator=false) AND EmailClient(active)
  Actuators disable attachments
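The slide gives the intention and site-selector notation but not how a selector is resolved. The following is an added example, not Willow's code: a toy interpreter for the `Intention:=` / `At:=` lines above. Sites form a tree WAN → LAN → NetworkNode → component; each `At` term is `Kind(predicate)` and is matched in order against the descendants of whatever the previous term selected, so a command never reaches into a LAN an earlier term rejected. `Parent+` is expanded by prefixing the parent's dotted intention. The topology, attribute names (`emailVirusAlerts`, `administrator`, `state`) and the supported predicate forms (`any`, `active`, `lo<=attr<=hi`, `attr=value`) are assumptions made for this example.

```python
# Added example (not Willow's code): a toy interpreter for the slide's
# 'Intention:=' / 'At:=' notation. Sites form a tree WAN -> LAN -> NetworkNode
# -> component. Each 'At' term is Kind(predicate), matched in order against the
# descendants of the sites the previous term selected, so a command never
# reaches into a LAN an earlier term rejected. Topology and names are constructed.
import re
from dataclasses import dataclass, field
from typing import Callable, Dict, Iterator, List, Tuple

@dataclass
class Site:
    kind: str                                 # WAN, LAN, NetworkNode, EmailServer, EmailClient
    name: str
    attrs: Dict[str, object] = field(default_factory=dict)
    children: List["Site"] = field(default_factory=list)

Predicate = Callable[[Dict[str, object]], bool]
RANGE = re.compile(r"^(-?\d+)<=(\w+)<=(-?\d+)$")   # e.g. 10<=emailVirusAlerts<=50000
EQUAL = re.compile(r"^(\w+)=(\w+)$")              # e.g. administrator=false

def parse_predicate(text: str) -> Predicate:
    """Turn the text inside Kind(...) into a test on a site's attributes."""
    text = text.strip()
    if text == "any":
        return lambda a: True
    if text == "active":                          # component liveness, kept as attrs["state"]
        return lambda a: a.get("state") == "active"
    if m := RANGE.match(text):
        lo, key, hi = int(m.group(1)), m.group(2), int(m.group(3))
        return lambda a: key in a and lo <= int(a[key]) <= hi
    if m := EQUAL.match(text):
        key, want = m.group(1), m.group(2).lower()
        return lambda a: str(a.get(key)).lower() == want
    raise ValueError(f"unsupported predicate: {text!r}")

def parse_at(spec: str) -> List[Tuple[str, Predicate]]:
    """'LAN(10<=x<=50) AND NetworkNode(any)' -> [(kind, predicate), ...]."""
    terms = []
    for term in re.split(r"\s+AND\s+", spec.strip()):
        m = re.fullmatch(r"(\w+)\((.*)\)", term)
        if not m:
            raise ValueError(f"bad term: {term!r}")
        terms.append((m.group(1), parse_predicate(m.group(2))))
    return terms

def _descendants(site: Site) -> Iterator[Site]:
    yield site
    for child in site.children:
        yield from _descendants(child)

def select(root: Site, at_spec: str) -> List[Site]:
    """Resolve an 'At' clause to the concrete sites it names."""
    frontier = [root]
    for kind, pred in parse_at(at_spec):
        frontier = [d for s in frontier for d in _descendants(s)
                    if d.kind == kind and pred(d.attrs)]
    return frontier

def compound(parent: str, child: str) -> str:
    """'Parent+DisableCapability(Email).ShutdownServer' -> the full dotted intention."""
    return parent + "." + child[len("Parent+"):] if child.startswith("Parent+") else child

def build_sample() -> Site:
    """Constructed topology: two LANs, only one of which is reporting virus alerts."""
    def node(name: str, admin: bool, *roles: str) -> Site:
        comps = [Site(r, f"{name}/{r}", {"state": "active"}) for r in roles]
        return Site("NetworkNode", name, {"administrator": admin}, comps)
    lan_a = Site("LAN", "lan-a", {"emailVirusAlerts": 120},
                 [node("n1", False, "EmailServer", "EmailClient"), node("n2", True, "EmailClient")])
    lan_b = Site("LAN", "lan-b", {"emailVirusAlerts": 3},
                 [node("n3", False, "EmailServer", "EmailClient")])
    return Site("WAN", "wan", {}, [lan_a, lan_b])

def resolve_example() -> Dict[str, List[str]]:
    """Map each compounded intention from the slide to the site names it would reach."""
    wan = build_sample()
    root = "StopPropagatingVirus.StopEmailVirus"
    shutdown = compound(root, "Parent+DisableCapability(Email).ShutdownServer")
    disable = compound(root, "Parent+ReduceCapability(Email).DisableAttachments")
    return {
        root: [s.name for s in select(wan, "WAN(any)")],
        shutdown: [s.name for s in select(
            wan, "LAN(10<=emailVirusAlerts<=50000) AND NetworkNode(any) AND EmailServer(active)")],
        disable: [s.name for s in select(
            wan, "NetworkNode(administrator=false) AND EmailClient(active)")],
    }

if __name__ == "__main__":
    for intention, sites in resolve_example().items():
        print(intention, "->", sites)
```

Note the asymmetry the two child selectors produce: the server shutdown only reaches the LAN whose alert count is in range (n1's server, not n3's), while the attachment restriction is scoped by node attribute alone and so applies to non-administrator clients on every LAN. A selector that omitted the `LAN(...)` term would shut down every active mail server in the WAN, which is exactly the kind of over-broad actuation the council and priority mechanisms on the following slides are meant to catch.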
An Intrusion Tolerance Example
Figure: the WAN contains LANs; each LAN contains Network Nodes hosting Email Clients and Servers.
Example of Intention Council
Intentions are compounded from most general to most specific in layers (forced by the specification):
  Halt_Intrusions(Buffer).Uninstalling_Application(Excel) (Priority 7.1)
  Countermeasure(VirusInfected,Containment).Activate(TrapDoorExcel) (Priority 8.2)
  Repair_Application(Excel)
Finite state machine with the following rules:
• Do not repair applications that were recently uninstalled
• Do not finish repairs of applications that are to be uninstalled
The Excel repair is cancelled if it is scheduled later, and is aborted if it was activated before the uninstall arrived.
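The two rules above are stated in prose; the following added example (not Willow's code) shows them as a small intention council over a timeline of arriving intentions. A queued repair of an application is cancelled, and a running one aborted, when an uninstall of that application arrives; a repair that arrives shortly after an uninstall is rejected outright; and priority decides which accepted, still-queued intention the actuators run next. The dotted intention strings follow the slide's form but are illustrative, and the 60-second meaning of "recently" is an assumed value.

```python
# Added example (not Willow's code): a small "intention council" arbitrating
# conflicting intentions on one application, implementing the two rules on the
# slide: (1) do not repair an application that was recently uninstalled;
# (2) do not finish a repair of an application that is to be uninstalled, so a
# queued Repair is cancelled and a running one aborted when Uninstall arrives.
# Intention strings are in the slide's dotted form but illustrative, and the
# "recently" window is an assumed value.
from dataclasses import dataclass
from typing import Dict, List, Optional

RECENT_WINDOW_S = 60.0                            # assumed: what "recently uninstalled" means

@dataclass
class Intention:
    path: str              # e.g. "Halt_Intrusions(Buffer).Uninstalling_Application(Excel)"
    priority: float
    arrived: float         # seconds on a shared clock
    state: str = "scheduled"   # scheduled | active | done | cancelled | aborted | rejected

    @property
    def leaf(self) -> str:                        # most specific layer of the compound
        return self.path.rsplit(".", 1)[-1]

    @property
    def action(self) -> str:                      # "Repair_Application"
        return self.leaf.split("(", 1)[0]

    @property
    def target(self) -> str:                      # "Excel"
        return self.leaf[self.leaf.find("(") + 1:-1]

class IntentionCouncil:
    def __init__(self) -> None:
        self.log: List[Intention] = []
        self.last_uninstall: Dict[str, float] = {}

    def _live(self, action: str, target: str) -> List[Intention]:
        return [i for i in self.log
                if i.action == action and i.target == target and i.state in ("scheduled", "active")]

    def submit(self, it: Intention) -> str:
        """Run the conflict rules for a newly arrived intention; return its resulting state."""
        if it.action == "Uninstalling_Application":
            for repair in self._live("Repair_Application", it.target):
                # rule 2: a queued repair is cancelled, a running one aborted
                repair.state = "cancelled" if repair.state == "scheduled" else "aborted"
            self.last_uninstall[it.target] = it.arrived
        elif it.action == "Repair_Application":
            when = self.last_uninstall.get(it.target)
            if when is not None and it.arrived - when <= RECENT_WINDOW_S:
                it.state = "rejected"             # rule 1: recently uninstalled
        self.log.append(it)
        return it.state

    def activate(self, it: Intention) -> None:
        if it.state == "scheduled":
            it.state = "active"

    def next_to_activate(self) -> Optional[Intention]:
        """Priority decides which accepted, still-queued intention the actuators run next."""
        queued = [i for i in self.log if i.state == "scheduled"]
        return max(queued, key=lambda i: i.priority) if queued else None

def excel_scenario() -> List[str]:
    """Constructed timeline; returns each submitted intention's final state, in arrival order."""
    c = IntentionCouncil()
    repair_excel = Intention("Countermeasure(VirusInfected,Containment).Repair_Application(Excel)", 8.2, 0.0)
    repair_outlook = Intention("Countermeasure(VirusInfected,Containment).Repair_Application(Outlook)", 8.2, 1.0)
    c.submit(repair_excel)
    c.submit(repair_outlook)
    c.activate(c.next_to_activate())              # Excel repair (first queued at top priority) starts
    c.submit(Intention("Halt_Intrusions(Buffer).Uninstalling_Application(Excel)", 7.1, 10.0))
    c.submit(Intention("Halt_Intrusions(Buffer).Uninstalling_Application(Outlook)", 7.1, 10.0))
    c.submit(Intention("Countermeasure(VirusInfected,Containment).Repair_Application(Excel)", 8.2, 30.0))
    c.submit(Intention("Countermeasure(VirusInfected,Containment).Repair_Application(Excel)", 8.2, 500.0))
    return [i.state for i in c.log]

if __name__ == "__main__":
    print(excel_scenario())
```

The scenario exercises both branches of rule 2 (the Excel repair was active and is aborted; the Outlook repair was still queued and is cancelled) and both sides of rule 1 (a repair 20 s after the uninstall is rejected, one 490 s later is accepted). The council decides only on the intention's most specific layer, so the general layers (`Halt_Intrusions(Buffer)`, `Countermeasure(...)`) carry context and priority but do not by themselves create conflicts.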
Light-Weight Actuator Interface
Goals:
• Remote management of applications and components, specifically to actuate reconfigurations
• Light-weight mechanism capable of using new or existing mechanisms
Approach:
• Define a standardized interface for managing a single component or application
• Coordinated actuation for multiple components
• Based on a simple and general protocol
• Minimal component support required; implemented by the managed component
• Architecture-based vs. ad hoc
Dynamic Reconfiguration
Figure: Single Component Reconfiguration contrasted with Application Reconfiguration (marked with question marks in the original diagram).
Protocol
• System inspired by Network Management (SNMP): manipulation of "variables" to achieve effects
  - Get: determine component state
  - Set: set state; a side effect can cause reconfiguration
  - Call: combination of Set/Get to achieve function calls
  - Notify: asynchronous output from the component
• These variables are specified in a Component Description (similar to a MIB)
• The developer defines and "exports" the variables
Light-Weight Actuator Architecture
• Component Agent: per-component code that manages component-specific reconfiguration mechanisms. Implementation: in-component, wrapper, or separate process
• Application Agent: per-application code that coordinates and delegates component-level reconfiguration
• Manager: the interface with the reconfiguration decision maker (automatic or manual)
Figure: the Manager speaks the Management Protocol to an Application Agent (described by an Application Description), which speaks the Management Protocol to Component Agents (each described by a Component Description).
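The protocol and agent slides above describe the pieces but show no exchange. The following added example (not Willow's code) puts them together in one process: a Component Agent exports a Component Description, here a dictionary of variables with an access mode in the role of a MIB; Set on a read-write variable runs the component's reconfiguration hook as its side effect and emits a Notify; Call is Set followed by Get; an Application Agent implements the same four operations across several components, so a Manager can treat the whole application as one component, the hierarchical composition claimed on the Benefits slide. The variable names, the mail-client component and the attachment scenario are constructed for this example, and notifications are delivered synchronously here where a deployment would use an event service.

```python
# Added example (not Willow's code): the slide's Get/Set/Call/Notify protocol
# over an in-process Component Description that plays the role of a MIB.
# A ComponentAgent exports variables with an access mode; Set on an "rw"
# variable runs the component's reconfiguration hook as its side effect and
# emits a Notify; Call is Set followed by Get. An ApplicationAgent implements
# the same four operations over several components, so the Manager can treat
# the whole application as one component. Variable names, the mail-client
# component and the attachment scenario are constructed for this example.
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

@dataclass
class Variable:
    access: str                                     # "ro" or "rw", like a MIB object's MAX-ACCESS
    value: Any
    on_set: Callable[[Any], None] = lambda v: None  # component-specific reconfiguration hook

class ComponentAgent:
    """Per-component code: exports a description and answers protocol requests."""
    def __init__(self, name: str, description: Dict[str, Variable]):
        self.name, self.vars = name, description
        self.listeners: List[Callable[[str, str, Any], None]] = []

    def describe(self) -> Dict[str, str]:
        return {k: v.access for k, v in self.vars.items()}

    def get(self, var: str) -> Any:
        return self.vars[var].value

    def set(self, var: str, value: Any) -> None:
        v = self.vars[var]
        if v.access != "rw":
            raise PermissionError(f"{self.name}.{var} is read-only")
        v.value = value
        v.on_set(value)                             # reconfiguration as a side effect of Set
        self.notify(var, value)

    def call(self, var: str, arg: Any) -> Any:
        """Set followed by Get: the slide's way of expressing a function call."""
        self.set(var, arg)
        return self.get(var)

    def notify(self, var: str, value: Any) -> None:
        for listener in self.listeners:             # asynchronous in a real deployment
            listener(self.name, var, value)

class ApplicationAgent:
    """Per-application code: delegates to component agents, same protocol upward."""
    def __init__(self, name: str, components: List[ComponentAgent]):
        self.name, self.components = name, components
        self.events: List[Tuple[str, str, Any]] = []
        for c in components:
            c.listeners.append(lambda src, var, val: self.events.append((src, var, val)))

    def describe(self) -> Dict[str, Dict[str, str]]:
        return {c.name: c.describe() for c in self.components}

    def get(self, var: str) -> Dict[str, Any]:
        return {c.name: c.get(var) for c in self.components}

    def set(self, var: str, value: Any) -> None:
        for c in self.components:                   # coordinated actuation across the application
            c.set(var, value)

    def call(self, var: str, arg: Any) -> Dict[str, Any]:
        self.set(var, arg)
        return self.get(var)

    def notify(self, var: str, value: Any) -> None:
        for c in self.components:
            c.notify(var, value)

APPLIED: List[str] = []                             # records which reconfiguration hooks ran

def email_client(name: str) -> ComponentAgent:
    """Constructed component: a mail client whose attachment handling is reconfigurable."""
    return ComponentAgent(name, {
        "attachmentsEnabled": Variable("rw", True, lambda v: APPLIED.append(f"{name}:{v}")),
        "version": Variable("ro", "1.0"),
    })

def disable_attachments_demo() -> Tuple[Dict[str, Any], Dict[str, Any], int, bool]:
    """Manager role: disable attachments on every client, then attempt a forbidden Set."""
    app = ApplicationAgent("mail-clients", [email_client(f"client-{i}") for i in range(3)])
    before = app.get("attachmentsEnabled")
    after = app.call("attachmentsEnabled", False)
    try:
        app.set("version", "2.0")                   # read-only: refused by the first component
        refused = False
    except PermissionError:
        refused = True
    return before, after, len(app.events), refused

if __name__ == "__main__":
    print(disable_attachments_demo())
```

Two points a practitioner would check here. First, the access mode in the description is enforced by the agent, not trusted from the caller, so a manager cannot reconfigure state the developer did not export as writable. Second, `ApplicationAgent.set` applies the change component by component and stops at the first refusal, so a partially applied reconfiguration is possible; a production agent would need either a pre-check of every description or a rollback path, which this example deliberately leaves out.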
Willow Architecture
Figure: an Admin. Workbench, Workflow Manager and Recovery FSMs drive Field Reconfiguration Controllers through Mediators (Mediator + Authority). A Depot holds Models, Agents and Components. Each Field Reconfiguration Controller manages Configured Components and Activated Systems (with their Models and Agents) over the standard reconfiguration interface, and a Notification Service carries events. Legend: reconfiguration control and/or data channel; event channel; application control and/or data channel; component activation; component deactivation; standard reconfiguration interface.
Example Component Based Application
Figure: a Manager drives an Application Agent, which controls an application made of many components (A), all under the Willow Field Reconfiguration Controller (FRC).
Benefits of this Architecture
General:
• The system is independent with respect to applications, operating systems, ...
• Component/Application Descriptions and the Management Protocol specification allow interoperability with other management systems
Scalable:
• Agents can be composed hierarchically, e.g., treat a whole application as a "component"
• The Manager coordinates and uses component-level agents to perform dynamic reconfiguration at the application level
Status
• Initial target application: Joint Battlespace Infosphere (JBI) tracking demonstration
• Disseminators (Siena publish/subscribe servers) now reconfigure using the standard interface
• Next target: all fuselets comprising our JBI tracking demonstration
• Prototype Manager and Application Agents implemented
• Next step: J2EE reconfiguration
Questions?