WDMS 2002 June 26 -- page 1
Middleware Policies for Intrusion Tolerance
Franklin Webber, Partha Pal, Chris Jones, Michael Atighetchi, and Paul Rubel
BBN Technologies
WDMS 2002 June 26 -- page 2
Outline
• Using middleware for defense against intrusions
• Defense mechanisms
• Parameterizing defense policies
WDMS 2002 June 26 -- page 5
An Abstract View
[Diagram labels: Attacker; Data Source; Data Processing (Fusion, Analysis, Storage, Forwarding, etc.); Data User]
WDMS 2002 June 26 -- page 6
Traditional Security
[Diagram labels: Attacker; Application; Private Resources; Limited Sharing; Trusted OSs and Network]
WDMS 2002 June 26 -- page 7
Most OSs and Networks In Common Use Are Untrustworthy
[Diagram labels: Attacker; Application; Private Resources; Limited Sharing; OSs and Network]
WDMS 2002 June 26 -- page 8
Cryptographic Techniques Can Block (Most) Direct Access to Application
[Diagram labels: Attacker; Application; Private Resources; Limited Sharing; Crypto; OSs and Network]
WDMS 2002 June 26 -- page 9
Firewalls Block Some Attacks; Intrusion Detectors Notice Others
[Diagram labels: Attacker; Application; Crypto; OSs and Network; IDSs; Firewalls; Raw Resources (CPU, bandwidth, files...)]
WDMS 2002 June 26 -- page 10
Defense-Enabled Application Competes With Attacker for Control of Resources
[Diagram labels: Attacker; Application; Crypto; Middleware for QoS and Resource Management; OSs and Network; IDSs; Firewalls; Raw Resources (CPU, bandwidth, files...)]
WDMS 2002 June 26 -- page 11
QuO Adaptive Middleware Technology
QuO is BBN-developed middleware that provides:
• interfaces to property managers, each of which monitors and controls an aspect of the Quality of Service (QoS) offered by an application;
• specifications of the application’s normal and alternate operating conditions and how QoS should depend on these conditions.
QuO has integrated managers for several properties:
• dependability
• communication bandwidth
• real-time processing (using TAO from UC Irvine/WUStL)
• security (using OODTE access control from NAI)
WDMS 2002 June 26 -- page 12
QuO adds specification, measurement, and adaptation into the distributed object model
[Diagram: two panels. "CORBA DOC MODEL": Application Developer and Mechanism Developer roles; client, object reference, operation() with in args and out args + return value, IDL stubs, ORB, IIOP over the network, object adapter, IDL skeleton, object (servant). "QUO/CORBA DOC MODEL": the same path with Delegate, Contract, SysCond objects and a Mechanism/Property Manager added, plus a QuO Developer role.]
WDMS 2002 June 26 -- page 13
The QuO Toolkit Supports Building Adaptive Apps or Adding Adaptation to Existing Apps
[Diagram labels: QoS Adaptivity Specification; CORBA IDL; QuO Code Generator; Middleware for QoS and Resource Management]
WDMS 2002 June 26 -- page 14
Implementing Defenses in Middleware
• for simplicity:
– QoS concerns separated from functionality of application.
– Better software engineering.
• for practicality:
– Requiring secure, reliable OS and network support is not currently cost-effective.
– Middleware defenses will augment, not replace, defense mechanisms available in lower system layers.
• for uniformity:
– Advanced middleware such as QuO provides a systematic way to integrate defense mechanisms.
– Middleware can hide peculiarities of different platforms.
• for reusability:
– Middleware can support a wide variety of applications.
WDMS 2002 June 26 -- page 15
Security Domains Limit the Damage From A Single Intrusion
[Diagram labels: hacked domain; domain; host; router]
WDMS 2002 June 26 -- page 16
Replication Management Can Replace Killed Processes
[Diagram labels: hacked domain; domain; host; router; application component replicas; QuO replica management]
WDMS 2002 June 26 -- page 17
Bandwidth Management Can Counter Flooding Between Routers
[Diagram labels: hacked domain; domain; host; router; QuO bandwidth management; RSVP reservation or packet-filtered link]
WDMS 2002 June 26 -- page 18
Other Defensive Adaptations
• Dynamically configure firewalls to block traffic
• Dynamically configure routers to limit traffic
• Dynamically change communication ports
• Dynamically change communication protocols
WDMS 2002 June 26 -- page 19
Defense Strategy
• Use QuO middleware to coordinate all available defense mechanisms in a coherent strategy.
• Our best current strategy has two parts:
– “outrun”: move application component replicas off bad hosts and on to good ones
– “contain”: quarantine bad hosts and bad LANs by limiting or blocking network traffic from them and, within limits, shutting them down
WDMS 2002 June 26 -- page 20
Policy Issues for ‘Outrunning’
• Where should new replicas be placed?
– Always in new security domain?
– Always on a new host?
– Unpredictably?
• Should number of replicas change under attack?
– Increase for protection against stealth?
– Decrease for more rapid response?
WDMS 2002 June 26 -- page 21
Policy Issues for ‘Containment’
• Should quarantine be used?
– Or rely only on self-shutdown based on local sensors?
• When is a domain, LAN, or host judged bad?
– Depends on source of warning?
– Depends on repeated warnings?
– Depends on combination of warnings?
• Is agreement necessary before quarantine?
– Yes: local decisions are easier to spoof
– No: global decisions are impeded by flooding
WDMS 2002 June 26 -- page 22
Avoiding Self-Denial-of-Service
• How to prevent attacker from spoofing defense into quarantining all security domains?
– Limit number or fraction of quarantined domains?
– Limit rate of quarantining?
– Allow later reintegration of quarantined domains?
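
The containment and self-denial-of-service questions above can be read as policy parameters. The following Python code is an added example, not QuO code and not from the original slides: the class names, thresholds, decision strings and warning stream are all assumptions. It requires warnings from distinct sources before judging a domain bad, and caps both the fraction and the rate of quarantines so that spoofed warnings cannot isolate every domain.

```python
from collections import defaultdict
from dataclasses import dataclass

@dataclass
class QuarantinePolicy:               # hypothetical knobs, not QuO's API
    min_sources: int = 2              # distinct warning sources required
    max_fraction: float = 0.5         # cap on fraction of domains quarantined
    min_interval: float = 30.0        # seconds between quarantines (rate limit)
    reintegrate_after: float = 300.0  # quiet seconds before readmission

class ContainmentManager:
    def __init__(self, domains, policy):
        self.domains, self.policy = set(domains), policy
        self.warnings = defaultdict(set)   # domain -> sources that warned
        self.quarantined = {}              # domain -> time of last warning
        self.last_quarantine = float("-inf")

    def warn(self, domain, source, now):
        """Record one warning and return the decision for that domain."""
        for d, t in list(self.quarantined.items()):   # reintegration pass
            if now - t >= self.policy.reintegrate_after:
                del self.quarantined[d]
        if domain not in self.domains:
            return "ignored"
        if domain in self.quarantined:
            self.quarantined[domain] = now   # new warning restarts quiet period
            return "already-quarantined"
        self.warnings[domain].add(source)
        if len(self.warnings[domain]) < self.policy.min_sources:
            return "watch"
        if (len(self.quarantined) + 1) / len(self.domains) > self.policy.max_fraction:
            return "refused-fraction-cap"
        if now - self.last_quarantine < self.policy.min_interval:
            return "refused-rate-limit"
        self.quarantined[domain] = self.last_quarantine = now
        del self.warnings[domain]
        return "quarantined"

# Constructed warning stream: (domain, source, time in seconds).
EVENTS = [("A", "ids", 0), ("A", "ids", 1), ("A", "peer", 2),
          ("B", "ids", 3), ("B", "peer", 4), ("B", "peer", 40),
          ("C", "ids", 50), ("C", "peer", 80), ("A", "ids", 320)]

def replay(events=EVENTS, domains=("A", "B", "C", "D")):
    mgr = ContainmentManager(domains, QuarantinePolicy())
    return [mgr.warn(d, s, t) for d, s, t in events], sorted(mgr.quarantined)

if __name__ == "__main__":
    print(replay())
```

Tightening `max_fraction` and `min_interval` makes the defense harder to turn against itself but slower to contain a real multi-domain intrusion, which is the trade-off the slides raise.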