TRANSCRIPT
1
INTRUSION TOLERANT SYSTEMS WORKSHOP
Williamsburg, Virginia
5 - 6 October 1999
Jaynarayan H. Lala, ITS Program Manager
Information Systems Office
2
ITS WORKSHOP AGENDA (1 of 2)
Tuesday 8:00 - 12:30 PRESENTATIONS
Workshop Goals, DARPA IA&S & ITS Programs - J. Lala
Intrusion Detection State-of-the-Art & Challenges - R. Maxion
ABFT & Other Error Detection Techniques - J. Abraham
Security & Fault Tolerance Perspectives - J. Rushby
Mission & Safety-Critical Architectures - L. Alger
Threats to Information Systems - D. Faatz
Abstractions for Building Fault-Tolerant Distr. S/W - R. Schlichting
Attack / Intrusion Tolerance - D. Powell
State Restoration - D. Siewiorek
DICOTS and Stackguard - C. Landwehr
3
ITS WORKSHOP AGENDA (2 of 2)
Tue 1:30 - 4:30 Working Group Sessions
Tue 4:30 - 5:30 Working Group Preliminary Reports
Wed 8:00 - 11:30 Working Group Sessions
Wed 11:30 - 12:30 Working Group Final Reports
4
PRESENTATION OUTLINE
Workshop Goals
DARPA’s Information Assurance & Survivability Programs Overview
Intrusion Tolerant Systems Program Overview
Bridging Fault Tolerance & Intrusion/Attack Tolerance
5
WORKSHOP GOALS
Bring together experts from dependable computing / fault tolerant domain and security domain to exchange ideas that might benefit ITS program
Several prior attempts at exploring applicability of fault tolerance technology to information assurance problems
Matching solutions from one domain to problems from the other domain has not been a successful endeavor
One possible reason: both disciplines are very broad
6
WORKSHOP FOCUS
Current workshop is very narrowly focused on the applicability of fault tolerance techniques designed for accidental and (unintentional) design faults to a certain subset of information assurance (availability & integrity) with respect to intentional faults and attacks
Specifically, use of redundancy, in all its forms, for detecting abnormal behavior and tolerating intentional faults and attacks
Workshop focus is NOT on reconciling terminology of the two communities or solving fault tolerance problems.
7
INFORMATION ASSURANCE & SURVIVABILITY (IA&S) PROGRAMS OVERVIEW
Jay Lala, Douglas Maughan, Cathy McCollum, Sami Saydjari, Mike Skroch, Brian Witten
Project Managers, Information Systems & Technology Offices
[Figure: Attacks, countered by Prevention, Detection and Tolerance]
8
Challenging questions: Commander’s attack triage questions
Am I under attack?
What is the nature of the attack? Class, mechanism, from where?
What is mission impact? Urgency, damage assessment & control, initial response
When did attack start? Follow-on damage assessment, what have I done wrong?
Who is attacking? What are they trying to do, what is their next step?
What can I do about it? Course of action analysis, collateral damage risk, reversibility of action
Can I survive the attack? Long term solution
Currently, we are Blind and Powerless at all echelons
9
Information Assurance Science & Engineering
[Figure: map of the DARPA Information Assurance & Survivability programs; labels as recovered:]
Defensive Mechanisms
Strategic cyber defense - a map history
Information Assurance Base Program - Composable Trust
Trustworthy Systems
Science & Engineering Tools
NSA Crypto
Cyber Command & Control
Cyber Situation Awareness
Cyber Defense Strategy
Cyber Sensors & Exploitation
Information Survivability
Survivable Dynamic Coalitions
Intrusion Tolerant Systems & Networks
Strategic Intrusion Assessment
Autonomic Information Assurance
10
Information Assurance & Survivability Overview
[Figure: program timeline 1999 - 2005 with tracks Science, Command & Control, Action Fabric]
11
Autonomic Information Assurance (AIA)
Control systems for directing adaptive defense
Modeling is imperative
[Figure: control-loop diagram with elements Attack, System, Actuators, Algorithms, Correction Function, State Estimation, State Projection, Multidimensional Policy, Policy Specification, Policy Projection]
12
Cyber Command and Control (CC2)
[Figure: Networks and Hosts; Applications and Information; Decisions; Kinetic actions]
Information is the foundation on which we fight, yet...
We are BLIND to the information situation
We are POWERLESS to defend it
Develop effective IA visualization frameworks
Model information flow and mission dependencies
Assess damage to own information and functions
Fuse external situation and system state information
Identify information gaps and task cyber sensors
Infer and project adversary intent
Develop mission-based utility models
Construct IA tactics and strategies from mechanisms
Isolate new attack mechanisms and create countermeasures
Determine possible plans and game out against adversary moves
Model IA behavior with adaptive and autonomous elements
Execute courses of action conditioned on monitoring of outcomes
13
Strategic Intrusion Assessment (SIA)
Detector Coordination
Build on CIDF to allow sharing of events and analysis
Exploit global information at local detector
Filter false alarms, focus local detection
Correlation & Inference
Algorithms to correlate and analyze sensor information
Automated planning techniques to track attack
Hypothesize adversary goals and predict actions
Attack Forensics Damage Determination
Exploit automated learning techniques for damage assessment
Evidence Collection
Goal: Discern and assess coordinated attacks from analysis of observed/reported activities, enabling response at appropriate level - autonomic or human command & control - through:
International/Allied Reporting Centers
National Reporting Centers
DoD Reporting Centers
Regional Reporting Centers (CERTs)
Organizational Security Centers
Local Intrusion Detectors
14
IA Science & Engineering Tools (IASET)
Problem area definition
Math & models
• new ways to calculate and model IA relationships
• model where no closed solution
• logic, reasoning, IA bounds
• need decision points, transformations, visualizations
Cyberscience
• IA equivalents to physics, geometry, biology, etc.
• consider convergence of existing sciences to develop new
• information theory, risk analysis, attack graphs, causality
IA metrics
• for design, assessment, operations, test
• no process for creating IA metrics, methods for using them
• no unified understanding, no consistent measures for design
We don’t understand the science of IA in systems.
Approach
Math & models
• primarily utilize metrics & cyberscience discoveries
• develop cyber-real space transforms for AIA & CC2
• e.g., develop stochastic model for worm behavior on network
Cyberscience
• survey existing related IA research
• identify candidate dark spaces in IA; apply existing science
• e.g., trust modeling could use majority encryption techniques
IA metrics
• create IA metric ontology
• create methodology for generating and using IA metrics
• generate benchmarks for qualitative metric comparison
• hold experiments to validate
15
IA Science & Engineering Tools (IASET)
Problem area definition
Common environment
• to model system and implicit IA knowledge of designers
• maintain and distribute wisdom gained - don’t repeat mistakes
• change fundamental approach to IA design and assessment
Methods
• create science-based, reliable ways to approach IA design and assessment
• develop, demonstrate, utilize IA measures, risk, red teaming, IA specification and testing
Tools
• identify and develop “IA CAD” software (databases, models, taxonomies, etc.)
• capture and apply wisdom
• make CAD for trust, complexity issues, composition rules
We don’t know how to design and assess IA in systems.
Approach
Common environment
• publish IA design/assess high-level ontology & methodology
• identify then select mechanics for software integration platform
• demonstrate environment with real programs, DARPA & others
Methods
• survey existing tools, adopt complete methods, adapt others
• combine in self-consistent library of methods for IA
• experiment to validate; modify to improve; transition to users
Tools
• identify existing tools, make science-based
• create common ontology for interaction between tools
• e.g., risk assessment cost trade off to help make decisions
16
INTRUSION TOLERANT SYSTEMS PROGRAM OVERVIEW
17
BACKGROUND
So far, emphasis has been on making information systems secure by keeping intruders out.
Confidentiality and integrity have been achieved by encrypting critical information and limiting access to it only to authenticated users.
Trusted computing bases, highly classified limited access networks, boundary controllers, in conjunction with physical security, have met the security needs of a relatively small community of highly sensitive users.
18
BACKGROUND
Costs of these techniques, as measured in performance, functionality and affordability, have been high.
Commercial marketplace now dominated by COTS components: the control over the detailed design of hardware, software and architecture necessary to implement these techniques is no longer cost-effective.
19
INTRUSION TOLERANT SYSTEMS
Premise: Attacks will happen; some will be successful. Attacks may be coordinated across multiple sites.
Hypothesis: Attacks can be detected, contained, and tolerated, enabling continued correct progress of mission critical applications.
20
INTRUSION TOLERANT SYSTEMS
Programmatic/Technical Approach
Identify processing system and network vulnerabilities
Develop innovative technologies to solve well-defined portion of vulnerabilities
Apply systems engineering discipline rigorously
Borrow heavily from practices and principles used successfully to engineer fault tolerant computers for mission- and life-critical applications
Support DARPA’s Strategic Cyber Defense vision
Transition to commercial practice
21
INTRUSION TOLERANT SYSTEMS
Definition: An intrusion tolerant system is one that can continue to function correctly and provide the intended services to the user in a timely manner even in the face of an attack.
Goal: To conceive, design, develop, implement, demonstrate, and validate tools and techniques that would allow fielding of intrusion tolerant systems.
22
DEPENDABILITY PROPERTIES*
Availability is the readiness for usage.
Reliability is the continuity of service.
Maintainability is the ease of performing maintenance actions.
Safety is the avoidance of catastrophic consequences on the environment.
Security is the prevention of unauthorized access (Confidentiality) and/or handling of information (Integrity).
* Dependability: Basic Concepts & Terminology, J.C. Laprie (Ed), Springer-Verlag, New York, 1992
23
INFORMATION ASSURANCE ATTRIBUTES*
Availability: Timely, reliable access to data and services
Integrity: No unauthorized modification (including destruction) of data
Identification & Authentication: Certainty of user or receiver identity and authorization to receive specific categories of information
Confidentiality: No unauthorized disclosure
Non-repudiation: Proof of message receipt and sender identification, so neither can deny having processed the data
* DoD Directive 12/9/96 S-3600.1 Subject: Information Operations
24
INFORMATION ASSURANCE*
Information Operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and non-repudiation.
This includes providing for restoration of information systems by incorporating protection, detection, and reaction capabilities.
* DoD Directive 12/9/96 S-3600.1 Subject: Information Operations
25
ITS PROGRAM EMPHASIS
Availability (Protection against Denial-of-Service Attacks)
Integrity
26
FAULT CLASSIFICATION: ITS SCOPE
[Table (grid of X marks): fault classes vs. classification dimensions]
Dimensions: Nature (Accidental Faults, Intentional Faults); Origin - Phenomenological Cause (Physical Faults, Human-made Faults), System Boundaries (Internal Faults, External Faults), Phase of Creation (Design Faults, Operational Faults); Persistence (Permanent Faults, Temporary Faults)
Usual Labelling (rows): Physical Faults, Transient Faults, Intermittent Faults, Design Faults, Interaction Faults, Malicious Logic, Intrusions
27
ITS TECHNICAL APPROACHES: CURRENT PROJECTS
Eleven projects that span formal methods to sand-boxing techniques
Proof Carrying Code
Execution Time Monitors: Wrappers, Software Insertion
Fragmentation & Encoding
Watermarks
28
CURRENT PROJECTS
NO. | PROJECT TITLE | PRINCIPAL INVESTIGATOR | PERFORMING ORG.
1 | Semantic Data Integrity | D. Rosenthal | Odyssey Research Assoc.
2 | Sandboxing Mobile Code Execution Environments | A. Ghosh | Reliable Software Technologies Corp.
3 | Containment and Integrity for Mobile Code | F. Schneider | Cornell Univ.
4 | FOUR-A - Agent Adaptation and Assurance | W. Scherlis | Carnegie Mellon Univ.
5 | Integrity Through Mediated Interfaces | R. Balzer | USC Information Sciences Institute
6 | Agile Objects - Component-Based Inherent Survivability | A. Chien | UC San Diego
7 | A Distributed Framework for Perpetually Available and Secure Information Systems | P. Khosla | Carnegie Mellon Univ.
8 | New Approaches to Mobile Code: Reconciling Execution Efficiency with Provable Security | M. Franz | UC Irvine
9 | Scaling Proof-Carrying Code to Production Compilers and Security Policies | A. Appel | Princeton Univ.
10 | A Binary Agent Technology for COTS Software Integrity | A. Agarwal | InCert Software Corp.
11 | Secure Execution of Mobile Programs | R. Pandey | UC Davis
29
TAXONOMY OF CURRENT PROJECTS
Columns: Fault Detection and Recovery | Fault Isolation | Fault Prevention | Fault Avoidance
Mobile Code Misbehavior (Integrity, Denial of Service): Embedded Execution Monitoring & RearGuard (Schneider & Myers, Cornell) | Sandboxing Execution Env. (Ghosh, RST); Code Interposition (Pandey, UCD) | Proof-Carrying Code (Appel, Felton, & Shao); Embedded execution monitoring (Schneider & Myers, Cornell) | Graph-based program encoding (Franz, UCI); Four-A code transformation (Scherlis, CMU)
Binary Code Misbehavior (Integrity, Denial of Service): Binary code transformation (Agarwal & Schooler, InCert)
Data Integrity: Watermarking (Rosenthal, ORA); Mediated Interfaces (Balzer, ISI)
Denial of Service: PASIS - server and data redundancy (Khosla & Kiliccote, CMU); Agile Objects (Chien, UCSD & Liu, UI)
30
BRIDGING FAULT TOLERANCE & INTRUSION / ATTACK TOLERANCE
31
PARALLELS TO FAULT TOLERANCE
Many of the functions that must be performed to tolerate intentional faults/attacks are the same as those required to tolerate accidental faults.
Many hard problems have been solved in the design, development and implementation of these functions.
32
FAULT TOLERANCE-SECURITY: KNOWLEDGE EXCHANGE
Security community should become aware of the required functions and techniques as well as the problems posed and solutions discovered.
Fault tolerance community should become familiar with the types of intentional faults/attacks to which information infrastructure is vulnerable so as to adapt solutions to security domain.
33
EXAMPLES OF FAULT TOLERANCE FUNCTIONS & TECHNIQUES
34
FAULT TOLERANCE FUNCTIONS: EXAMPLES
Error/Damage Confinement
Error Detection*
Error Isolation / Identification
Error Masking
Fail-Silent
Fail-Stop
Graceful Degradation
State Restoration*
Reconfiguration
Repair / Replacement
35
ERROR DETECTION / ISOLATION
Hardware Self-Tests / Software Check-Sums
Algorithm Based Fault Tolerance
Value Domain Checks
Time Domain Checks
Heartbeat Monitors
Redundant Computation & Comparison
Self-Checking Pair
Temporal Redundancy
Analytical Redundancy
Design Diverse Redundancy
...
36
STATE RESTORATION
Check-Point / Rollback
Roll-Forward
Switch to Backup: Hot, warm, cold
Majority Vote Restore
Repair / Replace & Restart
Software Rejuvenation
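Added illustration, not part of the workshop slides, of how several of the error detection and state restoration functions listed on the preceding slides fit together when the "fault" is a tampered replica: redundant computation and comparison, majority-vote error detection and isolation, error masking, fail-stop when no majority exists (the self-checking-pair case), and majority-vote state restore. The toy account-balance service, the replica names and the tampering step are all constructed for this example.

```python
from collections import Counter
from copy import deepcopy


class Replica:
    """One redundant copy of a toy account-balance service (constructed example)."""
    def __init__(self, name):
        self.name, self.state = name, {}

    def apply(self, op):
        """Apply ("credit" | "debit", account, amount) and return the new balance."""
        kind, acct, amt = op
        bal = self.state.get(acct, 0)
        self.state[acct] = bal + amt if kind == "credit" else bal - amt
        return self.state[acct]


class VotedService:
    """Runs each operation on all replicas and majority-votes the results."""
    def __init__(self, replicas):
        self.replicas = list(replicas)

    def execute(self, op):
        # Redundant computation & comparison: the same input goes to every replica.
        results = {r.name: r.apply(op) for r in self.replicas}
        value, votes = Counter(results.values()).most_common(1)[0]
        if 2 * votes <= len(self.replicas):
            # No majority: the error cannot be masked, so fail-stop instead of guessing.
            raise RuntimeError(f"no majority for {op}: {results}")
        # Error detection / isolation: any replica disagreeing with the majority.
        deviants = [r.name for r in self.replicas if results[r.name] != value]
        good = next(r for r in self.replicas if results[r.name] == value)
        for r in self.replicas:
            if r.name in deviants:
                # Majority-vote restore: overwrite the isolated replica's state with
                # a copy taken from a replica that agreed with the majority.
                r.state = deepcopy(good.state)
        return value, deviants  # the majority value masks the error for the caller


def demo():
    """Three replicas, one tampered: detect, mask, restore, then agree again."""
    svc = VotedService(Replica(n) for n in "ABC")
    svc.execute(("credit", "acct-1", 100))         # every replica now holds 100
    svc.replicas[2].state["acct-1"] += 500          # simulated tampering: C holds 600
    v1, d1 = svc.execute(("debit", "acct-1", 30))   # A, B -> 70; C -> 570: C isolated
    v2, d2 = svc.execute(("debit", "acct-1", 20))   # C restored, all replicas -> 50
    return v1, d1, v2, d2
```

With only two replicas the voter degenerates into a self-checking pair: a disagreement is detected but cannot be masked, so the service fail-stops.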
37
CHALLENGES
What fault tolerance functions are relevant to intrusion / attack tolerance? What additional functions must be performed by ITS?
Can FT techniques be adapted to intrusion/attack tolerance? If yes, how? If not, what innovative techniques are necessary to tolerate attacks /intrusions?
What additional vulnerabilities do these techniques introduce that can be exploited by attackers?
How to counter these additional vulnerabilities?