DSN 2002 June 24 -- page 1 BBN, UIUC, Boeing, and UM
Intrusion Tolerance by Unpredictable Adaptation (ITUA)
Franklin Webber, BBN Technologies
• Partha Pal (PI)
• Michael Atighetchi
• Chris Jones
• Paul Rubel
• Franklin Webber
• Idit Keidar (MIT/Technion)
• Bill Sanders
• Tod Courtney
• Vishu Gupta
• James Lyons
• Hari Ramasamy
• Mouna Seri
• Sankalp Singh
• Jeanna Gossett
• Michel Cukier
• Anil Sharma
Outline
• Technology Description
• Assumptions
• Attack and Defense Scenario
• Results
Application-Level Intrusion Tolerance
Ability to operate through attacks
• adaptive middleware to coordinate defense and manage resources
• crypto to block most direct attacks on application
• attacks exploit security weaknesses in the environment
[Figure: layered diagram showing the Application and the Attacker, Raw Resources (CPU, bandwidth, files...), Crypto, OSs and Network, IDSs, Firewalls, and Middleware for QoS and Resource Management.]
ITUA Approach
• Security domains
  – privilege in one domain not easily transferred to another
• Multiple defense mechanisms
  – replication across security domains with decentralized management
  – dynamic firewalls
  – intrusion detection
• Defense strategy (policy) to coordinate mechanisms
• Range of adaptive response
  – rapid local reaction
  – global coordinated adaptation
Basic ITUA Architecture
[Figure: six security domains, each containing a manager, IDSs, a firewall, and one or more replicas; the managers across domains form a manager group and the replicas form a replica group.]
ITUA Group Communication System
• Byzantine intrusion-tolerant process-group abstraction
  – group membership
  – reliable delivery
  – total ordering
• Implemented by modifying crash-tolerant C-Ensemble
  – removing implicit trust assumptions
  – authentication by public-key crypto
  – new microprotocol layers
Assumptions
• Cryptographic keys and algorithms cannot be broken;
• Some communication links may be broken, but the network is not systematically flooded;
• Diversity in OSs and networks prevents concurrent infiltration of every security domain and guarantees, at worst, a maximum infiltration rate;
• Intrusion detectors have a decent chance of detecting any infiltration of a security domain;
• The application and ITUA implementation have no exploitable flaws (but any property of the ITUA design may be exploited!).
Scenario: The Attack
• Attacker gains privileges by exploiting known OS and network vulnerabilities
  – may have privileges initially if insider
  – stealth preferred
• Attacker uses “root” (or comparable) privilege to corrupt running application processes
  – preferably, malicious behavior to be triggered later
  – platform-specific modification of process
  – other corruption would be detected immediately
Scenario: The Defense
• Defense eventually detects attacker
  – by intrusion detector
  – by incorrect process behavior
• Defense adapts
  – killing bad application replicas
  – quarantining apparently bad security domains
  – starting new replicas in apparently good domains
• Adaptive response is made unpredictable for the attacker
  – varying detection thresholds
  – varying response times
  – varying new replica placement
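The adaptive response on this slide (kill bad replicas, quarantine apparently bad domains, restart replicas in apparently good ones, with the detection threshold, the response delay and the placement all randomized), as an added toy simulation written for this page; it is not ITUA's own code. The `Domain` and `AdaptiveDefense` classes, the quarantine rule (a domain is quarantined when it hosted a misbehaving replica or its IDS alert count reaches the freshly drawn threshold) and the five-domain sample scenario are assumptions chosen for the illustration:

```python
"""Toy model of the randomized adaptive response on this slide.  Added for
this page; not ITUA code.  Class names, the quarantine rule and the sample
domains are assumptions chosen for the illustration."""
import random
from dataclasses import dataclass, field


@dataclass
class Domain:
    """One security domain: the replica ids it hosts and IDS alerts seen."""
    name: str
    replicas: set = field(default_factory=set)
    alerts: int = 0
    quarantined: bool = False


class AdaptiveDefense:
    """Replica manager: kills bad replicas, quarantines suspect domains and
    restarts replicas elsewhere.  Threshold, delay and placement are drawn
    from an RNG so the attacker cannot predict the response."""

    def __init__(self, domains, target_replicas, rng,
                 threshold_range=(2, 4), delay_range=(0.5, 3.0)):
        self.domains = {d.name: d for d in domains}
        self.target = target_replicas
        self.rng = rng
        self.threshold_range = threshold_range
        self.delay_range = delay_range
        used = {r for d in domains for r in d.replicas}
        self.next_id = max(used, default=0) + 1

    def good_domains(self):
        return [d for d in self.domains.values() if not d.quarantined]

    def live_replicas(self):
        return {r for d in self.domains.values() for r in d.replicas}

    def respond(self, misbehaving):
        """React to `misbehaving`, the set of replica ids whose output
        disagreed with the group.  Returns the list of actions taken."""
        log = []
        # A fresh detection threshold per decision: with a fixed threshold an
        # attacker could keep the alert count just below it.
        threshold = self.rng.randint(*self.threshold_range)
        # A fresh response delay (seconds) so follow-up attacks cannot be timed.
        delay = round(self.rng.uniform(*self.delay_range), 2)
        log.append(("policy", threshold, delay))

        for d in self.domains.values():
            if d.quarantined:
                continue
            if d.replicas & misbehaving or d.alerts >= threshold:
                # Corrupting a process needs root in that domain (Attack slide),
                # so treat every replica hosted there as suspect and kill it.
                d.quarantined = True
                for rid in sorted(d.replicas):
                    log.append(("kill", rid, d.name))
                d.replicas.clear()

        # Restart replicas in apparently good domains, chosen at random so the
        # attacker cannot predict where the application moves.
        good = self.good_domains()
        while len(self.live_replicas()) < self.target and good:
            chosen = self.rng.choice(good)
            chosen.replicas.add(self.next_id)
            log.append(("start", self.next_id, chosen.name, delay))
            self.next_id += 1
        if len(self.live_replicas()) < self.target:
            # Every domain is quarantined: run degraded rather than restart
            # into a domain the attacker apparently holds.
            log.append(("degraded", len(self.live_replicas())))
        log.append(("notify_admins", sorted(d.name for d in self.domains.values()
                                            if d.quarantined)))
        return log


def sample_scenario(seed):
    """Constructed input: five domains, four replicas, replica 2 in domain B
    caught misbehaving, and a burst of five IDS alerts in domain E."""
    domains = [Domain("A", {1}), Domain("B", {2}), Domain("C", {3}),
               Domain("D", {4}), Domain("E", alerts=5)]
    defense = AdaptiveDefense(domains, target_replicas=4,
                              rng=random.Random(seed))
    return defense, defense.respond(misbehaving={2})


def placements(seed):
    """Domains that received replacement replicas, in start order."""
    _, log = sample_scenario(seed)
    return tuple(entry[2] for entry in log if entry[0] == "start")


if __name__ == "__main__":
    for seed in range(3):
        defense, log = sample_scenario(seed)
        print(f"seed {seed}: {log}")
    print("distinct placements over 20 seeds:",
          sorted({placements(s) for s in range(20)}))
```

Running the script prints the action log for three seeds: B (hosted the misbehaving replica) and E (alert burst) are quarantined, replica 2 is killed, and the single replacement lands in A, C or D depending on the seed. The per-decision threshold and delay are what "unpredictable" buys: an attacker who learned a fixed threshold could hold the alert count just below it, and one who learned a fixed placement rule could pre-position in the domain the application will move to next.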
Scenario: The Outcome
• Application has been moved away from the attack
  – some resources now unavailable
• Defenses are in higher state of alertness
  – possibly reduced application performance
• System administrators have been notified of attack
Results -- Prototypes
• Prototype of application-level defense prior to ITUA
  – “Applications that Participate in their Own Defense (APOD)”
  – tolerates only crash failures
  – no use of unpredictability
• Prototype of ITUA design
  – used to defend existing military software components: “Insertion of Embedded Infosphere Support Technologies (IEIST)” (shown at DARPA PI meeting)
  – DARPA Tech 2002 (upcoming)
Results -- Experiments
• An image-server application defended with the APOD prototype was subjected to Red Team attack
  – Sandia Red Team
  – whiteboard analysis in late 2001
  – hands-on attack in early 2002
• Replication management with dynamic firewalls forced the Red Team to use complex and persistent attacks to deny service from the application, with some cost to the attacker in time and exposure.
• Corrupting any running application component to behave badly could have denied service, but the Red Team decided this attack was harder than others.
Summary
The ITUA defenses are designed to delay a broad range of attacks, completely surviving the undesirable effects of some of them:
– attacks that start with insider privileges
– attacks that gain privileges in stages, infiltrating new security domains
– attacks that corrupt running components maliciously.