DSN 2002 June 24 -- page 1 BBN, UIUC, Boeing, and UM

DARPAIntrusion Tolerance by Unpredictable

Adaptation (ITUA)

Franklin WebberBBN Technologies

• Partha Pal (PI)

• Michael Atighetchi

• Chris Jones

• Paul Rubel

• Franklin Webber

• Idit Keidar(MIT/Technion )

• Bill Sanders

• Tod Courtney

• Vishu Gupta

• James Lyons

• Hari Ramasamy

• Mouna Seri

• Sankalp Singh

• Jeanna Gossett

• Michel Cukier

• Anil Sharma

DSN 2002 June 24 -- page 2 BBN, UIUC, Boeing, and UM

DARPA Outline

• Technology Description• Assumptions• Attack and Defense Scenario• Results

DSN 2002 June 24 -- page 3 BBN, UIUC, Boeing, and UM

DARPA Application-Level Intrusion Tolerance

Ability to operate through attacks

• adaptive middleware to coordinate defense and manage resources• crypto to block most direct attacks on application• attacks exploit security weaknesses in the environment

ApplicationAttacker

Raw ResourcesCPU, bandwidth, files...

Crypto

OSs and Network IDSs Firewalls

Middleware for QoS andResource Management

ApplicationAttacker

Raw ResourcesCPU, bandwidth, files...

Crypto

OSs and Network IDSs Firewalls

Middleware for QoS andResource Management

DSN 2002 June 24 -- page 4 BBN, UIUC, Boeing, and UM

DARPA ITUA Approach

• Security domains– privilege in one domain not easily transferred to another

• Multiple defense mechanisms– replication across security domains with decentralized management– dynamic firewalls– intrusion detection

• Defense strategy (policy) to coordinate mechanisms• Range of adaptive response

– rapid local reaction– global coordinated adaptation

DSN 2002 June 24 -- page 5 BBN, UIUC, Boeing, and UM

DARPA Basic ITUA Architecture

manager

SecurityDomain

IDSs

Firewall

replica

replica

managermanagermanagermanagermanager

IDSsIDSsIDSsIDSsIDSs

Firewall

Firewall

Firewall

Firewall

Firewall

replicareplicareplicareplica

replicareplicareplica

replica replicareplicareplica

SecurityDomain

SecurityDomain

SecurityDomain

SecurityDomain

SecurityDomain

manager group

replica group

DSN 2002 June 24 -- page 6 BBN, UIUC, Boeing, and UM

DARPA ITUA Group Communication System

• Byzantine intrusion-tolerant process-group abstraction– group membership

– reliable delivery

– total ordering

• Implemented by modifying crash-tolerant C-Ensemble– removing implicit trust assumptions

– authentication by public-key crypto

– new microprotocol layers

DSN 2002 June 24 -- page 7 BBN, UIUC, Boeing, and UM

DARPA Assumptions

• Cryptographic keys and algorithms cannot be broken;• Some communication links may be broken, but the network is

not systematically flooded;• Diversity in OSs and networks prevent concurrent infiltration of

every security domain and guarantees, at worst, a maximum infiltration rate;

• Intrusion detectors have a decent chance of detecting any infiltration of a security domain;

• The application and ITUA implementation have no exploitable flaws (but any property of the ITUA design may be exploited!).

DSN 2002 June 24 -- page 8 BBN, UIUC, Boeing, and UM

DARPA Scenario: The Attack

• Attacker gains privileges by exploiting known OS and network vulnerabilities– may have privileges initially if insider

– stealth preferred

• Attacker uses “root” (or comparable) privilege to corrupt running application processes– preferably, malicious behavior to be triggered later

– platform-specific modification of process

– other corruption would be detected immediately

DSN 2002 June 24 -- page 9 BBN, UIUC, Boeing, and UM

DARPA Scenario: The Defense

• Defense eventually detects attacker– by intrusion detector– by incorrect process behavior

• Defense adapts– killing bad application replicas– quarantining apparently bad security domains– starting new replicas in apparently good domains

• Adaptive response is made unpredictable for the attacker– varying detection thresholds– varying response times– varying new replica placement

DSN 2002 June 24 -- page 10 BBN, UIUC, Boeing, and UM

DARPA Scenario: The Outcome

• Application has been moved away from the attack– some resources now unavailable

• Defenses are in higher state of alertness– possibly reduced application performance

• System administrators have been notified of attack

DSN 2002 June 24 -- page 11 BBN, UIUC, Boeing, and UM

DARPA Results -- Prototypes

• Prototype of application-level defense prior to ITUA– “Applications that Participate in their Own Defense (APOD)”

– tolerates only crash failures

– no use of unpredictability

• Prototype of ITUA design– used to defend existing military software components:

“Insertion of Embedded Infosphere Support Technologies (IEIST)” (shown at DARPA PI meeting)

– DARPA Tech 2002 (upcoming)

DSN 2002 June 24 -- page 12 BBN, UIUC, Boeing, and UM

DARPA Results -- Experiments

• An image-server application defended with the APOD prototype was subjected to Red Team attack– Sandia Red Team

– whiteboard analysis in late 2001

– hands-on attack in early 2002

• Replication management with dynamic firewalls forced the Red Team to use complex and persistent attacks to deny service from the application, with some cost to the attacker in time and exposure.

• Corrupting any running application component to behave badly could have denied service, but Red Team decided this attack was harder than others.

DSN 2002 June 24 -- page 13 BBN, UIUC, Boeing, and UM

DARPA Summary

The ITUA defenses are designed to delay a broad range of attacks, completely surviving the undesirable effects of some of them:– attacks that start with insider privileges

– attacks that gain privileges in stages, infiltrating new security domains

– attacks that corrupt running components maliciously.