A Comprehensive Approach for Intrusion ... - Tolerant Systems

Document Sample
A Comprehensive Approach for Intrusion ... - Tolerant Systems Powered By Docstoc
					                          DARPA BAA0015
                          Intrusion Tolerance



A Comprehensive Approach for Intrusion Tolerance
  Based on Intelligent Compensating Middleware



                                     Amjad Umar
                                    Farooq Anjum
                                       Rabih Zbib
                                   Abhrajit Ghosh
 Some Examples (from “Dark”)
 Situation: XML “Trade Languages” in many industry segments
  based on a common DTD. DTD is used to validate the information
  being exchanged between trading partners.
  – Threat: Someone modifies the DTD (or DTD parser) so that every
    transaction becomes invalid
 Situation: Pub/subscribe for Integration. Many organizations, such
  as JBI (Joint Battlespace Infosphere), are beginning to use
  publish/subscribe platforms.
  – Threat: someone damages/modifies the P/S channel
 Situation: components (EJBs, CORBA components) are being
  positioned to develop many applications. Vendors are providing EJBs
  for industry segments (Financial). Components are “dropped in” to
  containers that provide security, transaction etc.
  – Threat: someone contaminates container disabling industry segments
 Other examples:
  – “electronification” of supply chains
  – call agent for VOIP
                      JBI web site: http://www.sab.hg.af.mil/archives/index.html
                                                                         Doc Name – 2
Background and Scope
Motivated by
  – Army Fed Labs (ATIRP) -- Information distribution in battlefields
  – Ebusiness “Frontiers” - Extended enterprises, large scale integration
  – Telcommunications - OSSs, call agents
 Common problem: getting uniformity out of non-uniformity (same COTS
  from same supplier with different capabilities at different sites)
 What threats/attacks is your project considering
  – Focus on assault tolerance (“threat model”)
  – Vicious attack to damage/disable (attacks may be subtle)
  – Explore “dark points” (e.g., attacks on emerging COTS with heavy use)
 What assumptions does your project make
  – Very knowledgeable attacker (can infer what you are relying on to conduct
    operations)
  – Knows your weak points (e.g., middleware stack)
 What policies can your project enforce
  – Concentrate on “continue to operate as long as possible” and higher



                                                                            Doc Name – 3
           Applications are increasingly relying on layers of technologies


                                          Trading Hubs,
   MS Office     Web App     E-           Large collaborative
                             Purchasing   systems



                                  Higher Level
                                   Middleware (“Upperware”)
                                                                Intrusion
  Software
                                                                Tolerance
                            EC Middleware
Infrastructure

                       General Purpose Middleware

                 Operating Systems, DBMS,,

                             Network Services
                             (PSTN, IP, NGN,,)
                                                                     Doc Name – 4
             Sidebar: IT infrastructure needed to support Modern Apps (a Checklist)
NGE Specific (“Advanced”) Middleware
       Middleware to support mobility
       Collaborative computing software that spans multiple organizations
       Workflow and transaction management across multiple enterprises that cooperate in virtual operations
       Clearinghouse/Auctioning /electronic marketplaces support
       EC middleware such for advertising, browser / navigation, negotiation and trading, purchase and delivery,
       Invoicing/billing, payment and reconciliation, EDI, directories, catalogs,
       Gateways and interfaces of NGE with traditional systems (EAIs, ERPs)

Basic EC specific Middleware :
-       Catalogs
        EDI
        Transaction Management
-       Queued Messaging/Transactions
-       Transaction Services for Web Commerce
-       Object transaction services
-       Internet transaction services

Advanced General Purpose Middleware
-        Distributed Object Technologies (Java, CORBA, DCOM)
-        Message oriented middleware for wrappers
-        Workflow Management (simple, single organization)
-        Transaction Management (Transaction Services for Web Commerce, Object transaction services, Internet
transaction services)
-        Enterprise Application Integrators (EAI)
-        Wireless Middleware
-        Collaborative services support
-        Groupware
-        Additional security and management support
-        Remote Operation Infrastructure (CORBA/DCOM/RPC)

Basic General Purpose Middleware
-       File Transfer, Telnet
-       Messaging and Email services
-       Web services (HTML, XML, HTTP, Java Applets, Browsers and W3 Servers)
-       Remote Data Access Infrastructure (SQL/ODBC/JDBC) for accessing data
-       Remote processing access (e.g. Sun RPC, Sockets)
-       Basic security services (e.g. SSL)
-       Service Management Systems to support and manage the infrastructure

Network services
       VPN services
       Voice/data integration
       IP routers and Gateways
       Network segments LANs, MANS, WANS
       Network elements (Frame relay, ATM, DSL, Sonet,,)
                                                                                                            Doc Name – 5
Problem Statement and Approach
Intrusion tolerant systems must, as stated in the
  BAA00-15 PIP, be able to
    – maintain the integrity of application data and programs
    – assure high availability under information attacks
Our Approach: Attempt to address both issues
    a) For integrity of application data and programs, we attempt to
     provide
       capabilities to make the application programs and data intrusion
        tolerant.
       integrity of “behaviour of application” by assuring intrusion
        tolerance of middleware itself.
    b) For high availability, our focus is also on middleware since
     availability of network, hardware, and system software is
     discussed heavily elsewhere.
.

                                                                        Doc Name – 6
Reality Check: How To Introduce Intrusion
Tolerance in Middleware (any COTS)
Given:
    - a set of requirements R (e.g., intrusion/assault tolerance)
    - M middleware components are available (M > 200)
    - m middleware components (where m < M) that do not satisfy R

 Find the most practical approach to satisfy R
Possible approaches:
    • Extend the non-conforming m middleware components to
      satisfy R (not doable).
    • Imbed the functionality in the applications (not advisable).
    • Build completely new middleware M’ (not advisable).
    • * Build intelligent compensating middleware (ICM) that provides
      the missing functionality and interworks with m through an
      open API


                                                             Doc Name – 7
   Intelligent Compensating Middleware for
   Intrusion/Assault Tolerance (Detailed View)


                                                                         FRS
                                         Applications                    (Fragmentation,
 Operational                                                             Replication,
Knowledgebase                   ICM          B1                          scattering)
                       Scheduler                                   A1
                   C
Intrusion                             H-API            B2
                                                                  COTS
Triggers            IT Components       C
                                                                  Middleware
                    . R, F, S, A                          A2
                    . Encryption        L-API                               B3
            C
                                    A3, C

                                             Network Services
                •Arrows A1, A2, A3 indicate Path A (ICM as a lower level service)
                •Arrows B1, B2, B3 indicate Path B (ICM as a higher level service)
                •Arrow C indicates Path C (ICM invoked by intrusion triggers in random order)
                                                                                 Doc Name – 8
Policies (Specified in Operational
Knowledgebase)
Protection Policy (secrecy, IT)
                     No IT      R      FRS         FRSA
      No
      Encryption P-Policy 0 P-Policy 2  P-Policy 4 P-Policy 6
      Encryption P-Policy 1 P-Policy 3  P-Policy 5 P-Policy 7
                                                Compensation
   Protection policies can be described for
   •applications (by users or system administrators)
   •middleware also (by system administrators)
Recovery Policies to specify level of recovery from intrusions
   R-Policy 0     R-Policy 1    R-Policy 2   R-Policy 3    R-Policy 4
   Stop, send     Stop,          Continue      Continue    Continue
   message       reload,        to allow     as long as    under all
                 continue       shutdown     possible      conditions

     Recovery policies can be                      Compensation
     inferred from Protection Policies
     and vice versa
                                                                 Doc Name – 9
    An XML-CORBA Example
                                                                          Oracle
Applications                                          Server              Customer
               Client
                                                                         Information


                    IDL (XML)                  IDL (XML)


                                   CORBA Services                           XML
               •Basic services (finding and invoking objects)
Middleware                                                                  Support
               •Thread services (create and manage threads)
               •Object life cycle services (create, destroy objects)
               •Naming services (facilitate portable names)
               •Others: Event, Trading, transactions, Persistence,,

                                          P-Policy         R-Policy
                           App            6 (FRSA)         4(always)
                           CORBA          4 (FRS)          4(always)
                           XML            1(E)             2 (graceful
                                                           shut down)            Doc Name – 10
 ICM higher layer services
Purpose:
   Make application itself intrusion tolerant
   Level of intrusion tolerance is specified by protection policies
How will it work (example: FRSA specified) :
  – Startup: FRSA the application - data and DTD (one copy in
    highly secure site)
  – Normal runtime: keep updating FRSs (based on policy)
  – Under attack - indicated by triggers (recovery policy is
    “Continue under all conditions”):
     No damage to application ; no action required (pass to monitor)
     partly damaged - isolated (database destroyed, or DTD
      overwritten): use replicated database or DTD
     partly damaged but unpredictable or severely damaged - attempt
      to rebuild/reconstruct. Give up with messages to roll back, restart


                                                                     Doc Name – 11
ICM lower layer services
Purpose:
   Make COTS middleware intrusion tolerant
   Level of intrusion tolerance is specified by protection policies
How will it work (example: CORBA =FRS, XML =E specified) :
  – Startup: FRS the CORBA middleware, encrypt XML middleware
  – Normal runtime: keep updating FRSs of CORBA and verifying XML
  – Under attack - indicated by triggers (recovery policy is
    “Continue as long as possible” and “graceful shutdown”):
      No damage to middleware; no action required
      partly damaged - identified (directory destroyed): restore
       replicated directory
      partly damaged but unpredictable or severely damaged
       – for XML, send message, reload
       – for CORBA.
           Switch to another middleware (e.g., MOM) to continue operation
           ICM itself takes over completely in case of disasters (can
             send/receive info through an open API invoked through
             interceptors)
                                                                       Doc Name – 12
Operational Knowledgebase - Rules for operation
 Protection Startup                   Normal Runtime          Sample Intrusion
 Policy                                                       Recovery rules
 Policy 0   Nothing                   Nothing                 Stop, send a message

 Policy 1      Encryption             Verify for authorized   Stop, reload
                                      access
 Policy 2      Replicate              Update replicated       Switch to replicated
                                      copies                  copy
 Policy 3      Encrypt, replicate     Verify,                 Switch to replicated
                                      Update replicated       copy
                                      copies
 Policy 4      Fragment, replicate,   Maintain operational    Reconstruct from
               scatter                view of FRS             FRSd
 Policy 5      Encrypt, FRS           Verify, Maintain        Reconstruct from
                                      operational view of     FRSd
                                      FRS
 Policy 6      Fragment, replicate,   Maintain operational    Switch to another
               scatter, adapt         view of FRSA            middleware, if
                                                              possible
 Policy 7      Encrypt, Fragment,     Maintain operational    Switch to ICM as a
               replicate, scatter,    view of FRSA            fall-back middleware
               adapt
            Also contains what needs to be compensated where             Doc Name – 13
    Scheduler and Triggers
                           Scheduler:
                               – Invoked by the triggers (subscriber)
                               – consults the knowledgebase to determine what to do
                               – invokes high level for app
                               – invokes low level for middleware

                                                                    Operational
                                                                   Knowledgebase
      Publisher                                    Subscribers

   Intrusion Triggers               Intrusion
                                                       Scheduler       H-API
detect intrusions                  Channel
•publish intrusions as events
    • No damage                                      IT Components
    •Modified (isolated)                             . R, F, S, A
                                                     . Encryption      L-API
    •Modified (not isolated)
                                        No
    •Disaster
                                        damage
                                                 Admnistrator
                                                                          Doc Name – 14
Intrusion Tolerant Components




                      Redundancy
  Fragmentation                            Scattering

                                    Agents
      Others        Encryption
                                         Core-ICM
                                         Middleware

        Use the EJB (CORBA Component) type model
        “Intrusion Tolerant Container”
        Components dropped in the container

                                                        Doc Name – 15
Work Done So Far (since June 22)
  Task 1: Impact Analysis
   – Several cases gathered about various newer COTS and possible threats
  Task 2: Architecture Specification
   – Rough outline prepared
  Task 3: Software prototyping
   – A simple prototype working (inherited from Army)
   – Compensates/adjusts for wireless/wired networks and network congestions
   – Examining how to extend it
  Task 4: FRSA Evaluation
   – Quantify the level of intrusion tolerance achieved based on
       Degree of Fragmentation
       Degree of Redundancy
       Degree of Scattering
   – Collaboration between Agents to achieve the given level of intrusion tolerance
   – The combined effect of FRS schemes and cryptographic schemes
   – Analytical models to evaluate tradeoffs (
  Task 5: Operational Management (optional)
   – Some initial thoughts (from OSSs)


                                                                                      Doc Name – 16
D. Schedule of Milestones
               GFY 2000        GFY 2001             GFY2002              GFY 2003
               3Q   4Q    1Q   2Q   3Q    4Q   1Q   2Q   3Q   4Q   1Q   2Q   3Q     4Q
TASKS
Task 1
Impact
Analysis
Task 2
Architecture
Task 3
Software
Task 3-Opt
Task 4
Evaluation
Of FRSA
Task 5
(opt.)
Managemen
t



                                                                                         Doc Name – 17
Technology Transfer
 Publicize the results of the work in academic/industrial conferences
 Investigate the possibility of initiating an Intrusion Tolerance Task
  Force in OMG (we are already active members of the OMG Fault
  Tolerance Task Force)
 Work with DARPA to identify potential transition to military customers.
  In particular, Army Research Lab, JBI, National Security Agency and
  CECOM
 Leverage Telcordia’s industrial position to pursue the following
  avenues:
       Work with some vendors to introduce the results of our research directly
        into the future COTS middleware.
       Utilize the concepts and software produced by this research in building
        the future intrusion tolerant telecommunications operation support
        systems (OSSs).
 Build intrusion tolerance as a consulting offer that will promote the
  practice of intrusion tolerance.



                                                                            Doc Name – 18
Risks and Issues

 Difficult to keep up with emerging COTS (will have to be
  selective)
 May have to change direction of research somewhat due to
  industry evolution (not sure about DARPA process)
 Some spaces may be too dark for DARPA




                                                             Doc Name – 19
Conclusions
 Focus on :
  – Dependability from undependable COTS
  – Assault tolerance (“threat model”)
  – Explore “dark points” (e.g., attacks on emerging COTS with heavy
    use)
 Approach: intelligent compensation to introduce IT on
  – applications
  – middleware
 Main interest in building flexible architectures that can
  automatically adjust/compensate for missing functionalities in
  available COTS




                                                                 Doc Name – 20
 Backup stuff




                 Doc Name – 21
      Middleware



                            Application                                  Application

                          Middleware                                    Middleware

                          Network                                       Network

      Definition: MIDDLEWARE is a set of common business/industry-unaware services
          enabling applications and end users to interact with each other across a network.
      It resides above the network and below the business-aware application software.
      Examples: email, Web, CORBA, distributed transaction processors, data replicators,
          workflow systems, collaborating systems
      More than 200 middleware packages (Gartner)




USWeb Professional Certification      Legacy Systems and the Web
                                                                                              Doc Name – 22
      Intelligent Compensating Middleware for
      Intrusion/Assault Tolerance (High Level View)


                                      Applications
 Operational
Knowledgebase                             B1
                               ICM                             A1
                 C
Intrusion            •Runs on trusted               B2
                                                               COTS
Triggers             machines
                                                               Middleware
                     • Compensation at               A3
     Publish         startup, normal runtime,                       B3   A2
     intrusion       intrusion recovery
     events

                                      Network Services
                     Intended for large scale systems
                     Different levels of compensation needed at different sites
                                                                            Doc Name – 23

				
DOCUMENT INFO
Shared By:
Categories:
Tags:
Stats:
views:0
posted:2/11/2013
language:English
pages:23