Intrusion Tolerance Based on Intelligent ... - Tolerant Systems

Oct 29, 2013 (3 years and 8 months ago)
Intrusion Tolerance Based on Intelligent Compensating Middleware

(July , 2001)

F. Anjum, A. Ghosh, G. DiCrescenzo, M. Rathi, A. Umar, R. Zbib

DARPA BAA0015

Intrusion Tolerance








Middleware

[Figure: layered view of applications and middleware. Labels: Network Services (e.g., TCP/IP); Basic Middleware (e.g., Web servers, CORBA, MOM); Special Purpose Middleware (e.g., wireless/VOIP/EC middleware); “Higher Level” Middleware (e.g., B2B workflow and supply chains); Middleware Platforms (e.g., J2EE, .Net, EAIs), also known as “app servers”; Basic Distributed Applications; Specialized Applications; Advanced Applications and Services (e.g., Extended enterprises)]

Goal: Make COTS Middleware Intrusion Tolerant

a) Make the middleware code, data, and messages intrusion tolerant
b) Plug-in generic IT functionality (FRS) into COTS middleware (interceptors)
c) Provide intrusion tolerance as a service to apps (API)


Technical Approach: Four Tasks

  Impact analysis
  FRS Algorithms
  ICM architecture
  Software

Assumptions

  Enterprise applications increasingly dependent on middleware stack
  Middleware is target for attacks (Code Red)
  Users can tolerate degraded performance in certain conditions
  A small subset of systems in the network are trustworthy


Task 2: FRS Algorithms

Assume we can estimate characteristics of computer systems
  Probability of Unavailability of a data fragment on a computer (u)
  Probability of Compromise of a data fragment on a computer (c)

Given this, algorithms should calculate
  How many fragments of a data item to make
  How many copies (replicas) of each fragment
  How should these fragment copies be distributed (scattered) amongst the computer systems given their characteristics


FRS metrics

Developed a metric to compare the different algorithms
  Intrusion Tolerance Metric
  $IM_{FRS} = f(u, c, F, R, S)$
  $IM_{FRS}$ shows probability of Unavailability of a data item plus probability of Compromise of a data item

Example:
  Machine outside firewall (c is high)
  Reduce c of a data item by using different FRS

Use proposed metric to design efficient FRS algorithms

Used simulations to study $IM_{FRS}$

Details in past and upcoming reports
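
One possible form of the metric, worked through as an added example (the slides do not give f, so this is not the project's formula or code): it assumes machines become unavailable and compromised independently, that all F fragments are needed to rebuild the data item, and that the two probabilities are simply summed. The class name, the placement array standing in for S, and the sample values of u and c are constructed for illustration.

```java
// Added illustration, not the project's code: one assumed form of IM_FRS = f(u, c, F, R, S).
public class FrsMetric {
    /** placement[j][k] = index of the machine holding copy k of fragment j (the scattering S). */
    static double unavailability(double[] u, int[][] placement) {
        double allFragmentsReachable = 1.0;
        for (int[] copies : placement) {
            double allCopiesDown = 1.0;              // a fragment is lost only if every copy is down
            for (int m : copies) allCopiesDown *= u[m];
            allFragmentsReachable *= 1.0 - allCopiesDown;
        }
        return 1.0 - allFragmentsReachable;          // the item is lost if any fragment is lost
    }

    static double compromise(double[] c, int[][] placement) {
        double allFragmentsLeaked = 1.0;
        for (int[] copies : placement) {
            double noCopyLeaked = 1.0;               // a fragment leaks if any one copy is compromised
            for (int m : copies) noCopyLeaked *= 1.0 - c[m];
            allFragmentsLeaked *= 1.0 - noCopyLeaked;
        }
        return allFragmentsLeaked;                   // the item leaks only if every fragment leaks
    }

    static double metric(double[] u, double[] c, int[][] placement) {
        return unavailability(u, placement) + compromise(c, placement);
    }

    public static void main(String[] args) {
        // Constructed sample values: machine 0 sits outside the firewall, so its c is high.
        double[] u = {0.05, 0.10, 0.10, 0.10};
        double[] c = {0.60, 0.05, 0.05, 0.05};
        String[] names = {"F=1,R=1", "F=1,R=2", "F=2,R=1", "F=2,R=2"};
        int[][][] schemes = {
            {{0}},              // whole item on the exposed machine
            {{0, 1}},           // replicate only: availability improves, exposure does not
            {{0}, {1}},         // fragment only: exposure improves, availability suffers
            {{0, 1}, {2, 3}}    // fragment and replicate, scattered over four machines
        };
        for (int i = 0; i < schemes.length; i++) {
            System.out.printf("%s  U=%.4f  C=%.4f  IM=%.4f%n", names[i],
                unavailability(u, schemes[i]), compromise(c, schemes[i]), metric(u, c, schemes[i]));
        }
    }
}
```

Under these assumptions replication alone and fragmentation alone each improve one term at the expense of the other, which is why F, R and S have to be chosen together against the per-machine u and c.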





Dynamic Intrusion Tolerance Schemes

Only static schemes considered so far in the literature
  FRS techniques developed in this and other projects
  Shamir’s secret sharing, Rabin’s information dispersal (Cryptographic)
  Fragments or shadows do not change servers even when server characteristics (u, c) change

Can we improve the system strength by dynamic schemes?
  Where fragments or shadows migrate over their lifetime
  Mobile software code then used to carry the fragments

Started Investigations in
  Novel dynamic notions of
    Secret sharing
    Information dispersal
  Construction of protocols for these two notions
  Construction of non-cryptographic FRS protocols
  Comparison of these two in a dynamic setting




Task 3-4: ICM Architecture

Make middleware intrusion tolerant: Lower level services to
  Adapt & plug-in new/alternate middleware dynamically (interceptors)
  Protect middleware by FRSing middleware data, code, messages

Make apps intrusion tolerant: High level services (API)
  Protect apps by FRSing app data, code, messages

Intrusion manager to invoke FRS services at Startup, Normal Run Time, Under attack

Apply to diverse middleware: CORBA, MOM, WAP, VOIP, EAI, COM+, SOAP, etc

Developed a prototype to demonstrate proof of concept (CORBA, MOM) for asynch/synch communications

Gained many insights about middleware services and what is missing (e.g., better interception)




Intelligent Compensating Middleware for Intrusion/Assault Tolerance (High Level View)

[Figure: high-level view of the ICM. Labels: Applications; COTS Middleware; Network Services; ICM (API); Intrusion Triggers; Adapters; FRS Routines (Persistent, Non-persistent); Normal; App IT; Middleware IT]

“ICM External Architecture”, Data Item: A002, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, March 2001.


Prototype

Developed a proof of concept prototype
  Generic approach for CORBA and MOM
  Developed generic FRS proxies that work both for CORBA and MOM
    code FRS (persistent)
    data FRS (persistent)
    message FRS (non-persistent)

Developed FRS Java API
  Simple API for fragmenting data
  Currently using to fragment the code
  Can be used for plugging in different FRS algorithms

Current demo is ICM agnostic (i.e., apps do not issue ICM calls)

We can use ICM aware later (i.e., apps issue calls to do FRS)



PROTOTYPE: ICM: Synchronous Middlewares (CORBA)

[Figure: CORBA Environment. Labels: Client; Server; ORB Core (twice); CORBA Proxy (twice); Transport Proxy (twice); Non-persistent FRS Proxy (twice); Persistent FRS Proxy; Intrusion triggers]


ICM: Asynchronous Middlewares (MQ Series)

[Figure: MQ Environment. Labels: Client; Server; Client Queue; Server Queue; Message Channel; MQ Proxy (twice); Transport Proxy (twice); Non-persistent FRS Proxy (twice); Persistent FRS Proxy; Intrusion triggers]


FRS JAVA API

Objective: Make FRS commonly available

Open Java API:
  Persistent FRS, e.g.
    frsProxy.store(byte[] data)
    frsProxy.retreive(dataID)
  Non-persistent FRS (messages), e.g.
    frsProxy.receiveMessages( ),
    frsProxy.sendMessage(messageID, message)

Uses the Java Factory design paradigm to create and run new FRS algorithm implementations
  Independent of FRS algorithm implementations
  New implementations can be added and easily plugged into the architecture.
  Implementations are instantiated by sending them arguments through a hashtable

Architecture becomes a framework for experimenting with new FRS algorithms

Implemented several FRS algorithms, implementing more.
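
A sketch of how a factory-created, hashtable-configured FRS algorithm could plug into such a framework, added here as an example and not the project's FRS Java API: FrsAlgorithm, XorSplit, FrsFactory, the registry and the "fragments" key are hypothetical names, and XOR splitting stands in for the project's own algorithms. The factory builds only implementations that were explicitly registered, so an algorithm name taken from configuration cannot load an arbitrary class.

```java
import java.nio.charset.StandardCharsets;
import java.security.SecureRandom;
import java.util.*;
import java.util.function.Supplier;
// Added illustration: every type name and the "fragments" key are hypothetical.
interface FrsAlgorithm {
    void init(Hashtable<String, Object> args);   // arguments arrive through a hashtable
    byte[][] fragment(byte[] data);
    byte[] reassemble(byte[][] fragments);
}
// XOR splitting: all fragments are required; any smaller subset is random noise.
class XorSplit implements FrsAlgorithm {
    private int f;
    public void init(Hashtable<String, Object> args) { f = (Integer) args.get("fragments"); }
    public byte[][] fragment(byte[] data) {
        if (f < 2) throw new IllegalStateException("need at least 2 fragments");
        byte[][] out = new byte[f][data.length];
        out[f - 1] = data.clone();
        SecureRandom rng = new SecureRandom();
        for (int i = 0; i < f - 1; i++) {
            rng.nextBytes(out[i]);                           // random pad
            for (int b = 0; b < data.length; b++) out[f - 1][b] ^= out[i][b];
        }
        return out;                                          // last fragment = data XOR all pads
    }
    public byte[] reassemble(byte[][] fragments) {
        byte[] data = new byte[fragments[0].length];
        for (byte[] frag : fragments)
            for (int b = 0; b < data.length; b++) data[b] ^= frag[b];
        return data;
    }
}
public class FrsFactory {
    private static final Map<String, Supplier<FrsAlgorithm>> REGISTRY = new HashMap<>();
    static void register(String name, Supplier<FrsAlgorithm> ctor) { REGISTRY.put(name, ctor); }
    static FrsAlgorithm create(String name, Hashtable<String, Object> args) {
        if (!REGISTRY.containsKey(name)) throw new IllegalArgumentException("unknown: " + name);
        FrsAlgorithm algorithm = REGISTRY.get(name).get();   // only registered names are built
        algorithm.init(args);
        return algorithm;
    }
    public static void main(String[] argv) {
        register("xor", XorSplit::new);
        Hashtable<String, Object> args = new Hashtable<>();
        args.put("fragments", 3);
        FrsAlgorithm frs = create("xor", args);
        byte[][] parts = frs.fragment("constructed sample".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(frs.reassemble(parts), StandardCharsets.UTF_8));
    }
}
```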



“Intrusion Threats In Emerging Middleware Platforms: Impact Analysis”, Data Item: A002, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15.




Prototype II: Pattern-based Intrusion Analysis

[Figure: pattern-based intrusion analysis. Labels, in the order they survive: Industry (business) Patterns; Application patterns; Solution Patterns; Intrusion/Security Analyzer; Other Analyzers (Integration, COTS middleware selection, outsourcing, etc); Internal Services; External (with consumers); External (with partners/suppliers); Two, three, n tiered; Interaction with existing systems; Loose versus tight coupling; Infrastructure needed; networks, middleware; Transaction volume; Transaction value; no of partners; Level of trust between partners; Others; Possible impact of intrusion; Suggested approaches]

IBM's business patterns: http://www-106.ibm.com/developerworks/patterns/


Summary: Potentially High Payoff in developing a generic approach to make COTS Middleware IT

[Figure: status of the four tasks (Impact analysis; FRS algorithms; ICM architecture; Software). Labels, in the order they survive: Report Completed, Discex paper; Prototype: pattern-based; Two papers Published; Reports and papers (Dec 2001); Generic architecture (CORBA, MOM, VOIP) developed, preparing papers; Report - March 2001 (paper); Prototype 2 (July 2002); Prototype 1 (July 2001); Report March 2001; Report - Dec 2001 (paper)]


Task Schedule


Lessons Learned/Path Forward

Key Point: Applications as well as middleware can be made IT through FRS (application aware and unaware)

FRS has several interesting areas of investigation:
  Persistent versus non-persistent FRS,
  Dynamic FRS can benefit intrusion tolerance plus cryptography
  Metrics can be developed/used to determine best schemes

Middleware architectures and prototyping
  Interceptors/exits are of key importance for adaption/plug-in
  CORBA provides best interceptors, but not enough (cannot intercept ORB)
  Some middleware (e.g., MS) do not provide any interceptors/exits
  Middleware semantic model can be used to reason about security (e.g. role of directory for binding and message transfer)
  CORBA versus DCOM similarities/dissimilarities
  MQ client interception: MQ does not give us any information about which receiving application is going to pick up the message

Impact analysis - Pattern-based approach may be useful

Next Step: Refine/apply to a wide range of COTS middleware


Publications/Reports

“ICM External Architecture”, Data Item: A002, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, March 2001.

“Intrusion Tolerance through FRS”, Data Item: A003, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, March 2001

“Intrusion Threats In Emerging Middleware Platforms: Impact Analysis”, Data Item: A001, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, Dec. 2000

Ghosh, Anjum, Umar, Zbib, Rathi, “On efficient schemes for Intrusion Tolerance”, Infocom 2001 submitted

Anjum, Ghosh, Umar, Zbib, “On Metrics for Intrusion Tolerance and Efficient Fragmentation-Redundancy-Scattering schemes”, IEEE ICON 2001, accepted.

Umar A, Anjum F, Ghosh A, Zbib R, “Intrusion Tolerant Middleware” Discex (Defense Information Security Exchange), June 2001.

Umar A, Anjum F, Ghosh A, Zbib R, “Intrusion Tolerant Information Distribution in the Battlefield” 4th ATIRP Conference, March 2001

Anjum, A., “Intrusion Tolerance Schemes to Facilitate Mobile e-commerce”, (IEEE ICPWC Dec 2000)

Anjum, A. and Umar, A., “Agent-based Intrusion Tolerance Using Fragmentation Redundancy”, (IEEE WCNC Sept 2000)


Questions?