Philip K. McKinley Software Engineering and Network Systems Laboratory Department of Computer Science and Engineering Michigan State University RAPIDware:

Presentation transcript:

Philip K. McKinley Software Engineering and Network Systems Laboratory Department of Computer Science and Engineering Michigan State University RAPIDware: Adaptive Software for Critical Infrastructure Protection

Critical Infrastructures
Examples:
- Electric power grids
- Telecommunication networks
- Water systems
- Nuclear facilities, hydroelectric dams
- Command and control networks
- Financial networks, and so on…
Managed by distributed computing facilities, connected to the Internet.
Hence, they are at risk of cyber attack.
The consequences could be catastrophic.

RAPIDware Project
Five-year, $3.1M project in CSE SENS Laboratory
Funded by U.S. Office of Naval Research
- Adaptable Software / Critical Infrastructure Protection Program
- Outgrowth of Presidential Decision Directive 63 (May ’98)
Goal: Software (middleware) that can protect itself from:
- Cyber attack
- Hardware and software component failures
- Changing environmental conditions
- Dynamic application/user requirements (e.g. security policies)
RAPIDware supports:
- 5 CSE faculty members
- 10 graduate research assistants
Middleware for “Internet Speed” development and evolution of applications must support:
- Multiple dimensions of adaptability
- Autonomous execution of middleware components
- Dynamic composition of middleware services
“Principled” methods (compiler/language support, code generation, reflection, run-time checks, etc.) needed to help ensure reliability, correctness, reusability, security

RAPIDware Investigators
Phil McKinley - distributed computing, network protocols, adaptive middleware, anomaly detection
Kurt Stirewalt - software analysis, interactive systems, model checking
Laura Dillon - formal methods for concurrent systems, real-time systems
Betty Cheng - software engineering, formal methods, object-oriented development
Sandeep Kulkarni - fault tolerance, security

What is Middleware?
[Figure: layered diagram. Labels: Interconnected Computer Networks; Distributed Computer Applications; MIDDLEWARE (CORBA, J2EE, .NET, …); Internet Protocols (TCP/IP)]

Adaptive Middleware
Adaptive middleware can manage nonfunctional aspects of the system in coordinated fashion:
- actively monitor the system, execute security policies
- provide fault tolerance for specified components
- adapt to changing environmental conditions
- manage energy consumption in battery-powered devices
- insulate the application from device/network differences
“Always On” systems
- E.g., command and control, many critical infrastructure systems
- require dynamic adaptation in ways not envisioned during development.
Enables systems to Operate Through Attacks

RAPIDware Approach
Adaptive middleware must support
- Multiple dimensions of adaptability
- Autonomous execution of middleware components
- Dynamic composition of middleware services
“Principled” methods
- Automated software development (e.g., code generation)
- Formal methods support for composition and adaptation
Needed for reliability, correctness, security
We focus on mobile computing systems
- Problem is “harder” than in wired systems
- Expected to dominate Internet access

Mobile Computing Testbed
Multiple-cell wireless LAN
Various laptop, handheld, and wearable computers

Isolating Adaptive Functionality
[Figure: architecture diagram. Labels: APPLICATION LAYER; MIDDLEWARE LAYER; NETWORK LAYER; observers; responders; core middleware components; data paths; Proxy node (e.g., desktop); Application, Host computer (desktop); Application, Host computer (wearable); Application, Host computer (palmtop)]

Adaptive Java
Many adaptive middleware approaches involve
- computational reflection
- ability of a process to reason about (and alter) its behavior
We developed Adaptive Java
- Extension of Java programming language
- Provides language-level support for adaptability
Example use: Meta(morphic) sockets that can:
- report behavior to intrusion detection system
- insert forward error correction for wireless networks
- change socket behavior to save power

MetaSocket Configuration
[Figure: configuration diagram. Labels: Application or Middleware Base Code; MetaSocket Layer; To Network; Adaptive Logic]

MetaSocket Structure
Application can insert and remove filters that manipulate the data stream
Some base-class methods are occluded
[Figure: MetaSendSocket diagram. Labels: Socket; SendSocket; InsertFilter; RemoveFilter; GetStatus; close; send; filter with thread and buffer]

Examples: Error Control and Component Auditing
Adaptive Java makes it possible to change components dynamically.
Effectively, any component can be made more robust, or more secure at run time.
Nature of auditing can be determined after development.
On-demand auditing may be especially useful to mobile systems.

[Figure: component diagram. Labels: Wired Network; Wireless Network; Trader; Notifying event; Refraction or transmutation; Component Loader; Decision Maker (DM); Information Event Mediator; A, B, C; Informer]

Experimental Configuration
Second source begins transmitting to multicast address during audio conversation
[Figure: network diagram. Labels: Access Point; Wireless iPAQ Receivers; Audio Stream; Legitimate Source; Malicious/errant Source]

Adaptive Metasocket Behavior
Loss thresholds set to 30% and 10%.

Detection of Second Source
Second source starts at packet 349, detected at packet 379.
Filter inserted automatically to remove “noise.”
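
The MetaSocket slides describe a socket whose filter chain can be changed at run time, and a filter that is inserted automatically once a second source is detected. The Java sketch below is an added example, not RAPIDware or Adaptive Java code. The class `MetaRecvSketch`, the `Packet` record, the addresses, and the count-based detection rule (alarm after 30 packets from an unexpected source) are assumptions made for illustration; the slides do not say how detection is actually done.

```java
import java.util.*;
import java.util.function.UnaryOperator;

// Added sketch (plain Java 16+), not Adaptive Java: all names below are hypothetical.
public class MetaRecvSketch {
    record Packet(String source, byte[] payload) {}        // constructed packet type
    interface Filter extends UnaryOperator<Packet> {}      // returns null to drop a packet

    private final List<Filter> filters = new ArrayList<>();
    private final Map<String, Integer> perSource = new HashMap<>();
    private final String expectedSource;   // assumption: the legitimate sender is known
    private final int alarmCount;          // assumption: alarm after this many foreign packets
    private boolean dropFilterInstalled = false;

    MetaRecvSketch(String expectedSource, int alarmCount) {
        this.expectedSource = expectedSource;
        this.alarmCount = alarmCount;
    }

    // Run-time reconfiguration, mirroring the InsertFilter/RemoveFilter/GetStatus labels.
    synchronized void insertFilter(Filter f) { filters.add(f); }
    synchronized boolean removeFilter(Filter f) { return filters.remove(f); }
    synchronized String getStatus() {
        return "filters=" + filters.size() + " packetsPerSource=" + perSource;
    }

    // Audit every packet, adapt if a second source persists, then apply the chain.
    synchronized Packet receive(Packet p) {
        int n = perSource.merge(p.source(), 1, Integer::sum);
        if (!dropFilterInstalled && !p.source().equals(expectedSource) && n >= alarmCount) {
            insertFilter(q -> q.source().equals(expectedSource) ? q : null);
            dropFilterInstalled = true;
        }
        for (Filter f : List.copyOf(filters)) {
            p = f.apply(p);
            if (p == null) return null;     // dropped by a filter
        }
        return p;
    }

    public static void main(String[] args) {
        MetaRecvSketch sock = new MetaRecvSketch("192.0.2.1", 30);
        int delivered = 0, dropped = 0;
        for (int i = 1; i <= 500; i++) {    // constructed traffic: one packet per tick
            if (sock.receive(new Packet("192.0.2.1", new byte[] {1})) != null) delivered++;
            if (i >= 349) {                 // constructed second source joins the stream
                if (sock.receive(new Packet("192.0.2.9", new byte[] {0})) != null) delivered++;
                else dropped++;
            }
        }
        System.out.println(sock.getStatus() + " delivered=" + delivered + " dropped=" + dropped);
    }
}
```

The auditing step stays in place after the drop filter is installed, so `getStatus` keeps reporting how many packets the unexpected source has sent even though none of them reach the application.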

Summary
RAPIDware is an ONR-funded project in the CSE Dept.
Addresses adaptive middleware to protect critical infrastructures from:
- Cyber attacks
- Component failures
- Dynamic external conditions
Particular focus on wireless, collaborative computing systems
Adaptive Java
- Programming language support for adaptability
- Enables dynamic reconfiguration and auditing of components in deployed systems

Ongoing Work
Adaptive Java and MetaSockets:
- Dynamic auditing of components
- Dynamic energy consumption management
- Quality of service for wireless networks
Higher-level languages for adaptability
Middleware/Operating System cooperation for
- Security
- Energy management
Anomaly detection using statistical methods
Wireless network protocols (video, audio, data)
Security and robustness of peer-to-peer networks

Potential Collaboration
We are always looking for new research collaborators
Security/robustness of mobile computing systems
- Emergency services
- Command and control
- Medical applications
Intrusion/anomaly detection and monitoring
Control of:
- Telecommunication networks
- Water distribution systems
- Power grids
- Business/financial systems
“Smart” physical infrastructures: buildings, bridges, dams, etc.
Traceability of software development and usage for
- Computer forensics?
- Tracking intruders
Cognitive/Decision-making processes

Related Papers
P. McKinley, U. Padmanabhan, N. Ancha, “Experiments in composing proxy audio services for mobile users,” Proc. ACM/IFIP International Conference on Distributed Systems Platforms (Middleware’01), Heidelberg, Germany, Nov
P. K. McKinley, et al., “Realizing multi-dimensional software adaptation,” in Proceedings of the ACM Workshop on Self-Healing, Adaptive and self-MANaged Systems (SHAMAN), (New York), June
E. Kasten, et al., “Separating introspection and intercession to support metamorphic distributed systems,” Proc. IEEE Workshop on Aspect-Oriented Programming for Distributed Computing Systems (AOPDCS’02), Vienna, Austria, July
P. K. McKinley, S. Sadjadi, E. P. Kasten, and R. Kalaskar, “Programming language support for adaptable wearable computing,” in Proceedings of the Sixth International Symposium on Wearable Computers, Seattle, Washington, October
Z. Yang, et al., “An aspect-oriented approach to dynamic adaptation,” in Proceedings of the ACM SIGSOFT Workshop on Self-Healing Systems (WOSS02) (Charleston, South Carolina), November 2002.

Acknowledgements
This work was supported in part by:
- U.S. Department of the Navy, Office of Naval Research, Grant No. N
- U.S. National Science Foundation grants: CDA , NCR , CCR , EIA , and EIA

Further Information Software Engineering and Network Systems Lab: RAPIDware Project: contact: