2001 July 30 -- page 1 Applications that Participate in their Own Defense (APOD) BBN Technologies FTN PI Meeting 2001 July 30 Franklin Webber QuO.

Presentation transcript:

2001 July page 1 Applications that Participate in their Own Defense (APOD) BBN Technologies FTN PI Meeting 2001 July 30 Franklin Webber QuO

2001 July page 2
Contract Overview
Start: July 1999
Finish: July 2002
Agent: Patrick Hurley, AFRL
Participants (BBN Technologies):
–Franklin Webber, PI
–Partha Pal
–Chris Jones
–Michael Atighetchi
–Paul Rubel
–Nathan Mesh

2001 July page 3
Outline
Review of project goals and high-level approach
Accomplishments to date
Dead ends
Adaptive middleware for coordinating defense
Tasks in progress and yet to be done
Schedule

2001 July page 4
Long-Term Vision
Future military systems need to be more survivable than the components from which they are built.
These systems need to be designed, implemented, operated, and maintained with less (or at least no more) effort than today’s systems of comparable complexity.
Systems with more survivability, built with less effort.

2001 July page 5
Defense-Enabled Applications
Focus on defending critical applications, not their environment.
The OS and network environment offers some protection but is flawed:
–vulnerable to intrusion and cyber-attack.
Static protection is augmented with dynamic defense:
–Applications adapt their own behavior, resource usage, and service levels and add application-level protection to remain as effective as possible in spite of attacks.
Focus on integrity and assured service, not confidentiality.

2001 July page 6
Essential Parts of Defense Enabling
Slow the acquisition of privileges by the attacker:
–multiple security domains with independent privileges
–application distributed redundantly over domains
–attacks must proceed in stages; privileges cannot be acquired in many domains at once
    typically an assumption at the application layer but may be enforced at lower layers
Respond to attacker’s use of privilege:
–monitor for infiltration of domains and damage to application
–use privilege to isolate application from infiltration
–reconfigure and adapt automatically

2001 July page 7
Security Domains: Example
[Diagram: security domains containing hosts and routers; labels: replicas of application component 1, replicas of application component 2]

2001 July page 8
Kinds of Privilege
Some common privileges in application’s environment:
–“root” privilege
–“user” privilege
–anonymous privilege
Manufacture new kind of privilege for application:
–authorization for interactions between application components, and ability to start new components, issue commands to the application, or modify its functionality

2001 July page 9
Application-Level Privilege
Use crypto to make application-level privilege hard for attacker to get, even with “root” privilege
–encrypt executables on disk
–digitally sign all communication between application processes
Implies attacker is unlikely to damage application processes other than by halting them
–no “Byzantine” failures in application
–a related BBNT project (under OASIS) is relaxing this assumption about the attacker
    “Intrusion Tolerance by Uncertain Adaptation” (ITUA)

2001 July page 10
Characteristics of Adaptive Defense
Multiple mechanisms organized into a coherent strategy for adaptation
–many adaptations will involve interacting with management subsystems in the application’s environment to collect information and request changes
–some adaptations will result in a degraded mode of operation most suitable given remaining resources
–various quality-of-service (QoS) aspects can be used to indicate possible attacks and measure the effectiveness of adaptation

2001 July page 11
Defense-Enabled Application Competes With Attacker for Control of Resources
[Diagram labels: Application; Attacker; Raw Resources (CPU, bandwidth, files...); QoS Management; Crypto; OSs and Network; IDSs; Firewalls]

2001 July page 12
Accomplishments I
use Java Cryptography Extension (JCE) (Sun) to enforce application-level privilege
–current defense-enabled applications are written in Java
use Proteus Dependability Manager (U of I) and Ensemble group communication (Cornell) to replicate essential application components across security domains and to tolerate crash failures
–upgrade to new Proteus version in progress
    will allow replication of Proteus to eliminate single point of attack
    will allow easier integration with other defense mechanisms
NEW!

2001 July page 13
Accomplishments II
use OO-DTE (NAI) for adaptive access control policy and policy management
–built new policy enforcement to integrate OO-DTE policies with Proteus dependability management
–began using NAI’s policy language, DTEL++, to specify application policies
    required some modification to policy compiler
–at our request, NAI is upgrading its policy distribution machinery to allow integration with other defense mechanisms
NEW!

2001 July page 14
Accomplishments III
use intrusion detection systems (IDSs) to trigger defensive adaptation
–Tripwire
–Snort
use IPtables (Linux) for configurable packet filtering
implement TCP, UDP port hopping to evade attacks on communication
–dynamic configuration of IPtables
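
One way the port hopping and dynamic IPtables configuration named on this slide can fit together, as an added Python sketch that is not APOD code. The HMAC-based schedule, the port range, the 30-second slot, and the chain name APOD-HOP are assumptions; the slides do not describe the scheme APOD used.

```python
import hashlib
import hmac
import struct

# Assumed parameters, not taken from the APOD slides.
PORT_MIN, PORT_MAX = 20000, 60000   # range the service may hop within
SLOT_SECONDS = 30                   # how long each port stays current
CHAIN = "APOD-HOP"                  # hypothetical user-defined iptables chain


def port_for_slot(key: bytes, slot: int) -> int:
    """Derive the port for one time slot from a shared key (HMAC-SHA256)."""
    digest = hmac.new(key, struct.pack(">q", slot), hashlib.sha256).digest()
    span = PORT_MAX - PORT_MIN + 1
    return PORT_MIN + int.from_bytes(digest[:4], "big") % span


def current_port(key: bytes, now: float) -> int:
    """Port a sender should use at time `now` (seconds since the epoch)."""
    return port_for_slot(key, int(now) // SLOT_SECONDS)


def accepted_ports(key: bytes, now: float, skew_slots: int = 1) -> set:
    """Ports a receiver keeps open: current slot plus neighbours for clock skew."""
    slot = int(now) // SLOT_SECONDS
    return {port_for_slot(key, s)
            for s in range(slot - skew_slots, slot + skew_slots + 1)}


def iptables_delta(proto: str, old: set, new: set) -> list:
    """Commands that move the packet filter from `old` to `new`.

    New ports are opened before stale ones are closed, so a legitimate peer
    never sees a window in which no port is accepted. The chain is assumed
    to end in a DROP rule, hence -I (insert at the top) rather than -A.
    """
    opens = [f"iptables -I {CHAIN} -p {proto} --dport {p} -j ACCEPT"
             for p in sorted(new - old)]
    closes = [f"iptables -D {CHAIN} -p {proto} --dport {p} -j ACCEPT"
              for p in sorted(old - new)]
    return opens + closes


if __name__ == "__main__":
    key = b"constructed-demo-key"        # constructed sample key
    t0 = 996_500_000                     # constructed timestamp
    before = accepted_ports(key, t0)
    after = accepted_ports(key, t0 + SLOT_SECONDS)
    print("sender uses port", current_port(key, t0))
    for cmd in iptables_delta("udp", before, after):
        print(cmd)
```

The commands are only generated, not executed; a deployment would apply them with root privilege on each hop and keep the key out of reach of an attacker who holds only OS-level privilege.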

2001 July page 15
Accomplishments IV
use RSVP bandwidth management to counter some flooding attacks
–investigated security-enhanced RSVP (NCSU/UC Davis)
    requires authentication during resource reservation and setup
    was ported, at our request, to Linux from FreeBSD
    implements RSVP signalling but does not make reservations
–modifications to make reservations are being considered
–investigated, but have not implemented, the integration of RSVP with other defense mechanisms
NEW!

2001 July page 16
Defense-Enabled Examples
An air-traffic monitoring system
–uses dependability management, access control, Tripwire, and packet filtering
A video data service
–uses bandwidth management and dependability management (not yet Proteus, but a simpler placeholder mechanism we wrote)
–being shown at this PI meeting
Test examples for individual mechanisms
NEW!

2001 July page 17
A Classification of Defense Mechanisms
Table is open to expansion:
–more mechanisms
–more columns
Boldface mechanisms already implemented and integrated in APOD defenses

2001 July page 18
Security-Enhanced Platform
more-secure platform should enhance survivability offered by APOD
planning to port APOD technology to Security-Enhanced Linux (NAI/NSA)
–goal: middleware control over OS security policies to complement defensive adaptation
NEW!

2001 July page 19
Dead Ends
Not really “failures”
–no examples yet of approaches that did not work, only examples of technology we could not use
Defense mechanisms and ideas that were too difficult to use given the project’s budget
–Emerald IDS (SRI): no API; Solaris only; needs superuser privilege to configure
–Jam IDS (NYU): no API; offline analysis, needs time and training
–Quench flooding using IP multicast (AT Corp idea): expected conflicts between IP multicast and protocols used in APOD defense mechanisms

2001 July page 20
Implementing Defenses in Middleware
for simplicity: QoS concerns separated from functionality of application. Better software engineering.
for practicality: Requiring secure, reliable OS and network support is not currently cost-effective. Middleware defenses will augment, not replace, defense mechanisms available in lower system layers.
for uniformity: Advanced middleware such as QuO provides a systematic way to integrate defense mechanisms. Middleware can hide peculiarities of different platforms.
for reusability: Middleware can support a wide variety of applications.

2001 July page 21
QuO Technology
QuO is DARPA Quorum developed middleware that provides:
    interfaces to property managers, each of which monitors and controls an aspect of the Quality of Service (QoS) offered by an application;
    specifications of the application’s normal and alternate operating conditions and how QoS should depend on these conditions.
QuO has integrated managers for several properties:
    dependability (DARPA’s Quorum AQuA project)
    communication bandwidth (DARPA’s Quorum DIRM project)
    real-time processing (using TAO from UC Irvine/WUStL)
    security (using OODTE access control from NAI)

2001 July page 22
QuO adds specification, measurement, and adaptation into the distributed object model
[Diagram: CORBA DOC MODEL beside QUO/CORBA DOC MODEL. Shared labels: CLIENT, OBJ REF, operation(), in args, out args + return value, IDL STUBS, IDL SKELETON, OBJECT ADAPTER, ORB, IIOP, Network, OBJECT (SERVANT). Labels in the QuO model: Delegate, Contract, SysCond, MECHANISM/PROPERTY MANAGER. Roles: Application Developer, QuO Developer, Mechanism Developer]

2001 July page 23
The QuO Toolkit supports building adaptive applications or adding adaptation to existing ones
Quality Description Languages (QDL)
–Contract description language, adaptive behavior description language, connector setup language
–Code generators that generate Java and C++ code for contracts, delegates, creation, and initialization
System Condition Objects
–Provide interfaces to resources, managers, and mechanisms
QuO Runtime Kernel
–Contract evaluator
–Factory object which instantiates contract and system condition objects
Instrumentation library
QuO gateway
–Insertion of special purpose transport layers and adaptation below the ORB

2001 July page 24
Using QuO to integrate defense mechanisms
QuO’s quality description languages allow programming of a defense strategy:
–how should QuO change state when an anomaly, possibly indicating an attack, is observed?
–How should QuO state changes affect resource management?
Recent QuO upgrade allows encapsulation of simple adaptive behaviors as “qoskets”, which can be combined
–some APOD defense mechanisms have been “qosketized”, others in progress
NEW!
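
The two questions on this slide, modelled as a toy contract evaluator in Python (an added example, not QuO, QDL, or APOD code). The region names, condition names, replica target, and action strings are assumptions; the actions stand in for requests to the mechanisms listed on the Accomplishments slides.

```python
from dataclasses import dataclass
from typing import Callable, Dict, List

Conds = Dict[str, float]   # snapshot of system condition values


@dataclass
class Region:
    name: str
    holds: Callable[[Conds], bool]            # predicate over conditions
    on_enter: Callable[[Conds], List[str]]    # adaptations requested on entry


class Contract:
    """Ordered regions; the first whose predicate holds becomes active."""

    def __init__(self, regions: List[Region]):
        self.regions = regions
        self.active = regions[-1].name        # last region is the default

    def evaluate(self, conds: Conds) -> List[str]:
        """Re-evaluate on new measurements; return actions only on a transition."""
        region = next(r for r in self.regions if r.holds(conds))
        if region.name == self.active:
            return []
        self.active = region.name
        return region.on_enter(conds)


def build_defense_contract(target_replicas: int = 3) -> Contract:
    def suspicious_actions(c: Conds) -> List[str]:
        actions = ["ports: hop to next port"]
        if c["live_replicas"] < target_replicas:
            actions.append("replication: restore replica count")
        return actions

    return Contract([
        Region("infiltrated",
               lambda c: c["tripwire_violations"] > 0,
               lambda c: ["filter: isolate affected domain",
                          "replication: start replica in another domain"]),
        Region("suspicious",
               lambda c: c["snort_alerts"] > 0
               or c["live_replicas"] < target_replicas,
               suspicious_actions),
        Region("normal", lambda c: True, lambda c: []),
    ])


# Constructed observations, in time order.
SAMPLE = [
    {"tripwire_violations": 0, "snort_alerts": 0, "live_replicas": 3},
    {"tripwire_violations": 0, "snort_alerts": 4, "live_replicas": 3},
    {"tripwire_violations": 0, "snort_alerts": 6, "live_replicas": 3},
    {"tripwire_violations": 2, "snort_alerts": 6, "live_replicas": 2},
    {"tripwire_violations": 0, "snort_alerts": 0, "live_replicas": 3},
]


def run(observations: List[Conds]) -> List[tuple]:
    """Feed observations to a fresh contract; return (region, actions) per step."""
    contract = build_defense_contract()
    return [(contract.active, actions)
            for actions in map(contract.evaluate, observations)]
```

Because actions fire only on region transitions, a sustained alert stream (third observation) does not re-trigger the same adaptation.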

2001 July page 25
Goal: Toolkit for Defense Strategies
apply all available mechanisms to defense of critical applications
–many integration problems between mechanisms remain
offer a strategy specification language
–allow developers to create a defense strategy easily without need to master QuO
do automatic configuration of defense mechanisms
–generate QuO-level specifications automatically
–configure non-QuO components automatically, e.g., IPtables
–resolve tradeoffs and conflicts between different QoS aspects

2001 July page 26
Validating Defense Enabling
Testing in-house
–specific tests of individual defense mechanisms
Red-team experimentation
–test of complete defense strategy
Technology transition to a military site
–meeting site-specific requirements

2001 July page 27
Validating Defenses by Experiment
Are APOD defense strategies effective?
This question cannot be answered by analysis alone:
    depends on skill of attacker
    depends on quality of defenses in underlying OS and network
Red-Team experiments may resolve the question
Experimental hypothesis: the application-level defensive adaptation in an APOD application significantly increases the work needed to damage or destroy that application

2001 July page 28
Schedule
[Timeline: July 1999 (Start), July 2000, July 2001, July 2002 (Finish). Labels: Final Survivability Tools Delivery; Proof of Concept SW Release; Defense-Enabled App SW Releases; Validation Experiment; Technical Reports; Experiment In-house, scheduled]