Intrusion Tolerant Distributed Object Systems, OASIS PI Meeting, Norfolk, VA, February 12-16, 2001. Gregg Tally, Brent Whitmore

Presentation transcript:


February 13
Agenda
- Motivation
- Overview
- Plans and Progress to Date
- Intrusion Tolerant CORBA Architecture
- Summary

Motivation
- Mission critical applications are being developed using CORBA on COTS platforms
- CORBA Security protects at the middleware level, but applications remain vulnerable to O/S and network attacks
- Fault Tolerant CORBA does not protect against malicious faults

Technical Objectives
- Provide intrusion tolerance for CORBA applications
- System level approach
  – Middleware
- Eliminate reliance on any single server
  – secure, reliable group communication directly between clients and replicated servers
- Detect Byzantine (arbitrary) faults in servers
- Support heterogeneity (diversity of implementation)
- Boundary controllers (firewalls)
  – Protocol inspection
  – End-to-end authentication between clients and servers

Existing Approaches
- OMG supports Fault Tolerance for CORBA
  – Doesn't tolerate Byzantine faults
  – No firewall support
- Prior and Current Research
  – Avoided ORB changes by intercepting process level communications; forces homogeneous server implementation
  – Uses "primary" or "lead" server that may not tolerate Byzantine faults
  – Ensemble, Maestro, AQuA, Rampart, Eternal, others

Technical Approach
- Leverage prior work on fault tolerant CORBA; secure, reliable, authenticated multicast; total ordering; Byzantine fault detection
- Modify prior work to fit intrusion tolerance requirements
- Active replication of clients and servers with voting
- Protect client and server hosts with application proxy firewall; include firewall in multicast group
- Integrate with open-source ORB
  – Detect value faults in middleware
  – Replace transport layer with secure, reliable, authenticated multicast

Expected Achievements
- At least one implementation of an ORB on two or more heterogeneous platforms that tolerates Byzantine faults
- Integrated application proxy firewall support to protect COTS client and server hosts
- Understand trade-off between performance and degrees of intrusion tolerance
- Develop Countermeasure Characterization to identify assumptions and residual risks

Progress to Date
- Developing Intrusion Tolerant CORBA Architecture:
  – Documented low-level use cases
  – Reviewed prior work:
    Fault tolerant systems: Electra, Eternal
    Group communication systems: Rampart, Transis, ISIS, AQuA, SecureRing / SecureGroup, Castro-Liskov
    Cryptographic algorithms:
      – Burmester-Desmedt's Eurocrypt 94 paper
      – Shoup's Eurocrypt 2000 threshold signature paper
      – Menezes et al.'s "Handbook of Applied Cryptography"
    OMG's Fault Tolerant CORBA specifications
    WSU / Verizon-BBN Virtual Voting Machine

Progress (cont'd)
- Selected TAO as the prototype implementation ORB
- Received source code for Castro-Liskov group communication system
- Initial architecture nearing completion

Intrusion Tolerant CORBA Architecture

Conceptual Overview (figure): a client-side firewall (GIOP proxy over secure, reliable, authenticated multicast) fronts the client application code and its IT ORB; the IT ORB's voter performs value fault detection / voting, redundant message exclusion, time/crash/other fault detection, and encode/decode; server-side firewalls (multicast GIOP proxies) front the redundant servers, each running application code on an IT ORB; ITDOS services support the group.

Approach -- What's Different?
- All servers are equal
  – eliminate need for "primary" or "lead" server
- Detect value faults in the ORB
  – encoding of CORBA messages depends on the source platform (i.e., byte ordering)
  – permits heterogeneous implementations: different O/S, hardware, ORBs
  – permits parametric comparisons: exact matches not required for inexact values (e.g., floating point)

Approach -- What's Different?
- Transparent object replication
- Application proxy firewall integrated into the architecture
  – better protection for COTS client and server hosts
  – end-to-end authentication of client and server
  – may have better performance than IIOP/SSL proxies

Operating Constraints
- At most f faulty processors
- More than 3f available processors
- Deterministic services
- Separation of replicated servers
  – network
  – geography

Simplifying Assumptions
- Addition of replacement servers not addressed (first iteration)
- Network does not partition such that more than f servers are unreachable
- Secure configuration mechanism
- Other CORBA services handle these application needs:
  – object-level access control
  – audit
  – non-repudiation
  – user-level authentication

Architecture Detailed (figure): the IT ORB contains the Voting Machine, Replication Manager, Encode/Decode, and Secure Reliable Multicast components beneath the Application Code; the ITDOS Services (Group Manager, Replica Locator) and the Replicated Objects sit alongside.

Voting Machine (architecture figure repeated, with the Voting Machine component of the IT ORB highlighted)

Voting Machine
- Borrows from Washington State University / Verizon-BBN work
- Abstracts out the voting algorithm
- Determine result from possibly inexact matches
- Permits alternatives to majority voting & strict equivalence
- Examples:
  – mean, median, mode
  – majority rule
  – floating point comparison

ITDOS Services - Group Manager (architecture figure repeated, with the Group Manager component highlighted)

Secure Multicast Groups
- Two flavors
  – Replica groups
  – Communication groups
- Features
  – IP Multicast address
  – Intra-group message secrecy
  – Message authentication
- Replicated Group Manager object
  – Creates/destroys groups
  – Tracks and manages membership
  – Administers secrecy, authentication, communication policy

Replica Groups
- Bind VM algorithm selections
- Define vote points
  – Send request/receive reply
  – Send reply/receive request
(figure: "A" replicas and "B" replicas)

Communication Groups
- Serves an invocation binding
- Analogous to unicast connections
- Members see all requests & replies between client & server replica groups
(figure: "A" replicas and "B" replicas)

Voting
- Value voting
  – Receiver
  – Generates agreement on the value of the request or reply
- Detection voting
  – Sender
  – Detects failure to invoke consistently on other objects
- Consequences of failure
  – Remove offending process from all groups

Voting (figure): "A" replicas invoke "B" replicas through four vote points, 1 - Send request, 2 - Receive request, 3 - Send reply, 4 - Receive reply; detection votes (Dv) are taken on the sending side and value votes (Vv) on the receiving side.
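The Operating Constraints, Voting Machine and Voting slides above describe a voter that takes replies from a replica group of more than 3f members, accepts a value once f+1 equivalent replies agree, allows inexact (parametric) comparisons, and identifies the offending replica for exclusion. The following is an added illustration of that logic, not code from the ITDOS project; the function and type names are assumptions, and the same `vote` call serves both the receiver-side value vote (over replies) and the sender-side detection vote (over the requests each sender replica emitted).

```python
"""Voting machine over values received from a replicated object group (illustration)."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, List, Tuple

Equiv = Callable[[Any, Any], bool]      # "are these two values equivalent?"
Combine = Callable[[List[Any]], Any]    # reduce an agreeing cluster to one result


def min_group_size(f: int) -> int:
    """Tolerating f Byzantine members needs n > 3f, i.e. at least 3f + 1 replicas."""
    return 3 * f + 1


def exact_match(a: Any, b: Any) -> bool:
    return a == b


def float_match(tolerance: float) -> Equiv:
    """Parametric comparison: floating point results may legitimately differ slightly."""
    return lambda a, b: abs(a - b) <= tolerance


@dataclass
class VoteResult:
    value: Any
    agreeing: List[str]   # replicas whose value joined the winning cluster
    faulty: List[str]     # replicas that disagreed: candidates for group exclusion


def vote(replies: Dict[str, Any], f: int,
         equiv: Equiv = exact_match,
         combine: Combine = lambda vs: vs[0]) -> VoteResult:
    """Agree on one value from `replies` (replica name -> value it sent).

    With at most f faulty replicas, any f+1 equivalent values include at
    least one correct replica, so their common value is correct. Values
    are clustered with `equiv` so inexact results can still agree, and the
    winning cluster is reduced with `combine` (first value, median, ...).
    Raises ValueError when no cluster reaches f+1: either more replies are
    still in flight, or f was underestimated for this group.
    """
    clusters: List[Tuple[List[Any], List[str]]] = []   # (values, members)
    for replica, value in replies.items():
        for values, members in clusters:
            if equiv(value, values[0]):
                values.append(value)
                members.append(replica)
                break
        else:
            clusters.append(([value], [replica]))
    values, members = max(clusters, key=lambda c: len(c[1]))
    if len(members) < f + 1:
        raise ValueError(f"no value has {f + 1} agreeing replies")
    faulty = sorted(r for r in replies if r not in members)
    return VoteResult(combine(values), members, faulty)
```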

ITDOS Services (architecture figure repeated, with the Replication Manager and Replica Locator components highlighted)

Replication Manager
- Manages replication policy
  – Replica group cardinality
  – Policy granularity at replica group level
- Directs Group Manager to establish replica group memberships
- Called by ORB at object activation
  – Replication transparent to client and server objects

Replica Locator
- Naming service
- Helps Replication Manager to:
  – Initiate group creation
  – Track replica assignment to groups
- Helps ORB bind CORBA objects to replica groups

Secure Reliable Multicast Protocol (architecture figure repeated, with the Secure Reliable Multicast component highlighted)

Secure Reliable Multicast Protocol
- Properties
  – Reliable
    Delivery by processes:
      integrity - delivered only once & only if sent
      agreement - all delivered or none
      validity - delivered if sent
    Totally ordered
  – Secure
    source authenticity
    message integrity
    confidentiality
- Uses IP multicast
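As an added illustration of the receiver-side checks behind three of the properties listed above (delivered only once, delivered in total order, source authenticity / message integrity), the following toy model is not ITDOS code; message fields, the group-shared HMAC key and the sequence numbers are assumptions. A shared group key only rejects non-members' forgeries, which matches the slide's caveat that a compromised group member defeats these guarantees; confidentiality and retransmission for agreement/validity are left out.

```python
"""Receiver side of an authenticated, totally ordered multicast (toy model)."""
import hashlib
import hmac
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Message:
    sender: str
    seq: int        # assumed: group-wide total-order sequence number
    payload: bytes
    tag: bytes      # HMAC-SHA256 over (sender, seq, payload) under the group key


def _tag(key: bytes, sender: str, seq: int, payload: bytes) -> bytes:
    data = sender.encode() + b"|" + str(seq).encode() + b"|" + payload
    return hmac.new(key, data, hashlib.sha256).digest()


def make_message(key: bytes, sender: str, seq: int, payload: bytes) -> Message:
    return Message(sender, seq, payload, _tag(key, sender, seq, payload))


@dataclass
class Receiver:
    key: bytes
    next_seq: int = 0                                   # next seq to deliver
    holdback: Dict[int, Message] = field(default_factory=dict)
    delivered: List[Tuple[str, bytes]] = field(default_factory=list)
    rejected: List[Tuple[int, str]] = field(default_factory=list)

    def receive(self, m: Message) -> None:
        # source authenticity + message integrity: drop forged or modified messages
        expected = _tag(self.key, m.sender, m.seq, m.payload)
        if not hmac.compare_digest(m.tag, expected):
            self.rejected.append((m.seq, "bad tag"))
            return
        # integrity (deliver only once): drop already-delivered or already-queued seqs
        if m.seq < self.next_seq or m.seq in self.holdback:
            self.rejected.append((m.seq, "duplicate"))
            return
        self.holdback[m.seq] = m
        # total order: deliver contiguously, holding back anything past a gap
        while self.next_seq in self.holdback:
            d = self.holdback.pop(self.next_seq)
            self.delivered.append((d.sender, d.payload))
            self.next_seq += 1
```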

Summary
- Continuing to refine Intrusion Tolerant CORBA Architecture
  – Developed initial architecture
  – Re-use and modify prior work to meet IT CORBA requirements
  – Expect to complete Architecture by end of March; begin implementation
- Plan to start Countermeasure Characterization in March

Backup

Metrics
- Cost/benefit of redundant servers
  – Tolerance of Byzantine faults (number of faulted servers) vs. impact on throughput due to additional replication
  – Throughput measured by operations per second
  – Invocation latency
- IA Countermeasure Characterization
- Experimentation at the TIC to validate countermeasure claims

Questions - Threats / Attacks
- Tolerate Byzantine (arbitrary) behavior by some threshold number (f) of servers in a replicated group of (n) object servers.
- Guarantee availability of the servers, provided that greater than the threshold number of servers has not been compromised.
- Guarantee integrity of the communication between the clients and servers, and accuracy of the answers provided by the servers.
- Confidentiality of the communication, unless a replicated server or Group Manager is compromised.
- Given these considerations, any attack against a replicated server in our system may be defended against as long as the resilience threshold (of the replicated group) is not exceeded. However, we should note that DOS attacks against individual servers can affect the system as a whole: they may impede performance, and possibly lead to the eventual exclusion of the attacked (but correct) process.

Questions - Assumptions
- The OS and platforms are vulnerable to attack and failure, but a vulnerability in one OS or platform does not necessarily imply that a different OS or platform has the same vulnerability (i.e., diversity of implementation provides better survivability).
- We rely upon the integrity of the network infrastructure to the extent that not more than f replicated servers become unreachable. The network does not partition such that more than f of the replicated servers become unreachable.
- We assume that there will be at most f faults in a replicated group at any one time, where the number of servers in the replicated group is > 3f.
- Servers exhibit deterministic behavior.

Questions - Assumptions (cont'd)
- A correct server cannot be delayed indefinitely.
- Cryptography prevents identity forgery and traffic sniffing.
- Object-level access control, audit, non-repudiation, and user-level authentication are performed by other CORBA services.
- QoS and QoP are performed by entities external to our system.
- In a real deployment of our system, to limit the incidence of simultaneous failures, network and geography separate the replicated servers.
- We assume that the authentication tokens for each process are adequately protected and only available to authorized users.

Questions - Policies
- Policies governing group membership, based on identity of processes wishing to join groups:
  – Rules indicating fault tolerance level, which directly impacts the number of processes required for a replicated object group.
  – Policies on "open" operations. An open operation is performed when a client wishes to establish a connection with a replicated group.
- Voting behavior. In certain cases, there may be legitimate differences in values between replicas, even though the values are equivalent. There may be other cases where voting behavior can be driven by policy.
- Object-access control, although this will be enforced by CORBA security mechanisms, which are outside the scope of our project.
- Standard firewall behavior policies (permit / deny) to regulate the secure, reliable multicast protocol.
- INFOCON changes, especially those for replication levels.

Questions - Collection of Projects
- Integrate with intrusion detection
  – If an intrusion detection system noted a certain level of intrusion in a given network, an intrusion tolerant architecture could downgrade trust for entities within that network.
  – Or, in a replicated system, remove a replica from that network, and add one to another to proactively counteract the attack.

Schedule (figure)

Technology Transfer
- Work with OMG to revise existing specifications, create new specifications
  – Fault Tolerance specification
  – Unreliable Multicast specification
  – Firewall specification
- Joint experimentation with other DARPA and DoD programs
- Conferences and workshops