
Critical Software Security Through Replication and Virtualization A Research Proposal Dennis Edwards Sharon Simmons Arangamanikkannan Manickam.


1 Critical Software Security Through Replication and Virtualization
A Research Proposal
Dennis Edwards, Sharon Simmons, Arangamanikkannan Manickam

2 Original Work
- Multi-Level Security Model Architecture
- Secure national power distribution grid
- Designed for "System after next", "Beyond SCADA"
- Supported by
  - Department of Energy
  - FSU – Center for Advanced Power Systems Research
July 9, 2009, NCA09 - BIOCOMS

3 Background
- Combine ideas into a new architecture
  - Software mutation – agent diversity
  - Computation replication – fault tolerance
  - Software voting – fault detection
- Focus on strengthening the security triad
  - Prevention: anticipate and thwart attacks
  - Detection: recognize penetrations
  - Correction: recover while limiting consequences
- Evolve security to prevent / deter recurrence

4 Security Model
[Diagram: SCADA sensors & actuators connected over network/serial to a Communication Agent; a Distribution/Voting Agent feeds three Replicated Computational Agents; a Monitor/Resurrection Agent and a Mutation Agent (with the source) sit in a hardware-protected region; normal I/O and control signals flow back to the SCADA side.]
Fall 2009 Showcase, UWF - Simmons

5 Previous Results
- Computational agents
  - Mutated and replicated
  - Different random mutation for each
    - Prevents multiple Byzantine failures
    - Faults result in crash failures
- Distribution/Voting agent
  - Replicates input to the computational agents
  - Combines outputs into a majority decision
  - Identifies faulty/failed computational agents

6 Previous Results
- Communication agent
  - Implements encryption, validation
  - Only entrance into the system
- Monitor/resurrection agent
  - Monitors health of other agents
  - Rebuilds faulty/failed agents
  - Implemented in hardware

7 Model Limitations
- Prevention is specialized to
  - Buffer overflow attacks
  - Software failures
- Designed for agent-based systems
  - Dynamic port binding not supported
  - Server processes not supported
- Operating system remains vulnerable
- Requires hardware protection
- M/R agent is a single point of failure

8 Proposed System
- Multi-layered security model
  - Builds on previous success
  - Provides for replication and voting
- Replicated processes
  - Computationally equivalent
  - Executed on different virtual platforms
- Platform-targeted attack ineffective
- Implementation-targeted attack ineffective
- Platform weaknesses mitigated
- Failures isolated and identified
- Failed system recovered

9 Proposed System
- Guest OS
  - Assigned a private IP address
  - Monitors health of server processes
- Server processes
  - Perform duties as if in isolation
  - Results used as votes
- Host OS
  - Assigned the public IP address
  - Uses NAT to map the public IP to the private IPs
  - Monitors health of guest OSes
  - Limits the consequences of an attack to the guest OS

10 Proposed Model
[Diagram: the network reaches a Communication Interface on the Host OS, whose NAT forwards to Server Guest OS 1, Server Guest OS 2 and Server Guest OS 3 running inside the Virtual Machine.]

11 Prototype
- Host OS
  - Macintosh OS X
- Virtual Machine
  - Sun's VirtualBox
- Guest OSes
  - Windows XP
  - Linux Fedora 10
  - Solaris
- Server
  - Apache web server (httpd)
  - Each server listens on port 80 of its private IP

12 Prototype
- External communication
  - Via the communication interface
  - Port 80 on a well-known IP
  - Specialized NAT replicates the input to each guest (the NAT is now the client)
- Responses from Apache
  - Sent back to the NAT (the client)
  - NAT tallies the votes and returns the decision to the real client
- Prototype status
  - In experimentation/design phase
  - Communication with dual servers
  - Voting not yet implemented
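The voting step that slide 12 lists as "not yet implemented" is the same majority decision the Distribution/Voting agent performed in the earlier model (slide 5). The following is an added illustration, not code from the authors or the prototype: a request distributor that sends one request to every replica, strips platform-specific HTTP headers so only the status line and body are compared, takes a strict majority, and names the replicas that disagreed or crashed. The three "replicas" are constructed Python callables standing in for the Apache instances on Windows XP, Fedora 10 and Solaris; the replica names, the sample page and the DEFACED body are assumptions for the demonstration, and no network I/O takes place.

```python
"""Majority-vote distributor modelled on the slides' Distribution/Voting agent.

Constructed example: the replicas are plain callables (request bytes ->
response bytes, raising on a crash) that stand in for the Apache guests.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

Replica = Callable[[bytes], bytes]


@dataclass
class Decision:
    response: Optional[bytes]   # majority answer, or None when no majority exists
    agreeing: List[str]         # replicas whose answer matched the majority
    faulty: List[str]           # replicas that disagreed or crashed


def replicas_required(faults: int, byzantine: bool) -> int:
    """Replicas needed to mask `faults` failures by voting.

    Byzantine (a faulty replica may answer wrongly): a correct majority
    needs 2f+1.  Crash-only (the earlier model's mutation turned faults
    into crashes): f+1 suffices, since a crashed replica casts no vote and
    any surviving answer is correct.
    """
    return 2 * faults + 1 if byzantine else faults + 1


def normalise(resp: bytes) -> bytes:
    """Keep status line + body; drop headers such as Server:/Date: that
    legitimately differ between guest platforms and would break agreement."""
    head, _, body = resp.partition(b"\r\n\r\n")
    status = head.split(b"\r\n", 1)[0]
    return status + b"\r\n\r\n" + body


def distribute_and_vote(request: bytes, replicas: Dict[str, Replica],
                        byzantine: bool = True) -> Decision:
    """Replicate `request` to every replica and return the majority decision.

    With byzantine=True the majority is taken over all replicas, so a single
    survivor cannot decide on its own; with byzantine=False (crash-only
    failures) the majority is taken over the replicas that answered.
    """
    answers: Dict[str, Optional[bytes]] = {}
    for name, serve in replicas.items():
        try:
            answers[name] = normalise(serve(request))
        except Exception:            # crash failure: no vote is cast
            answers[name] = None

    crashed = [n for n, a in answers.items() if a is None]
    tally = Counter(a for a in answers.values() if a is not None)
    if not tally:
        return Decision(None, [], crashed)

    winner, votes = tally.most_common(1)[0]
    electorate = len(replicas) if byzantine else len(replicas) - len(crashed)
    if votes * 2 <= electorate:
        # No strict majority: fail closed.  Only the crashed replicas can be
        # named; among disagreeing answers the liar cannot be identified.
        return Decision(None, [], crashed)

    agreeing = [n for n, a in answers.items() if a == winner]
    faulty = [n for n, a in answers.items() if a != winner]
    return Decision(winner, agreeing, faulty)


# ---- constructed stand-ins for the Apache guests (assumed names/bodies) ----
def make_apache(server_header: bytes, body: bytes) -> Replica:
    def serve(request: bytes) -> bytes:
        return (b"HTTP/1.1 200 OK\r\nServer: " + server_header +
                b"\r\nContent-Length: " + str(len(body)).encode() +
                b"\r\n\r\n" + body)
    return serve


def crashed_guest(request: bytes) -> bytes:
    raise ConnectionError("replica down")


REQUEST = b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"
PAGE = b"<html>hello</html>"
EXPECTED = b"HTTP/1.1 200 OK\r\n\r\n" + PAGE

# Solaris guest is assumed compromised and serving a tampered page.
REPLICAS: Dict[str, Replica] = {
    "winxp":    make_apache(b"Apache/2.2 (Win32)", PAGE),
    "fedora10": make_apache(b"Apache/2.2 (Fedora)", PAGE),
    "solaris":  make_apache(b"Apache/2.2 (Unix)", b"<html>DEFACED</html>"),
}

if __name__ == "__main__":
    d = distribute_and_vote(REQUEST, REPLICAS)
    print("decision:", d.response)
    print("agreeing:", d.agreeing, "faulty:", d.faulty)
```

The `faulty` list is what the monitor/resurrection role would act on: the named guest is rebuilt while the client only ever sees the majority answer. Note that header normalisation is necessary for exactly the reason the proposal gives for using different guest OSes: the platforms differ, so byte-for-byte comparison of raw responses would report disagreement on every request.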

13 Demonstration Prototype
[Diagram: the network reaches the Communication Interface (Distribution & Voting) and NAT on OS X; VirtualBox hosts three Apache instances, on Windows XP, Solaris and Linux F10.]

14 Summary
- Previous success with the power distribution grid
- Known limitations of the system
- Proposed system will
  – Take advantage of multiple execution cores
  – Use virtualization for system replication
  – Provide distinct execution bases for each replicate
  – Use voting to identify faulty components
  – Recover from faults with no externally visible effects
  – Contain consequences to the virtual host

15 Contact Information
Dennis Edwards dedwards@uwf.edu
Sharon Simmons ssimmons2@uwf.edu

