MAFTIA concepts Yves Deswarte & David Powell LAAS-CNRS, France SRI International.


1 MAFTIA concepts Yves Deswarte & David Powell LAAS-CNRS, France SRI International

2 FTI MAFTIA: Malicious- and Accidental-Fault Tolerance for Internet Applications
European IST Program, Dependability Initiative
• University of Newcastle (UK)
• University of Lisbon (P)
• DERA, Malvern (UK)
• University of Saarland (D)
• LAAS-CNRS, Toulouse (F)
• IBM Research, Zurich (CH)
3 years (2000-2002), ~45 man-years, EU funding ~2.5M€

3 Dependability as a generic concept [Laprie 1985]
Secure systems from insecure components [Dobson & Randell 1986]
Intrusion-tolerant file system [Fraga & Powell 1985]
Intrusion-tolerant security server [Deswarte, Blain & Fabre 1991]
Intrusion-tolerant data processing [Fabre, Deswarte & Randell 1994]
FTI Delta-4 project

4 Workplan
• WP1: Conceptual model and architecture
• WP2: Dependable middleware
• WP3: Intrusion detection
• WP4: Dependable trusted third parties
• WP5: Distributed authorization
• WP6: Assessment

5 Fault, Error & Failure
• Fault: adjudged or hypothesized cause of an error (e.g., bug, H/W fault, intrusion)
• Error: that part of system state which may lead to a failure
• Failure: occurs when delivered service deviates from implementing the system function

6 Example: Single Event Upset
SEUs (bit-flips, stuck-at faults, cell destructions) can result from radiation (e.g., cosmic ray, high energy ions)
[Diagram: satellite on-board computer. Labels: Cosmic ray (external fault); Lack of shielding (vulnerability: internal, dormant fault); SEU (internal, externally-induced fault); internal, active fault]

7 Intrusions
Intrusions result from (at least partially) successful attacks:
[Diagram: computing system. Labels: Attack (external fault); Vulnerability, e.g. account with default password (internal, dormant fault); Intrusion (internal, externally-induced fault); internal, active fault]

8 Dependability obtained through:
• Fault prevention: how to prevent the occurrence or introduction of faults
• Fault tolerance: how to provide a service capable of or implementing the system function despite faults
• Fault removal: how to reduce the presence (number, severity) of faults
• Fault forecasting: how to estimate the presence, creation and consequences of faults

9 For intrusions:
• Vulnerability prevention: how to prevent the occurrence or introduction of vulnerabilities
• Vulnerability tolerance: how to provide a service capable of or implementing the system function despite vulnerabilities (synonym for intrusion tolerance)
• Vulnerability removal: how to reduce the presence (number, severity) of vulnerabilities
• Vulnerability forecasting: how to estimate the presence, creation and consequences of vulnerabilities
• Intrusion prevention: how to prevent the occurrence of intrusions (vulnerability prevention + attack deterrence)
• Intrusion tolerance: how to provide a service capable of or implementing the system function despite intrusions
• Intrusion removal: not meaningful
• Intrusion forecasting: how to estimate the creation and consequences of intrusions (vulnerability + attack forecasting)

10 Fault Tolerance
[Diagram: Fault, Error, Failure]
• Error Processing: Detection & Recovery; Masking
• Fault Treatment: Diagnosis; Isolation; Reconfiguration

11 Intrusion tolerance
• Error processing:
  ◦ Intrusion-symptom detection + recovery
  ◦ Intrusion masking
• Fault treatment
  ◦ Intrusion diagnosis (+ retaliation?)
  ◦ Vulnerability removal

12 Intrusion Masking: Delta-4 (86-96)
FRS: Fragmentation-Redundancy-
[Blain & Deswarte 1994] [Fraga & Powell 1985] [Fray et al. 1986] [Deswarte et al. 1991] [Fabre et al. 1994]

13 Ideal Fault-tolerant Component
[Diagram: component or (sub-)system, between a service user (API: service, exception) and a possible lower level (service, exception), reporting to an administration (sub-)system]
• Error processing: masking; a posteriori error detection; detection/recovery (error detection, recovery)
• Fault treatment: fault diagnosis; faulty unit isolation and system reconfiguration
• Other labels: error reports

14 Intrusion-Tolerant Component
[Diagram: component or (sub-)system, between a service user (API: service, insecurity signal) and a possible lower level (service, insecurity signal), reporting to a security administration (sub-)system and the System security officer (SSO)]
• Error processing: masking; a posteriori error detection; detection/recovery (error detection, recovery)
• Fault treatment: intrusion diagnosis; intrusion isolation and system reconfiguration
• Other labels: error reports; intruder alert; standalone sensors

15 References
• Blain, L. and Deswarte, Y. (1994). A Smartcard Fault-Tolerant Authentication Server, in 1st Smart Card Research and Advanced Application Conference (CARDIS'94), Lille, France, pp.149-165.
• Deswarte, Y., Blain, L. and Fabre, J.-C. (1991). Intrusion Tolerance in Distributed Systems, in Symp. on Research in Security and Privacy, Oakland, CA, USA, pp.110-121.
• Deswarte, Y., Fabre, J.-C., Laprie, J.-C. and Powell, D. (1986). A Saturation Network to Tolerate Faults and Intrusions, in 5th Symp. on Reliability of Distributed Software and Database Systems, Los Angeles, CA, USA, pp.74-81, IEEE Computer Society Press.
• Fabre, J.-C., Deswarte, Y. and Randell, B. (1994). Designing Secure and Reliable Applications using FRS: an Object-Oriented Approach, in 1st European Dependable Computing Conference (EDCC-1), Berlin, Germany, LNCS 852, pp.21-38.
• Fraga, J. and Powell, D. (1985). A Fault and Intrusion-Tolerant File System, in IFIP 3rd Int. Conf. on Computer Security, (J. B. Grimson and H.-J. Kugler, Eds.), Dublin, Ireland, Computer Security, pp.203-218.
• Fray, J.-M., Deswarte, Y. and Powell, D. (1986). Intrusion-Tolerance using Fine-Grain Fragmentation-Scattering, in Symp. on Security and Privacy, Oakland, CA, USA, pp.194-201.

16 FTI http://www.research.ec.org/maftia/
