
CoBFIT: A Component-Based Framework for Intrusion Tolerance
Authors: HariGovind V. Ramasamy, Adnan Agbaria, William H. Sanders
Presented by: Keqiang Zhu


2 Intrusion Tolerance
 Despite defense mechanisms and rigorous testing, most systems remain at least somewhat vulnerable
 Protecting against all attacks is not practical
 Assumes that over time, a subset of vulnerabilities will be successfully exploited by an attacker
 Goal: provide "acceptable" service despite faults due to intrusions
 Traditional security + IT = defense in depth (buying time by yielding space)

3 Motivation
 Most of the implementation effort in building an IT system is not spent on the IT functionality but on the support features for IT
 Different OSs are a design requirement for most IT systems, and multiple teams working on different platforms implemented their own versions of the support features
 Hard to reuse the support features, since the various implementations tightly coupled the support features with the IT functionality

4 Motivation (cont.)
 Lack of a convenient platform for building and evaluating various design choices for IT protocols
 Frameworks for dependability exist, but they are mainly for crash-fault-tolerant protocols that consider benign faults, and don't provide specialized support for IT in the face of malicious faults

5 Goals
 Separate the support features that facilitate the building of IT protocols from the actual IT functionality provided by the protocols

6 Goals
 A software framework for intrusion tolerance
  - Robust: the framework itself needs to be robust to support robust IT protocols
  - Reconfigurable: need to provide the capability to dynamically change system posture in the face of attacks
  - Reusable: serve as a convenient platform for building and testing a variety of IT protocols without having to re-implement the support features
  - Portable: to exploit diversity through OS heterogeneity for IT benefits

7 Outline
 CoBFIT Architecture
 Framework Components
 Example Framework Specialization: an IT group communication system
 Support provided by the CoBFIT framework in the context of the example
 Summary and Future work

8 CoBFIT Architecture

9 CoBFIT Architecture (cont.)
 Framework components implement the structure of IT
  - Have primitives, abstractions, and supporting software mechanisms for IT
  - Provide run-time support or development support
 Service components implement the functionality of IT
  - Are specific to a particular domain of applications
  - Have the implementation of an IT protocol/algorithm


11 Event Manager
 Restricts communication between service components strictly to events
 Publish-subscribe model
  - Components publish the events they generate to the Event Manager
  - Components subscribe to the events they are interested in handling (event handlers) from the Event Manager

12 Event Manager (cont.)
 Detects, de-multiplexes, and dispatches events to the interested service components
 The invocation order of multiple event handlers subscribed to the same event is determined through a dependency graph

13 Event Manager: Dependency Graph
 Nodes: service components in the CoBFIT system
 An edge from service component c1 to another component c2 implies that correct operation of c1 depends on whether c2 correctly satisfies its specified properties
 The event handler of c2 is invoked first, followed by the event handler of c1
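As an added illustration (not CoBFIT code), a small Python Event Manager that orders the handlers subscribed to one event by the dependency graph above and refuses a cyclic graph. The GCS graph and the Message_Received event in gcs_dispatch_order() are constructed from the dependencies stated on slide 33; the handler names are assumptions.

```python
from collections import defaultdict

class EventManager:
    """Publish-subscribe dispatcher; handler order follows the dependency graph."""
    def __init__(self, dependency_graph):
        # Edge c1 -> c2 means c1 depends on c2, so c2's handler runs before c1's.
        self.deps = dependency_graph
        self.subscribers = defaultdict(dict)  # event name -> {component: handler}

    def subscribe(self, event, component, handler):
        self.subscribers[event][component] = handler

    def handler_order(self, components):
        """Dependencies first (transitively); raises on a cyclic graph."""
        order, visiting, done = [], set(), set()
        def visit(c):
            if c in done:
                return
            if c in visiting:
                raise ValueError(f"dependency cycle involving {c}")
            visiting.add(c)
            for d in self.deps.get(c, ()):
                visit(d)
            visiting.remove(c)
            done.add(c)
            if c in components:            # only subscribed handlers are invoked
                order.append(c)
        for c in sorted(components):       # deterministic tie-breaking
            visit(c)
        return order

    def publish(self, event, payload):
        """Dispatch one event; returns the components in invocation order."""
        subs = self.subscribers.get(event, {})
        order = self.handler_order(set(subs))
        for c in order:
            subs[c](payload)
        return order

def gcs_dispatch_order():
    """Constructed GCS graph from slide 33: Total Order needs Group Membership and
    Reliable Multicast; Group Membership needs Reliable Multicast, Gossip, Heartbeat."""
    graph = {"TotalOrder": ["GroupMembership", "ReliableMulticast"],
             "GroupMembership": ["ReliableMulticast", "Gossip", "Heartbeat"]}
    em = EventManager(graph)
    log = []   # records which handler actually ran, and in what order
    for comp in ("TotalOrder", "GroupMembership", "ReliableMulticast"):
        em.subscribe("Message_Received", comp, lambda msg, c=comp: log.append(c))
    return em.publish("Message_Received", {"seq": 0}), log
```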

14 CoBFIT GCS Service Components

15 Constructor
 Is responsible for reconfiguring the CoBFIT system
 Creates all CoBFIT components
 Hands over the dependency graph to the Event Manager

16 Constructor (cont.)
 All CoBFIT components implement a uniform component management interface
  - Has operation interfaces to (re)initialize, shut down, and suspend/resume execution
 Maintains a component repository
 Implements rules to choose among multiple scripts, each specifying a different adaptation strategy (e.g., which of the available service components to link/unlink)

17 Failure Detection
 Is the hub of communication for intrusion detection
 Identifies compromised subsystems so as to repair, replace, or remove them
 Enforces a clean separation between failure detection and failure response mechanisms
 Serves as the central sink for intrusion detections from internal (service-component-specific) and external (third-party IDS) sources

18 Failure Detection (cont.)
 Processes the reports and implements policies to determine which reports should actually lead to system adaptation
 Generates a Failure_Detect event to which interested components can subscribe
 Allows service components to be more independent of the specific failure detection tools

19 Replication Manager
 Redundancy by replication: an important design primitive used in many fault- and intrusion-tolerant systems
 Manages a replicated application
  - Each replica is a CoBFIT system
  - Each replica has a Replication Manager

20 Replication Manager (cont.)
 Replication Manager components at the various replicas
  - Communicate with each other to reconfigure a replicated application
  - Translate high-level dependability requirements specified at run-time into particular replication configurations

21 Consensus
 Building block for many distributed services (atomic multicast, membership)
 Provides a consensus primitive that can be used for constructing such services

22 Cryptography
 Provides a uniform way to access multiple third-party cryptographic libraries
 Defines interfaces for common crypto operations, and adapts the interface of the chosen cryptographic library to the defined interface
 Enhances reusability of service components by making them independent of the particular choice of crypto library

23 Network
 Messages are special types of events used by a CoBFIT system to communicate with other CoBFIT systems or the outside world
 A service component sends and receives messages through the Network component
 Provides portable, object-oriented wrappers around platform-specific low-level network functions and data
 Provides a uniform networking interface independent of the particular platform or underlying transport mechanism

24 Secure Data Manager
 Provides "safe" classes (wrappers around unsafe C/C++ standard library functions)
 Classes for marshalling/de-marshalling, buffering, fragmenting and reassembling messages in an efficient manner without making "deep" copies
 A service component developer would use these classes instead of the ones provided by the standard library


26 CoBFIT GCS Service Components

27 Group Membership
  - Implements an intrusion-tolerant group membership protocol
  - Is useful for removing faulty members from the group and adding new members to the group
  - Maintains consistent group membership information across all correct group members
  - Subscribes to the Failure_Detect event generated by Failure Detection (a CoBFIT framework component)
  - Removes from the group those members for which the Failure_Detect event has been generated

28 CoBFIT GCS Service Components
 Reliable Multicast
  - All correct members deliver the same set of multicast messages
  - The contents of a multicast message as delivered to all correct processes are the same
  - Prevents situations in which a malicious group member sends one payload to some group members and another payload to other group members for the same multicast message

29 CoBFIT GCS Service Components
 Total Order
  - Ensures that if two correct group members deliver two application-level multicast messages m1 and m2, then both members deliver the messages in the same order
  - Is crucial in state-machine-replicated applications so that group members (replicas) reach the same state after executing an operation requested by a multicast message
  - The protocol partitions the set of all possible multicast sequence numbers among the group members and assigns one partition to each group member
  - Each replica generates messages with increasing sequence numbers from its assigned partition without any gaps
  - Messages are delivered in sequence number order
  - The protocol proceeds in global rounds, in which each group member sends exactly one message per round (using a sequence number from its assigned partition)
  - If there is no application-level message to be sent in a round, a correct group member is required to send a null message with the correct sequence number
  - A member that stalls the protocol by refusing to send messages in a round will be suspected and reported to the Failure Detection component; if more than two-thirds of the group members suspect a group member, that member will eventually be removed from the group
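An added Python model of the Total Order rounds just described (not CoBFIT code). It assumes a round-robin partition in which member i of n owns sequence numbers {i, i+n, i+2n, ...}, treats null messages as filling their slot without being delivered to the application, and shows how a member that sends nothing in a round leaves a gap that stalls delivery and gets it suspected; the payload table is constructed input.

```python
def seq_for(member, rnd, n):
    """Sequence number that 'member' must use in global round 'rnd' (no gaps)."""
    return rnd * n + member

def run_rounds(n, rounds, payloads, silent=frozenset()):
    """Simulate the protocol for n members over 'rounds' global rounds.

    payloads: {(member, round): payload} application messages (constructed input);
    a member with nothing to send in a round sends a null message instead.
    silent: members that stall the protocol by sending nothing in any round.
    Returns (delivered, suspected): delivered = [(seq, sender, payload)] in
    delivery order (null messages fill their slot but are not handed to the
    application, an assumption of this model); suspected = the member whose
    message was missing when delivery had to stop.
    """
    received = {}   # seq -> (sender, payload or None for a null message)
    for rnd in range(rounds):
        for m in range(n):
            if m in silent:
                continue
            received[seq_for(m, rnd, n)] = (m, payloads.get((m, rnd)))
    delivered, suspected = [], set()
    for seq in range(rounds * n):
        if seq not in received:
            # Gap in the sequence: only the partition owner can fill it, so the
            # protocol stalls here and that member is reported as a suspect.
            suspected.add(seq % n)
            break
        sender, payload = received[seq]
        if payload is not None:
            delivered.append((seq, sender, payload))
    return delivered, suspected
```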

30 CoBFIT GCS Service Components
 Gossip
  - Discovers new processes wanting to join the group
  - If a new process has proper credentials, it is allowed to join the group
  - The group membership protocol updates the group membership info at all correct group members consistently to reflect the addition of the new process to the group

31 CoBFIT GCS Service Components
 Heartbeat
  - If the heartbeat from a process doesn't arrive in time, it is suspected
  - If more than two-thirds of the group members suspect a member of having crashed, then that member is removed from the group

32 CoBFIT GCS Service Components

33
 Group membership and total order protocol messages need to be consistently delivered (with the same contents) at all correct group members
 Group membership needs Gossip to discover new processes, and Heartbeat to detect crashed group members
 The total order protocol needs the group membership protocol to remove group members that stall the protocol


35 Support Provided by CoBFIT Framework
 All service components in the CoBFIT GCS rely on
  - the Cryptography component for digitally signing/verifying messages
  - the Secure Data Manager component for various message marshalling/de-marshalling operations
  - the Network component to communicate with peer service components on remote CoBFIT systems (replicas) belonging to the same group
  - the Event Manager component for communication with other service components within the same CoBFIT system (replica)

36 Support Provided by CoBFIT Framework
 The Group Membership component depends on the Failure Detection component to receive the Failure_Detect event, based on which it removes faulty members from the group
 Service components generate a Suspect_Report event to identify a suspect group member; it is handled by the Failure Detection component
  - Failure Detection components at the various group members exchange Suspect_Report events with each other
  - When a Failure Detection component receives Suspect_Report events for a particular group member from the peer components at more than two-thirds of the group members, it generates a Failure_Detect event
  - The Failure_Detect event is handled locally by the Group Membership component to ensure that the "convicted" group member is removed from the group membership
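An added Python model of the Suspect_Report / Failure_Detect flow on this slide (not CoBFIT code). One member's Failure Detection component counts distinct peer reporters per suspect against the current membership, so a single reporter repeating itself or a non-member cannot push a suspect over the two-thirds line; the 7-member group in convict_scenario() is constructed.

```python
from collections import defaultdict

class GroupMembership:
    """Group Membership service component: handles Failure_Detect by removing the member."""
    def __init__(self, members):
        self.members = set(members)

    def failure_detect(self, member):
        self.members.discard(member)

class FailureDetection:
    """Failure Detection framework component of one group member (model).
    Collects Suspect_Report events exchanged among peers and generates
    Failure_Detect once more than two-thirds of the current group suspect one member."""
    def __init__(self, membership):
        self.membership = membership
        self.reports = defaultdict(set)   # suspect -> set of reporters (each counted once)

    def suspect_report(self, reporter, suspect):
        """Handle one Suspect_Report; returns True if Failure_Detect was generated."""
        members = self.membership.members
        if reporter not in members or suspect not in members:
            return False   # reports from or about non-members carry no weight
        self.reports[suspect].add(reporter)
        # strictly more than 2/3 of |members|, computed without floating point
        if 3 * len(self.reports[suspect]) > 2 * len(members):
            del self.reports[suspect]
            self.membership.failure_detect(suspect)   # local Failure_Detect event
            return True
        return False

def convict_scenario():
    """Constructed scenario: a 7-member group (needs 5 distinct reporters) where
    members 0..3 report member 6, member 0 repeats itself, then member 4 reports."""
    gm = GroupMembership(range(7))
    fd = FailureDetection(gm)
    results = [fd.suspect_report(r, 6) for r in (0, 1, 2, 3, 0, 4)]
    return results, sorted(gm.members)
```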


38 Summary and future work
 Summary
  - A framework that provides specialized support for intrusion-tolerant services, facilitating their development and run-time adaptation
  - Incorporates characteristics that are essential for survivability in the face of attacks
  - Demonstrated how it can serve as a convenient platform for building an IT group communication system

39 Summary and future work
 Future Work
  - Investigate decision procedures that strike a balance between automated reconfiguration and unnecessary reconfiguration (Constructor)
  - Provide a comprehensive library of safe classes (Secure Data Manager)
  - Interface with multiple third-party IDSs; new policies for analyzing intrusion reports that reduce reconfiguration resulting from false positives (Failure Detection)
  - Translate high-level dependability requirements into replication configurations tolerating different types of faults (Replication Manager)
  - Make a widely used application IT-enabled using the CoBFIT GCS
  - Explore additional supporting software mechanisms for IT that can be added as framework components in the CoBFIT framework

