1 apod 10/19/2015 docsec 2002christopher jones defense enabling using quo: experience in building...

1 APOD 04/20/23 DOCSEC 2002 Christopher Jones

Defense Enabling Using QuO:Experience in Building Survivable CORBA

Applications

Chris Jones Partha Pal, Franklin Webber

BBN Technologies

QuO & APODQuO & APOD


APOD Overview

• APOD is toolkit of mechanism wrappers and adaptation strategies that allows an application to use security mechanisms to dynamically adapt to a changing environment

• We believe that adaptation increases an application’s resiliency to certain kinds of attacks

• APOD uses QuO, which provides an application with adaptation.


Quo Overview

• QuO is a middleware system that offers an application the ability to adapt to the changing environment in which it is running.

– Host resources (CPU and memory) usage

– Network resource availability

– Intrusion status

• The adaptive code is separated into a QuO “qosket” for reuse.

– A qosket is a set of specifications and implementations that define a quality of service module.

• It can be added into a distributed object application with minimum impact on the application


QuO Overview (cont.)

• Quality Description Languages (QDL)– Contract description language, adaptive behavior description

language– Code generators that generate Java and C++ code for

contracts, delegates, creation, and initialization

• System Condition Objects– Provide interfaces to resources, managers, and mechanisms

• QuO Runtime Kernel– Contract evaluator– Factory object which instantiates contract and system condition

objects


QuO Architecture

ApplicationDeveloper

MechanismDeveloper

CLIENT

Network

operation()

in args

out args + return value

IDLSTUBS

IDLSKELETON

OBJECTADAPTER

ORB IIOP ORBIIOP

CLIENT OBJECT(SERVANT)OBJECT(SERVANT)

OBJREF

CLIENT

DelegateContract

SysCond

Contract

Network

MECHANISM/PROPERTYMANAGER

operation()

in args

out args + return value

IDLSTUBS

Delegate

SysCond

SysCond

SysCond

IDLSKELETON

OBJECTADAPTER

ORB IIOP ORBIIOP

CLIENT OBJECT(SERVANT)OBJECT(SERVANT)

OBJREF

ApplicationDeveloper

QuODeveloper

MechanismDeveloper

CO

RB

A D

OC

MO

DE

LQ

UO

/CO

RB

A D

OC

MO

DE

L


APOD Description

• We believe that by adapting to and trying to control its environment, an application can increase its chances of survival under attack

– Use QuO to integrate multiple security mechanisms into a coherent strategy for adaptation

– Use mechanisms where they exist to harden or protect an application, a resource, or a service

• Tie security information to the adaptation of an application through the QuO system condition objects


Defense-Enabled Application CompetesWith Attacker for Control of Resources

ApplicationAttacker

Raw ResourcesCPU, bandwidth, files...

QoS Management

Crypto

OSs and Network IDSs Firewalls


APOD Mechanisms

• Network and Host Sensors– Snort is a lightweight network intrusion detection system– Tripwire for detecting file systems integrity violations

• Actuators– Network traffic filters - Iptables– File systems recovery – secure backup

• Dependability management using replication– Aqua – replication system from University of Illinois, Urbana-

Champaign– APOD Bus – mechanism for publishing data about application’s

status and for maintaining replicas of application processes

• Bandwidth Management– Intserv (RSVP, SecureRSVP) and Diffserv

• Access Control– NAI’s OO-DTE at the interceptor layer


APOD Strategies

• QuO’s contract language is used to define defensive strategies

• Example strategies include – containment, which uses snort and iptables to detect and limits the

extent of attacks

– outrun, uses dependability with replication to move away from attacks.


APOD Red-teaming Experimentation

• Sandia labs redteam attacks an APOD enabled application• Test the added value of APOD to an application

– Also, analyzing the overhead of APOD

• Application has three pieces; client, image server, and broker. The broker is responsible for hooking clients requesting images to the server that can provide those images

• Two broker components are maintained by the APOD bus on a set of hosts. Each of these hosts is running a qosket implementing a containment strategy

– Using snort and tripwire as sensors and iptables and the bus to react to attack detections.


APOD Redteam Example

Server 3

Server 1Client 1

Client 2

Server 2

APOD bus

Broker 2

Broker 1

Subscribe/Unsubscribe

Publish/Unpublish

Server ready/Server gone

Subscribe/Unsubscribe

Publish/Unpublish

Publish/Unpublish

Server ready/Server gone


Experimentation Configuration

• Testing environment of 14 hosts on 4 subnets.

broker4_1 broker4_2 server4

.1

.1

.1

.4

.1

.3

.2

192.168.4 (IPNET4)

.2 .3 .4

BB S

Experiment Control,external waypoint

.1

162.168.251VPN/

Internet

192.168.1 (IPNET1)

.2 .3 .4

BB S

broker1_1 broker1_2 server1

192.168.70 (IPNET2)

.21autobot

.2 .3 .4

BC B

broker2_1 broker2_2client2

192.168.3 (IPNET3)

.2 .3 .4 .5

C BB S

broker3_1 broker3_2 server3client3

router_ipnet_2

router_ipnet_4

router_ipnet_1

router_ipnet_3

badguy1

.101


Red-teaming Attack and Preliminary Results

• With APOD and the configuration, the redteam was forced to combine three different attacks to cause a denial of service of the broker

– The three attack are: ARP cache poisoning, Spoofing scan, connection flooding

– The combined attacks took 5 minutes and we have implemented counter defenses

• APOD has added value and the method call latency overhead of QuO and APOD to application is very small (~ .3 msec.)

– note: encryption at interceptor layer not included, but measured by APOD team as roughly 500 msec per method call

» using symmetric encryption can improve this number.

– Ipsec overhead compared to interceptor layer is very small


What APOD would like from DOC security

• Better elimination of software flaws in ORB implementations

• Standardized support across CORBA implementations for – pluggable transports

– interceptors

• “Knobs and Dials” at ORB and service level to adjust security

– Easy configuration of ORB’s port selection dynamically under middleware control.

» Specific ports or range of ports

» How to select the next port to use

• Configuration of timeouts and how to deal with them.


Conclusion

• The red teaming has been extremely useful for APOD– Validated our work and “stress test” our defenses

• CORBA support needs to be as secure and uniform as possible

– Found lack of uniformity in implementations

– Trusting the ORB is secure

• Websites:– QuO: www.dist-systems.bbn.com/tech/QuO

– APOD: www.dist-systems.bbn.com/projects/APOD

1 apod 10/19/2015 docsec 2002christopher jones defense enabling using quo: experience in building...

Documents