1 apod 10/19/2015 docsec 2002christopher jones defense enabling using quo: experience in building...
TRANSCRIPT
1 APOD 04/20/23 DOCSEC 2002 Christopher Jones
Defense Enabling Using QuO:Experience in Building Survivable CORBA
Applications
Chris Jones Partha Pal, Franklin Webber
BBN Technologies
QuO & APODQuO & APOD
2 APOD 04/20/23 DOCSEC 2002 Christopher Jones
APOD Overview
• APOD is toolkit of mechanism wrappers and adaptation strategies that allows an application to use security mechanisms to dynamically adapt to a changing environment
• We believe that adaptation increases an application’s resiliency to certain kinds of attacks
• APOD uses QuO, which provides an application with adaptation.
3 APOD 04/20/23 DOCSEC 2002 Christopher Jones
Quo Overview
• QuO is a middleware system that offers an application the ability to adapt to the changing environment in which it is running.
– Host resources (CPU and memory) usage
– Network resource availability
– Intrusion status
• The adaptive code is separated into a QuO “qosket” for reuse.
– A qosket is a set of specifications and implementations that define a quality of service module.
• It can be added into a distributed object application with minimum impact on the application
4 APOD 04/20/23 DOCSEC 2002 Christopher Jones
QuO Overview (cont.)
• Quality Description Languages (QDL)– Contract description language, adaptive behavior description
language– Code generators that generate Java and C++ code for
contracts, delegates, creation, and initialization
• System Condition Objects– Provide interfaces to resources, managers, and mechanisms
• QuO Runtime Kernel– Contract evaluator– Factory object which instantiates contract and system condition
objects
5 APOD 04/20/23 DOCSEC 2002 Christopher Jones
QuO Architecture
ApplicationDeveloper
MechanismDeveloper
CLIENT
Network
operation()
in args
out args + return value
IDLSTUBS
IDLSKELETON
OBJECTADAPTER
ORB IIOP ORBIIOP
CLIENT OBJECT(SERVANT)OBJECT(SERVANT)
OBJREF
CLIENT
DelegateContract
SysCond
Contract
Network
MECHANISM/PROPERTYMANAGER
operation()
in args
out args + return value
IDLSTUBS
Delegate
SysCond
SysCond
SysCond
IDLSKELETON
OBJECTADAPTER
ORB IIOP ORBIIOP
CLIENT OBJECT(SERVANT)OBJECT(SERVANT)
OBJREF
ApplicationDeveloper
QuODeveloper
MechanismDeveloper
CO
RB
A D
OC
MO
DE
LQ
UO
/CO
RB
A D
OC
MO
DE
L
6 APOD 04/20/23 DOCSEC 2002 Christopher Jones
APOD Description
• We believe that by adapting to and trying to control its environment, an application can increase its chances of survival under attack
– Use QuO to integrate multiple security mechanisms into a coherent strategy for adaptation
– Use mechanisms where they exist to harden or protect an application, a resource, or a service
• Tie security information to the adaptation of an application through the QuO system condition objects
7 APOD 04/20/23 DOCSEC 2002 Christopher Jones
Defense-Enabled Application CompetesWith Attacker for Control of Resources
ApplicationAttacker
Raw ResourcesCPU, bandwidth, files...
QoS Management
Crypto
OSs and Network IDSs Firewalls
8 APOD 04/20/23 DOCSEC 2002 Christopher Jones
APOD Mechanisms
• Network and Host Sensors– Snort is a lightweight network intrusion detection system– Tripwire for detecting file systems integrity violations
• Actuators– Network traffic filters - Iptables– File systems recovery – secure backup
• Dependability management using replication– Aqua – replication system from University of Illinois, Urbana-
Champaign– APOD Bus – mechanism for publishing data about application’s
status and for maintaining replicas of application processes
• Bandwidth Management– Intserv (RSVP, SecureRSVP) and Diffserv
• Access Control– NAI’s OO-DTE at the interceptor layer
9 APOD 04/20/23 DOCSEC 2002 Christopher Jones
APOD Strategies
• QuO’s contract language is used to define defensive strategies
• Example strategies include – containment, which uses snort and iptables to detect and limits the
extent of attacks
– outrun, uses dependability with replication to move away from attacks.
10 APOD 04/20/23 DOCSEC 2002 Christopher Jones
APOD Red-teaming Experimentation
• Sandia labs redteam attacks an APOD enabled application• Test the added value of APOD to an application
– Also, analyzing the overhead of APOD
• Application has three pieces; client, image server, and broker. The broker is responsible for hooking clients requesting images to the server that can provide those images
• Two broker components are maintained by the APOD bus on a set of hosts. Each of these hosts is running a qosket implementing a containment strategy
– Using snort and tripwire as sensors and iptables and the bus to react to attack detections.
11 APOD 04/20/23 DOCSEC 2002 Christopher Jones
APOD Redteam Example
Server 3
Server 1Client 1
Client 2
Server 2
APOD bus
Broker 2
Broker 1
Subscribe/Unsubscribe
Publish/Unpublish
Server ready/Server gone
Subscribe/Unsubscribe
Publish/Unpublish
Publish/Unpublish
Server ready/Server gone
12 APOD 04/20/23 DOCSEC 2002 Christopher Jones
Experimentation Configuration
• Testing environment of 14 hosts on 4 subnets.
broker4_1 broker4_2 server4
.1
.1
.1
.4
.1
.3
.2
192.168.4 (IPNET4)
.2 .3 .4
BB S
Experiment Control,external waypoint
.1
162.168.251VPN/
Internet
192.168.1 (IPNET1)
.2 .3 .4
BB S
broker1_1 broker1_2 server1
192.168.70 (IPNET2)
.21autobot
.2 .3 .4
BC B
broker2_1 broker2_2client2
192.168.3 (IPNET3)
.2 .3 .4 .5
C BB S
broker3_1 broker3_2 server3client3
router_ipnet_2
router_ipnet_4
router_ipnet_1
router_ipnet_3
badguy1
.101
13 APOD 04/20/23 DOCSEC 2002 Christopher Jones
Red-teaming Attack and Preliminary Results
• With APOD and the configuration, the redteam was forced to combine three different attacks to cause a denial of service of the broker
– The three attack are: ARP cache poisoning, Spoofing scan, connection flooding
– The combined attacks took 5 minutes and we have implemented counter defenses
• APOD has added value and the method call latency overhead of QuO and APOD to application is very small (~ .3 msec.)
– note: encryption at interceptor layer not included, but measured by APOD team as roughly 500 msec per method call
» using symmetric encryption can improve this number.
– Ipsec overhead compared to interceptor layer is very small
14 APOD 04/20/23 DOCSEC 2002 Christopher Jones
What APOD would like from DOC security
• Better elimination of software flaws in ORB implementations
• Standardized support across CORBA implementations for – pluggable transports
– interceptors
• “Knobs and Dials” at ORB and service level to adjust security
– Easy configuration of ORB’s port selection dynamically under middleware control.
» Specific ports or range of ports
» How to select the next port to use
• Configuration of timeouts and how to deal with them.
15 APOD 04/20/23 DOCSEC 2002 Christopher Jones
Conclusion
• The red teaming has been extremely useful for APOD– Validated our work and “stress test” our defenses
• CORBA support needs to be as secure and uniform as possible
– Found lack of uniformity in implementations
– Trusting the ORB is secure
• Websites:– QuO: www.dist-systems.bbn.com/tech/QuO
– APOD: www.dist-systems.bbn.com/projects/APOD