CoBFIT: A Component-Based Framework for Intrusion Tolerance
Authors: HariGovind V. Ramasamy, Adnan Agbaria, William H. Sanders
Presented by: Keqiang Zhu
Intrusion Tolerance
Despite defense mechanisms and rigorous testing, most systems remain at least somewhat vulnerable
Protecting against all attacks is not practical
Assumes that over time, a subset of vulnerabilities will be successfully exploited by an attacker
Goal: Provide “acceptable” service despite faults due to intrusions
Traditional Security + IT = defense-in-depth (buying time by yielding space)
Motivation
Most of the implementation effort in building an IT system is not spent on the IT functionality but on the support features for IT
Different OSs are design requirements for most IT systems, and multiple teams working on different platforms implemented their own versions of the support features
Hard to reuse the support features, since the various implementations tightly coupled the support features with the IT functionality
Motivation (cont.)
Lack of a convenient platform for building and evaluating various design choices for IT protocols
Frameworks for dependability exist, but they are mainly for crash-fault-tolerant protocols that consider benign faults, and don’t provide specialized support for IT in the face of malicious faults
Goals
Separate the support features that facilitate the building of IT protocols from the actual IT functionality provided by the protocols
Goals
A software framework for intrusion tolerance that is:
Robust – the framework itself needs to be robust to support robust IT protocols
Reconfigurable – need to provide the capability to dynamically change system posture in the face of attacks
Reusable – serve as a convenient platform for building and testing a variety of IT protocols without having to re-implement the support features
Portable – to exploit diversity through OS heterogeneity for IT benefits
Outline
CoBFIT Architecture
Framework Components
Example Framework Specialization: an IT group communication system
Support provided by the CoBFIT framework in the context of the example
Summary and Future Work
CoBFIT Architecture
CoBFIT Architecture (cont.)
Framework components implement the structure of IT:
Have primitives, abstractions, and supporting software mechanisms for IT
Provide run-time support or development support
Service components implement the functionality of IT:
Are specific to a particular domain of applications
Have the implementation of an IT protocol/algorithm
Event Manager
Restricts communication between service components strictly to events
Publish-subscribe model:
Components publish events they generate to the Event Manager
Components subscribe to events they are interested in handling (event handlers) from the Event Manager
Event Manager (cont.)
Detects, de-multiplexes, and dispatches events to the interested service components
The invocation order of multiple event handlers subscribed to the same event is determined through a dependency graph
Event Manager: Dependency Graph
Nodes: service components in the CoBFIT system
An edge from service component c1 to another component c2 implies that correct operation of c1 depends on whether c2 correctly satisfies its specified properties
The event handler of c2 is invoked first, followed by the event handler of c1
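As an added illustration (not CoBFIT's own code), a small Python Event Manager that derives the handler invocation order from such a dependency graph by topological sort, refusing a cyclic graph; the component names are taken from the GCS dependencies stated later in the deck, while the event name and payload are assumed.

```python
from collections import defaultdict, deque

# Constructed illustration of CoBFIT-style event dispatch (not the framework's code).
# Component and event names below are assumed for the example.

class DependencyCycle(Exception):
    """The dependency graph handed over cannot be ordered (it contains a cycle)."""

class EventManager:
    """Publish-subscribe dispatcher whose handler order is derived from a dependency
    graph: an edge c1 -> c2 means c1 depends on c2, so c2's handler runs first."""

    def __init__(self, depends_on):
        # depends_on: {component: [components it depends on]}  (the graph's edges)
        self.depends_on = {c: list(d) for c, d in depends_on.items()}
        self.subscribers = defaultdict(dict)   # event -> {component: handler}
        self.order = self._invocation_order()
        self.rank = {c: i for i, c in enumerate(self.order)}

    def _invocation_order(self):
        # Kahn's algorithm: a component is emitted only after everything it depends on.
        nodes = set(self.depends_on)
        for deps in self.depends_on.values():
            nodes.update(deps)
        remaining = {c: set(self.depends_on.get(c, ())) for c in nodes}
        dependents = defaultdict(set)
        for c, deps in remaining.items():
            for d in deps:
                dependents[d].add(c)
        ready = deque(sorted(c for c in nodes if not remaining[c]))
        order = []
        while ready:
            c = ready.popleft()
            order.append(c)
            for dep in sorted(dependents[c]):
                remaining[dep].discard(c)
                if not remaining[dep]:
                    ready.append(dep)
        if len(order) != len(nodes):          # leftovers form a cycle
            raise DependencyCycle(sorted(nodes - set(order)))
        return order

    def subscribe(self, component, event, handler):
        if component not in self.rank:
            raise KeyError(f"{component} is not a node of the dependency graph")
        self.subscribers[event][component] = handler

    def publish(self, event, payload):
        # Dispatch to every subscriber of `event` in dependency order; return that order.
        invoked = []
        for component in sorted(self.subscribers[event], key=self.rank.__getitem__):
            self.subscribers[event][component](payload)
            invoked.append(component)
        return invoked

def gcs_failure_detect_order():
    """Constructed GCS graph from the deck's stated dependencies (Group Membership needs
    Reliable Multicast, Gossip and Heartbeat; Total Order needs Reliable Multicast and
    Group Membership), then one Failure_Detect dispatch; returns the handler order."""
    em = EventManager({
        "GroupMembership": ["ReliableMulticast", "Gossip", "Heartbeat"],
        "TotalOrder": ["ReliableMulticast", "GroupMembership"],
    })
    seen = []
    em.subscribe("TotalOrder", "Failure_Detect", lambda ev: seen.append(("TotalOrder", ev)))
    em.subscribe("GroupMembership", "Failure_Detect", lambda ev: seen.append(("GroupMembership", ev)))
    return em.publish("Failure_Detect", {"member": 3})
```

Because Total Order depends on Group Membership, the membership handler always runs before the total-order handler for the same event, regardless of subscription order.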
CoBFIT GCS Service Components
Constructor
Is responsible for reconfiguring the CoBFIT system
Creates all CoBFIT components
Hands over the dependency graph to the Event Manager
Constructor (cont.)
All CoBFIT components implement a uniform component management interface
Has operation interfaces to (re)initialize, shut down, suspend/resume, and execute a component
Maintains a component repository
Implements rules to choose among multiple scripts, each specifying a different adaptation strategy (e.g., which of the available service components to link/unlink)
Failure Detection
Is the hub of communication for intrusion detection
Identifies compromised subsystems so as to repair, replace, or remove them
Enforces a clean separation between failure detection and failure response mechanisms
Serves as the central sink for intrusion detections from internal (service-component-specific) and external (third-party IDSs) sources
Failure Detection (cont.)
Processes the reports and implements policies to determine which reports should actually lead to system adaptation
Generates a Failure_Detect event to which interested components can subscribe
Allows service components to be more independent of the specific failure detection tools
Replication Manager
Redundancy by replication: an important design primitive used in many fault- and intrusion-tolerant systems
Manages a replicated application
Each replica is a CoBFIT system
Each replica has a Replication Manager
Replication Manager (cont.)
Replication Manager components at various replicas:
Communicate with each other to reconfigure a replicated application
Translate high-level dependability requirements specified at run-time into particular replication configurations
Consensus
Building block for many distributed services (atomic multicast, membership)
Provides a consensus primitive that can be used for constructing such services
Cryptography
Provides a uniform way to access multiple third-party cryptographic libraries
Defines interfaces for common crypto operations, and adapts the interface of the chosen cryptographic library to the defined interface
Enhances reusability of service components by making them independent of the particular choice of crypto library
Network
Messages are special types of events used by a CoBFIT system to communicate with other CoBFIT systems or the outside world
A service component sends and receives messages through the Network component
Provides portable, object-oriented wrappers around platform-specific low-level network functions and data
Provides a uniform networking interface independent of the particular platform or underlying transport mechanism
Secure Data Manager
Provides "safe" classes (wrappers around unsafe C/C++ standard library functions)
Classes for marshalling/de-marshalling, buffering, fragmenting, and reassembling messages in an efficient manner without making "deep" copies
Service component developers would use these classes instead of the ones provided by the standard library
CoBFIT GCS Service Components: Group Membership
Implements an intrusion-tolerant group membership protocol
Is useful for removing faulty members from the group and adding new members to the group
Maintains consistent group membership information across all correct group members
Subscribes to the Failure_Detect event generated by Failure Detection (a CoBFIT framework component)
Removes from the group those members for which the Failure_Detect event has been generated
CoBFIT GCS Service Components: Reliable Multicast
All correct members deliver the same set of multicast messages
The contents of a multicast message as delivered to all correct processes are the same
Prevents situations in which a malicious group member sends one payload to some group members and another payload to other group members for the same multicast message
CoBFIT GCS Service Components: Total Order
Ensures that if two correct group members deliver two application-level multicast messages m1 and m2, then both members deliver the messages in the same order
Is crucial in state-machine-replicated applications so that group members (replicas) reach the same state after executing an operation requested by a multicast message
The protocol partitions the set of all possible multicast sequence numbers among the group members, assigning one partition to each group member
Each replica generates messages with increasing sequence numbers from its assigned partition, without any gaps
Messages are delivered in sequence number order
The protocol proceeds in global rounds, in which each group member sends exactly one message per round (using a sequence number from its assigned partition)
If there is no application-level message to be sent in a round, a correct group member is required to send a null message with the correct sequence number
A member that stalls the protocol by refusing to send messages in a round will be suspected and reported to the Failure Detection component; if more than two-thirds of the group members suspect a group member, that member will eventually be removed from the group
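An added Python simulation (not the project's code) of the round-based scheme just described: one correct receiver delivers strictly in sequence-number order, null messages fill idle rounds, a sequence number outside the sender's partition is rejected, and a member that stops sending is identified as the one to report as a suspect. The interleaved partition seq = round * n + member_id is an assumed concrete choice for "one partition per member".

```python
# Constructed simulation of the round-based total-order scheme described above
# (not CoBFIT's code). The interleaved partition seq = round * n + member_id is an
# assumed concrete choice for "one partition per member".

NULL = None   # payload of a null message (keeps the sender's sequence gap-free)

class TotalOrderReceiver:
    """Receiving side of one correct member: buffers messages by sequence number
    and delivers them strictly in order, never skipping a gap."""

    def __init__(self, n_members):
        self.n = n_members
        self.buffer = {}            # seq -> (sender, payload), not yet deliverable
        self.next_seq = 0           # lowest sequence number not yet delivered
        self.delivered = []         # application-level messages, in delivery order

    @staticmethod
    def seq_for(round_no, sender, n_members):
        # Member `sender` owns the partition {sender, sender + n, sender + 2n, ...}
        return round_no * n_members + sender

    def receive(self, seq, sender, payload):
        # A sequence number outside the sender's own partition is rejected outright
        if seq % self.n != sender:
            raise ValueError(f"seq {seq} is not in member {sender}'s partition")
        self.buffer[seq] = (sender, payload)
        self._drain()

    def _drain(self):
        # Deliver in sequence-number order; null messages advance the counter silently
        while self.next_seq in self.buffer:
            sender, payload = self.buffer.pop(self.next_seq)
            if payload is not NULL:
                self.delivered.append((sender, payload))
            self.next_seq += 1

    def missing_senders(self, round_no):
        # Members whose message for `round_no` was neither delivered nor buffered:
        # they stall the protocol and are the ones to report as suspects
        return [s for s in range(self.n)
                if self.seq_for(round_no, s, self.n) >= self.next_seq
                and self.seq_for(round_no, s, self.n) not in self.buffer]

def simulate(n, rounds, app_messages, stalled=None, stall_from=0):
    """Feed one correct member `rounds` global rounds, in reversed sender order within
    a round so the reordering buffer is exercised. app_messages: {(round, sender):
    payload}; `stalled` stops sending from round `stall_from` on.
    Returns (delivered application messages, members to suspect)."""
    receiver = TotalOrderReceiver(n)
    for r in range(rounds):
        for s in reversed(range(n)):
            if s == stalled and r >= stall_from:
                continue                                  # stalling member sends nothing
            payload = app_messages.get((r, s), NULL)      # otherwise a null message is due
            receiver.receive(TotalOrderReceiver.seq_for(r, s, n), s, payload)
    suspects = receiver.missing_senders(stall_from) if stalled is not None else []
    return receiver.delivered, suspects
```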
CoBFIT GCS Service Components: Gossip
Discovers new processes wanting to join the group
If a new process has proper credentials, it is allowed to join the group
The group membership protocol updates the group membership info at all correct group members consistently to reflect the addition of the new process to the group
CoBFIT GCS Service Components: Heartbeat
If the heartbeat from a process doesn’t arrive in time, the process is suspected
If more than two-thirds of the group members suspect a member of having crashed, that member is removed from the group
CoBFIT GCS Service Components
Group membership and total order protocol messages need to be consistently delivered (with the same contents) at all correct group members
Group membership needs Gossip to discover new processes, and Heartbeat to detect crashed group members
The total order protocol needs the group membership protocol to remove group members that stall the protocol
Support Provided by CoBFIT Framework
All service components in the CoBFIT GCS rely on:
Cryptography component for digitally signing/verifying messages
Secure Data Manager component for various message marshalling/de-marshalling operations
Network component to communicate with peer service components on remote CoBFIT systems (replicas) belonging to the same group
Event Manager component for communication with other service components within the same CoBFIT system (replica)
Support Provided by CoBFIT Framework
The Group Membership component depends on the Failure Detection component to receive the Failure_Detect event, based on which it removes faulty members from the group
Service components generate a Suspect_Report event to identify a suspect group member; it is handled by the Failure Detection component
Failure Detection components at the various group members exchange Suspect_Report events with each other
When a Failure Detection component receives Suspect_Report events for a particular group member from the peer components at more than two-thirds of the group members, it generates a Failure_Detect event
The Failure_Detect event is handled locally by the Group Membership component to ensure that the “convicted” group member is removed from the group membership
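The Suspect_Report / Failure_Detect exchange above, modelled in Python as an added example (not CoBFIT's code): a Failure Detection component counts distinct reporters per suspect, convicts once reports arrive from more than two-thirds of the current group (the same rule the Heartbeat and Total Order slides apply), and the Group Membership subscriber removes the member from its view. Member ids, the stalled member and the report sequence are assumed.

```python
from collections import defaultdict

# Constructed model of the Suspect_Report / Failure_Detect exchange (not CoBFIT's code).
# Member ids, the stalled member and the report order are assumed for the example.

class FailureDetection:
    """Central sink for suspicion reports at one group member: "convicts" a suspect
    once distinct peers at more than two-thirds of the current group have reported it,
    then publishes Failure_Detect to its subscribers."""

    def __init__(self, group):
        self.group = set(group)
        self.reporters = defaultdict(set)   # suspect -> members that reported it
        self.handlers = []                  # Failure_Detect subscribers
        self.convicted = set()

    def subscribe_failure_detect(self, handler):
        self.handlers.append(handler)

    def threshold(self):
        # "more than two-thirds": strictly greater than 2n/3, without float rounding
        return (2 * len(self.group)) // 3 + 1

    def suspect_report(self, reporter, suspect):
        """Handle one Suspect_Report; return True iff it triggered Failure_Detect."""
        if reporter not in self.group or suspect not in self.group:
            return False                    # reports from or about non-members are dropped
        if suspect in self.convicted:
            return False
        self.reporters[suspect].add(reporter)   # a set: repeat reports add no weight
        if len(self.reporters[suspect]) < self.threshold():
            return False
        self.convicted.add(suspect)
        for handler in self.handlers:
            handler(suspect)
        return True

    def remove_member(self, member):
        self.group.discard(member)          # later thresholds use the shrunken group
        self.reporters.pop(member, None)

class GroupMembership:
    """Subscribes to Failure_Detect and drops the convicted member from its view."""

    def __init__(self, members, fd):
        self.view = set(members)
        self.fd = fd
        fd.subscribe_failure_detect(self.on_failure_detect)

    def on_failure_detect(self, member):
        self.view.discard(member)
        self.fd.remove_member(member)

def convict_stalled_member():
    """Constructed scenario: seven members, member 6 stalls. Four distinct reports are
    short of the threshold (5), a repeat report adds nothing, and the fifth distinct
    reporter convicts. Returns (remaining view, per-report trigger flags)."""
    members = range(7)
    fd = FailureDetection(members)
    gm = GroupMembership(members, fd)
    fired = [fd.suspect_report(r, 6) for r in (0, 1, 2, 3)]
    fired.append(fd.suspect_report(0, 6))   # duplicate reporter
    fired.append(fd.suspect_report(4, 6))   # fifth distinct reporter
    return sorted(gm.view), fired
```

Counting distinct reporters rather than raw reports is what keeps a single compromised member from convicting a correct one by repeating its report.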
Summary and Future Work
Summary
A framework that provides specialized support for intrusion-tolerant services, facilitating their development and run-time adaptation
Incorporates characteristics that are essential for survivability in the face of attacks
Demonstrated how it can serve as a convenient platform for building an IT group communication system
Future Work
Investigate decision procedures that strike a balance between automated reconfiguration and unnecessary reconfiguration (Constructor)
Provide a comprehensive library of safe classes (Secure Data Manager)
Interface with multiple third-party IDSs; new policies for analyzing intrusion reports that reduce reconfiguration resulting from false positives (Failure Detection)
Translate high-level dependability requirements to replication configurations tolerating different types of faults (Replication Manager)
Make a widely used application IT-enabled using the CoBFIT GCS
Explore additional supporting software mechanisms for IT that can be added as framework components in the CoBFIT framework