deswarte intrusion tolerance panel raid2001
Panel on Intrusion Tolerance
RAID 2001, UC Davis
October 11, 2001
Participants
- Crispin Cowan, WireX Communications
- Andreas Wespi, IBM Zurich Research Lab.
- Al Valdes, SRI International
- Dan Schnackenberg, Boeing Phantom Works
- Moderator: Yves Deswarte
On Dependability, Intrusion Tolerance, and the MAFTIA project
Yves Deswarte, LAAS-CNRS, Toulouse, [email protected]
David Powell
Dependability
- Trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers
  (J.-C. Laprie (Ed.), Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag, 1992.)
Fault, Error & Failure
(diagram: the fault -> error -> failure chain)
- Fault: adjudged or hypothesized cause of an error (examples: H/W fault, bug, attack, intrusion)
- Error: that part of system state which may lead to a failure
- Failure: occurs when delivered service deviates from implementing the system function
Example: Single Event Latchup
SELs (reversible stuck-at faults) may occur because of radiation (e.g., cosmic ray, high energy ions)
(diagram: satellite on-board computer)
- External fault: cosmic ray
- Vulnerability (internal, dormant fault): lack of shielding
- SEL: internal, externally-induced fault, which becomes an internal, active fault
Intrusions
Intrusions result from (at least partially) successful attacks:
(diagram: computing system)
- Attack: external fault
- Vulnerability (internal, dormant fault): e.g., account with default password
- Intrusion: internal, externally-induced fault, which becomes an internal, active fault
Fault Tolerance
(diagram: the fault -> error -> failure chain with the two branches of fault tolerance)
- Error processing: detection, damage assessment, recovery
- Fault treatment: diagnosis, isolation, reconfiguration
Error Detection (1)
- Likelihood checking
  - by hardware:
    - inexistent or forbidden address, instruction, command…
    - watchdogs
    - error detection code (e.g., parity)
  - by software (OS or application) = verify properties on:
    - values (absolute, relative, intervals)
    - formats and types
    - events (instants, delays, sequences)
  - Signatures (error detection code)
Error Detection (2)
- Comparison between replicates
  - Assumption: a single fault generates different errors on different replicates
    - internal hardware fault: identical copies
    - external hardware fault: similar copies
    - design fault / interaction fault: diversified copies
  - On-line model checking
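The comparison between replicates above, and the compensation-based recovery (fault masking) of the next slide, can be shown on a small voter. This is an added example, not code from the panel or from the MAFTIA project. The three "replicas" are constructed here: two diversified implementations of the same checksum and a third that carries a constructed design fault; a majority vote both detects the disagreement and masks the faulty replica, whereas three identical copies of the faulty implementation agree with each other and the design fault goes undetected, which is the slide's point about needing diversified copies.

```python
"""Error detection by comparison between replicates, plus fault masking
by majority vote (added illustration; replicas below are constructed)."""
from collections import Counter
from dataclasses import dataclass
from typing import Callable, List, Optional, Sequence


@dataclass
class Verdict:
    outputs: List[int]            # one output per replica
    error_detected: bool          # replicas disagreed
    masked_output: Optional[int]  # majority value, or None if no majority
    suspect_replicas: List[int]   # indices that deviate from the majority


# Replica 1: straightforward implementation of a byte-sum checksum.
def checksum_a(data: bytes) -> int:
    return sum(data) % 256


# Replica 2: diversified implementation of the same function (loop + mask).
def checksum_b(data: bytes) -> int:
    total = 0
    for b in data:
        total = (total + b) & 0xFF
    return total


# Replica 3: constructed design fault, an off-by-one that drops the last byte.
def checksum_c_faulty(data: bytes) -> int:
    return sum(data[:-1]) % 256


def compare_replicates(replicas: Sequence[Callable[[bytes], int]], data: bytes) -> Verdict:
    """Run every replica on the same input and compare their outputs.

    Detection: any disagreement is an error (at least one replica is wrong).
    Masking: if a strict majority agrees, that value is delivered and the
    minority replicas are reported as suspects; without a majority the error
    is detected but cannot be masked, and every replica is suspect.
    """
    outputs = [replica(data) for replica in replicas]
    value, votes = Counter(outputs).most_common(1)[0]
    disagreeing = [i for i, out in enumerate(outputs) if out != value]
    error_detected = bool(disagreeing)
    if votes * 2 > len(outputs):
        return Verdict(outputs, error_detected, value, disagreeing)
    return Verdict(outputs, error_detected, None, list(range(len(outputs))))


if __name__ == "__main__":
    sample = b"abc"  # constructed input
    print(compare_replicates([checksum_a, checksum_b, checksum_c_faulty], sample))
    print(compare_replicates([checksum_c_faulty] * 3, sample))
```

With diversified replicas the faulty one is outvoted and flagged; with three identical copies of the faulty code the comparison is silent, so identical copies only help against faults that hit one copy at a time (the hardware case on the slide).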
Error Recovery
(diagram: state sequences illustrating the three forms of recovery)
- Backward recovery
- Forward recovery
- Compensation-based recovery (fault masking)
Error Processing (wrt intrusions)
- Error detection
  - + Backward recovery (availability, integrity)
  - + Forward recovery (availability, confidentiality)
- Intrusion masking
  - Fragmentation (confidentiality)
  - Redundancy (availability, integrity)
  - Scattering
Intrusion Masking
Intrusion into a part of the system should give access only to non-significant information.
FRS: Fragmentation-Redundancy-Scattering
- Fragmentation: split the data into fragments so that isolated fragments contain no significant information: confidentiality
- Redundancy: add redundancy so that fragment modification or destruction would not impede legitimate access: integrity + availability
- Scattering: isolate individual fragments
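One concrete way to obtain the three FRS properties, as an added example that is not the panel's or MAFTIA's own code: the fragmentation and redundancy steps are implemented with a (k, n) threshold secret-sharing scheme (Shamir's polynomial scheme over GF(257), one polynomial per byte), which is an assumption of this example rather than the scheme the original FRS work used. Fewer than k fragments carry no information about a byte (fragmentation), any k of the n fragments reconstruct it (redundancy), and the fragments are held by distinct sites (scattering). A digest of the original data lets the reader reject a reconstruction built from a modified fragment and try another subset, so a destroyed or altered fragment does not impede legitimate access. The site names and sample data are constructed.

```python
"""Fragmentation-Redundancy-Scattering with a (k, n) threshold scheme.
Added illustration; the threshold scheme is an assumption of this example."""
import hashlib
import secrets
from itertools import combinations
from typing import Dict, List, Optional, Tuple

P = 257  # prime just above 255, so every byte value is a field element
Fragment = Tuple[int, List[int]]  # (x coordinate, one share value per byte)


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial over GF(P) by Horner's rule."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def fragment(data: bytes, k: int, n: int) -> List[Fragment]:
    """Split data into n fragments of which any k reconstruct it.

    For each byte a random degree k-1 polynomial with that byte as constant
    term is drawn; fragment i holds the polynomial's value at x = i.
    Fewer than k values leave the constant term uniformly undetermined.
    """
    if not 1 <= k <= n < P:
        raise ValueError("need 1 <= k <= n < 257")
    frags: List[Fragment] = [(x, []) for x in range(1, n + 1)]
    for byte in data:
        coeffs = [byte] + [secrets.randbelow(P) for _ in range(k - 1)]
        for x, values in frags:
            values.append(_eval_poly(coeffs, x))
    return frags


def reassemble(frags: List[Fragment], length: int) -> bytes:
    """Lagrange-interpolate each byte's polynomial at x = 0."""
    xs = [x for x, _ in frags]
    out = bytearray()
    for i in range(length):
        total = 0
        for j, (xj, values) in enumerate(frags):
            num = den = 1
            for m, xm in enumerate(xs):
                if m != j:
                    num = num * (-xm) % P
                    den = den * (xj - xm) % P
            basis = num * pow(den, P - 2, P) % P  # L_j(0), den != 0 since xs are distinct
            total = (total + values[i] * basis) % P
        # A wrong reconstruction may yield 256; fold it so the digest check below rejects it.
        out.append(total % 256)
    return bytes(out)


def scatter(frags: List[Fragment], sites: List[str]) -> Dict[str, Fragment]:
    """Place one fragment on each site (scattering): no site sees two fragments."""
    if len(sites) != len(frags):
        raise ValueError("one site per fragment")
    return dict(zip(sites, frags))


def recover(store: Dict[str, Fragment], k: int, length: int, digest: bytes) -> Optional[bytes]:
    """Try k-subsets of the fragments still held by reachable sites until one
    reassembles to data matching the digest. Survives destroyed fragments
    (missing sites) and modified fragments (a subset that fails the digest)."""
    for subset in combinations(store.values(), k):
        candidate = reassemble(list(subset), length)
        if hashlib.sha256(candidate).digest() == digest:
            return candidate
    return None


if __name__ == "__main__":
    data = b"payroll record 42"  # constructed sample
    digest = hashlib.sha256(data).digest()
    store = scatter(fragment(data, 3, 5), ["site-A", "site-B", "site-C", "site-D", "site-E"])
    del store["site-A"]  # destroyed fragment
    print(recover(store, 3, len(data), digest) == data)
```

Each single fragment is a column of values uniformly distributed over GF(257), which is the "non-significant information" an intruder on one site obtains; the digest is only an integrity check on the reassembled result, it is not what protects confidentiality.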
Fault Tolerance
(diagram repeated from the earlier Fault Tolerance slide: error processing = detection, damage assessment, recovery; fault treatment = diagnosis, isolation, reconfiguration)
Fault Treatment (wrt intrusions)
- Diagnosis
  - Non-malicious or malicious (intrusion)
  - Attack (to allow retaliation)
  - Vulnerability (to allow removal = maintenance)
- Isolation
  - Intrusion (to prevent further penetration)
  - Vulnerability (to prevent further intrusion)
- Reconfiguration
  - Contingency plan to degrade/restore service
    - inc. attack retaliation, vulnerability removal
MAFTIA
- Malicious- and Accidental-Fault Tolerance for Internet Applications
IST Dependability Initiative, Cross Program Action 2: Dependability in services and technologies
- University of Newcastle (UK): Brian Randell, Robert Stroud
- University of Lisbon (P): Paulo Verissimo
- DSTL, Malvern (UK): Tom McCutcheon, Colin O'Halloran
- University of Saarland (D): Birgit Pfitzmann
- LAAS-CNRS, Toulouse (F): Yves Deswarte, David Powell
- IBM Research, Zurich (CH): Marc Dacier, Michael Waidner
c. 55 man-years, EU funding c. 2.5M€, Jan. 2000 -> Dec. 2002
Objectives
- Architectural framework and conceptual model (WP1)
- Mechanisms and protocols:
  - dependable middleware (WP2)
  - large scale intrusion detection systems (WP3)
  - dependable trusted third parties (WP4)
  - distributed authorization mechanisms (WP5)
- Validation and assessment (WP6)
FTI
http://www.research.ec.org/maftia/
References
- Avizienis, A., Laprie, J.-C., Randell, B. (2001). Fundamental Concepts of Dependability, LAAS Report N°01145, April 2001, 19 p.
- Deswarte, Y., Blain, L. and Fabre, J.-C. (1991). Intrusion Tolerance in Distributed Systems, in IEEE Symp. on Research in Security and Privacy, Oakland, CA, USA, pp. 110-121.
- Dobson, J. E. and Randell, B. (1986). Building Reliable Secure Systems out of Unreliable Insecure Components, in IEEE Symp. on Security and Privacy, Oakland, CA, USA, pp. 187-193.
- Laprie, J.-C. (1985). Dependable Computing and Fault Tolerance: Concepts and Terminology, in 15th Int. Symp. on Fault Tolerant Computing (FTCS-15), Ann Arbor, MI, USA, IEEE, pp. 2-11.
- Laprie, J.-C. (Ed.) (1992). Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag.
- Powell, D., Adelsbach, A., Cachin, C., Creese, S., Dacier, M., Deswarte, Y., McCutcheon, T., Neves, N., Pfitzmann, B., Randell, B., Stroud, R., Veríssimo, P., Waidner, M. (2001). MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications), Sup. of the 2001 International Conference on Dependable Systems and Networks (DSN2001), Göteborg (Sweden), 1-4 July 2001, IEEE, pp. D-32-D-35.