The Willow System Implementation John C. Knight University of Virginia Dennis Heimbigner University of Colorado Intrusion Tolerance Through Secure System Reconfiguration


Post on 18-Jan-2018


The Willow System Implementation

John C. Knight, University of Virginia
Dennis Heimbigner, University of Colorado

Intrusion Tolerance Through Secure System Reconfiguration


The Willow Team

University of Colorado: Alexander Wolf, Dennis Heimbigner, Antonio Carzaniga, Naveed Arshad, Marco Castaldi, John Giacomoni, Nathan Ryan

University of Virginia: John Knight, Jonathan Hill, Mike Tashbook, Phil Varner

University of CA, Davis: Prem Devanbu, Michael Gertz, Brian Toone


Aspects of Intrusion Tolerance
• Very Large Networks
• Interdependent Networks
• Heterogeneous Nodes
• Explicit Sense/Analyze/Respond
• Non-Local Faults
• Sequential Faults


Dimensions of Intrusion Tolerance

[Figure: diagram with labels Network, Sensors, Actuators, Network State & Analysis Model, Self Healing, Tolerate Anticipated Faults, Planned Posture Change, System Update, System Deployment, External Input, Secure & Decentralized, Logical Structure]


Interesting Scenario
• Very large network, crucial services
• Many OASIS elements operational in system
• System software upgrade underway (or your stuff)
• Several (<10) servers report e-mail with viruses:
  • Safely stop system software upgrade
  • Isolate local networks containing affected nodes
• E-mail attack worsens, wide area affected:
  • Safely stop local isolation process (no point)
  • Isolate critical databases, stop some applications
  • Etc.


Willow Architectural Issues
• Control loop interactions:
  • Asynchronous
  • Priority & resources
  • Conflicting goals
• Network scale:
  • State model
  • Wide area change
• Exceptions and results:
  • Dynamic network
  • Absolute vs. statistical
  • Aggregation?
• Target system actuation:
  • Lightweight
  • Standard interface & protocol

[Figure: diagram with labels Network, Sensors, Actuators, Network State & Analysis Model, Self Healing, Tolerate Anticipated Faults, Planned Posture Change, System Update, System Deployment, External Input]


Implementation Overview

[Figure: architecture diagram with labels Coordination Management, Proactive Reconfiguration, Reactive Reconfiguration, Other (e.g., Offense), Network, Siena P/S, Actuation, External Entities, Mediators, Sensing]


Coordination Management Approach
• Hierarchical workflows
• Priorities
• Intention counsel (council?)
• Site-selective communication
• Distributed agent structure (Cougaar)
• Payload delivery


Cougaar Agent Structure

[Figure: agent diagram with labels PI (eight instances), Plan, Asset (Attributes), Society (Abstract Child), Organizational (Abstract Child), Task (three instances), Blackboard, Pub/sub System]


Willow Implementation Plug Ins
• Site selective command
• Work request receiver
• Resource allocation
• Intention counseling
• Payload delivery
• Payload support services


Willow Architecture Agents

[Figure: diagram with labels Wide Area Domain, Local Area Domain (twice), Network Nodes]


Site-Selective Command

[Figure: site-selective command diagram; surviving labels: 12, payload, 22, 1, 2]


An Intrusion Tolerance Example

Intention:=StopPropagatingVirus.StopEmailVirus

At:=LAN(10<=emailVirusAlerts<=50000) AND NetworkNode(any) AND EmailServer(active)

At:=WAN(any)

Actuators shut down server

Intention:=Parent+DisableCapability(Email).ShutdownServer

Intention:=Parent+ReduceCapability(Email).DisableAttachments

At:=NetworkNode(administrator=false) AND EmailClient(active)

Actuators disable attachments
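How the two `At:=` selectors on this slide could be evaluated against a node inventory, as an added example that is not Willow code. It assumes that a term only matches when the node belongs to the named scope, that `active` and `key=value` test node attributes, and that the inventory layout, `term_matches`, `select` and `node` are hypothetical.

```python
import re

TERM = re.compile(r"^(\w+)\((.*)\)$")            # Scope(condition)
RANGE = re.compile(r"^(\d+)<=(\w+)<=(\d+)$")     # lo<=attribute<=hi

def term_matches(term, scopes):
    """scopes: scope name (LAN, NetworkNode, EmailServer, ...) -> attribute dict."""
    m = TERM.match(term.strip())
    if not m:
        raise ValueError(f"bad selector term: {term!r}")
    attrs, cond = scopes.get(m.group(1)), m.group(2).strip()
    if attrs is None:                 # node is not part of this scope: no match
        return False
    if cond == "any":
        return True
    if cond == "active":
        return attrs.get("active") is True
    r = RANGE.match(cond)
    if r:
        value = attrs.get(r.group(2))
        return value is not None and int(r.group(1)) <= value <= int(r.group(3))
    if "=" in cond:
        key, want = (s.strip() for s in cond.split("=", 1))
        return key in attrs and str(attrs[key]).lower() == want.lower()
    raise ValueError(f"unsupported condition: {cond!r}")

def select(at_expr, nodes):
    """Names of the nodes for which every AND-ed term of the At expression holds."""
    terms = at_expr.split(" AND ")
    return [n["name"] for n in nodes if all(term_matches(t, n["scopes"]) for t in terms)]

SERVER_AT = "LAN(10<=emailVirusAlerts<=50000) AND NetworkNode(any) AND EmailServer(active)"
CLIENT_AT = "NetworkNode(administrator=false) AND EmailClient(active)"

def node(name, alerts, admin, **roles):
    scopes = {"LAN": {"emailVirusAlerts": alerts}, "NetworkNode": {"administrator": admin}}
    scopes.update({role: {"active": on} for role, on in roles.items()})
    return {"name": name, "scopes": scopes}

NODES = [  # constructed sample inventory
    node("mail1", 37, False, EmailServer=True),
    node("mail2", 3, False, EmailServer=True),    # LAN below the alert threshold
    node("mail3", 37, False, EmailServer=False),  # server not active
    node("pc1", 37, False, EmailClient=True),
    node("admin1", 37, True, EmailClient=True),   # administrator: excluded
]
```

Unknown conditions raise instead of matching, so a malformed selector cannot silently widen the set of nodes an actuator touches.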


An Intrusion Tolerance Example

[Figure: network diagram with labels WAN, LAN (twice), Network Nodes (twice), Email Clients and Servers]


Example of Intention Council

• Intentions are compounded from most general to most specific intentions in layers (forced by specification):
  Halt_Intrusions(Buffer).Uninstalling_Application(Excel) (Priority 7.1) Countermeasure(VirusInfected,Containment).Activate(TrapDoorExcel) (Priority 8.2) Repair_Application(Excel)
• Finite state machine with the following rule:
  • Do not repair applications that are recently uninstalled
  • Do not finish repairs of applications that are to be uninstalled
• Excel repair is cancelled if it is scheduled later, and is aborted/cancelled if it was activated prior to arrival of the uninstall.
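The repair-versus-uninstall rule above as a small per-application state machine, as an added example that is not the Willow implementation. The class and method names and the one-hour meaning of "recently" (`RECENT_WINDOW`) are assumptions, and the slide's priorities are not modelled.

```python
from dataclasses import dataclass
from typing import Optional

RECENT_WINDOW = 3600.0  # assumption: "recently uninstalled" = within the last hour


@dataclass
class AppState:
    repair: str = "none"                  # none|scheduled|active|done|cancelled|aborted
    uninstall_at: Optional[float] = None  # time the uninstall intention arrived


class IntentionCouncil:
    """Per-application state machine arbitrating repair against uninstall."""

    def __init__(self):
        self.apps = {}

    def _state(self, app):
        return self.apps.setdefault(app, AppState())

    def uninstall(self, app, now):
        st = self._state(app)
        st.uninstall_at = now
        if st.repair == "scheduled":      # not started yet: drop it
            st.repair = "cancelled"
        elif st.repair == "active":       # already running: do not let it finish
            st.repair = "aborted"
        return st.repair

    def schedule_repair(self, app, now):
        st = self._state(app)
        recent = st.uninstall_at is not None and now - st.uninstall_at <= RECENT_WINDOW
        st.repair = "cancelled" if recent else "scheduled"
        return st.repair

    def start_repair(self, app):
        st = self._state(app)
        if st.repair == "scheduled":
            st.repair = "active"
        return st.repair

    def finish_repair(self, app):
        st = self._state(app)
        if st.repair == "active":         # aborted or cancelled repairs never complete
            st.repair = "done"
        return st.repair
```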


Implementation Overview

[Figure: architecture diagram with labels Coordination, Resource Management, Proactive Reconfiguration, Reactive Reconfiguration, Other (e.g., Offense), Network, Siena P/S, Actuation, External Entities, Mediators, Sensing]


Light-Weight Actuator Interface

• Goals
  • Remote management of applications and components
  • Specifically to actuate reconfigurations
  • Light-weight mechanism capable of using new or existing mechanisms
• Approach
  • Define a standardized interface for managing a single component or application
  • Coordinated actuation for multiple components
  • Based on a simple and general protocol
  • Minimal component support required
  • Implemented by the managed component
  • Architecture-based vs ad hoc


Dynamic Reconfiguration

[Figure: diagram with labels Single Component Reconfiguration and Application Reconfiguration, annotated with question marks]


Protocol

• System inspired by Network Management (SNMP)
• Manipulation of “variables” to achieve effects
  • Get – determine component state
  • Set – set state; side effect can cause reconfiguration
  • Call – combination of set/get to achieve function calls
  • Notify – asynchronous output from component
• These variables are specified in a Component Description (similar to a MIB)
• The developer defines and “exports” the variables
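A sketch of the four operations over exported variables, as an added example that is not the Willow actuator code. The `ComponentAgent` class, the description format (variable name mapped to `ro` or `rw`) and every variable name are hypothetical, and Notify is modelled as a queue the manager drains later.

```python
class ComponentAgent:
    """Per-component agent exposing only the variables its description exports."""

    def __init__(self, description, initial):
        self.description = description      # variable name -> "ro" or "rw"
        self.values = dict(initial)
        self.effects = {}                   # variable name -> side effect run on Set
        self.outbox = []                    # Notify: events queued for the manager

    def _mode(self, name):
        if name not in self.description:    # not exported: invisible to the manager
            raise KeyError(f"variable not exported: {name}")
        return self.description[name]

    def get(self, name):
        self._mode(name)
        return self.values[name]

    def set(self, name, value):
        if self._mode(name) != "rw":
            raise PermissionError(f"variable is read-only: {name}")
        self.values[name] = value
        if name in self.effects:
            self.effects[name](self, value)  # the reconfiguration happens here

    def call(self, arg_var, arg, result_var):
        self.set(arg_var, arg)              # Call = Set the argument, then Get the result
        return self.get(result_var)

    def notify(self, event, detail):
        self.outbox.append((event, detail))


def build_mail_agent():
    """Constructed e-mail server component; all variable names are hypothetical."""
    description = {"attachments": "rw", "generation": "ro",
                   "quarantine_arg": "rw", "quarantine_result": "ro"}
    agent = ComponentAgent(description, {"attachments": "enabled", "generation": 1,
                                         "quarantine_arg": "", "quarantine_result": "",
                                         "admin_password": "not-exported"})

    def reconfigure(a, value):              # side effect of Set on "attachments"
        a.values["generation"] += 1
        a.notify("reconfigured", f"attachments={value}")

    def quarantine(a, msg_id):              # side effect that fills the Call result
        a.values["quarantine_result"] = f"quarantined:{msg_id}"

    agent.effects = {"attachments": reconfigure, "quarantine_arg": quarantine}
    return agent
```

Because the description is the only gate, internal state that the developer did not export stays unreachable through the management protocol, and read-only variables cannot be used to trigger side effects.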


Light-Weight Actuator Architecture

• Component Agent: per-component code that manages component-specific reconfiguration mechanisms
  • Implementation: in-component, wrapper, separate process
• Application Agent: per-application code that coordinates and delegates component-level reconfiguration
• Manager: the interface with the reconfiguration decision maker (automatic or manual)

[Figure: diagram with labels Manager, Application Agent, Component Agent, Comp, Comp Description, Application Description, Management Protocol (twice)]


[Figure: Willow Architecture diagram with labels Field Reconfiguration Controller (twice), Configured Components, Activated System, Notification Service, Models, Agents, Mediator + Authority, Depot, Components, Mediator, Admin. Workbench, Workflow Manager, Recovery FSMs; legend: Reconfiguration control and/or data channel, Event channel, Application control and/or data channel, Component activation, Component deactivation, Standard reconfiguration interface]


Example Component Based Application

[Figure: application diagram with boxes labelled A (several) and AA, plus Application Agent, Manager, and Willow Field Reconfiguration Controller (FRC)]


Benefits of this Architecture

• General
  • The system is independent with respect to applications, operating systems, ...
  • Component/Application Descriptions and Management Protocol specification allow interoperability with other management systems
• Scalable
  • Agents can be composed hierarchically
  • E.g., Treat whole application as “component”
  • Manager coordinates and uses component-level agent to perform dynamic reconfiguration at the application level


Status

• Initial target application: Joint Battlespace Infosphere (JBI) tracking demonstration
• Disseminators (Siena publish/subscribe servers) now reconfigure using standard interface
• Next target: all fuselets comprising our JBI tracking demonstration
• Prototype Manager and Application Agents implemented
• Next step: J2EE reconfiguration


Questions?