Usable Survivability
Michael Atighetchi, Andrew Gronosky, Partha Pal, Joseph Loyall
Distributed Systems Group, July 6, 2010
03.10.10
Outline
• Introduction
  – Adaptive Middleware Research
  – Definition of Usable Survivability
• Five Common Usability Issues in Survivability Research
  – Supporting Different Stakeholder Requirements
  – Minimizing End User Credential Complexity
  – Maintaining Performance and Availability
  – Minimizing False Positives
  – Measurement and Situational Awareness
• Conclusion
  – Summary and Next Steps
Generations of Security Research
No system is perfectly secure – only adequately secured with respect to the perceived threat.
• 1st Generation: Protection. Prevent intrusions (access controls, cryptography, trusted computing base)
  – Cryptography, Trusted Computing Base, Access Control & Physical Security
• 2nd Generation: Detection. But intrusions will occur: detect intrusions, limit damage (firewalls, intrusion detection systems, virtual private networks, PKI)
  – Firewalls, Intrusion Detection Systems, Boundary Controllers, VPNs, PKI
• 3rd Generation: Intrusion Tolerance and Survivability. But some attacks will succeed: tolerate attacks (redundancy, diversity, deception, wrappers, proof-carrying code, proactive secret sharing)
  – Big Board View of Attacks, Real-Time Situation Awareness & Response, Graceful Degradation, Virtualized Operating System
What is Survivability?
• “The capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents.”*
• Ability of a system to operate through attacks by using layered defense-in-depth
  – Protect most valuable assets and operations
  – Accept some controlled degradation
  – Adapt faster than the adversary
(Figure: the Protect – Detect Attacks – React cycle)
* R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. Longstaff, N. R. Mead, Survivable Network Systems: An Emerging Discipline, Carnegie-Mellon Software Engineering Institute Technical Report CMU/SEI-97-TR-013, 1997, revised 1999
Survivability Research at BBN
(Figure: timeline 1997 to 2009 of BBN survivability projects, sponsored by DARPA, AFRL and DHS/HSARPA)
• Program threads: Adaptive Distributed Object Middleware; Survivable and Secure Systems; Self-Regenerative Survivable Systems
• Projects: AQuA, OIT, QuOIN, APOD (Applications that Participate In Their Own Defense), ITUA (Intrusion Tolerance Through Unpredictable Adaptation), DPASA (Designing Adaptation And Protection into a Survivability Architecture), CSISM (Cognitive Support for Intelligent Survivability Management), Red Team Assessments
• Focus areas: Defense Enabling, Unpredictability, Byzantine FT, Survivability Architectures, Cognitive Survivability Management, Autonomic Defense
Increasingly Distributed Computing Systems
(Figure: “Sixty Years of Distributed Systems Software Architecture Evolution”, 1950s to 2010+)
• Progression of stacks: Application on Operating System → Apps on OSs over Network Protocols → Database Systems → Middleware and Middleware Services → Lightweight Middleware on Embedded OSs for Embedded Apps
• Cross-cutting themes: Programming Languages and System Development Environments; Enterprise & Tactical Middleware; Service & Information Oriented; Adaptable, survivable, predictable; Administration & Security Domains
What is Usability?
• Usability has been studied extensively in the context of graphical user interface design and has focused on the elegance and clarity of the human-computer interface.
• Usability is a non-functional property of a system that is important for the system’s success and effectiveness.
• Various definitions of usability exist.
• Functional decomposition into core concepts:
  – Learnability (first time use)
  – Efficiency (time to perform tasks)
  – Memorability (reuse after an extended period of time)
  – Errors (how many, how easy to correct)
  – Situational awareness (ability of the user to notice changes in the system)
  – Overall use satisfaction
Usable Survivability
Definition: Usable survivability is the ability of a system to continue to provide user satisfaction while at the same time tolerating and recovering from attacks.
• Encompasses 2 dimensions
  – Quality of the survivability mechanisms
  – Quality of the interactions between humans and the survivability mechanisms
• Research challenges
  – No one size fits all
  – Various tradeoffs exist between flexibility, security, and usability
Position: Usable survivability is fostered by a middleware-based integration of security mechanisms
• Hides the complexity of interoperating components
• Presents a simple interface to users and applications
• Autonomously balances the security and usability requirements of various stakeholders
Supporting Different Stakeholders
• Challenge: Security and usability only make sense if tied to stakeholder requirements in a specific context
  – End users (participate in ongoing missions)
    • Require transparent security mechanisms with minimal impact on normal
  – System/mission owners (overall responsibility for mission success)
    • Require a clear operational picture that captures information about key events and how these impact their ongoing missions
  – System administrators (monitor and maintain IT infrastructure)
    • Require meaningful aggregation with drill-down functionality, and tools to ensure that consistent security policies are enforced across multiple system components and ISO layers
• Candidate Solution: Creation of information assurance toolkits (analogous to GUI toolkits)
  – Enable security engineers to compose and customize controls for a given stakeholder and threat environment
  – Middleware provides the dynamic assembly and integration glue
Minimizing Credential Complexity (End Users)
• Challenge: Long and random passwords increase security but decrease usability, since they are hard to remember
  – Multi-factor authentication has a similar problem
  – Access is denied if you forget any of the “something you have” (ID card) + “something you know” (PIN) + “something you are” (biometrics)
• Candidate Solution: Robust algorithms that establish identities based on “something you do”
  – Autonomic multi-modal combination of observables from video, voice, and HCI interactions
  – Dynamic balancing of availability with accountability
  – Information management middleware can integrate multiple media streams, perform inference to derive new knowledge, and transparently interface with existing applications
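The “something you do” approach above, as an added worked example that is not from the slides and not BBN’s software: keystroke-timing intervals are scored against an enrolled profile, the score is fused with scores from other modalities as log-likelihood ratios (the video and voice scores are supplied as constructed inputs rather than computed from media), and the fused score is compared against two policy thresholds that trade availability against accountability. The enrollment data, the test samples, the Gaussian genuine/impostor models, the threshold values and every function name are assumptions made for illustration.

```python
"""Behavioural ('something you do') authentication with multi-modal fusion.

Added example, not from the slides.  Each modality reports a log-likelihood
ratio (LLR): log P(observation | genuine user) - log P(observation | impostor).
Treating modalities as independent, LLRs add (naive-Bayes fusion).  The fused
score is then compared with a pair of policy thresholds so the same mechanism
can lean towards availability (wide 'allow' band) or accountability (narrow
band, more step-up prompts).  All numbers below are constructed.
"""
import math
from statistics import mean, stdev

# Keystroke-dynamics modality: inter-key intervals (ms) for a fixed phrase,
# three enrollment sessions of the genuine user (constructed data).
ENROLLED_INTERVALS = [
    [112, 98, 131, 105, 120, 99, 117, 108],
    [108, 101, 127, 110, 118, 103, 115, 112],
    [115, 96, 134, 102, 123, 97, 119, 106],
]


def keystroke_profile(samples, min_std=5.0):
    """Per-position (mean, std) of the intervals; std is floored so a tiny
    enrollment set does not produce an over-confident model."""
    columns = list(zip(*samples))
    return [(mean(col), max(stdev(col), min_std)) for col in columns]


def keystroke_llr(profile, observed, impostor_std=40.0):
    """LLR of one typing sample: a Gaussian genuine model per position versus
    a much wider Gaussian impostor model centred on the same means."""
    llr = 0.0
    for (mu, sd), x in zip(profile, observed):
        log_genuine = -0.5 * ((x - mu) / sd) ** 2 - math.log(sd)
        log_impostor = -0.5 * ((x - mu) / impostor_std) ** 2 - math.log(impostor_std)
        llr += log_genuine - log_impostor
    return llr


def fuse(llrs):
    """Naive-Bayes fusion; a modality with no observation (None), e.g. no
    camera frame or no typing in the window, contributes 0 rather than blocking."""
    return sum(v for v in llrs if v is not None)


# (allow_above, deny_below) thresholds on the fused LLR.  In between, the
# middleware asks for an explicit factor instead of locking the user out.
POLICIES = {
    "availability": (0.0, -6.0),    # wide allow band: fewer prompts, weaker accountability
    "accountability": (4.0, -2.0),  # narrow band: more step-ups, stronger accountability
}


def decide(fused_llr, policy):
    allow_above, deny_below = POLICIES[policy]
    if fused_llr >= allow_above:
        return "allow"
    if fused_llr < deny_below:
        return "deny"
    return "step-up"


def authenticate(typing_sample, video_llr, voice_llr, policy="availability"):
    """Combine the keystroke modality with LLRs supplied by other observers
    (video and voice LLRs are given directly here; real sensors would produce them)."""
    profile = keystroke_profile(ENROLLED_INTERVALS)
    key_llr = keystroke_llr(profile, typing_sample) if typing_sample else None
    return decide(fuse([key_llr, video_llr, voice_llr]), policy)


if __name__ == "__main__":
    genuine = [110, 100, 129, 106, 121, 100, 116, 109]    # constructed genuine sample
    impostor = [160, 140, 190, 150, 170, 130, 160, 145]   # constructed impostor sample
    print(authenticate(genuine, 1.5, -0.5))               # allow
    print(authenticate(impostor, 1.5, -0.5))              # deny
    print(authenticate(None, 1.0, 0.5, "accountability"))  # step-up: no typing observed
```

Expressing every modality as an LLR is what keeps the fusion a single addition and lets a modality that produced nothing in the observation window drop out without denying access; the availability/accountability balance then lives entirely in the two thresholds, which a policy can move at run time without touching the sensors.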
Maintaining Performance and Availability (Sysadmins)
• Challenge: Balance security overhead with available resources and the timeliness requirements of applications
  – E.g., layered encryption models (WS-Security + TLS) for interactive web services need to respect upper bounds on RTT defined by usability experiments
• Candidate Solution: Integrate static provisioning and dynamic Quality of Service (QoS) management
  – Design-time provisioning: Composition techniques that bind the amount and type of security mechanisms to specific profiles (enterprise systems vs. mobile devices)
  – Run-time management: Emerging adaptive Quality of Service middleware technologies can ensure gracefully degraded operation in cases of overloaded shared resources
    • Automatic selection between different crypto protocols, key sizes, and layering depth in defense-in-depth architectures
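The combination of design-time provisioning and run-time QoS management above, as an added example (not from the slides, not BBN’s QoS middleware): a deployment profile fixes the weakest layering that is still acceptable, and a small controller estimates the current load from measured RTTs and steps the layering down or back up so that the predicted RTT stays under the usability budget. The layering names, the per-call overhead figures, the RTT model used by the simulation and the profile floors are constructed assumptions, not measurements.

```python
"""Run-time selection of security layering under an RTT budget.

Added example, not from the slides.  A design-time profile fixes the floor
(the weakest layering acceptable for that deployment); the run-time
controller estimates the current load from measured RTTs and picks the
strongest layering whose predicted RTT still fits the usability budget.
Layering names and overhead figures are constructed, not measurements.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Layering:
    name: str
    overhead_ms: float  # per-call security overhead on an unloaded host (constructed)


# Ordered weakest to strongest defense in depth.
LAYERINGS = [
    Layering("tls-aes128", 4.0),
    Layering("tls-aes256", 5.0),
    Layering("tls+ws-security-sign", 18.0),
    Layering("tls+ws-security-sign+encrypt", 35.0),
]

# Design-time provisioning: index of the weakest layering each profile may use.
PROFILE_FLOOR = {"enterprise": 1, "mobile": 0}


class SecurityQoSController:
    def __init__(self, profile, budget_ms, base_rtt_ms, alpha=0.5, hysteresis=0.15):
        self.floor = PROFILE_FLOOR[profile]
        self.level = len(LAYERINGS) - 1   # start with the strongest layering
        self.budget = budget_ms           # RTT upper bound from usability experiments
        self.base_rtt = base_rtt_ms       # network + application time without security
        self.alpha = alpha                # EWMA weight for the load estimate
        self.hysteresis = hysteresis      # margin required before stepping back up
        self.load_ewma = None

    def _predicted_rtt(self, level):
        return self.base_rtt + LAYERINGS[level].overhead_ms * self.load_ewma

    def observe(self, measured_rtt_ms):
        """Feed one measured RTT; return the layering to use for the next call."""
        overhead = LAYERINGS[self.level].overhead_ms
        load = max((measured_rtt_ms - self.base_rtt) / overhead, 0.0)  # 1.0 = unloaded
        self.load_ewma = load if self.load_ewma is None else (
            self.alpha * load + (1 - self.alpha) * self.load_ewma)

        if self._predicted_rtt(self.level) > self.budget:
            # Degrade gracefully: strongest layering that still fits, never below the floor.
            fitting = [i for i in range(self.floor, self.level)
                       if self._predicted_rtt(i) <= self.budget]
            self.level = max(fitting) if fitting else self.floor
        else:
            # Recover only when a stronger layering fits with a hysteresis margin,
            # so the controller does not oscillate around the budget.
            margin = self.budget * (1 - self.hysteresis)
            fitting = [i for i in range(self.level + 1, len(LAYERINGS))
                       if self._predicted_rtt(i) <= margin]
            if fitting:
                self.level = max(fitting)
        return LAYERINGS[self.level].name


def simulate(controller, true_loads):
    """Constructed RTT model: base + overhead of the current layering x load."""
    chosen = []
    for load in true_loads:
        measured = controller.base_rtt + LAYERINGS[controller.level].overhead_ms * load
        chosen.append(controller.observe(measured))
    return chosen


if __name__ == "__main__":
    ctl = SecurityQoSController("enterprise", budget_ms=80.0, base_rtt_ms=20.0)
    for name in simulate(ctl, [1.0] * 3 + [3.0] * 5 + [1.0] * 5):
        print(name)
```

Two details carry the security point: the floor comes from the design-time profile and the controller cannot go below it even when nothing fits the budget (the system then runs over budget rather than unprotected), and the step-up margin stops the layering from flapping between two levels on a noisy RTT.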
Minimizing False Positives (End Users)
• Challenge: Find the ROC operating point that optimizes usable survivability
  – Users are likely to simply override or disable security controls altogether if normal interactions are flagged as insecure (false positives)
  – Failure to detect attacks (false negatives) is often difficult to assess and therefore doesn’t directly impact user experience
• Candidate Solution: Combine overlapping sensor regions with attack tolerance
  – Middleware can coordinate and correlate output from those sensors and make the monitoring functionality available to a broader set of applications, increasing both security and usability
    • The redundancy must not introduce undue additional latency, or the solution risks simply trading one negative usability impact for another.
  – Since survivable systems can operate through attacks, we can focus on manifestations of attack effects (0% false positive rate!)
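The ROC and overlapping-sensor points above, as an added example (not from the slides): three sensors with constructed (TPR, FPR) operating points are combined by k-of-n voting, each k giving one point on a fused ROC curve; the chooser keeps the rules whose false-positive rate stays under a usability budget and whose latency stays under a timeliness budget, and takes the best detection rate among them. The independence assumption, the sensor names and rates and the budgets are all assumptions for illustration.

```python
"""Sensor fusion against a false-positive budget.

Added example, not from the slides.  Overlapping sensors are modelled as
independent detectors, each with a constructed (TPR, FPR) operating point and a
reporting latency.  A k-of-n voting rule yields one fused operating point per
k; the chooser keeps only rules whose FPR stays under the usability budget and
whose latency stays under the timeliness budget, then takes the best TPR.
"""
from dataclasses import dataclass
from itertools import product


@dataclass(frozen=True)
class Sensor:
    name: str
    tpr: float         # P(alarm | attack)
    fpr: float         # P(alarm | benign)
    latency_ms: float  # time until this sensor has reported


# Constructed sensors: a fast host IDS, a slower network IDS, a slow log analyser.
SENSORS = [
    Sensor("host-ids", 0.90, 0.05, 20.0),
    Sensor("net-ids", 0.85, 0.02, 50.0),
    Sensor("log-analyser", 0.80, 0.08, 200.0),
]


def fused_rates(sensors, k):
    """(TPR, FPR) of a detector that alarms when at least k of the n sensors
    alarm, assuming independent sensors.  Enumerates all 2^n alarm patterns."""
    tpr = fpr = 0.0
    for fired in product((False, True), repeat=len(sensors)):
        if sum(fired) < k:
            continue
        p_attack = p_benign = 1.0
        for s, f in zip(sensors, fired):
            p_attack *= s.tpr if f else 1.0 - s.tpr
            p_benign *= s.fpr if f else 1.0 - s.fpr
        tpr += p_attack
        fpr += p_benign
    return tpr, fpr


def roc_points(sensors):
    """One ROC point per voting threshold k = 1 (OR) ... n (AND)."""
    return {k: fused_rates(sensors, k) for k in range(1, len(sensors) + 1)}


def choose_operating_point(sensors, max_fpr, max_latency_ms):
    """Pick the voting rule with the best TPR subject to the FPR budget.
    A negative verdict needs every sensor's report, so fusion latency is the
    slowest participating sensor; sensors over the latency budget are dropped."""
    usable = [s for s in sensors if s.latency_ms <= max_latency_ms]
    if not usable:
        return None
    candidates = [(tpr, k, fpr) for k, (tpr, fpr) in roc_points(usable).items()
                  if fpr <= max_fpr]
    if not candidates:
        return None
    tpr, k, fpr = max(candidates)
    return {"k": k, "n": len(usable), "tpr": tpr, "fpr": fpr,
            "sensors": [s.name for s in usable]}


if __name__ == "__main__":
    for k, (tpr, fpr) in roc_points(SENSORS).items():
        print(f"{k}-of-{len(SENSORS)}: TPR={tpr:.4f} FPR={fpr:.5f}")
    print(choose_operating_point(SENSORS, max_fpr=0.01, max_latency_ms=1000.0))
    print(choose_operating_point(SENSORS, max_fpr=0.01, max_latency_ms=100.0))
```

With these numbers no single sensor meets a 1% false-positive budget, but 2-of-3 voting does while still detecting about 94% of attacks; dropping the slow log analyser to meet a 100 ms budget keeps the FPR in budget but costs detection, which is the latency-for-usability trade the slide warns about.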
Measurement and Situational Awareness (Mission Owners + Sysadmins)
• Challenge: Non-binary, quantitative, and meaningful metrics
  – Mission owners need to make decisions based on the security of the overall system, with no good way to link security events to mission requirements and impact.
  – System administrators are often inundated by an enormous number of low-level security alerts and struggle to separate important events from noise.
• Candidate Solution: Assessments focused on Assured Mission Execution
  – Security assessment algorithms that take input from various stakeholders and relate system events to mission models
  – A number of middleware research efforts are underway to enable integrated information assurance assessments involving different stakeholders
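Relating system events to a mission model, as an added example that is not from the slides and not BBN’s assessment algorithms: missions depend on capabilities, capabilities on groups of components where any member of a group suffices, and each alert degrades one component; readiness is propagated through that model and each alert is ranked by the readiness it costs the mission. The component names, dependency model, severity weights and the three alerts are constructed for illustration.

```python
"""Relating security events to mission impact through a mission model.

Added example, not from the slides.  Missions depend on capabilities;
capabilities on groups of components where any member of a group suffices
(redundancy).  An event degrades the health of one component; the degradation
propagates to the capabilities and missions that (transitively) need it, and
events are ranked by the mission readiness they cost.  Model and events are
constructed.
"""

# Capability -> list of component groups; a group is satisfied by any one
# healthy member (web1/web2 are redundant front ends, db and auth are single).
CAPABILITIES = {
    "order-entry": [["web1", "web2"], ["db"], ["auth"]],
    "reporting": [["db"], ["mon"]],
}

# Mission -> (capability, weight) pairs expressing how much each capability matters.
MISSIONS = {
    "fulfill-orders": [("order-entry", 0.8), ("reporting", 0.2)],
}

# Fraction of a component's health that an alert of this severity removes.
SEVERITY_LOSS = {"low": 0.1, "medium": 0.5, "high": 1.0}

# Constructed alerts as a sysadmin console would list them.
EVENTS = [
    {"id": "E1", "component": "web1", "severity": "high", "msg": "rootkit signature on web1"},
    {"id": "E2", "component": "auth", "severity": "medium", "msg": "brute-force against auth"},
    {"id": "E3", "component": "mon", "severity": "high", "msg": "monitor agent unreachable"},
]


def component_health(events):
    """Health in [0, 1] per component: the worst applicable alert wins."""
    health = {}
    for e in events:
        loss = SEVERITY_LOSS[e["severity"]]
        health[e["component"]] = min(health.get(e["component"], 1.0), 1.0 - loss)
    return health


def capability_health(cap, health):
    """Series of parallel groups: each group contributes its best member."""
    value = 1.0
    for group in CAPABILITIES[cap]:
        value *= max(health.get(c, 1.0) for c in group)
    return value


def mission_readiness(mission, events):
    """Weighted readiness in [0, 1] of a mission given the open events."""
    health = component_health(events)
    deps = MISSIONS[mission]
    total = sum(w for _, w in deps)
    return sum(w * capability_health(cap, health) for cap, w in deps) / total


def rank_events(mission, events):
    """Marginal mission impact of each event: readiness regained if that one
    event were resolved.  Sorted most important first."""
    baseline = mission_readiness(mission, events)
    ranked = []
    for e in events:
        others = [o for o in events if o is not e]
        ranked.append((mission_readiness(mission, others) - baseline, e["id"]))
    ranked.sort(key=lambda t: (-t[0], t[1]))
    return ranked


if __name__ == "__main__":
    print("readiness:", mission_readiness("fulfill-orders", EVENTS))
    for impact, eid in rank_events("fulfill-orders", EVENTS):
        print(f"{eid}: impact {impact:.2f}")
```

The ranking is the point for the sysadmin: the “high” alert on web1 contributes nothing to this mission because web2 covers it, while the “medium” alert on the single auth server is the one that actually halves order entry, so severity alone would have sorted the console the wrong way.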
Summary
• Managing the interplay between usability and survivability will be a key driver for the success of future distributed systems
  – Expected to handle increasingly sophisticated tasks and support a wide range of users with varying levels of computer science proficiency
• Middleware-based approaches to usable survivability can help increase both usability and survivability
  – Autonomously manage the complexity of integrating multiple security components and human interfaces
• The security R&D community has recognized the need for usable security
  – DHS Cyber Security Roadmap 2010
  – BAA expected within months
Questions?
Andrew Gronosky, BBN Technologies, 10 Moulton Street, Cambridge, MA 02138, USA
Michael Atighetchi, BBN Technologies, 10 Moulton Street, Cambridge, MA 02138, USA
Dr. Partha Pal, BBN Technologies, 10 Moulton Street, Cambridge, MA 02138, USA
Dr. Joseph Loyall, BBN Technologies, 10 Moulton Street, Cambridge, MA 02138, USA
Backup
Survivability Achievements So Far
Survivability Architecture Results
• The system survived 75% of attacks
• Of those that succeeded:
  – Average time to failure was 45 minutes, vs. immediately in the unprotected system
  – Minimum of 10 minutes to failure
  – Required combinations of attacks
• Adaptive defenses added 5–20% overhead to call latency
Decision Making Results
• Possible to minimize expert involvement
• Reasoning about accusatory and evidentiary information with respect to encoded knowledge
  – Made the correct decision in ~75% of cases in red team exercises
  – Compute intensive
• Integrating learned responses online needs additional research
DHS S&T Cyber Security R&D Roadmap
• Produced in November 2009
• Provides a detailed R&D agenda for the future relating to 11 hard problem areas: [1] frame overarching problems, [2] specific major threats and needs, [3] “ilities” and system concepts
• Usable Security is listed as the 11th area and identified as a cross-cutting aspect.
“If taken seriously enough, it can influence the success of almost all the other topics. However, some sort of transcendent usability requirements need to be embedded pervasively in all the other topics.” (page VIII)