
Page 1: Usable Survivability
Michael Atighetchi, Andrew Gronosky, Partha Pal, Joseph Loyall
Distributed Systems Group, July 6 2010
03.10.10

Page 2: Outline

• Introduction
– Adaptive Middleware Research
– Definition of Usable Survivability

• Five Common Usability Issues in Survivability Research
– Supporting Different Stakeholder Requirements
– Minimizing End User Credential Complexity
– Maintaining Performance and Availability
– Minimizing False Positives
– Measurement and Situational Awareness

• Conclusion
– Summary and Next Steps

Page 3: Generations of Security Research

No system is perfectly secure, only adequately secured with respect to the perceived threat.

• 1st Generation: Protection. Prevent intrusions.
– Access control and physical security
– Cryptography
– Trusted computing base

But intrusions will occur.

• 2nd Generation: Detection. Detect intrusions, limit damage.
– Firewalls
– Intrusion detection systems
– Boundary controllers, VPNs, PKI

But some attacks will succeed.

• 3rd Generation: Intrusion Tolerance and Survivability. Tolerate attacks.
– Redundancy, diversity, deception
– Wrappers, proof-carrying code, proactive secret sharing
– Big board view of attacks
– Real-time situation awareness and response
– Graceful degradation
– Virtualized operating system

Page 4: What is Survivability?

• "The capability of a system to fulfill its mission, in a timely manner, in the presence of attacks, failures, or accidents."*

• Ability of a system to operate through attacks by using layered defense-in-depth
– Protect the most valuable assets and operations
– Accept some controlled degradation
– Adapt faster than the adversary

(Figure: Protect / Detect Attacks / React cycle)

* R. J. Ellison, D. A. Fisher, R. C. Linger, H. F. Lipson, T. Longstaff, N. R. Mead, "Survivable Network Systems: An Emerging Discipline," Carnegie Mellon Software Engineering Institute Technical Report CMU/SEI-97-TR-013, 1997, revised 1999

Page 5: Survivability Research at BBN

(Figure: timeline of BBN survivability research from 1997 to 2009, sponsored by DARPA, AFRL and DHS/HSARPA, with Red Team Assessments running throughout)

• Research threads
– Adaptive Distributed Object Middleware
– Survivable and Secure Systems
– Self-Regenerative Survivable Systems

• Programs
– AQuA, OIT, QuOIN
– APOD: Applications that Participate In Their Own Defense
– ITUA: Intrusion Tolerance Through Unpredictable Adaptation
– DPASA: Designing Adaptation And Protection into a Survivability Architecture
– CSISM: Cognitive Support for Intelligent Survivability Management
– Red Team Assessments

• Focus areas
– Defense Enabling
– Unpredictability
– Byzantine FT
– Survivability Architectures
– Autonomic Defense
– Cognitive Survivability Management

Page 6: Increasingly Distributed Computing Systems

(Figure: "Sixty Years of Distributed Systems Software Architecture Evolution," 1950s to 2010+. The stack grows from an application on an operating system (1950s), to applications on OS plus network protocols (1960s-1970s), to database systems and system development environments and programming languages (1980s), to middleware and middleware services over OS, network protocols, embedded OS, lightweight middleware and embedded applications for enterprise and tactical use (1990s-2000s), to service and information oriented systems that are adaptable, survivable and predictable across administration and security domains (2010+).)

Page 7: What is Usability?

• Usability has been studied extensively in the context of graphical user interface design and has focused on the elegance and clarity of the human-computer interface.

• Usability is a non-functional property of a system that is important for the system's success and effectiveness.

• Various definitions of usability exist. A functional decomposition into core concepts:
– Learnability (first time use)
– Efficiency (time to perform tasks)
– Memorability (reuse after an extended period of time)
– Errors (how many, how easy to correct)
– Situational awareness (ability of the user to notice changes in the system)
– Overall use satisfaction

Page 8: Usable Survivability

Definition: Usable survivability is the ability of a system to continue to provide user satisfaction while at the same time tolerating and recovering from attacks.

• Encompasses two dimensions
– Quality of the survivability mechanisms
– Quality of the interactions between humans and the survivability mechanisms

• Research challenges
– No one size fits all
– Various tradeoffs exist between flexibility, security, and usability

Position: Usable survivability is fostered by a middleware-based integration of security mechanisms that
• hides the complexity of interoperating components,
• presents a simple interface to users and applications, and
• autonomously balances the security and usability requirements of the various stakeholders.

Page 9: Supporting Different Stakeholders

• Challenge: Security and usability only make sense if tied to stakeholder requirements in a specific context
– End users (participate in ongoing missions) require transparent security mechanisms with minimal impact on normal
– System/mission owners (overall responsibility for mission success) require a clear operational picture that captures information about key events and how these impact their ongoing missions
– System administrators (monitor and maintain IT infrastructure) require meaningful aggregation with drill-down functionality, and tools to ensure that consistent security policies are enforced across multiple system components and ISO layers

• Candidate Solution: Creation of information assurance toolkits (analogous to GUI toolkits)
– Enable security engineers to compose and customize controls for a given stakeholder and threat environment
– Middleware provides the dynamic assembly and integration glue

Page 10: Minimizing Credential Complexity (End Users)

• Challenge: Long and random passwords increase security but decrease usability, since they are hard to remember
– Multi-factor authentication has a similar problem
– Access is denied if you forget any of "something you have" (ID card) + "something you know" (PIN) + "something you are" (biometrics)

• Candidate Solution: Robust algorithms that establish identities based on "something you do"
– Autonomic multi-modal combination of observables from video, voice, and HCI interactions
– Dynamic balancing of availability with accountability
– Information management middleware can integrate multiple media streams, perform inference to derive new knowledge, and transparently interface with existing applications

Page 11: Maintaining Performance and Availability (Sysadmins)

• Challenge: Balance security overhead against the available resources and the timeliness requirements of applications
– e.g., layered encryption models (WS-Security + TLS) for interactive web services need to respect the upper bounds on RTT defined by usability experiments

• Candidate Solution: Integrate static provisioning with dynamic Quality of Service (QoS) management
– Design-time provisioning: composition techniques that bind the amount and type of security mechanisms to specific profiles (enterprise systems vs. mobile devices)
– Run-time management: emerging adaptive QoS middleware technologies can ensure gracefully degraded operation when shared resources are overloaded
  • Automatic selection between different crypto protocols, key sizes, and layering depth in defense-in-depth architectures
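The following is an added example of the design-time plus run-time scheme described on this slide; it is not code from the slides or from BBN's middleware. The mechanism names, their strength ranks and per-call latency costs, the two profiles and the RTT budgets are all constructed assumptions. A profile fixes at design time which mechanisms a deployment class may compose and which layers it must never drop; at run time the selector picks the strongest legal stack whose projected RTT (measured base RTT plus security overhead) stays inside the usability budget, and degrades to the cheapest stack that still keeps the required layers when nothing fits.

```python
"""Run-time selection of a defense-in-depth security stack under an RTT budget.

Added example (not code from the slides or from BBN middleware). Mechanism
names, strength ranks, latency costs and the two profiles are constructed
assumptions for illustration only.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Mechanism:
    name: str
    layer: str       # a stack uses at most one mechanism per layer
    strength: int    # relative security rank, higher is stronger (assumed ordering)
    cost_ms: float   # added round-trip latency per call (constructed figure)


@dataclass(frozen=True)
class Profile:
    """Design-time provisioning: what a deployment class may use and must keep."""
    name: str
    rtt_budget_ms: float        # upper bound on end-to-end RTT from usability experiments
    allowed: tuple              # mechanism names this profile may compose
    required_layers: tuple      # layers that must never be dropped, even under overload


# Constructed catalogue of mechanisms (costs are illustrative, not measurements).
CATALOGUE = {m.name: m for m in [
    Mechanism("tls-rsa2048", "transport", 3, 4.0),
    Mechanism("tls-rsa4096", "transport", 4, 12.0),
    Mechanism("ws-sign", "message", 2, 6.0),           # WS-Security signing only
    Mechanism("ws-sign-encrypt", "message", 3, 10.0),  # WS-Security sign + encrypt
]}

ENTERPRISE = Profile("enterprise", 40.0, tuple(CATALOGUE), ("transport",))
MOBILE = Profile("mobile", 25.0, ("tls-rsa2048", "ws-sign"), ("transport",))


def candidate_stacks(profile):
    """Every legal composition for the profile: one mechanism per layer,
    all required layers present."""
    mechs = [CATALOGUE[n] for n in profile.allowed]
    for size in range(1, len(mechs) + 1):
        for combo in combinations(mechs, size):
            layers = [m.layer for m in combo]
            if len(set(layers)) != len(layers):
                continue
            if not set(profile.required_layers) <= set(layers):
                continue
            yield combo


def select_stack(profile, base_rtt_ms):
    """Pick the strongest stack whose projected total RTT (measured base RTT
    plus security overhead) stays within the profile's budget.

    Returns (mechanism names, projected total RTT, within_budget). When no
    legal stack fits, degrade to the cheapest one that still keeps the
    required layers and report the budget violation rather than dropping
    protection entirely.
    """
    fitting, fallback = [], []
    for combo in candidate_stacks(profile):
        total = base_rtt_ms + sum(m.cost_ms for m in combo)
        strength = sum(m.strength for m in combo)
        (fitting if total <= profile.rtt_budget_ms else fallback).append((strength, -total, combo))
    if fitting:
        strength, neg_total, combo = max(fitting, key=lambda x: (x[0], x[1]))
        return tuple(m.name for m in combo), -neg_total, True
    strength, neg_total, combo = max(fallback, key=lambda x: x[1])
    return tuple(m.name for m in combo), -neg_total, False


def p95(samples):
    """Crude p95 of observed base RTTs, so adaptation reacts to load rather than to one spike."""
    ordered = sorted(samples)
    return ordered[int(0.95 * (len(ordered) - 1))]


if __name__ == "__main__":
    # Constructed RTT samples: an idle network, then an overloaded shared link.
    idle = [9.0, 10.0, 10.0, 11.0, 10.0]
    overloaded = [24.0, 26.0, 25.0, 38.0, 25.0]
    for label, samples in (("idle", idle), ("overloaded", overloaded)):
        for profile in (ENTERPRISE, MOBILE):
            print(label, profile.name, select_stack(profile, p95(samples)))
```

With the constructed figures, the enterprise profile runs TLS with a 4096-bit key plus WS-Security sign-and-encrypt on an idle network, falls back to the 2048-bit key as the base RTT rises, and on a badly overloaded link keeps transport encryption while reporting that the usability budget can no longer be met; the mobile profile never sees the expensive options at all because design-time composition excluded them.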

Page 12: Minimizing False Positives (End Users)

• Challenge: Find the operating point on the ROC curve that optimizes usable survivability
– Users are likely to simply override or disable security controls altogether if normal interactions are flagged as insecure (false positives)
– Failure to detect attacks (false negatives) is often difficult to assess and therefore doesn't directly impact user experience

• Candidate Solution: Combine overlapping sensor regions with attack tolerance
– Middleware can coordinate and correlate the output from those sensors and make the monitoring functionality available to a broader set of applications, increasing both security and usability
  • The redundancy must not introduce undue additional latency, or the solution risks simply trading one negative usability impact for another
– Since survivable systems can operate through attacks, detection can focus on manifestations of attack effects rather than on predictions of attacks (0% false positive rate: an observed effect is not a guess)
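As an added illustration of the correlation policy on this slide (not code from the slides or from BBN's middleware), the block below runs two alerting policies over a constructed alert stream: a naive policy that flags a host on its first alert, and a middleware-style policy that requires corroboration from at least two distinct sensors within a short window before raising a user-visible alarm, while an observed attack effect (here a constructed file-integrity failure) is actionable on its own. The sensor names, hosts, timestamps and ground truth are all constructed; the point is to see the false positive disappear and the latency cost of waiting for corroboration appear.

```python
"""Corroborating overlapping sensors before raising a user-visible alarm.

Added example, not code from the slides or from BBN middleware. The sensor
names, alert stream and ground truth below are constructed for illustration.
"""
from collections import defaultdict

# Constructed alert stream: (time_s, sensor, target_host, kind).
# kind == "suspicious": an inference that may be a false positive.
# kind == "effect": an observed manifestation of an attack effect (e.g. a
# failed file integrity check), which needs no corroboration.
ALERTS = [
    (100, "nids", "db1", "suspicious"),
    (101, "hids", "db1", "suspicious"),
    (103, "appmon", "db1", "suspicious"),
    (200, "nids", "web2", "suspicious"),      # lone network alert
    (300, "hids", "app3", "suspicious"),
    (340, "nids", "app3", "suspicious"),      # same host, but 40 s later
    (400, "integrity", "web2", "effect"),     # web2 really was compromised
]
GROUND_TRUTH = {"db1", "web2"}  # hosts actually under attack (constructed)


def flag_every_alert(alerts):
    """Naive policy: the first alert of any kind flags the host. Returns host -> time flagged."""
    flagged = {}
    for t, _sensor, target, _kind in sorted(alerts):
        flagged.setdefault(target, t)
    return flagged


def correlate(alerts, window_s=10, quorum=2):
    """Middleware-style correlation: 'suspicious' alerts flag a host only when
    at least `quorum` distinct sensors report it within `window_s` seconds;
    an 'effect' alert flags it at once. Returns host -> time flagged."""
    flagged = {}
    recent = defaultdict(list)  # target -> [(time, sensor)] still inside the window
    for t, sensor, target, kind in sorted(alerts):
        if kind == "effect":
            flagged.setdefault(target, t)
            continue
        recent[target] = [(tt, s) for tt, s in recent[target] if t - tt <= window_s]
        recent[target].append((t, sensor))
        if len({s for _, s in recent[target]}) >= quorum:
            flagged.setdefault(target, t)
    return flagged


def confusion(flagged_hosts, truth):
    """(true positives, false positives, false negatives) over hosts."""
    flagged_hosts = set(flagged_hosts)
    return (len(flagged_hosts & truth), len(flagged_hosts - truth), len(truth - flagged_hosts))


if __name__ == "__main__":
    for name, policy in (("naive", flag_every_alert), ("correlated", correlate)):
        result = policy(ALERTS)
        print(name, result, "tp/fp/fn =", confusion(result, GROUND_TRUTH))
```

On the constructed stream the naive policy raises one false alarm (app3, two uncorrelated sensors 40 seconds apart) that would push an end user toward disabling the control; correlation removes it without losing either real incident, because web2 is still caught by the effect sensor. The price is visible in the timestamps: web2 is flagged at t=400 instead of t=200, which is exactly the latency trade-off the slide warns about, and widening the window (try `window_s=60`) brings the app3 false positive back.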

Page 13: Measurement and Situational Awareness (Mission Owners + Sysadmins)

• Challenge: Non-binary, quantitative, and meaningful metrics
– Mission owners need to make decisions based on the security of the overall system, but have no good way to link security events to mission requirements and impact
– System administrators are often inundated by an enormous number of low-level security alerts and struggle to separate important events from noise

• Candidate Solution: Assessments focused on assured mission execution
– Security assessment algorithms that take input from various stakeholders and relate system events to mission models
– A number of middleware research efforts are underway to enable integrated information assurance assessments involving different stakeholders
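The block below is an added example of one way to relate low-level events to a mission model, as this slide proposes; it is not code from the slides or from any BBN assessment algorithm. The missions, their tasks and criticality weights, the task-to-component dependencies, the event severity scale and the alert stream are all constructed assumptions. Each component's health is driven by the worst event seen for it, a task is only as healthy as its weakest dependency, and a mission's assurance score is the criticality-weighted sum of its task health, which gives the mission owner a number between 0 and 1 instead of a pile of alerts and gives the sysadmin a drill-down to the components that actually moved that number.

```python
"""Relating low-level security events to mission impact through a mission model.

Added example, not code from the slides or from BBN middleware. The missions,
tasks, component dependencies, event severities and alert stream are
constructed assumptions.
"""

# Mission model (constructed): mission -> {task: criticality weight}, weights sum to 1.
MISSIONS = {
    "resupply": {"route-planning": 0.6, "status-reporting": 0.4},
    "medevac":  {"route-planning": 0.3, "patient-tracking": 0.7},
}
# Which IT components each task depends on (constructed).
TASK_DEPENDS_ON = {
    "route-planning":   ("gis-svc", "db1"),
    "status-reporting": ("msg-bus",),
    "patient-tracking": ("db1", "ehr-svc"),
}
# How much trust/availability an event type removes from a component (assumed 0..1 scale).
EVENT_SEVERITY = {
    "integrity-failure": 1.0,   # observed attack effect: the component cannot be trusted
    "dos-suspected": 0.5,
    "auth-anomaly": 0.2,
    "port-scan": 0.0,           # noise as far as the mission is concerned
}
# Constructed low-level alert stream, as a sysadmin would see it: (component, event type).
EVENTS = [
    ("db1", "integrity-failure"),
    ("gis-svc", "port-scan"),
    ("msg-bus", "auth-anomaly"),
    ("ehr-svc", "port-scan"),
]


def component_health(events):
    """Component -> health in [0, 1]; the worst event seen for a component wins."""
    health = {}
    for component, kind in events:
        health[component] = min(health.get(component, 1.0), 1.0 - EVENT_SEVERITY[kind])
    return health


def task_health(task, health):
    """A task is only as healthy as its weakest dependency (assumed AND-composition)."""
    return min(health.get(c, 1.0) for c in TASK_DEPENDS_ON[task])


def mission_assurance(mission, health):
    """Criticality-weighted task health: 1.0 = mission unaffected, 0.0 = cannot execute."""
    return round(sum(w * task_health(t, health) for t, w in MISSIONS[mission].items()), 2)


def assess(events):
    """Mission -> assurance score, the non-binary metric a mission owner can act on."""
    health = component_health(events)
    return {m: mission_assurance(m, health) for m in MISSIONS}


def impact_drivers(mission, events):
    """Degraded components behind a mission's score, worst first: the drill-down a
    sysadmin needs to separate the events that matter from the noise."""
    health = component_health(events)
    deps = {c for t in MISSIONS[mission] for c in TASK_DEPENDS_ON[t]}
    return sorted(((c, health.get(c, 1.0)) for c in deps if health.get(c, 1.0) < 1.0),
                  key=lambda x: x[1])


if __name__ == "__main__":
    print(assess(EVENTS))
    for m in MISSIONS:
        print(m, "driven by", impact_drivers(m, EVENTS))
    # What-if for the mission owner: restore db1 from a clean image.
    print("after db1 recovery:", assess([e for e in EVENTS if e[0] != "db1"]))
```

Four alerts of equal weight in a raw alert list become, in mission terms, one event that matters (the db1 integrity failure takes medevac to 0.0 and resupply to 0.32), one minor degradation (the msg-bus auth anomaly) and two port scans that do not move either mission at all. The same model answers the what-if question a mission owner actually asks: recovering db1 would return medevac to 1.0 and resupply to 0.92.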

Page 14: Summary

• Managing the interplay between usability and survivability will be a key driver for the success of future distributed systems
– These systems are expected to handle increasingly sophisticated tasks and support a wide range of users with varying levels of computer science proficiency

• Middleware-based approaches to usable survivability can help increase both usability and survivability
– Autonomously manage the complexity of integrating multiple security components and human interfaces

• The security R&D community has recognized the need for usable security
– DHS Cyber Security Roadmap 2010
– BAA expected within months

Page 15: Questions?

Page 16: Contacts

Andrew Gronosky, Michael Atighetchi, Dr. Partha Pal, Dr. Joseph Loyall
BBN Technologies, 10 Moulton Street, Cambridge, MA 02138, USA

Page 17: Backup

Page 18: Increasingly Distributed Computing Systems (backup slide; verbatim copy of the page 6 figure)

Page 19: Survivability Achievements So Far

Survivability Architecture Results
• The system survived 75% of attacks
• Of those that succeeded:
– Average time to failure was 45 minutes, vs. immediately in the unprotected system
– Minimum of 10 minutes to failure
– Required combinations of attacks
• Adaptive defenses added 5-20% overhead to call latency

Decision Making Results
• Possible to minimize expert involvement
• Reasoning about accusatory and evidentiary information with respect to encoded knowledge
– Made the correct decision in ~75% of cases in red team exercises
– Compute intensive
• Integrating learned responses online needs additional research

Page 20: DHS S&T Cyber Security R&D Roadmap

• Produced in November 2009
• Provides a detailed R&D agenda for the future relating to 11 hard problem areas:
– [1] framing overarching problems
– [2] specific major threats and needs
– [3] "ilities" and system concepts
• Usable Security is listed as the 11th area and identified as a cross-cutting aspect:

"If taken seriously enough, it can influence the success of almost all the other topics. However, some sort of transcendent usability requirements need to be embedded pervasively in all the other topics." (page VIII)