Dependable Intrusion Tolerance

Slide deck, March 2002. Magnus Almgren, Alfonso Valdes, SRI International.

Dependable Intrusion Tolerance

March 2002

Magnus Almgren, Alfonso Valdes

SRI International

Acknowledgements

Research sponsored under DARPA Contract N66001-00-C-8058. Views presented are those of the authors and do not represent the views of DARPA or the Space and Naval Warfare Systems Center.

Outline

Background
System Components
The Single Proxy
Example
Validation
Performance
Stopping Code Red
Future Work

Background

Intrusion Tolerant Server
Redundancy & Diversity
Hardened Proxy: StackGuard, Online Verifiers, Small Code Base
HIDS/NIDS/app-IDS: EMERALD/Snort

System Components

Application Servers: Solaris, Win2k, RedHat, FreeBSD
IDS
Proxy: RedHat-6.2, our own code base

Diagram labels (application servers, their IDS, and the proxy):
MS Win2k, IIS
Solaris 8 (Sparc5), Apache, eXpert-BSM
RedHat 7.1, iPlanet
FreeBSD 4.2, Apache
App-IDS
eXpert-Net, eBayes-TCP, eBayes-Blue
Snort
RedHat 6.2, Proxy: eAggregator, C-R (challenge-response)

Proxy in Detail

Proxy components: e-Aggregator, Challenge Response, Repair Manager, Proxy Server, Regime Manager, Alert Manager

Policy/Regime settings (servers asked, answers that must agree): 1,1  2,2  3,3  4,4  4,3

Simple Example

Proxy components: e-Aggregator, Challenge Response, Repair Manager, Proxy Server, Regime Manager, Alert Manager

Policy/Regime settings (servers asked, answers that must agree): 1,1  2,2  3,3  4,4  4,3

Events shown in the animated example, in order:
reconnaissance
web attack
web answer
Policy/Regime response: Block client, Block URI
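As an added illustration (not the SRI proxy's own code), the toy regime manager below steps through the deck's regimes (1,1), (2,2), (3,3), (4,4), (4,3) as alerts arrive and enforces content agreement across replicas; the replica names come from the performance plot, the page contents and the "compromised" replica are constructed, and the step-up-on-every-alert policy is an assumption.

```python
# Added example, not the SRI proxy's own code: a toy regime manager that
# escalates through the deck's regimes on alerts and serves a response only
# when enough diverse replicas agree on the content.
from collections import Counter

# Regimes as (servers_asked, agreeing_answers_required), in escalation order.
REGIMES = [(1, 1), (2, 2), (3, 3), (4, 4), (4, 3)]

# Constructed replica answers for one URI. Names are taken from the deck's
# performance plot; "tiger" is assumed compromised and returns corrupt content.
REPLICAS = {
    "bobcat":  "<html>welcome</html>",
    "cheetah": "<html>welcome</html>",
    "hunter":  "<html>welcome</html>",
    "tiger":   "<html>defaced</html>",   # assumed corrupt replica
}

class RegimeManager:
    def __init__(self):
        self.level = 0             # index into REGIMES, starts at (1,1)
        self.quarantined = set()   # replicas handed to the repair manager

    def on_alert(self, kind):
        """Alert Manager feedback: assumed policy steps up one regime per alert."""
        self.level = min(self.level + 1, len(REGIMES) - 1)
        return REGIMES[self.level]

    def serve(self, replicas):
        """Ask `asked` healthy replicas; return content only if `needed` agree."""
        asked, needed = REGIMES[self.level]
        healthy = [n for n in replicas if n not in self.quarantined]
        answers = {n: replicas[n] for n in healthy[:asked]}
        if not answers:
            return None                      # nothing left to ask
        content, votes = Counter(answers.values()).most_common(1)[0]
        if votes < needed:
            return None                      # no agreement: withhold content
        # Replicas that disagreed with the agreed content are flagged for repair.
        for name, body in answers.items():
            if body != content:
                self.quarantined.add(name)
        return content
```

Regime (4,4) withholds content while one replica is corrupt, whereas (4,3) tolerates that single bad replica, flags it for repair, and keeps serving valid content.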

Plans for Validation

Performance: preliminary results

Resistance to attacks: compile a list of existing Web exploits and run these against the system. Problem: a very new attack, which we might not have thought about.

Assembly of complementary mechanisms

Red teaming?

Performance Measurement

1) Round-trip time measured through the proxy, regimes 1 to 4

2) Round-trip time measured directly for each application server

Asking for index.html with all included images and measuring round-trip time: about 34 kb in 9 requests.

[Figure: Round-trip time in ms (0 to 800) versus regime, i.e. number of servers asked (1 to 4); series: bobcat, cheetah, hunter, tiger, proxy; 10 simultaneous clients.]

[Figure: Response vs. number of simultaneous clients; round-trip time in ms (0 to 1000) versus number of simultaneous clients (0 to 20); series: Average, Median.]

Outline

General principles
Architecture overview
Proxy functionality
Stopping Code Red
Summary

Stopping Code Red (and NIMDA)

Diagram labels: Proxy Bank, IDS Appliance, IIS

1. 3/4 of Code Red attempts miss the IIS server
2. IDS detects attempt. System invokes agreement mode
3. In case of a successful infection, corrupt content is detected and reinfection attempts are blocked
4. Clients get valid content while compromised server is rebuilt

Dependable Intrusion Tolerance

Intrusion Detection to Date:
Seeks to detect an arbitrary number of attacks in progress
Relies on signature analysis and probabilistic (including Bayes) techniques
Response components immature
No concept of intrusion tolerance

New Emphasis:
Detection, damage assessment, and recovery
Finite number of attacks or deviations from expected system behavior
Seek a synthesis of intrusion detection, unsupervised learning, and proof-based methods for the detection aspect
Concepts from fault tolerance are adapted to ensure delivery of service (possibly degraded)

Summary

Developing an adaptable intrusion tolerant server architecture

General Principles:
Hardened proxy
Redundant capability with diverse implementation
Adaptive response

A variety of IDS, symptom detectors, and on-line verifiers provide situational awareness

Stepped policy response enforces content agreement in suspicious situations

Future directions:
Refine Alert Manager
Multiple proxies
Validate with existing exploits
Dynamic content
