
20 July 2000 DARPA IA&S Joint PI Meeting Computational Resiliency Steve J. Chapin, Susan Older Syracuse University Gregg Irvin Mobium Enterprises


Computational Resiliency

CR: the ability to sustain operation and dynamically restore the level of assurance during an attack.

A computationally-resilient application can sense, tolerate, and react to attack.

Computational Resiliency

Is...
  A mix of application libraries, system software, and theory
  A complementary solution
  Focused on the application (karate)
  Introspective

Is not...
  An intrusion detection system
    although it might use one
  A front-line defense
  A system-wide defense focused on negative policy

Computational Cockroaches¹

Breed -- use rapid replication to maintain numbers.
Hide from light -- sense attacks and migrate away.
Adapt -- reconfigure application; use camouflage and other tools to make oneself harder to hit.

No matter how hard you try, you just can’t wipe them out.

¹ Thanks to Cathy McCollum for the roach analogy.

Three-Pronged Approach

Strong theoretical basis
  reason about conformance to policy
Computational resiliency library
  dynamic application management
System software support
  scheduling/policy frameworks
  sensors

Theoretical Framework

Support reasoning about application and system behavior subject to resource constraints and application configuration
Formal notation based on π-calculus
  π-calculus covers migrating threads, communicating agents, dynamic topologies
  Extend for location and resource awareness
  cf. distributed join-calculus, 1-calculus, D-calculus
Capture notion of “sufficiently equivalent efficiency”

Computational Resiliency Library

Dynamic multithreading
Migration
Replication
Camouflage
Functionality reconfiguration
Policy-based management

Build on SCPlib

Library Technology (SCPlib)

[Figure labels: thread, processor, channel]

Reconfigurable Threads may move between processors to accommodate failures or changes to resource availability.

Processors may be microprocessors, SMP machines, or special devices.

Reconfigurable Channels provide uniform communication mechanism in SMPs and networks.

Replication with Group Communication

Shadow Threads

Basic CRlib Mechanisms for Dynamic Reconfiguration

[Figure: numbered thread configurations shown Before and After each of three operations: Move, Split, Merge]

Camouflage

Simple
  rename process, respawn process
More complex
  change functionality (via split/merge)
  process size/behavior patterns
  mimic interface of real programs
  decoy processes

Policy-based Management

Applications/users specify CR policy:
  number of replicas
  mutation policy
  migration policy
  checkpointing
As much as we can, draw on past and concurrent work in policy specification and management at DARPA (we really would rather not build this yet again)

System Support

Schedulers that understand CR policies, resultant resource demands, user/process priority
Build on our past work in scheduling (MESSIAHS, Legion)
High potential for collaboration

[Figure labels: Scheduler; User Requests; Thread Management; Communication Management; User Application Code; User Process (user application + library code); Intrusion Detection System]

Testbed Environment

[Figure: testbed network diagram. Labels: Gigabit Switch (two), Wireless Hub, Routers, Intel 8-way, Intel 4-way, SGI Origin 200 SMP, SGI PowerChall SMP (14), SGI Indigo, Sensor, Radar Sensor, PC, SUN Sparc, PC/Alpha cluster, Mobium, AFRL]

IW-Hardened Applications

Collaborate with Real-Time Sensors project at Syracuse (DARPA ITO)
Develop IW-hardened multispectral imaging application (TBD), e.g.:
  Land mines using UAVs
  Camouflaged equipment and personnel
  Missile threats - plume signatures
  Concealed weapons
  Treaty compliance/surveillance using UAVs

Real Time Multi-spectral Camera

Deliver up to 110 frs/sec
Full pixel resolution at 1024x1024
Filter wheel with 12 filters ranges from 500nm to 1050nm
motor controlled variable frame rate, and exposure time

Spectral-Screening PCT

[Figure labels: Entropy = 2.25; Entropy = 0.726; Delta SNR = 4.508 dB]

Risks and Concerns

Self-DOS
  cost of response vs. the cost of attack
  cost of defense in the absence of attack
  manipulation via corrupted sensors
  avoid if possible; document if unavoidable
Timing issues and race conditions
  can we react fast enough in the face of heavy attack?
Attacks during reconfiguration?
Observation reducing the effectiveness of our methods

Technology Transfer

Mobium Enterprises
  subcontractor on this effort
  integrate this technology with DARPA applications
CASE center at Syracuse
  NY state-sponsored incubator
  sole purpose is tech transfer of computing technology to startups in central NY

Milestones

6-12 months
  core calculus
  extend SCPlib to create basic CRlib
  simple camouflage
  decoys
  prototype IW application using basic CRlib

Milestones II

15-24 months
  rough equivalence in calculus
  initial use of calculus to analyze schedules and configuration changes
  functionality mutation
  policy specification frameworks

Milestones III

36-42 months
  Advanced camouflage
  CR-aware schedulers
  Final IW-hardened application
  policy specification framework using calculus
IW exercises to test system every 6 months starting at 1 year

Hypothetical Example

Rocky
  highest priority
  expands out of safe zone
  replication
Dudley
  lowest priority user
  stays inside safe zone
Bullwinkle
  expands out of safe zone
  splits computation to obtain higher concurrency
  employs replication, checkpointing

The Attack...

Natasha -> Rocky
  caught by IDS
Boris -> Bullwinkle
  successfully kills some of Bullwinkle’s processes
Snideley -> Dudley
  caught at firewall (“Curses, foiled again!”)

The Reaction

Rocky’s application
  retreats into the safe zone
Bullwinkle’s application
  employs camouflage
  puts out decoys
  recovers from checkpoint
Dudley’s
  does nothing, but must release resources to Rocky’s application
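
A toy model of the policy-driven reaction in the hypothetical example, added here for illustration; it is not code from the presentation, CRlib, or SCPlib. The `Policy` and `App` classes, the host names, and the per-event respawn budget (a guard against the self-DOS concern raised under Risks and Concerns) are all assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:                 # hypothetical fields, modelled on the CR policy list
    replicas: int             # number of replicas to maintain
    retreat_on_alert: bool    # migration policy: pull back into the safe zone
    respawn_budget: int       # max respawns per event, bounding cost of response

@dataclass
class App:
    name: str
    policy: Policy
    placement: list                               # host of each live replica
    suspect: set = field(default_factory=set)     # hosts seen under attack

    def react(self, event, host, safe_zone, hosts):
        """Apply one sensor event and return the list of actions taken."""
        actions = []
        self.suspect.add(host)
        if event == "killed":                     # our threads on `host` died
            self.placement = [h for h in self.placement if h != host]
        elif event == "ids_alert" and self.policy.retreat_on_alert:
            for i, h in enumerate(self.placement):
                if h not in safe_zone:            # migrate exposed replicas
                    self.placement[i] = safe_zone[i % len(safe_zone)]
                    actions.append(f"migrate {h}->{self.placement[i]}")
        # Restore the replica count on hosts not under suspicion, within budget.
        candidates = [h for h in hosts if h not in self.suspect]
        missing = self.policy.replicas - len(self.placement)
        for i in range(min(missing, self.policy.respawn_budget)):
            if not candidates:
                break
            target = candidates[i % len(candidates)]
            self.placement.append(target)
            actions.append(f"respawn on {target}")
        return actions

def demo():
    # Constructed topology: s1/s2 form the safe zone, x1/x2 lie outside it.
    safe, hosts = ["s1", "s2"], ["s1", "s2", "x1", "x2"]
    rocky = App("rocky", Policy(3, True, 2), ["s1", "x1", "x2"])
    bull = App("bullwinkle", Policy(4, False, 1), ["x1", "x1", "x2", "s1"])
    return (rocky.react("ids_alert", "x1", safe, hosts), rocky.placement,
            bull.react("killed", "x1", safe, hosts), bull.placement)
```

With a budget of 1, Bullwinkle's application regains only one of its two lost replicas per event, which shows the trade-off between restoring assurance quickly and bounding the cost of the response.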

Jay’s Questions

Attacks/Threats
  We don’t have a specific model at this time
  Alerts by IDS, noticing when our threads are killed/incapacitated
Policies we’ll support
  “Positive” policies regarding the behavior and properties of our applications