CoBFIT: A component-Based Framework for Intrusion Tolerance
Authors: HariGovind V. Ramasamy, Adnan Agbaria, William H. Sanders
Presented by: Keqiang Zhu
Intrusion Tolerance
Despite defense mechanisms and rigorous testing, most systems remain at least somewhat vulnerable
Protecting against all attacks is not practical
Assumes that over time, a subset of vulnerabilities will be successfully exploited by an attacker
Goal: Provide “acceptable” service despite faults due to intrusions
Traditional Security + IT = defense-in-depth (buying time by yielding space)
Motivation
Most of the implementation effort in building an IT system is not spent on the IT functionality but on the support features for IT
Different OSes are a design requirement for most IT systems, and multiple teams working on different platforms implemented their own versions of the support features
Hard to reuse the support features, since the various implementations tightly coupled the support features with the IT functionality
Motivation (cont.)
Lack of a convenient platform for building and evaluating various design choices for IT protocols
Frameworks for dependability exist but they are mainly for crash-fault-tolerant protocols that consider benign faults, and don’t provide specialized support for IT in the face of malicious faults
Goals
Separate the support features that facilitate the building of IT protocols from the actual IT functionality provided by the protocols
Goals
A software framework for intrusion tolerance
Robust – the framework itself needs to be robust to support robust IT protocols
Reconfigurable – need to provide the capability to dynamically change system posture in the face of attacks
Reusable – serve as a convenient platform for building and testing a variety of IT protocols without having to re-implement the support features
Portable – to exploit diversity through OS heterogeneity for IT benefits
Outline
CoBFIT Architecture
Framework Components
Example Framework Specialization: an IT group communication system
Support provided by the CoBFIT framework in the context of the example
Summary and Future work
CoBFIT Architecture
CoBFIT Architecture (cont.)
Framework components implement the structure of IT
Have primitives, abstractions, supporting software mechanisms for IT
Provide run-time support or development support
Service components implement the functionality of IT
Are specific to a particular domain of applications
Have implementation of an IT protocol/algorithm
Outline
CoBFIT Architecture Framework Components Example Framework Specialization: an IT
group communication system Support provided by the CoBFIT framew
ork in the context of the example Summary and Future work
Event Manager
Restricts communication between service components strictly through events
Publish-subscribe model
Components publish events they generate to the Event Manager
Components subscribe to events they are interested in handling (event handlers) from the Event Manager
Event Manager (Cont.)
Detects, de-multiplexes, and dispatches events to the interested service components
Invocation order of multiple event handlers subscribed to the same event is determined through a dependency graph
Event Manager: Dependency Graph
Nodes: service components in the CoBFIT system
Edge from service component c1 to another component c2 implies that correct operation of c1 depends on whether c2 correctly satisfies its specified properties
Event handler of c2 invoked first, followed by event handler of c1
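The following is an added example (not CoBFIT's code) of the dispatch rule on this slide: a publish-subscribe Event Manager whose handler invocation order is the reverse-dependency order of the component graph, so that when c1 depends on c2, c2's handler runs first. The component names FailureDetection, GroupMembership and TotalOrder and the Failure_Detect payload are assumptions taken from the later GCS slides; a cyclic graph is rejected instead of dispatched.

```python
"""Added illustration of the Event Manager's dependency-graph ordering.
Not CoBFIT's code: the component names (FailureDetection, GroupMembership,
TotalOrder) and the Failure_Detect payload below are assumptions."""
from collections import defaultdict, deque
from typing import Callable, Dict, List, Set

Handler = Callable[[str, dict], None]


class EventManager:
    """Publish-subscribe dispatcher whose handler order follows a dependency graph.

    depends_on[c1] = {c2, ...} records an edge c1 -> c2: correct operation of c1
    depends on c2, so c2's handler is invoked before c1's for the same event.
    """

    def __init__(self, depends_on: Dict[str, Set[str]]):
        self.depends_on = {c: set(d) for c, d in depends_on.items()}
        self.subscribers: Dict[str, Dict[str, Handler]] = defaultdict(dict)
        self.order = self._invocation_order()

    def _invocation_order(self) -> List[str]:
        # Kahn's algorithm: a component is emitted only after every component it
        # depends on has been emitted. Sorting keeps the order deterministic; a
        # cycle leaves nodes unemitted, which is reported instead of dispatched.
        nodes: Set[str] = set(self.depends_on)
        for deps in self.depends_on.values():
            nodes |= deps
        remaining = {n: len(self.depends_on.get(n, set())) for n in nodes}
        dependents: Dict[str, List[str]] = defaultdict(list)
        for c1, deps in self.depends_on.items():
            for c2 in deps:
                dependents[c2].append(c1)
        ready = deque(sorted(n for n in nodes if remaining[n] == 0))
        order: List[str] = []
        while ready:
            n = ready.popleft()
            order.append(n)
            for d in sorted(dependents[n]):
                remaining[d] -= 1
                if remaining[d] == 0:
                    ready.append(d)
        if len(order) != len(nodes):
            raise ValueError("dependency cycle among %s" % sorted(nodes - set(order)))
        return order

    def subscribe(self, component: str, event: str, handler: Handler) -> None:
        # One handler per (component, event). A component the graph does not
        # mention is still served, after every component the graph orders.
        self.subscribers[event][component] = handler
        if component not in self.order:
            self.order.append(component)

    def publish(self, event: str, payload: dict) -> List[str]:
        """Dispatch one event; returns the components invoked, in invocation order."""
        handlers = self.subscribers.get(event, {})
        invoked: List[str] = []
        for component in self.order:
            if component in handlers:
                handlers[component](event, payload)
                invoked.append(component)
        return invoked


def demo() -> List[str]:
    # Constructed graph: TotalOrder depends on GroupMembership, which depends on
    # FailureDetection (the dependency chain the GCS slides describe).
    em = EventManager({"GroupMembership": {"FailureDetection"},
                       "TotalOrder": {"GroupMembership"}})
    log: List[str] = []
    for c in ("TotalOrder", "GroupMembership", "FailureDetection"):
        em.subscribe(c, "Failure_Detect",
                     lambda ev, p, c=c: log.append("%s handled %s for %s" % (c, ev, p["member"])))
    em.publish("Failure_Detect", {"member": "replica-2"})   # constructed member id
    return log


if __name__ == "__main__":
    print("\n".join(demo()))
```

Subscription order is deliberately the reverse of the dependency order in demo(), to show that the graph, not subscription time, decides who handles Failure_Detect first.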
CoBFIT GCS Service Components
Constructor
Is responsible for reconfiguring the CoBFIT system
Creates all CoBFIT components
Hands over the dependency graph to the Event Manager
Constructor (cont.)
All CoBFIT components implement a uniform component management interface
Has operation interfaces to (re)initialize, shut down, suspend/resume, and execute
Maintains a component repository
Implements rules to choose among multiple scripts, each specifying different adaptation strategies (e.g., which of the available service components to link/unlink)
Failure Detection
Is the hub of communication for intrusion detection
Identifies compromised subsystems so as to repair, replace, or remove them
Enforces a clean separation between failure detection and failure response mechanisms
Serves as the central sink for intrusion detections from internal (service-component-specific) and external (third-party IDSs) sources
Failure Detection (cont.)
Processes the reports and implements policies to determine which reports should actually lead to system adaptation
Generates a Failure_Detect event to which interested components can subscribe
Allows service components to be more independent of the specific failure detection tools
Replication Manager
Redundancy by replication: important design primitive used in many fault and intrusion-tolerant systems
Manages a replicated application
Each replica is a CoBFIT system
Each replica has a Replication Manager
Replication Manager (cont.)
Replication Manager components at various replicas
Communicate with each other to reconfigure a replicated application
Translate high-level dependability requirements specified at run-time to particular replication configurations
Consensus
Consensus is a building block for many distributed services (atomic multicast, membership)
Provides a consensus primitive that can be used for constructing such services
Cryptography
Provides a uniform way to access multiple third-party cryptographic libraries
Defines interfaces for common crypto operations, and adapts the interface of the chosen cryptographic library to the defined interface
Enhances reusability of service components by making them independent of the particular choice of crypto library
Network
Messages are special types of events used by a CoBFIT system to communicate with other CoBFIT systems or the outside world
A service component sends and receives messages through the Network component
Provides portable, object-oriented wrappers around platform-specific low-level network functions and data
Provides a uniform networking interface independent of the particular platform or underlying transport mechanism
Secure Data Manager
Provides "safe" classes (wrappers around unsafe C/C++ standard library functions)
Classes for marshalling/de-marshalling, buffering, fragmenting and reassembling messages in an efficient manner without making "deep" copies
Service component developers would use these classes instead of the ones provided by the standard library
CoBFIT GCS Service Components
CoBFIT GCS Service Components: Group Membership
Implements an intrusion-tolerant group membership protocol
Is useful for removing faulty members from the group and adding new members to the group
Maintains consistent group membership information across all correct group members
Subscribes to the Failure_Detect event generated by Failure Detection (CoBFIT framework component)
Removes group members for which the Failure_Detect event has been generated from the group
CoBFIT GCS Service Components: Reliable Multicast
All correct members deliver the same set of multicast messages
The contents of a multicast message as delivered to all correct processes are the same
Prevents situations in which a malicious group member sends one payload to some group members and another payload to other group members for the same multicast message
CoBFIT GCS Service Components: Total Order
Ensures that if two correct group members deliver two application-level multicast messages m1 and m2, then both members deliver the messages in the same order
Is crucial in state machine replicated applications so that group members (replicas) reach the same state after executing an operation requested by a multicast message
Protocol partitions the set of all possible multicast sequence numbers among the group members; assigns one partition to each group member
Each replica generates messages with increasing sequence numbers from its assigned partition without any gaps
Messages are delivered in sequence number order
Protocol proceeds in global rounds, in which each group member sends exactly one message per round (using a sequence number from its assigned partition)
If there is no application-level message to be sent in a round, a correct group member is required to send a null message with the correct sequence number
A member that stalls the protocol by refusing to send messages in a round will be suspected and reported to the Failure Detection component; if more than two-thirds of the group members suspect a group member, then that member will eventually be removed from the group
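An added example (not CoBFIT's code) of the total order scheme on this slide as seen from one correct member: sequence numbers are partitioned among members, each member sends exactly one message per round (a null message when it has nothing to say), delivery follows sequence number order regardless of arrival order, a message using a sequence number outside its sender's partition is rejected, and a member whose slot for a round never arrives is suspected. The partition rule (member i owns i, i+n, i+2n, ...), the Msg layout and the member indices are assumptions; the sample payloads are constructed.

```python
"""Added illustration of the round-based total order scheme described above.
Not CoBFIT's code: the partition rule (member i owns sequence numbers i, i+n,
i+2n, ...), the Msg layout and the member ids are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set, Tuple


@dataclass(frozen=True)
class Msg:
    sender: int                 # index of the group member, 0..n-1
    seq: int                    # sequence number drawn from the sender's partition
    payload: Optional[bytes]    # None marks a null message that only fills the slot


class TotalOrderMember:
    """Delivery state kept by one correct group member."""

    def __init__(self, n_members: int):
        self.n = n_members
        self.next_seq = 0                   # lowest sequence number not yet delivered
        self.seen: Set[int] = set()         # every sequence number received so far
        self.pending: Dict[int, Msg] = {}   # received, but blocked by a gap below them
        self.delivered: List[Msg] = []      # application messages, in delivery order
        self.suspects: Set[int] = set()

    def owner(self, seq: int) -> int:
        return seq % self.n   # assumed partition rule

    def receive(self, msg: Msg) -> bool:
        """Accept a message if it uses its sender's partition; deliver what became ready."""
        if msg.sender != self.owner(msg.seq) or msg.seq in self.seen:
            return False    # wrong partition, or a replay of a seen slot: never delivered
        self.seen.add(msg.seq)
        self.pending[msg.seq] = msg
        while self.next_seq in self.pending:
            m = self.pending.pop(self.next_seq)
            if m.payload is not None:       # null messages are consumed, not delivered
                self.delivered.append(m)
            self.next_seq += 1
        return True

    def end_of_round(self, rnd: int) -> Set[int]:
        """Suspect every member whose slot for this round never arrived.

        A real system would publish a Suspect_Report for each; here they are returned.
        """
        missing = {m for m in range(self.n) if rnd * self.n + m not in self.seen}
        self.suspects |= missing
        return missing


def run_rounds(n: int, rounds: int, app_msgs: Dict[int, List[bytes]],
               stalled: Set[int] = frozenset(),
               reverse_arrival: bool = False) -> Tuple[List[bytes], Set[int]]:
    """Simulate global rounds as observed by one correct member.

    Every non-stalled member sends exactly one message per round: its next
    application message if it has one, otherwise a null message. Returns the
    delivered payloads and the set of suspected members.
    """
    me = TotalOrderMember(n)
    queues = {m: list(app_msgs.get(m, [])) for m in range(n)}
    for rnd in range(rounds):
        batch = []
        for m in range(n):
            if m in stalled:
                continue                    # a stalling member sends nothing
            payload = queues[m].pop(0) if queues[m] else None
            batch.append(Msg(m, rnd * n + m, payload))
        if reverse_arrival:
            batch.reverse()                 # network reordering within a round
        for msg in batch:
            me.receive(msg)
        me.end_of_round(rnd)
    return [m.payload for m in me.delivered], me.suspects


if __name__ == "__main__":
    # Constructed input: member 0 has two messages, member 1 one, member 2 none.
    print(run_rounds(3, 2, {0: [b"a", b"c"], 1: [b"b"]}))
    print(run_rounds(3, 2, {0: [b"a", b"c"], 1: [b"b"]}, stalled={2}))
```

Running the same input with reverse_arrival=True gives the same delivered list, which is the property the slide calls total order; with member 2 stalled, delivery blocks at the missing slot and member 2 appears in the suspect set, which is what triggers the report to Failure Detection.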
CoBFIT GCS Service Components: Gossip
Discovers new processes wanting to join the group
If a new process has proper credentials, it is allowed to join the group
Group membership protocol updates the group membership info at all correct group members consistently to reflect the addition of the new process to the group
CoBFIT GCS Service Components: Heartbeat
If the heartbeat from a process doesn't arrive in time, it is suspected
If more than two-thirds of the group members suspect a member of crashing, then that member is removed from the group
CoBFIT GCS Service Components
Group membership and total order protocol messages need to be consistently delivered (with the same contents) at all correct group members
Group membership needs Gossip to discover new processes, and Heartbeat to detect crashed group members
Total order protocol needs group membership protocol to remove group members that stall the protocol
Support Provided by CoBFIT Framework
All service components in the CoBFIT GCS rely on
Cryptography component for digitally signing/verifying messages
Secure Data Manager component for various message marshalling/de-marshalling operations
Network component to communicate with peer service components on remote CoBFIT systems (replicas) belonging to the same group
Event Manager component for communication with other service components within the same CoBFIT system (replica)
Support Provided by CoBFIT Framework
Group membership component depends on the Failure Detection component to receive the Failure_Detect event, based on which it removes faulty members from the group
Service components generate a Suspect_Report event to identify a suspect group member; handled by the Failure Detection component
Failure Detection components at various group members exchange Suspect_Report events with each other
When a Failure Detection component receives Suspect_Report events for a particular group member from the peer components at more than two-thirds of the group members, it generates a Failure_Detect event
Failure_Detect event is handled locally by the group membership component to ensure that the “convicted” group member is removed from the group membership
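An added example (not CoBFIT's code) of the Suspect_Report to Failure_Detect flow on this slide, together with the heartbeat-timeout source of suspicion from the Heartbeat slide: one member's Failure Detection collects Suspect_Report events per suspect, ignores reports from non-members and repeated reports from the same reporter, and generates a Failure_Detect exactly when reports have arrived from more than two-thirds of the group members; the local group membership handler then removes the convicted member from its view. Member names, the (reporter, suspect) report shape and the timeout value are constructed for the example.

```python
"""Added illustration of the Suspect_Report -> Failure_Detect flow described
above, including the heartbeat-timeout source of suspicion from the Heartbeat
slide. Not CoBFIT's code: member names, the report format and the timeout
value are constructed for the example."""
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple


def failure_detect_threshold(n: int) -> int:
    """Smallest number of reporting members that is strictly more than two-thirds of n."""
    return (2 * n) // 3 + 1


class FailureDetection:
    """Central sink for Suspect_Report events; convicts on a more-than-2/3 quorum."""

    def __init__(self, members: Iterable[str]):
        self.members: Set[str] = set(members)
        self.reports: Dict[str, Set[str]] = defaultdict(set)   # suspect -> reporters
        self.convicted: Set[str] = set()

    def suspect_report(self, reporter: str, suspect: str) -> bool:
        """Handle one Suspect_Report (local or from a peer Failure Detection).

        Returns True exactly when this report completes the quorum and a
        Failure_Detect event should be generated. Reports from non-members,
        reports about non-members and repeated reports from one member are ignored.
        """
        if reporter not in self.members or suspect not in self.members:
            return False
        if suspect in self.convicted:
            return False
        self.reports[suspect].add(reporter)    # a set: one vote per reporter
        if len(self.reports[suspect]) >= failure_detect_threshold(len(self.members)):
            self.convicted.add(suspect)
            return True
        return False


class GroupMembership:
    """Service component that subscribes to Failure_Detect and shrinks the view."""

    def __init__(self, members: Iterable[str]):
        self.view: Set[str] = set(members)

    def on_failure_detect(self, member: str) -> List[str]:
        self.view.discard(member)
        return sorted(self.view)


def heartbeat_suspects(last_seen: Dict[str, float], now: float, timeout: float) -> Set[str]:
    """Heartbeat rule: a member whose last heartbeat is older than `timeout` is suspected.

    Each suspicion would be published locally as a Suspect_Report.
    """
    return {m for m, t in last_seen.items() if now - t > timeout}


def run_reports(members: Iterable[str],
                reports: List[Tuple[str, str]]) -> Tuple[List[str], List[str]]:
    """Feed (reporter, suspect) pairs to one member's Failure Detection.

    Returns the final membership view and the members for which a
    Failure_Detect event was generated, in order.
    """
    members = list(members)
    fd = FailureDetection(members)
    gm = GroupMembership(members)
    detected: List[str] = []
    for reporter, suspect in reports:
        if fd.suspect_report(reporter, suspect):
            detected.append(suspect)
            gm.on_failure_detect(suspect)      # Failure_Detect handled locally
    return sorted(gm.view), detected


if __name__ == "__main__":
    # Constructed group of four; three distinct reporters are needed (more than 8/3).
    group = ["m0", "m1", "m2", "m3"]
    print(run_reports(group, [("m0", "m2"), ("m1", "m2"), ("m0", "m2"),
                              ("intruder", "m2"), ("m3", "m2")]))
```

With four members the quorum is three distinct reporters: two reports plus a duplicate from m0 and a report from a non-member leave m2 in the group, and only the third distinct member's report produces the Failure_Detect that removes it.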
Summary and Future Work
Summary
A framework that provides specialized support for intrusion-tolerant services, facilitating their development and run-time adaptation
Incorporates characteristics that are essential for survivability in the face of attacks
Demonstrated how it can serve as a convenient platform for building an IT group communication system
Future Work
Investigate decision procedures that strike a balance between automated reconfiguration and unnecessary reconfiguration (Constructor)
Provide a comprehensive library of safe classes (Secure Data Manager)
Interface with multiple third-party IDSs, new policies for analyzing intrusion reports that reduce reconfiguration resulting from false positives (Failure Detection)
Translate high-level dependability requirements to replication configurations tolerating different types of faults (Replication Manager)
Make a widely used application IT-enabled using the CoBFIT GCS
Explore additional supporting software mechanisms for IT that can be added as framework components in the CoBFIT framework