CoBFIT: A Component-Based Framework for Intrusion Tolerance
Authors: HariGovind V. Ramasamy, Adnan Agbaria, William H. Sanders
Presented by: Keqiang Zhu


Page 2: Intrusion Tolerance

- Despite defense mechanisms and rigorous testing, most systems remain at least somewhat vulnerable
- Protecting against all attacks is not practical
- Intrusion tolerance (IT) assumes that over time, a subset of vulnerabilities will be successfully exploited by an attacker
- Goal: provide "acceptable" service despite faults due to intrusions
- Traditional security + IT = defense-in-depth (buying time by yielding space)

Page 3: Motivation

- Most of the implementation effort in building an IT system is spent not on the IT functionality itself but on the support features for IT
- Different OSes are design requirements for most IT systems, and multiple teams working on different platforms implemented their own versions of the support features
- The support features are hard to reuse, since the various implementations tightly couple them with the IT functionality

Page 4: Motivation (cont.)

- Lack of a convenient platform for building and evaluating various design choices for IT protocols
- Frameworks for dependability exist, but they are mainly for crash-fault-tolerant protocols that consider benign faults, and do not provide specialized support for IT in the face of malicious faults

Page 5: Goals

- Separate the support features that facilitate the building of IT protocols from the actual IT functionality provided by the protocols

Page 6: Goals (cont.)

- A software framework for intrusion tolerance that is:
  - Robust: the framework itself needs to be robust in order to support robust IT protocols
  - Reconfigurable: needs to provide the capability to dynamically change system posture in the face of attacks
  - Reusable: serves as a convenient platform for building and testing a variety of IT protocols without having to re-implement the support features
  - Portable: to exploit diversity through OS heterogeneity for IT benefits

Page 7: Outline

- CoBFIT Architecture
- Framework Components
- Example Framework Specialization: an IT group communication system
- Support provided by the CoBFIT framework in the context of the example
- Summary and Future Work

Page 8: CoBFIT Architecture

Page 9: CoBFIT Architecture (cont.)

- Framework components implement the structure of IT
  - Have primitives, abstractions, and supporting software mechanisms for IT
  - Provide run-time support or development support
- Service components implement the functionality of IT
  - Are specific to a particular domain of applications
  - Contain the implementation of an IT protocol/algorithm


Page 11: Event Manager

- Restricts communication between service components strictly to events
- Publish-subscribe model
  - Components publish the events they generate to the Event Manager
  - Components subscribe to the events they are interested in handling (event handlers) from the Event Manager

Page 12: Event Manager (cont.)

- Detects, de-multiplexes, and dispatches events to the interested service components
- The invocation order of multiple event handlers subscribed to the same event is determined through a dependency graph

Page 13: Event Manager: Dependency Graph

- Nodes: service components in the CoBFIT system
- An edge from service component c1 to another component c2 means that correct operation of c1 depends on whether c2 correctly satisfies its specified properties
- The event handler of c2 is invoked first, followed by the event handler of c1
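
An added example (not CoBFIT's own code) of the dispatch rule above: a small publish-subscribe Event Manager that topologically sorts the subscribers of an event along the dependency graph, so a component's handler never runs before the handlers of the components it depends on. The dependency edges come from the GCS slides; the event payload and the extra subscribers in the demo are assumptions.

```python
from collections import defaultdict


class EventManager:
    """Publish-subscribe dispatcher that orders handlers via a dependency graph."""

    def __init__(self, dependencies):
        # dependencies[c1] is the set of components c2 with an edge c1 -> c2:
        # c1's correct operation depends on c2, so c2's handler must run first
        self.deps = {c: set(d) for c, d in dependencies.items()}
        self.subscribers = defaultdict(dict)   # event -> {component: handler}

    def subscribe(self, event, component, handler):
        self.subscribers[event][component] = handler

    def handler_order(self, event):
        """Depth-first topological sort of the components subscribed to `event`;
        a dependency cycle among subscribers is a configuration error."""
        subs = set(self.subscribers[event])
        order, visiting, done = [], set(), set()

        def visit(c):
            if c in done:
                return
            if c in visiting:
                raise ValueError(f"dependency cycle through {c}")
            visiting.add(c)
            for d in sorted(self.deps.get(c, ())):
                if d in subs:            # only subscribers of this event are ordered
                    visit(d)
            visiting.discard(c)
            done.add(c)
            order.append(c)

        for c in sorted(subs):
            visit(c)
        return order

    def publish(self, event, payload):
        """Dispatch `event` to every subscribed handler, dependencies first."""
        handlers = self.subscribers[event]
        return [handlers[c](payload) for c in self.handler_order(event)]


# Dependency edges of the GCS example on the slides (c1 -> set of c2)
GCS_DEPENDENCIES = {
    "TotalOrder": {"ReliableMulticast", "GroupMembership"},
    "GroupMembership": {"ReliableMulticast", "Gossip", "Heartbeat"},
}


def demo_failure_detect_order():
    """Assumption: Total Order and Reliable Multicast also subscribe to
    Failure_Detect here so the ordering is visible; the slides only say
    Group Membership does.  Each handler just returns its component name."""
    em = EventManager(GCS_DEPENDENCIES)
    for c in ("TotalOrder", "GroupMembership", "ReliableMulticast"):
        em.subscribe("Failure_Detect", c, lambda event, c=c: c)
    return em.publish("Failure_Detect", {"member": "r3"})
```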

Page 14: CoBFIT GCS Service Components

Page 15: Constructor

- Is responsible for reconfiguring the CoBFIT system
- Creates all CoBFIT components
- Hands over the dependency graph to the Event Manager

Page 16: Constructor (cont.)

- All CoBFIT components implement a uniform component management interface
  - Has operation interfaces to (re)initialize, shut down, suspend/resume, and execute a component
- Maintains a component repository
- Implements rules to choose among multiple scripts, each specifying a different adaptation strategy (e.g., which of the available service components to link/unlink)

Page 17: Failure Detection

- Is the hub of communication for intrusion detection
- Identifies compromised subsystems so as to repair, replace, or remove them
- Enforces a clean separation between failure detection and failure response mechanisms
- Serves as the central sink for intrusion detections from internal (service-component-specific) and external (third-party IDS) sources

Page 18: Failure Detection (cont.)

- Processes the reports and implements policies to determine which reports should actually lead to system adaptation
- Generates a Failure_Detect event to which interested components can subscribe
- Allows service components to be more independent of the specific failure detection tools

Page 19: Replication Manager

- Redundancy by replication: an important design primitive used in many fault- and intrusion-tolerant systems
- Manages a replicated application
  - Each replica is a CoBFIT system
  - Each replica has a Replication Manager

Page 20: Replication Manager (cont.)

- Replication Manager components at the various replicas:
  - Communicate with each other to reconfigure a replicated application
  - Translate high-level dependability requirements specified at run-time into particular replication configurations

Page 21: Consensus

- Consensus is a building block for many distributed services (atomic multicast, membership)
- Provides a consensus primitive that can be used for constructing such services

Page 22: Cryptography

- Provides a uniform way to access multiple third-party cryptographic libraries
- Defines interfaces for common crypto operations, and adapts the interface of the chosen cryptographic library to the defined interface
- Enhances reusability of service components by making them independent of the particular choice of crypto library

Page 23: Network

- Messages are special types of events used by a CoBFIT system to communicate with other CoBFIT systems or the outside world
- A service component sends and receives messages through the Network component
- Provides portable, object-oriented wrappers around platform-specific low-level network functions and data
- Provides a uniform networking interface independent of the particular platform or underlying transport mechanism

Page 24: Secure Data Manager

- Provides "safe" classes (wrappers around unsafe C/C++ standard library functions)
- Classes for marshalling/de-marshalling, buffering, fragmenting, and reassembling messages in an efficient manner without making "deep" copies
- Service component developers would use these classes instead of the ones provided by the standard library


Page 26: CoBFIT GCS Service Components

Page 27: CoBFIT GCS Service Components: Group Membership

- Implements an intrusion-tolerant group membership protocol
- Is useful for removing faulty members from the group and adding new members to the group
- Maintains consistent group membership information across all correct group members
- Subscribes to the Failure_Detect event generated by Failure Detection (a CoBFIT framework component)
- Removes from the group those members for which the Failure_Detect event has been generated

Page 28: CoBFIT GCS Service Components: Reliable Multicast

- All correct members deliver the same set of multicast messages
- The contents of a multicast message as delivered to all correct processes are the same
- Prevents situations in which a malicious group member sends one payload to some group members and another payload to other group members for the same multicast message

Page 29: CoBFIT GCS Service Components: Total Order

- Ensures that if two correct group members deliver two application-level multicast messages m1 and m2, then both members deliver the messages in the same order
- Is crucial in state-machine-replicated applications so that group members (replicas) reach the same state after executing an operation requested by a multicast message
- The protocol partitions the set of all possible multicast sequence numbers among the group members and assigns one partition to each group member
- Each replica generates messages with increasing sequence numbers from its assigned partition, without any gaps
- Messages are delivered in sequence-number order
- The protocol proceeds in global rounds, in which each group member sends exactly one message per round (using a sequence number from its assigned partition)
- If there is no application-level message to be sent in a round, a correct group member is required to send a null message with the correct sequence number
- A member that stalls the protocol by refusing to send messages in a round will be suspected and reported to the Failure Detection component; if more than two-thirds of the group members suspect a group member, then that member will eventually be removed from the group
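
An added example (not CoBFIT's own code) simulating one correct member's view of the total order protocol above: sequence numbers are partitioned among members, a message is accepted only if its number lies in the sender's partition, delivery is strictly in sequence-number order, and a member that sends nothing (not even a null message) in a round becomes a suspect. The partition rule (member at index i owns i, i+n, i+2n, ...), the message shape and the constructed round are assumptions.

```python
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Msg:
    sender: int
    seq: int
    payload: Optional[str]      # None marks the null message of an idle round


class TotalOrder:
    """Partitioned-sequence-number total order, as seen by one correct member."""

    def __init__(self, members):
        self.members = sorted(members)   # assumed: stable member ids, e.g. 0..n-1
        self.n = len(self.members)
        self.next_seq = 0                # next sequence number to deliver
        self.pending = {}                # seq -> Msg received but not yet delivered
        self.delivered = []              # (seq, payload) of application messages

    def seq_for(self, member, rnd):
        # assumed partition rule: member at index i owns {i, i+n, i+2n, ...}
        # and consumes exactly one of those numbers per global round, no gaps
        return self.members.index(member) + rnd * self.n

    def owns(self, member, seq):
        return seq % self.n == self.members.index(member)

    def receive(self, msg):
        """Accept a message only if its seq lies in the sender's own partition."""
        if msg.sender not in self.members or not self.owns(msg.sender, msg.seq):
            return False                 # seq outside the sender's partition: drop it
        self.pending[msg.seq] = msg
        return True

    def end_round(self, sent_by):
        """Close a global round: deliver what is contiguous, report who stalled."""
        suspects = [m for m in self.members if m not in sent_by]
        while self.next_seq in self.pending:
            msg = self.pending.pop(self.next_seq)
            if msg.payload is not None:  # null messages fill their slot, nothing delivered
                self.delivered.append((msg.seq, msg.payload))
            self.next_seq += 1
        return suspects


def demo_round():
    """Constructed round 0 of a 4-member group: members 0 and 3 send application
    messages, member 1 sends a null message, and member 2 stalls (sends nothing)."""
    to = TotalOrder([0, 1, 2, 3])
    sent = set()
    for m, payload in ((0, "op-A"), (1, None), (3, "op-B")):
        to.receive(Msg(m, to.seq_for(m, 0), payload))
        sent.add(m)
    suspects = to.end_round(sent)
    # op-B (seq 3) stays pending behind member 2's unused slot (seq 2)
    return to.delivered, suspects, to.next_seq
```

The stalled slot blocks every correct member behind it, which is why the slide ties the stall to Failure Detection: progress resumes only when member 2 sends or is removed from the group.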

Page 30: CoBFIT GCS Service Components: Gossip

- Discovers new processes wanting to join the group
- If a new process has proper credentials, it is allowed to join the group
- The group membership protocol updates the group membership information at all correct group members consistently to reflect the addition of the new process to the group

Page 31: CoBFIT GCS Service Components: Heartbeat

- If the heartbeat from a process does not arrive in time, the process is suspected
- If more than two-thirds of the group members suspect a member of having crashed, then that member is removed from the group

Page 32: CoBFIT GCS Service Components

Page 33: CoBFIT GCS Service Components (cont.)

- Group membership and total order protocol messages need to be consistently delivered (with the same contents) at all correct group members
- Group membership needs Gossip to discover new processes, and Heartbeat to detect crashed group members
- The total order protocol needs the group membership protocol to remove group members that stall the protocol


Page 35: Support Provided by the CoBFIT Framework

- All service components in the CoBFIT GCS rely on:
  - The Cryptography component for digitally signing/verifying messages
  - The Secure Data Manager component for various message marshalling/de-marshalling operations
  - The Network component to communicate with peer service components on remote CoBFIT systems (replicas) belonging to the same group
  - The Event Manager component for communication with other service components within the same CoBFIT system (replica)

Page 36: Support Provided by the CoBFIT Framework (cont.)

- The Group Membership component depends on the Failure Detection component to receive the Failure_Detect event, based on which it removes faulty members from the group
- Service components generate a Suspect_Report event to identify a suspect group member; it is handled by the Failure Detection component
- The Failure Detection components at the various group members exchange Suspect_Report events with each other
- When a Failure Detection component receives Suspect_Report events for a particular group member from the peer components at more than two-thirds of the group members, it generates a Failure_Detect event
- The Failure_Detect event is handled locally by the Group Membership component to ensure that the "convicted" group member is removed from the group membership
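
An added example (not CoBFIT's own code) of the Suspect_Report to Failure_Detect policy on this slide, which is also the "more than two-thirds" rule the Total Order and Heartbeat slides rely on. Reports are counted once per distinct reporting member, a member cannot convict itself, and the threshold is strictly more than two-thirds of the current group; the event names are the slide's, while the data shapes and the local publish callback standing in for the Event Manager are assumptions.

```python
from collections import defaultdict


class FailureDetection:
    """Sink for Suspect_Report events; emits Failure_Detect once a quorum agrees."""

    def __init__(self, group, publish):
        self.group = set(group)                 # current group membership
        self.publish = publish                  # stand-in for the Event Manager
        self.reports = defaultdict(set)          # suspect -> {distinct reporters}
        self.convicted = set()

    def quorum(self):
        # strictly more than two-thirds of the current group, in whole members
        return (2 * len(self.group)) // 3 + 1

    def on_suspect_report(self, reporter, suspect):
        """Handle one Suspect_Report from a local or remote peer.
        Returns True only on the report that triggers Failure_Detect."""
        if reporter not in self.group or suspect not in self.group:
            return False                        # reports from/about non-members are ignored
        if reporter == suspect or suspect in self.convicted:
            return False                        # no self-conviction, no double conviction
        self.reports[suspect].add(reporter)      # repeats from one peer count once
        if len(self.reports[suspect]) >= self.quorum():
            self.convicted.add(suspect)
            self.publish("Failure_Detect", {"member": suspect})
            return True
        return False


def run_scenario():
    """Constructed scenario: a 7-member group in which r6 is suspected by a
    growing number of peers.  Returns the events seen before and after the
    report that crosses the threshold (5 of 7 is the first count above 2/3)."""
    events = []
    fd = FailureDetection(["r0", "r1", "r2", "r3", "r4", "r5", "r6"],
                          lambda name, data: events.append((name, data)))
    fd.on_suspect_report("r6", "r6")             # self-report: ignored
    fd.on_suspect_report("r1", "r6")
    fd.on_suspect_report("r1", "r6")             # duplicate from r1: still one vote
    for r in ("r0", "r2", "r3"):                 # four distinct reporters so far
        fd.on_suspect_report(r, "r6")
    before = list(events)
    fd.on_suspect_report("r4", "r6")             # fifth distinct reporter: 5 > 2/3 * 7
    return before, events
```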


Page 38: Summary and Future Work: Summary

- A framework that provides specialized support for intrusion-tolerant services, facilitating their development and run-time adaptation
- Incorporates characteristics that are essential for survivability in the face of attacks
- Demonstrated how it can serve as a convenient platform for building an IT group communication system

Page 39: Summary and Future Work: Future Work

- Investigate decision procedures that strike a balance between automated reconfiguration and unnecessary reconfiguration (Constructor)
- Provide a comprehensive library of safe classes (Secure Data Manager)
- Interface with multiple third-party IDSs; new policies for analyzing intrusion reports that reduce reconfiguration resulting from false positives (Failure Detection)
- Translate high-level dependability requirements into replication configurations tolerating different types of faults (Replication Manager)
- Make a widely used application IT-enabled using the CoBFIT GCS
- Explore additional supporting software mechanisms for IT that can be added as framework components in the CoBFIT framework