Survival by Defense-Enabling. Partha Pal, Franklin Webber, Richard Schantz, BBN Technologies LLC. Proceedings of the Foundations of Intrusion Tolerant Systems (2003). Presented by J.H. Su.

Page 1: Survival by Defense-Enabling

Survival by Defense-Enabling

Partha Pal, Franklin Webber, Richard Schantz

BBN Technologies LLC

Proceedings of the Foundations of Intrusion Tolerant Systems (2003)

Presented by J.H. Su

Page 2: Survival by Defense-Enabling

Authors(1/3)

Partha Pal: a Division Scientist at BBN Technologies. His research interest is in the area of survivable distributed systems.

Page 3: Survival by Defense-Enabling

Authors(2/3)

Franklin Webber: a software engineer who has primarily been supporting BBN Technologies in DARPA-sponsored research on strengthening the resistance of computer systems to malicious attack.

Page 4: Survival by Defense-Enabling

Authors(3/3)

Richard Schantz: works in the Intelligent Distributed Computing Department at BBN.

Page 5: Survival by Defense-Enabling

Outline

Introduction
“Survival by Defense” of Critical Applications
Acquisition of Privilege
Control of Resources
Use of Defensive Adaptation in the Application’s Survival
Issues and Limitations
Related Work
Conclusion

Page 6: Survival by Defense-Enabling

Introduction(1/4)

Attack survival: the ability to provide some level of service despite an ongoing attack, by tolerating its impact.

Page 7: Survival by Defense-Enabling

Introduction(2/4)

Attack prevention: led to the development of what is known as a trusted computing base (TCB).

Attack detection and situational awareness: led to the development of various intrusion detection systems (IDS).

Page 8: Survival by Defense-Enabling

Introduction(3/4)

Drawbacks: in fact, many of the world’s computer systems today run operating systems and networking software that are far from the TCB ideal.

IDSs mostly work off-line, without any direct runtime interaction or coordination with the applications (and with other IDSs) that they aim to protect.

Page 9: Survival by Defense-Enabling

Introduction(4/4)

Survival by protection: seeks to prevent the attacker from gaining privileges.

Survival by defense: includes protection, but also seeks to frustrate an attacker in case protection fails and the attacker gains some privileges anyway.

Page 10: Survival by Defense-Enabling

“Survival by Defense” of Critical Application(1/5)

Focus: the specific needs of a specific type of application.

What is a critical application? These applications are critical in the sense that the functions they implement are the main purpose of the computer system on which they run.

Page 11: Survival by Defense-Enabling

“Survival by Defense” of Critical Application(2/5)

Assumption: we can modify or extend the design and implementation of the critical applications.

Page 12: Survival by Defense-Enabling

“Survival by Defense” of Critical Application(3/5)

Corruption: an application that does not function correctly.

Reasons an application becomes corrupt: by accident, such as a hardware failure, or because of malice; flaws in its environment or in its own implementation cause it to misbehave.

Page 13: Survival by Defense-Enabling

“Survival by Defense” of Critical Application(5/5)

The goal: the attacker’s acquisition of privileges must be slowed down, and the defense must respond and adapt to the privileged attacker’s abuse of resources.

Page 14: Survival by Defense-Enabling

Acquisition of Privilege(1/4)

Divide the system into several security domains, each with its own set of privileges. The domains are chosen and configured to make best use of the existing protection in the environment to limit the spread of privilege.

The domains must not overlap. Each security domain may offer many different kinds of privilege.

The domains are chosen so that the attacker cannot accumulate privileges in several of them concurrently, but must acquire them one domain at a time.

Page 15: Survival by Defense-Enabling

Acquisition of Privilege(2/4)

Kinds of privilege:
anonymous user privilege
domain user privilege
domain administrator privilege
application-level privilege

Page 16: Survival by Defense-Enabling

Acquisition of Privilege(3/4)

Three ways for an attacker to gain new privileges:
Case 1: convert domain user or anonymous user privilege into domain administrator privilege.
Case 2: convert domain administrator privilege in one domain into domain administrator privilege in another.
Case 3: convert domain administrator privilege into application-level privilege.

Page 17: Survival by Defense-Enabling

Acquisition of Privilege(4/4)

Solution for Case 1: careful configuration of hosts and firewalls.

Solution for Case 2: proper host configuration and administration, and a heterogeneous environment with various types of hardware and operating systems, so that one exploit does not carry from domain to domain.

Solution for Case 3: use cryptographic techniques, so that domain administrator privilege on a host is not by itself enough to act with application-level privilege.
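As an added illustration (not code from the paper or the APOD project) of the placement rule on the two slides above: a check that no single step available to the attacker, whether becoming administrator of one domain or reusing one platform exploit across domains (Case 2), corrupts more replicas than the replica group can tolerate. The deployment, the domain-to-platform mapping and the tolerance f are constructed for the example.

```python
from collections import Counter

# Constructed deployment (not from the paper): each replica of the critical
# application lives in one security domain, and each domain runs one platform.
# Assumptions: one exploit works against every domain sharing a platform, and
# administrator privilege in a domain yields every replica inside it.
REPLICAS = {
    "rep-1": "dom-A",
    "rep-2": "dom-B",
    "rep-3": "dom-C",
    "rep-4": "dom-D",
}
DOMAIN_PLATFORM = {
    "dom-A": "linux-x86",
    "dom-B": "solaris-sparc",
    "dom-C": "linux-x86",
    "dom-D": "windows-x86",
}

def replicas_lost_per_domain(replicas):
    """Replicas an attacker gains by becoming administrator of one domain."""
    return Counter(replicas.values())

def replicas_lost_per_platform(replicas, platforms):
    """Replicas an attacker gains with one exploit that works on one platform
    (Case 2: the same exploit carried from domain to domain)."""
    return Counter(platforms[domain] for domain in replicas.values())

def check_placement(replicas, platforms, f):
    """Return the violations: any single attacker step (one domain admin or one
    platform exploit) that corrupts more than f replicas. The coordinated
    replica group is assumed to tolerate at most f corrupt members."""
    problems = []
    for domain, n in replicas_lost_per_domain(replicas).items():
        if n > f:
            problems.append(f"domain {domain} holds {n} replicas (> f={f})")
    for platform, n in replicas_lost_per_platform(replicas, platforms).items():
        if n > f:
            problems.append(f"platform {platform} hosts {n} replicas (> f={f})")
    return problems

if __name__ == "__main__":
    # Domains do not overlap, but two of them share a platform: with f=1 one
    # Linux exploit is enough to corrupt two replicas.
    for problem in check_placement(REPLICAS, DOMAIN_PLATFORM, f=1):
        print("violation:", problem)
```

The check is deliberately pessimistic: it counts what one step yields, not what a chain of steps yields, because the slides' argument is that each further domain costs the attacker another sequential step.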

Page 18: Survival by Defense-Enabling

Control of Resource(1/3)

The attacker and the critical application compete over system resources. The defense controls resources through:
use of redundancy
monitoring
adaptation

Page 19: Survival by Defense-Enabling

Control of Resource(2/3)

Use of redundancy: replicate every essential part of the application and place the replicas in different domains. The replicas must be coordinated to ensure that, as a group, they will not be corrupted when the attacker succeeds in corrupting some of them.
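An added example, not from the paper, of the coordination this slide calls for, which also serves the Case 3 point about cryptographic techniques: each replica authenticates its answer with a key held only in its own domain, and the group's answer is the one that at least 2f+1 distinct, correctly authenticated replicas agree on. An attacker who becomes administrator of f domains learns f keys, can cast f votes, and can forge nothing under the honest replicas' names. Keys, replica names, the request identifier and the threshold are constructed; HMAC stands in for a per-replica signature so the code needs only the standard library.

```python
import hashlib
import hmac
import secrets

# Constructed keys (not from the paper): one secret per replica, held only in
# that replica's security domain. HMAC stands in for a per-replica signature;
# with real signatures the combiner would hold only the public keys.
REPLICA_KEYS = {name: secrets.token_bytes(32) for name in ("r1", "r2", "r3", "r4")}

def tag(key, replica, request_id, result):
    """Authentication tag binding a replica's name, the request and its answer."""
    msg = f"{replica}|{request_id}|{result}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()

def respond(replica, key, request_id, result):
    """One replica's reply: who it claims to be, its answer and its tag."""
    return (replica, result, tag(key, replica, request_id, result))

def combine(responses, keys, request_id, f):
    """Coordinate the replica group: accept an answer only when at least 2f+1
    distinct replicas with valid tags agree on it, so at most f corrupt
    replicas can neither impose their answer nor impersonate honest ones.
    Returns (result, voters); raises RuntimeError when no answer has a quorum."""
    votes = {}
    for replica, result, t in responses:
        key = keys.get(replica)
        if key is None:
            continue                                   # unknown replica name
        if not hmac.compare_digest(t, tag(key, replica, request_id, result)):
            continue                                   # forged with the wrong key
        votes.setdefault(result, set()).add(replica)   # a set: replays count once
    for result, voters in votes.items():
        if len(voters) >= 2 * f + 1:
            return result, voters
    raise RuntimeError("no quorum: result withheld rather than risk a corrupt one")

def run_scenario(compromised, f=1, request_id="req-7"):
    """Constructed scenario: honest replicas answer '42'; replicas whose domain
    the attacker administers answer 'EVIL' and also try to vote under the
    honest names with the stolen keys. Returns the group's result or None."""
    responses = []
    stolen = [REPLICA_KEYS[name] for name in compromised]
    for name, key in REPLICA_KEYS.items():
        if name in compromised:
            responses.append(respond(name, key, request_id, "EVIL"))
        else:
            responses.append(respond(name, key, request_id, "42"))
            for k in stolen:                           # forgery attempts
                responses.append(respond(name, k, request_id, "EVIL"))
    try:
        return combine(responses, REPLICA_KEYS, request_id, f)[0]
    except RuntimeError:
        return None

if __name__ == "__main__":
    print(run_scenario(set()))             # 42: all four replicas agree
    print(run_scenario({"r4"}))            # 42: one corrupt domain is outvoted
    print(run_scenario({"r3", "r4"}))      # None: f exceeded, group withholds
```

Two behaviours are worth noting. When the attacker holds more than f domains the group withholds its answer rather than returning a wrong one, which is the failure mode the slide is after; and when the attacker holds 2f+1 domains the scheme is beaten outright, which is why the placement rule on the earlier slides matters.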

Page 20: Survival by Defense-Enabling

Control of Resource(3/3)

Monitoring: QoS monitoring, and self-checking of whether the application continues to satisfy invariants specified by its developers.

Page 21: Survival by Defense-Enabling

Use of Defensive Adaptation in Application’s Survival(1/4)

A classification of defensive adaptations:
Dimension 1: the level of system architecture at which these adaptations work.
Dimension 2: how aggressively the attack can be countered.

Page 22: Survival by Defense-Enabling

Use of Defensive Adaptation in Application’s Survival(2/4)

Level                 | Defeat attack          | Work around attack                | Guard against future attack
Application level     | Retry failed request   | Redirect request; degrade service | Increase self-checking
QoS management level  | Reserve CPU, bandwidth | Migrate replicas                  | Tighten cryptographic, access control
Infrastructure level  | Block IP sources       | Change ports, protocols           | Configure IDSs

Page 23: Survival by Defense-Enabling

Use of Defensive Adaptation in Application’s Survival(3/4)

The importance of the capability to change between the various modes, and the trade-offs that come with each change.

Defensive adaptation is mostly reactive, but it could also be pro-active.

Page 24: Survival by Defense-Enabling

Use of Defensive Adaptation in Application’s Survival(4/4)

Make these adaptive responses unpredictable: some uncertainty needs to be injected.

Separate the design of the functional (or business) aspects of the application from the design of defensive adaptation. Put the latter into middleware, so that it is reusable for many different applications.
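An added example (not the paper's or APOD's middleware) of the points on the last four slides taken together: monitoring of a QoS bound and a developer-specified invariant, application-level adaptation (retry, redirect, degrade service), uncertainty injected into the choice of response so the attacker cannot predict it, and all of it kept out of the business logic. The replicas, the invariant, the latency bound and the fallback are constructed for the example.

```python
import random
import time

class DefenseMiddleware:
    """Fronts a critical application's request path. The business logic is the
    replica callables; monitoring (QoS bound, developer invariant) and the
    adaptive responses live here, so the same class can wrap any application
    that supplies an invariant and a degraded-service fallback."""

    def __init__(self, replicas, invariant, latency_bound, fallback,
                 max_strikes=2, rng=None):
        self.replicas = dict(replicas)        # name -> callable(request)
        self.invariant = invariant            # self-check: (request, result) -> bool
        self.latency_bound = latency_bound    # QoS bound, seconds per call
        self.fallback = fallback              # degraded answer when all else fails
        self.max_strikes = max_strikes        # violations before a replica is dropped
        self.strikes = {name: 0 for name in self.replicas}
        self.rng = rng or random.SystemRandom()   # injected uncertainty
        self.log = []                         # adaptation trail for operators

    def healthy(self):
        return [n for n, s in self.strikes.items() if s < self.max_strikes]

    def _probe(self, name, request):
        """Run one replica under monitoring; True when it met QoS and invariant."""
        start = time.perf_counter()
        try:
            result = self.replicas[name](request)
        except Exception as exc:              # a crash counts as a violation
            self.log.append(f"{name}: crashed ({exc!r})")
            return False, None
        elapsed = time.perf_counter() - start
        if elapsed > self.latency_bound:
            self.log.append(f"{name}: QoS violation ({elapsed * 1000:.1f} ms)")
            return False, result
        if not self.invariant(request, result):
            self.log.append(f"{name}: invariant violation on {result!r}")
            return False, result
        return True, result

    def call(self, request, budget=6):
        """Serve one request, adapting after each violation: retry the same
        replica or redirect to another (chosen at random, so the response to
        a given attack is not predictable), and degrade service once the
        budget or the healthy replicas run out."""
        healthy = self.healthy()
        if not healthy:
            self.log.append("adapt: degrade service")
            return self.fallback(request)
        name = self.rng.choice(healthy)
        for _ in range(budget):
            ok, result = self._probe(name, request)
            if ok:
                return result
            self.strikes[name] += 1
            healthy = self.healthy()
            if not healthy:
                break
            options = []
            if name in healthy:
                options.append("retry")
            others = [n for n in healthy if n != name]
            if others:
                options.append("redirect")
            action = self.rng.choice(options)
            self.log.append(f"adapt: {action} after {name}")
            if action == "redirect":
                name = self.rng.choice(others)
        self.log.append("adapt: degrade service")
        return self.fallback(request)

# Constructed replicas (not from the paper): the application squares a number.
def honest(n):
    return n * n

def slow(n):                                  # starved of CPU by the attacker
    time.sleep(0.05)
    return n * n

def corrupt(n):                               # taken over, returns a wrong answer
    return n * n + 1

# A developer invariant that is cheaper than recomputing the answer: the
# square of n is divisible by n. It rejects n*n+1 for every n > 1.
def square_invariant(n, result):
    return isinstance(result, int) and result >= 0 and (result % n == 0 if n else result == 0)

def build(replicas, rng=None):
    return DefenseMiddleware(replicas, square_invariant, latency_bound=0.02,
                             fallback=lambda n: "degraded", rng=rng)

if __name__ == "__main__":
    mw = build({"r1": honest, "r2": slow, "r3": corrupt})
    print(mw.call(7))                         # 49, reached through adaptations
    print("\n".join(mw.log))
```

With max_strikes=2 and a budget of 6 probes, the worst-case path (both bad replicas tried twice each) still reaches the honest replica on the fifth probe, so the answer is 49 whatever the random choices were; only the trail in mw.log differs from run to run, which is the point of the injected uncertainty. With no honest replica at all the middleware drops both after two strikes each and returns the degraded answer instead of a corrupt one.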

Page 25: Survival by Defense-Enabling

Issues and Limitations

The reliance on cryptosystems.

It is not simple to combine multiple mechanisms in a defense strategy: selecting the appropriate mechanisms and analysing and resolving potential conflicts between them have to be done manually by an expert.

The approach relies on the fact that attacks proceed sequentially.

Page 26: Survival by Defense-Enabling

Related Work

MAFTIA: an ESPRIT project developing an open architecture for transactional operations on the Internet.

The “Survivability Architectures” project: aims to separate survivability requirements from an application’s functional requirements.

The “An Aspect-Oriented Security Assurance Solution” project: implements security-related code transformations on an application program.

Page 27: Survival by Defense-Enabling

Conclusion

We are implementing technology for defense enabling under the DARPA project titled “Applications that Participate in their Own Defense” (APOD).

Defense enabling can increase an application’s resistance to malicious attack.

Greater survivability for the application on its own, and an increased chance for system administrators to detect and thwart the attack before it succeeds.

Page 28: Survival by Defense-Enabling

Thanks for listening