Embed Size (px)
Citation preview
The Starfish System:Intrusion Detection and Intrusion
Tolerance for Middleware Systems
Kim Potter KihlstromWestmont College
Santa Barbara, CA, USA
Priya NarasimhanCarnegie Mellon University
Pittsburgh, PA, USA
The Starfish System
Kihlstrom and Narasimhan
Motivation
Previous workSecureRing [ACM TISSEC 2001]Eternal [TAPOS 1998]Immune [ICDCS 1999]Byzantine fault detectors [Computer Journal 2003]
Insights and lessons learnedCost of survivabilityReplication of objectsInput and output majority votingGuarantees of underlying multicast protocolDetection and removal of faulty processors/replicas
The Starfish System
Kihlstrom and Narasimhan
Immune: Looking Back
Interception
Replication
Majority voting
Secure multicast protocols
The Starfish System
Kihlstrom and Narasimhan
Immune: Looking Ahead
Issues left openScalability
Increasing number of objectsIncreasing number of processorsLocal area to wide areaBandwidth
Survivability of Immune itselfVotingOther middleware systems besides CORBA
Led to development of Starfish
The Starfish System
Kihlstrom and Narasimhan
Starfish Goals
Intrusion detection and intrusion tolerance for middleware applications
Not specific to any middleware system
Infrastructural support for majority voting
End-to-end intrusion detection
Applicable to local and wide area systems
Currently under development
The Starfish System
Kihlstrom and Narasimhan
Starfish Organization
The Starfish System
Kihlstrom and Narasimhan
Starfish Philosophy
Central coreHighly secure
Tightly coupled
ArmsLess tightly coupled
Less stringent security guarantees
Can be removed in event of security compromise
New arms can be grown
The Starfish System
Kihlstrom and Narasimhan
Starfish Structure
The Starfish System
Kihlstrom and Narasimhan
System Model
AssumptionsDistributed object system
Asynchronous
Determinism
FaultsCommunication
Processor
Object
The Starfish System
Kihlstrom and Narasimhan
Support for Voting
Objects are replicated
Replica consistency in event of malicious processor and object replica faults
Object group abstraction
The Starfish System
Kihlstrom and Narasimhan
Support for Voting
Voting in a dynamic environment
Knowledge of how many votes constitute a majority
Voter must know the number of replicas in the originating object group
Hierarchical membership structureObject groups and voting groups
The Starfish System
Kihlstrom and Narasimhan
Support for Voting
The Starfish System
Kihlstrom and Narasimhan
End-to-End Intrusion Detection
Removal of faulty replica from object group and all voting groups
To remove a faulty replica, all replicas in object group must receive evidence of value fault
Special Value_Fault_Vote message
Value fault detector
The Starfish System
Kihlstrom and Narasimhan
End-to-End Intrusion Detection
The Starfish System
Kihlstrom and Narasimhan
End-to-End Intrusion Detection
The Starfish System
Kihlstrom and Narasimhan
End-to-End Intrusion Detection
The Starfish System
Kihlstrom and Narasimhan
End-to-End Intrusion Detection
The Starfish System
Kihlstrom and Narasimhan
End-to-End Intrusion Detection
The Starfish System
Kihlstrom and Narasimhan
End-to-End Intrusion Detection
Removal of processor hosting faulty replica from system
Byzantine fault detector
To remove the processor, all processors must vote locally on the same set of votes
Special base group
Problem with cascading: fault must be handled first at the object level
The Starfish System
Kihlstrom and Narasimhan
Survivability in StarfishClassification Fault Mechanism
Communication
Message loss
Reliable delivery mechanisms
Message retransmission
Message corruption
Message digest
Message retransmission
Processor
Processor crash
Processor, object, and voting group membership
Failure to receive
Processor, object, and voting group membership
Malicious processor
Byzantine fault detector
Object
Replica crash
Object and voting group membership
Send omission
Majority voting on invocations and responses
Value fault Value fault detector
The Starfish System
Kihlstrom and Narasimhan
Conclusions
Development underway
Prior experience in building systemsSecureRing
Eternal
Immune
Take insights and lessons in building next generation survivable object system: Starfish
The Starfish System
Kihlstrom and Narasimhan
Starfish
Intrusion detection and intrusion tolerance for middleware applications
Not specific to any middleware system
Infrastructural support for majority voting
End-to-end intrusion detection
Applicable to local and wide area systems
The Starfish System
Kihlstrom and Narasimhan
Questions and Feedback
Kim Potter [email protected]
http://homepage.westmont.edu/~kimkihls/
Priya [email protected]
http://www.cs.cmu.edu/~priya/
