1 INTRUSION TOLERANT SYSTEMS WORKSHOP Phoenix, AZ 4 August 1999 Jaynarayan H. Lala ITS Program...


INTRUSION TOLERANT SYSTEMS WORKSHOP

Phoenix, AZ
4 August 1999

Jaynarayan H. Lala
ITS Program Manager

TOPICS

- A Dependability Framework for ITS
- Sharing of Documents & Results
- Program Review Meetings
- Reporting
- Experimentation
- Coordination with other IA&S Programs
- Other issues

A DEPENDABILITY FRAMEWORK FOR ITS

Goal: Establish a multi-dimensional, hierarchical framework for Intrusion Tolerant Systems program

Approach:
- Put forward a strawman
- Solicit your inputs

WHY DO WE NEED A FRAMEWORK?

- To provide a system view of intrusion tolerance.
- To show inter-relationships between various techniques and tools.
- To provide a context for evaluating applicability & effectiveness of each technique and tool.
- To partition ITS into its various components and assign roles & responsibilities to those components.
- To design & implement ITS components.

PITAC RECOMMENDATIONS

President’s Information Technology Advisory Committee (PITAC) recommended recently (Aug. ‘98) that Federal govt. should

- “… foster projects of broader scope and longer duration.”
- “Increase the emphasis on projects involving multiple investigators over several years.”

Each PI must look beyond his/her own research to see how it fits in the big picture, relates to other PIs’ work, and advances the strategic vision.

ITS DEPENDABILITY FRAMEWORK

- Dependability Background
- A Strawman ITS Framework

DEPENDABILITY*: AN OVERARCHING CONCEPT

Dependability is defined as the trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers.

*J.C. Laprie (ed.), Dependability: Basic Concepts and Terminology, Springer-Verlag, 1992.

DEPENDABILITY PROPERTIES

- Availability is the readiness for usage.
- Reliability is the continuity of service.
- Maintainability is the ease of performing maintenance actions.
- Safety is the avoidance of catastrophic consequences on the environment.
- Security is the prevention of unauthorized access (Confidentiality) and/or handling of information (Integrity).

IMPAIRMENTS TO DEPENDABILITY

Faults, errors and failures may affect dependability properties.

Faults can be categorized by
- Nature
  - Accidental or Intentional
- Origin
  - Physical or Human made
  - Internal or External
  - Design or Operational
- Persistence
  - Temporary or Permanent

FAULT CLASSIFICATION

[Table: fault classes marked with an X against each classification axis; the individual cell marks are not recoverable.]
- Nature: Accidental Faults, Intentional Faults
- Origin
  - Phenomenological Cause: Physical Faults, Human-made Faults
  - System Boundaries: Internal Faults, External Faults
  - Phase of Creation: Design Faults, Operational Faults
- Persistence: Permanent Faults, Temporary Faults
- Usual Labelling: Physical Faults, Transient Faults, Intermittent Faults, Design Faults, Interaction Faults, Malicious Logic, Intrusions

FAILURE CLASSIFICATION

- Consequence Viewpoint
  - Benign vs. Catastrophic
  - Fail-Safe vs. Critical
- Domain Viewpoint
  - Timing
  - Value
  - Both
- Perception Viewpoint
  - Consistent
  - Byzantine

MEANS FOR DEPENDABILITY

Methods and techniques that provide the ability to deliver a service on which reliance can be placed.

- Fault/Attack Prevention
- Fault Removal
  - Verification, Diagnosis, Correction
- Fault/Attack Tolerance
  - Error Processing, Fault Treatment
- Fault/Attack Forecasting
  - System Evaluation wrt Fault/Attack Occurrence

A STRAWMAN ITS FRAMEWORK

POTENTIAL DIMENSIONS OF ITS FRAMEWORK (1 of 4)

- Dependability Property
  - Confidentiality
  - Integrity
  - Availability
  - Other dependability properties
- Attack Classification
  - Malicious Logic
  - Intrusions
- Fault/Attack Persistence
  - Temporary
  - Permanent

POTENTIAL DIMENSIONS OF ITS FRAMEWORK (2 of 4)

- Means for Dependability
  - Avoidance (Prevention, Removal)
  - Detection
  - Isolation/Identification
  - Response (Recovery, Reconfiguration, Graceful Degradation)
  - System Evaluation/Validation
- Attack Severity
  - Ankle Biters, Single Target, Benign
  - Terrorist, Multiple Targets, Destructive
  - Rate of Attack

POTENTIAL DIMENSIONS OF ITS FRAMEWORK (3 of 4)

- Avoidance & Detection Techniques
  - Formal Methods
  - Execution Monitors
  - Others
- Tolerance Techniques
  - Data Redundancy
  - Programs Redundancy
  - Hardware Redundancy
  - Communication Codes Redundancy
  - Information (Analytic)/Design Redundancy
  - Temporal Redundancy

POTENTIAL DIMENSIONS OF ITS FRAMEWORK (4 of 4)

- Maturity for Fielding
  - Concept Exploration
  - Design/Implementation
  - Demonstration
  - Validation