Defense Enabling Using Advanced Middleware: An Example
MILCOM 2001 October 30 -- page 1
Franklin Webber, Partha Pal, Richard Schantz, Michael Atighetchi, Joseph Loyall
BBN Technologies
Defense-Enabled Software Applications
Some software applications can be given increased resistance to malicious attack even though the environment in which they run is untrustworthy.
Any such application is “defense-enabled”.
Research On Defense Enabling
Sponsored by DARPA/ATO
Part of Fault-Tolerant Networking Program
A Distributed Military Application
A Cyber-Attack
An Abstract View
[Figure labels: Attacker; Data Source; Data Processing (Fusion, Analysis, Storage, Forwarding, etc.); Data User]
Traditional Security
[Figure labels: Attacker; Application; Private Resources; Limited Sharing; Trusted OSs and Network]
Most OSs and Networks In Common Use Are Untrustworthy
[Figure labels: Attacker; Application; Private Resources; Limited Sharing; OSs and Network]
Cryptographic Techniques Can Block (Most) Direct Access to Application
[Figure labels: Attacker; Application; Private Resources; Limited Sharing; Crypto; OSs and Network]
Firewalls Block Some Attacks; Intrusion Detectors Notice Others
[Figure labels: Attacker; Application; Crypto; OSs and Network; IDSs; Firewalls; Raw Resources (CPU, bandwidth, files...)]
Defense-Enabled Application Competes With Attacker for Control of Resources
[Figure labels: Application; Attacker; QoS Management; Crypto; OSs and Network; IDSs; Firewalls; Raw Resources (CPU, bandwidth, files...)]
QuO Adaptive Middleware Technology
QuO is DARPA Quorum developed middleware that provides:
• interfaces to property managers, each of which monitors and controls an aspect of the Quality of Service (QoS) offered by an application;
• specifications of the application’s normal and alternate operating conditions and how QoS should depend on these conditions.
QuO has integrated managers for several properties:
• dependability (DARPA’s Quorum AQuA project)
• communication bandwidth (DARPA’s Quorum DIRM project)
• real-time processing (using TAO from UC Irvine/WUStL)
• security (using OODTE access control from NAI)
QuO adds specification, measurement, and adaptation into the distributed object model
[Figure, two panels titled "CORBA DOC MODEL" and "QUO/CORBA DOC MODEL". Labels in the CORBA panel: Application Developer; Mechanism Developer; CLIENT; OBJ REF; operation(), in args, out args + return value; IDL STUBS; ORB; IIOP; Network; OBJECT ADAPTER; IDL SKELETON; OBJECT (SERVANT). Additional labels in the QuO/CORBA panel: QuO Developer; Delegate; Contract; SysCond; MECHANISM/PROPERTY MANAGER.]
The QuO Toolkit Supports Building Adaptive Apps or Adding Adaptation to Existing Apps
• QuO aspect languages
  – Contract description language and adaptive behavior description language
  – Code generators that weave QuO code into Java and C++ applications
• System Condition Objects
  – Provide interfaces to resources, managers, and mechanisms
• QuO Runtime Kernel
  – Contract evaluator
  – Factory object which instantiates contract and system condition objects
• Instrumentation library
• QuO gateway
  – Insertion of special purpose transport layers and adaptation below the ORB
[Figure labels, QuO Gateway diagram: QuO Gateway; Client-Side ORB; Server-Side ORB; IIOP; Glue; Control; IIOP Group Replication (AQuA); WAN; Bandwidth Reservation (DIRM); IIOP over TCP/IP (default).]
[Figure labels, QuO toolkit diagram: CORBA IDL; Contract Description Language (CDL); Adaptation Specification Language (ASL); Code Generators; QuO Runtime; Delegates; Contracts; CLIENT; OBJ REF; operation(), in args, out args + return value; IDL STUBS; Delegate; Contract; SysCond; MECHANISM/PROPERTY MANAGER; ORB; IIOP; Network; OBJECT ADAPTER; IDL SKELETON; OBJECT (SERVANT).]
Implementing Defenses in Middleware
• for simplicity:
  – QoS concerns separated from functionality of application.
  – Better software engineering.
• for practicality:
  – Requiring secure, reliable OS and network support is not currently cost-effective.
  – Middleware defenses will augment, not replace, defense mechanisms available in lower system layers.
• for uniformity:
  – Advanced middleware such as QuO provides a systematic way to integrate defense mechanisms.
  – Middleware can hide peculiarities of different platforms.
• for reusability:
  – Middleware can support a wide variety of applications.
Security Domains Limit the Damage From A Single Intrusion
[Figure: network of security domains, each containing hosts and joined by routers; one domain is labelled "hacked domain".]
Replication Management Can Replace Killed Processes
[Figure: the same network of security domains, hosts and routers, with one "hacked domain"; additional labels: application component replicas; QuO replica management.]
Bandwidth Management Can Counter Flooding Between Routers
[Figure: the same network of security domains, hosts and routers, with one "hacked domain"; additional labels: QuO bandwidth management; RSVP reservation.]
Other Defense Mechanisms
• Dynamically change communication ports
• Dynamically change communication protocols
A Defense Strategy Coordinates Defense Mechanisms
For example:
• “if several IDS alarms on host H, tighten firewall on H”
• “if multiple crashes on host H, move application process replicas elsewhere”
Applications we have defense-enabled use a variety of such rules, implemented in QuO.
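The two rules on this slide, sketched as a small event-driven strategy. This is an added example, not QuO code and not code from the authors. The thresholds, the 60-second window, the host and domain names, and the preference for a relocation target outside any suspect host's security domain are assumptions made for illustration.

```python
from collections import defaultdict, deque
# Assumed values: the slides say only "several" alarms and "multiple" crashes.
ALARM_LIMIT, CRASH_LIMIT, WINDOW_S = 3, 2, 60.0

class DefenseStrategy:
    """Maps conditions observed on a host to coordinated defensive actions."""
    def __init__(self, domains):
        self.domains = domains              # host -> security domain
        self.events = defaultdict(deque)    # (host, kind) -> recent timestamps
        self.suspect = set()                # hosts that crashed repeatedly

    def _count(self, host, kind, now):
        q = self.events[(host, kind)]
        q.append(now)
        while now - q[0] > WINDOW_S:        # forget events outside the window
            q.popleft()
        return len(q)

    def _pick_target(self):
        """Prefer a healthy host outside every suspect host's domain (assumption)."""
        bad = {self.domains[h] for h in self.suspect}
        healthy = [h for h in sorted(self.domains) if h not in self.suspect]
        outside = [h for h in healthy if self.domains[h] not in bad]
        return (outside or healthy or [None])[0]

    def observe(self, now, host, kind):
        """Record one event and return the actions the rules trigger."""
        n = self._count(host, kind, now)
        actions = []
        if kind == "ids_alarm" and n >= ALARM_LIMIT:
            actions.append(("tighten_firewall", host))
        if kind == "crash" and n >= CRASH_LIMIT:
            self.suspect.add(host)
            actions.append(("move_replicas", host, self._pick_target()))
        if actions:
            self.events[(host, kind)].clear()   # re-arm the rule after acting
        return actions

# Constructed topology and event stream (not from the slides).
DOMAINS = {"h1": "A", "h2": "A", "h3": "B", "h4": "C"}
EVENTS = [(0, "h1", "ids_alarm"), (5, "h1", "ids_alarm"), (9, "h1", "ids_alarm"),
          (20, "h1", "crash"), (30, "h1", "crash"), (200, "h3", "crash")]

def run(events=EVENTS):
    strategy = DefenseStrategy(DOMAINS)
    return [a for t, h, k in events for a in strategy.observe(t, h, k)]

if __name__ == "__main__":
    print(run())
```

The sliding window keeps isolated alarms or a single crash from triggering a response, so an attacker cannot cheaply provoke the defense into moving replicas or locking down a host.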
Validation
• Effectiveness of individual defense mechanisms has been tested in-house.
• Effectiveness of combined defense strategies will be measured by Red Team experiments.
Conclusion
The technique of defense enabling is likely to increase the survivability of military applications and, because defenses are implemented in middleware, can be applied with relatively little effort.