Randomized Failover Intrusion Tolerant Systems (RFITS)

Ranga Ramanujan

Noel Schmidt

Architecture Technology Corporation

Odyssey Research Associates

DARPA Intrusion Tolerant Systems Program

Architecture Technology Corporation/Odyssey Research Associates

Application Domain Comparison

IBM Compatib le IBM Compatib le

I'net

IBM Compatib le

IBM Compatib le

DA TABA SE

LA N

• Situational awareness• Representation of real-time• Hard real-time• Examples

– Air traffic control– Sonar data processing

• Data collection &dissemination• Up-to-date and historical data• Soft real-time • Examples

– Intelligence gathering– MDDS

Server to Warfighter Sensor to Warfighter

Architecture Technology Corporation/Odyssey Research Associates

Technical Challenge

• Key challenges to building a high availability intrusion tolerant system– maintaining error detection coverage for an evolving fault set– sustaining required error recovery coverage in spite of intentional faults

SystemFailure

ResourceDepletion

Loss ofIntegrity

ProcessingDepletion

Comm.Depletion

Loss ofProgramIntegrity

Loss ofData

Integrity

AccidentalFaults

IntentionalFaults

Architecture Technology Corporation/Odyssey Research Associates

Research Objectives

• Develop general design principles, collectively called RFITS, for building robust information systems that can sustain correct operation in spite of intrusion-induced DOS attacks – Focus on real-time, high availability military systems

• Validate and demonstrate effectiveness of RFITS – establish generality of RFITS architecture and techniques

– build prototype of RFITS-based system

– derive performance characteristics via experimentation and simulations

– perform joint experimentation with other IA&S efforts

Architecture Technology Corporation/Odyssey Research Associates

RFITS Approach

• Randomized failover process

• Randomized distribution of service requests among redundant (and possibly diverse) servers

• Semantic integrity checks at subsystem service boundaries

• Hierarchical recovery management

• Systems engineering methodology for deriving a layered intrusion tolerant architecture

Network(N)

System (S))

Pro ce s s o r(P )

P ro ce s s o r(P )

P ro ce s s o r(P )

Network(N)

Ran

dom

izin

g D

ispa

tche

r

Ran

dom

izin

g D

ispa

tche

r

Local Recovery M anagerS ervice Reques t/Response Units

G lobalRecovery

M anagem ent

Architecture Technology Corporation/Odyssey Research Associates

Strawman RFITS Methodology

• The system engineering methodology consists of the application of the following processes:– Analysis of the operational, systems, and technical architecture to

identify the threats

– Derivation of fault model for the system under study

– FMEA/FMECA driven design of error detection mechanisms

– FMEA driven design of failover policy

– End-to-end threads analyses

• Applied RFITS methodology to tactical ad hoc networks to derive an intrusion tolerant architecture, i.e., TIARA

Architecture Technology Corporation/Odyssey Research Associates

Vulnerabilities of Ad Hoc Networks

• Resource depletion attack

– intruder usurps network resources by injecting spurious traffic or by replaying traffic

• Flow disruption attack– intruder drops,

corrupts, or delays data packets

• Route hijacking– intruder creates

phantom routes

A

B

E

D

C

P

F

G

H

Q

P a th 1

In tru d e r

P a th 2

Architecture Technology Corporation/Odyssey Research Associates

RFITS-Based TIARA Approach

• Collectively, TIARA mechanisms protect ad hoc networks against intrusion attacks on routing as well as data traffic

TIARA CountermeasuresDistributed Firewall Traffic Policing Intrusion Tolerant Routing

FR

AC

Fast

Auth

entic

atio

n

Sequence

Num

bers

Refe

rrals

Flo

w

Monito

ring

Multi-p

ath

Routin

g

Sourc

e In

it.R

oute

Sw

itchin

g

Spurios Trafffic

Packet Replay

Session Flooding

Flow Disruption

Route Hijacking

Intru

sio

n A

ttacks

Architecture Technology Corporation/Odyssey Research Associates

Risks

• Availability of sufficient number of candidate operational systems for study– Leverage FAA connections

– Acquire openly available material on DoD systems

• Implementation of prototype with sufficient richness to demonstrate a range of RFITS derive intrusion tolerant mechanisms– Augment base system with simulations, if possible

Architecture Technology Corporation/Odyssey Research Associates

Metrics

• Coverage of RFITS derived techniques– error detection

– failover

• Lifecycle cost impact– deployment costs

– operating costs

• Performance overhead

Architecture Technology Corporation/Odyssey Research Associates

Major Achievements

• Handbook for building real-time, high-availability intrusion tolerant systems– RFITS system engineering methodology

– RFITS-derived techniques for error detection and failover

• Demonstration of a prototype military application (e.g., air traffic surveillance system) built using RFITS

Architecture Technology Corporation/Odyssey Research Associates

Task Schedule

Task Y1

1. Design RFITS mechanisms

2. Build and Demonstrate Initial

RFITS Sy stem

3. Build and Demonstrate Full

RFITS Sy stem

4. Program Management

5. Perf orm Simulation or

Implementation (Option 1)

6. Perf orm joint experimentation

(Option 2)

Design Rev iew and DemonstrationsDemo 1 Demo 2 Demo 3

Y2 Y3 Y4

Design Rev iew Demo 4

Architecture Technology Corporation/Odyssey Research Associates

Technology Transfer

• Transferable technology resulting from this effort – Design techniques (i.e., RFITS) for building intrusion tolerant

systems

• Technology transition avenues include– Strategic alliances with DoD system integration contractors

– Collaboration with DoD Technology Transition organizations

– Leverage relationship with the FAA

– Publications