WDMS 2002 June 26 -- page 1

Middleware Policies for Intrusion Tolerance

QuO

Franklin Webber, Partha Pal, Chris Jones, Michael Atighetchi, and Paul Rubel

BBN Technologies


Outline

• Using middleware for defense against intrusions
• Defense mechanisms
• Parameterizing defense policies


A Distributed Military Application


A Cyber-Attack


An Abstract View

[Figure: Data Source, Data Processing (Fusion, Analysis, Storage, Forwarding, etc.) and Data User, with an Attacker shown against the system.]


Traditional Security

[Figure: Attacker and Application, each with its own Private Resources and only Limited Sharing between them, both running on Trusted OSs and Network.]


Most OSs and Networks In Common Use Are Untrustworthy

[Figure: same layout as the previous slide (Attacker, Application, Private Resources, Limited Sharing), but the OSs and Network layer is no longer marked as trusted.]


Cryptographic Techniques Can Block (Most) Direct Access to Application

[Figure: same layout, with a Crypto layer placed between the Application and the untrusted OSs and Network, so the Attacker's direct path to the Application is blocked.]


Firewalls Block Some Attacks; Intrusion Detectors Notice Others

[Figure: Attacker and Application (the latter behind Crypto) both draw on Raw Resources (CPU, bandwidth, files...) provided by the OSs and Network layer, which now also carries IDSs and Firewalls.]


Defense-Enabled Application Competes With Attacker for Control of Resources

[Figure: as on the previous slide, with a layer of Middleware for QoS and Resource Management added between the Application (behind Crypto) and the Raw Resources (CPU, bandwidth, files...) of the OSs and Network, IDSs and Firewalls.]


QuO Adaptive Middleware Technology

QuO is BBN-developed middleware that provides:
• interfaces to property managers, each of which monitors and controls an aspect of the Quality of Service (QoS) offered by an application;
• specifications of the application's normal and alternate operating conditions and how QoS should depend on these conditions.

QuO has integrated managers for several properties:
• dependability
• communication bandwidth
• real-time processing (using TAO from UC Irvine/WUStL)
• security (using OODTE access control from NAI)
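The contract, system-condition and delegate arrangement that the next slides name can be made concrete with a small model. The following Python is an added example, not QuO's Contract Description Language or runtime: the two system conditions (`ids_alerts`, `available_bw_kbps`), the region names, the thresholds and the adaptation actions are assumptions chosen to match the defense mechanisms discussed later in this deck.

```python
"""Illustrative model of a QuO-style contract and delegate.

Constructed example (not QuO's CDL or runtime): condition names, regions,
thresholds and adaptation actions are assumptions made for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class SysCond:
    """System condition object: one measured aspect of QoS or threat state."""
    name: str
    value: float = 0.0

    def measure(self, value: float) -> None:
        self.value = value


@dataclass
class Region:
    """Operating region: a name plus the predicate over measured conditions
    that places the application in it."""
    name: str
    predicate: Callable[[Dict[str, float]], bool]


class Contract:
    """Maps the current system conditions to an operating region and fires an
    adaptation callback whenever the region changes."""

    def __init__(self, syscond_names, regions, on_transition):
        self.syscond = {n: SysCond(n) for n in syscond_names}
        self.regions = regions              # checked in order; first match wins
        self.on_transition = on_transition  # called as (old_region, new_region, values)
        self.current: Optional[str] = None
        self.transitions: List[Tuple[Optional[str], str]] = []

    def evaluate(self) -> str:
        values = {n: s.value for n, s in self.syscond.items()}
        for region in self.regions:
            if region.predicate(values):
                new = region.name
                break
        else:
            raise ValueError("no region matches the measured conditions")
        if new != self.current:
            self.on_transition(self.current, new, values)
            self.transitions.append((self.current, new))
            self.current = new
        return new


class Delegate:
    """Client-side stand-in for the IDL stub: re-evaluates the contract on every
    call and routes to an alternate servant when the region demands it."""

    def __init__(self, contract, primary, alternate):
        self.contract = contract
        self.primary = primary
        self.alternate = alternate

    def operation(self, arg):
        region = self.contract.evaluate()
        target = self.alternate if region == "under_attack" else self.primary
        return region, target(arg)


def build_defense_contract():
    actions: List[str] = []

    def adapt(old, new, values):
        # Assumed mapping from region to defensive adaptation.
        if new == "normal":
            actions.append("default bandwidth; keep replica placement")
        elif new == "degraded":
            actions.append("reserve bandwidth for critical traffic")
        elif new == "under_attack":
            actions.append("move replicas off suspect hosts; quarantine their domain")

    regions = [
        Region("under_attack", lambda v: v["ids_alerts"] >= 3),
        Region("degraded", lambda v: v["available_bw_kbps"] < 64),
        Region("normal", lambda v: True),
    ]
    return Contract(["ids_alerts", "available_bw_kbps"], regions, adapt), actions


def run_scenario():
    """Drive the contract through a constructed sequence of measurements."""
    contract, actions = build_defense_contract()
    delegate = Delegate(contract, primary=lambda x: f"primary:{x}",
                        alternate=lambda x: f"replica:{x}")
    alerts, bw = contract.syscond["ids_alerts"], contract.syscond["available_bw_kbps"]
    trace = []
    alerts.measure(0); bw.measure(512)
    trace.append(delegate.operation("q1"))    # normal
    bw.measure(32)
    trace.append(delegate.operation("q2"))    # degraded
    alerts.measure(5)
    trace.append(delegate.operation("q3"))    # under_attack: served by the replica
    trace.append(delegate.operation("q4"))    # still under attack: no new transition
    return trace, actions, contract.transitions
```

The point of the model is the separation the slide describes: the servant code never sees the conditions, the delegate only consults the contract, and the adaptation callback is where mechanism-specific actions (bandwidth reservation, replica migration) are attached.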


QuO adds specification, measurement, and adaptation into the distributed object model

[Figure: two CORBA call paths. Top, labelled "CORBA DOC Model": Client -> IDL Stubs -> ORB/IIOP -> Network -> ORB/IIOP -> IDL Skeleton -> Object Adapter -> Object (Servant), with an operation() carrying in args and returning out args plus a return value; roles shown are Application Developer and Mechanism Developer. Bottom, labelled "QuO/CORBA DOC Model": the same path with a Delegate inserted between the Client and the IDL Stubs, a Contract consulted by the Delegate, several SysCond objects feeding the Contract, and a Mechanism/Property Manager; a QuO Developer role is added alongside the other two.]


The QuO Toolkit Supports Building Adaptive Apps or Adding Adaptation to Existing Apps

[Figure: the QuO Code Generator takes a QoS Adaptivity Specification and CORBA IDL as inputs and produces code that runs on the Middleware for QoS and Resource Management.]


Implementing Defenses in Middleware

• for simplicity:
  – QoS concerns are separated from the functionality of the application.
  – Better software engineering.

• for practicality:
  – Requiring secure, reliable OS and network support is not currently cost-effective.
  – Middleware defenses will augment, not replace, the defense mechanisms available in lower system layers.

• for uniformity:
  – Advanced middleware such as QuO provides a systematic way to integrate defense mechanisms.
  – Middleware can hide the peculiarities of different platforms.

• for reusability:
  – Middleware can support a wide variety of applications.


Security Domains Limit the Damage From A Single Intrusion

[Figure: three security domains, each with its own router and several hosts; one domain is marked as hacked.]


Replication Management Can Replace Killed Processes

[Figure: the same three domains (one hacked), with application component replicas running on hosts across the domains under QuO replica management.]


Bandwidth Management Can Counter Flooding Between Routers

[Figure: the same three domains (one hacked); QuO bandwidth management protects the inter-router link with an RSVP reservation or a packet-filtered link.]


Other Defensive Adaptations

• Dynamically configure firewalls to block traffic
• Dynamically configure routers to limit traffic
• Dynamically change communication ports
• Dynamically change communication protocols


Defense Strategy

• Use QuO middleware to coordinate all available defense mechanisms in a coherent strategy.

• Our best current strategy has two parts:
  – “outrun”: move application component replicas off bad hosts and on to good ones
  – “contain”: quarantine bad hosts and bad LANs by limiting or blocking network traffic from them and, within limits, shutting them down


Policy Issues for ‘Outrunning’

• Where should new replicas be placed?
  – Always in a new security domain?
  – Always on a new host?
  – Unpredictably?

• Should the number of replicas change under attack?
  – Increase for protection against stealth?
  – Decrease for more rapid response?
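The placement questions on this slide can be compared by running the three candidate policies over the same topology. The following Python is an added example, not QuO's replica manager: the hosts and domains, the policy names (`new_domain`, `new_host`, `unpredictable`) and the replica-count adjustment are assumptions made for illustration.

```python
"""'Outrun' replica placement policies.

Constructed example (not QuO's replica manager): the topology, policy names
and the count-adjustment rule are assumptions made for illustration.
"""
import random
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Host:
    name: str
    domain: str
    suspect: bool = False   # set once a sensor flags the host or its domain


@dataclass
class Deployment:
    hosts: Dict[str, Host]
    replicas: Dict[str, str] = field(default_factory=dict)  # replica id -> host name
    next_id: int = 1

    def add_replica(self, host: str) -> str:
        rid = f"r{self.next_id}"
        self.next_id += 1
        self.replicas[rid] = host
        return rid


def mark_domain_hacked(dep: Deployment, domain: str) -> None:
    """Quarantine judgement is out of scope here: every host in the domain becomes suspect."""
    for h in dep.hosts.values():
        if h.domain == domain:
            h.suspect = True


def candidate_hosts(dep: Deployment, policy: str, rng: random.Random) -> List[Host]:
    """Good hosts eligible to receive a replica under the given placement policy."""
    used_hosts = set(dep.replicas.values())
    used_domains = {dep.hosts[h].domain for h in used_hosts}
    good = [h for h in dep.hosts.values() if not h.suspect and h.name not in used_hosts]
    if policy == "new_domain":       # never share a domain with an existing replica
        cands = [h for h in good if h.domain not in used_domains]
    elif policy == "new_host":       # any good host not already running a replica
        cands = good
    elif policy == "unpredictable":  # same pool as new_host, order chosen at random
        cands = list(good)
        rng.shuffle(cands)
        return cands
    else:
        raise ValueError(f"unknown policy {policy!r}")
    return sorted(cands, key=lambda h: h.name)   # deterministic choice


def outrun(dep: Deployment, policy: str, target_count: int,
           seed: int = 0) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """Evacuate replicas from suspect hosts, then grow or shrink to target_count.
    Returns (replica id, old host or None, new host or None) for every change."""
    rng = random.Random(seed)
    moves = []
    # Phase 1: move every replica that sits on a suspect host.
    for rid, hname in sorted(dep.replicas.items()):
        if dep.hosts[hname].suspect:
            cands = candidate_hosts(dep, policy, rng)
            if not cands:
                moves.append((rid, hname, None))   # nowhere acceptable to go
                continue
            dep.replicas[rid] = cands[0].name
            moves.append((rid, hname, cands[0].name))
    # Phase 2: grow (protection against stealthy compromise) or shrink
    # (fewer replicas to coordinate, so faster response).
    while len(dep.replicas) < target_count:
        cands = candidate_hosts(dep, policy, rng)
        if not cands:
            break
        rid = dep.add_replica(cands[0].name)
        moves.append((rid, None, cands[0].name))
    while len(dep.replicas) > target_count:
        rid = max(dep.replicas, key=lambda r: int(r[1:]))   # drop the newest replica
        moves.append((rid, dep.replicas.pop(rid), None))
    return moves


def make_deployment() -> Deployment:
    """Constructed topology: three domains of two hosts, two replicas to start."""
    hosts = {n: Host(n, d) for n, d in
             [("a1", "A"), ("a2", "A"), ("b1", "B"), ("b2", "B"), ("c1", "C"), ("c2", "C")]}
    dep = Deployment(hosts)
    dep.add_replica("a1")
    dep.add_replica("b1")
    return dep
```

Running the three policies over the same hacked domain shows the trade-off the slide asks about: `new_domain` gives the strongest separation but runs out of placements as soon as every surviving domain already holds a replica, `new_host` always finds room while hosts remain, and `unpredictable` draws from the same pool but denies the attacker a predictable next target.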


Policy Issues for ‘Containment’

• Should quarantine be used?
  – Or rely only on self-shutdown based on local sensors?

• When is a domain, LAN, or host judged bad?
  – Depends on source of warning?
  – Depends on repeated warnings?
  – Depends on combination of warnings?

• Is agreement necessary before quarantine?
  – Yes: local decisions are easier to spoof
  – No: global decisions are impeded by flooding


Avoiding Self-Denial-of-Service

• How to prevent the attacker from spoofing the defense into quarantining all security domains?
  – Limit number or fraction of quarantined domains?
  – Limit rate of quarantining?
  – Allow later reintegration of quarantined domains?
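The containment questions on the previous slide (which warnings count, whether repeated or combined warnings are needed, whether other domains must agree) and the self-denial-of-service limits on this one fit together in a single decision rule. The following Python is an added example, not code from QuO or from the authors: the sensor names and weights, the thresholds, the agreement rule and the constructed alert sequence are all assumptions made for illustration.

```python
"""Containment policy with self-DoS guards.

Constructed example (not QuO code): sensor names, weights, thresholds, the
agreement rule and the alert sequence are assumptions made for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List


@dataclass
class Alert:
    t: float        # time the warning was raised (seconds)
    domain: str     # domain the warning is about
    source: str     # sensor type that raised it
    reporter: str   # domain whose defense observed it (used for agreement)


# Assumed weights: an application self-check is trusted more than a firewall log.
SOURCE_WEIGHT = {"ids": 1.0, "firewall": 0.5, "app_selfcheck": 2.0}


@dataclass
class ContainmentPolicy:
    score_threshold: float = 2.0   # weighted evidence needed (repeated or combined warnings)
    window: float = 60.0           # only warnings this recent count
    min_reporters: int = 2         # agreement: distinct reporting domains required
    max_fraction: float = 0.5      # never quarantine more than this fraction of domains
    min_interval: float = 30.0     # rate limit between quarantine actions
    quarantine_ttl: float = 300.0  # reintegrate after this long without fresh evidence


class Containment:
    def __init__(self, policy: ContainmentPolicy, all_domains):
        self.policy = policy
        self.all_domains = set(all_domains)
        self.alerts: List[Alert] = []
        self.quarantined: Dict[str, float] = {}   # domain -> time of last evidence
        self.last_action = float("-inf")

    def judge(self, domain: str, now: float) -> bool:
        """Is the domain bad? Weighted score over a window, from enough distinct reporters."""
        recent = [a for a in self.alerts
                  if a.domain == domain and now - a.t <= self.policy.window]
        score = sum(SOURCE_WEIGHT.get(a.source, 0.0) for a in recent)
        reporters = {a.reporter for a in recent}
        return score >= self.policy.score_threshold and len(reporters) >= self.policy.min_reporters

    def reintegrate(self, now: float) -> List[str]:
        """Lift quarantines whose evidence has gone stale."""
        expired = sorted(d for d, t in self.quarantined.items()
                         if now - t > self.policy.quarantine_ttl)
        for d in expired:
            del self.quarantined[d]
        return expired

    def report(self, alert: Alert) -> str:
        """Record a warning and return the action taken for its domain."""
        self.alerts.append(alert)
        now = alert.t
        self.reintegrate(now)
        if alert.domain in self.quarantined:
            self.quarantined[alert.domain] = now   # fresh evidence extends the quarantine
            return "already_quarantined"
        if not self.judge(alert.domain, now):
            return "watch"
        # Self-DoS guards: a flood of spoofed warnings must not isolate everything.
        if len(self.quarantined) + 1 > self.policy.max_fraction * len(self.all_domains):
            return "refused_cap"
        if now - self.last_action < self.policy.min_interval:
            return "refused_rate"
        self.quarantined[alert.domain] = now
        self.last_action = now
        return "quarantined"


def run_scenario():
    """Constructed alert stream: genuine evidence about A, then a flood aimed at B and C."""
    c = Containment(ContainmentPolicy(), ["A", "B", "C", "D"])
    stream = [
        Alert(0, "A", "ids", "B"),              # one IDS hit, one reporter: not enough
        Alert(5, "A", "ids", "C"),              # second reporter agrees: quarantine A
        Alert(6, "B", "app_selfcheck", "A"),    # strong source but single reporter
        Alert(7, "B", "app_selfcheck", "D"),    # agreement reached, but rate limit holds
        Alert(40, "B", "ids", "D"),             # rate window passed: quarantine B
        Alert(41, "C", "app_selfcheck", "A"),   # single reporter again
        Alert(42, "C", "app_selfcheck", "D"),   # would be the 3rd of 4: fraction cap refuses
        Alert(45, "A", "firewall", "C"),        # A already out; evidence refreshed
    ]
    actions = [c.report(a) for a in stream]
    after_flood = sorted(c.quarantined)
    actions.append(c.report(Alert(400, "A", "ids", "B")))  # stale quarantines lifted first
    return actions, after_flood, sorted(c.quarantined)
```

The scenario shows each knob doing its job: the agreement rule ignores a lone reporter, the rate limit absorbs a burst, the fraction cap keeps half the domains in service no matter how many warnings arrive, and reintegration returns quarantined domains once the evidence goes stale rather than leaving them permanently cut off.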


Conclusion

• The feasibility of adaptive cyber-defense is being explored.

• Adaptive cyber-defense is naturally implemented in middleware.

• A strategy for cyber-defense can be parameterized in several ways.