
Survival by Defense-Enabling


Presentation Transcript


  1. Survival by Defense-Enabling Partha Pal, Franklin Webber, Richard Schantz BBN Technologies LLC Proceedings of the Foundations of Intrusion Tolerant Systems (2003) Presented by J.H. Su

  2. Authors(1/3) • Partha Pal • a Division Scientist at BBN Technologies. His research interest is in the area of survivable distributed systems.

  3. Authors(2/3) • Franklin Webber • a software engineer who has primarily been supporting BBN Technologies in DARPA-sponsored research on strengthening the resistance of computer systems to malicious attack.

  4. Authors(3/3) • Richard Schantz • Works at the Intelligent Distributed Computing Department at BBN.

  5. Outline • Introduction • “Survival by Defense” of Critical Application • Acquisition of Privilege • Control of Resources • Use of Defensive Adaptation in Application’s Survival • Issues and Limitations • Related Work • Conclusion

  6. Introduction(1/4) • Attack survival • The ability to provide some level of service despite an ongoing attack by tolerating its impact.

  7. Introduction(2/4) • Attack prevention • Led to the development of what is known as a trusted computing base (TCB). • Attack detection and situational awareness • Led to the development of various intrusion detection systems (IDSs).

  8. Introduction(3/4) • Drawback • In fact, many of the world’s computer systems today run operating systems and networking software that are far from the TCB ideal. • IDSs mostly work off-line, without any direct runtime interaction or coordination with the applications (and with other IDSs) that they aim to protect.

  9. Introduction(4/4) • Survival by protection • Seeks to prevent the attacker from gaining privileges • Survival by defense • Includes protection but also seeks to frustrate an attacker in case protection fails and the attacker gains some privileges anyway

  10. “Survival by Defense” of Critical Application(1/5) • Focus on • The specific needs of a specific type of application. • What is a critical application? • These applications are critical in the sense that the functions they implement are the main purpose of the computer system on which they run.

  11. “Survival by Defense” of Critical Application(2/5) • Assumption • We can modify or extend the design and implementation of the critical applications.

  12. “Survival by Defense” of Critical Application(3/5) • Corruption • An application that does not function correctly • Reasons an application becomes corrupt • An accident, such as a hardware failure, or malice; • Flaws in its environment or in its own implementation cause it to misbehave.

  13. “Survival by Defense” of Critical Application(5/5) • The Goal • The attacker’s acquisition of privileges must be slowed down. • The defense must respond and adapt to the privileged attacker’s abuse of resources.

  14. Acquisition of Privilege(1/4) • Divide the system into several security domains, each with its own set of privileges • The domains are chosen and configured to make best use of the existing protection in the environment to limit the spread of privilege. • The domains must not overlap. • Each security domain may offer many different kinds of privilege. • The attacker cannot accumulate privileges concurrently in any such set of domains.

  15. Acquisition of Privilege(2/4) • Kinds of Privilege • anonymous user privilege • domain user privilege • domain administrator privilege • application-level privilege

  16. Acquisition of Privilege(3/4) • Three ways for an attacker to gain new privileges • Convert domain or anonymous user privilege into domain administrator privilege. • Convert domain administrator privilege in one domain into domain administrator privilege in another. • Convert domain administrator privilege into application-level privilege.

  17. Acquisition of Privilege(4/4) • Solution for Case 1 • Careful configuration of hosts and firewalls. • Solution for Case 2 • Proper host configuration and administration • Having a heterogeneous environment with various types of hardware and operating systems. • Solution for Case 3 • Use cryptographic techniques

  18. Control of Resource(1/3) • The attacker and the critical applications compete over system resources • Use of redundancy • Monitoring • Adaptation

  19. Control of Resource(2/3) • Use of redundancy • Replicate every essential part of the application and place the replicas in different domains. • The replicas must be coordinated to ensure that, as a group, they will not be corrupted when the attacker succeeds in corrupting some of them.

  20. Control of Resource(3/3) • Monitoring • QoS • Self-checking • whether the application continues to satisfy invariants specified by its developers.
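As an added illustration of slides 19 and 20 (constructed model, not code from the paper or the APOD project), the following Python shows why replicas must be spread across security domains and coordinated: an attacker holding domain-administrator privilege corrupts every replica placed in that one domain, majority voting masks that only when the replicas sit in different domains, and a developer-specified invariant on the group result acts as the self-check that catches the case where voting alone fails. Replica names, domain names and the application function are all made up here.

```python
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Replica:
    name: str
    domain: str          # security domain (host/OS boundary) hosting this replica
    corrupted: bool = False

    def compute(self, request: int) -> int:
        # Constructed application function; a corrupted replica returns a wrong answer.
        return -1 if self.corrupted else request * 2

class ReplicatedService:
    def __init__(self, placement: Dict[str, str]) -> None:
        # placement maps replica name -> domain name (constructed sample placements below)
        self.replicas: List[Replica] = [Replica(n, d) for n, d in placement.items()]

    def compromise_domain(self, domain: str) -> None:
        # Domain-administrator privilege in one domain lets the attacker corrupt
        # every replica placed in that domain, but none outside it.
        for r in self.replicas:
            if r.domain == domain:
                r.corrupted = True

    def vote(self, request: int) -> Optional[int]:
        # Coordination: the group answer is the strict-majority answer;
        # None means no answer reached a majority.
        answers = Counter(r.compute(request) for r in self.replicas)
        value, count = answers.most_common(1)[0]
        return value if count > len(self.replicas) // 2 else None

    def self_check(self, request: int) -> bool:
        # Monitoring by self-checking: a developer-specified invariant on the
        # group result (constructed here: result equals 2 * request).
        return self.vote(request) == request * 2

def survives_domain_loss(placement: Dict[str, str], lost_domain: str) -> bool:
    # Does the service still pass its self-check after one domain falls to the attacker?
    svc = ReplicatedService(placement)
    svc.compromise_domain(lost_domain)
    return svc.self_check(21)

if __name__ == "__main__":
    spread = {"r1": "domA", "r2": "domB", "r3": "domC"}   # one replica per domain
    stacked = {"r1": "domA", "r2": "domA", "r3": "domB"}  # two replicas share domA
    print("spread survives loss of domA:", survives_domain_loss(spread, "domA"))    # True
    print("stacked survives loss of domA:", survives_domain_loss(stacked, "domA"))  # False
```

In the stacked placement the corrupted replicas form the majority, so voting returns the wrong value and only the invariant check reveals that the group has been corrupted.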

  21. Use of Defensive Adaptation in Application’s Survival(1/4) • A classification of defensive adaptations • Dimension 1: The level of system architecture at which these adaptations work. • Dimension 2: How aggressively the attack can be countered.

  22. Use of Defensive Adaptation in Application’s Survival(2/4)

  23. Use of Defensive Adaptation in Application’s Survival(3/4) • The importance of the capability to change between various modes and the associated trade-offs. • Defensive adaptation is mostly reactive. • Defensive adaptation could be pro-active.

  24. Use of Defensive Adaptation in Application’s Survival(4/4) • Make these adaptive responses unpredictable. • some uncertainty needs to be injected. • Separate the design of the functional (or business) aspects of the application from the design of defensive adaptation. • Put the latter into middleware. • reusable for many different applications.

  25. Issues and Limitations • The reliance on crypto systems. • It is not simple to combine multiple mechanisms in a defense strategy. • Selection of an appropriate mechanism, and analysis and resolution of potential conflicts, have to be done manually by an expert. • Relies on the fact that attacks proceed sequentially.

  26. Related Work • MAFTIA • an ESPRIT project developing an open architecture for transactional operations on the Internet. • The “Survivability Architectures” project • Aims to separate survivability requirements from an application’s functional requirements. • The “An Aspect-Oriented Security Assurance Solution” project • Implements security-related code transformations on an application program.

  27. Conclusion • We are implementing technology for defense enabling under the DARPA project titled “Applications that Participate in their Own Defense” (APOD). • Defense enabling can increase an application’s resistance to malicious attack. • Greater survivability for the application on its own and an increased chance for system administrators to detect and thwart the attack before it succeeds.

  28. Thanks for listening
