Agile Objects: Component-based Inherent Survivability
Andrew A. Chien, achien@cs.ucsd.edu, UCSD
Jane Liu (UIUC) -> Riccardo Bettati (Texas A&M)
http://www-csag.ucsd.edu/projects/agileO.html
AFRL F30602-9-1-0534
DARPA ISO Intrusion Tolerant Systems PI Meeting
Year 1 Progress Report, July 19, 2000
Outline
• Motivation and Goals
• Agile Objects
• Location Elusiveness
• Interface Elusiveness
• Status
• Plans
Background/Existing Practice
• Static Distributed Software Architectures (nearly)
  • Fixed points of access, deployment, resource dependence
• System/Firewall/Sandbox/Domain based Security
  • Resource and containment oriented
• Security Architecture based on Anticipated Deployment Structures
• => Flexibility and reconfiguration can enhance survivability
• Our Focus: Flexible Configuration of Distributed C3I Systems (Real-time, High Performance, Mission-Critical Online systems)
  • E.g. Aegis Battle Cruiser, Theatre Command/Information system, etc.
AO Focus: Tolerance and Response
• Resource loss due to compromise
  • Detected security breach, autonomic response, network partition
• Resources made undesirable due to changes in security status
  • Under attack, detected assaults, partially compromised, loss of other security-critical information
  • Information about attack methods and systems targeted
• Proactive reconfiguration in response to partial loss
Traditional Static Distributed System Design and Config
• Application design implicitly assumes a distribution and security environment, as well as specific resources (and types)
• Difficult to reconfigure, requalify
  • Complex schedulability analysis and resource matching
• DARPA ITO/Quorum techniques improve the situation, but require significant application involvement and management of the environment
• => High Performance RPC enables…
Distribution Independent Design
[Figure: one application design shown in Deployment #1 through Deployment #4]
• Identical Application Design can be Deployed in Multiple Configurations
• Identical design effort (same performance abstractions ensured by the middleware layer) – rate-based real-time performance at component level
• Identical performance experienced by users of the applications
• Configurations can be chosen based on many criteria: survivability, load balance, hardware reliability, etc.
• => Online Migration and Flexible Replication enables…
Location Elusive Applications
• Extend distribution flexibility to runtime
• Transparent online reconfiguration; functionality and performance invisible to distributed application and its users (Location Elusiveness)
• Respond to dynamic changes in runtime environment (failures, attack, security)
• Without major additional design effort
• Useful for commodity and legacy software
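The reconfiguration described on this and the previous slide, as an added example written for this page (it is not the Agile Objects migration system, and it is in Python rather than the COM or Java RMI code bases the project works on): application code holds a reference by name, a name service maps the name to whichever host currently holds the object, and when the object is moved (for instance off a host whose security status has degraded) the reference re-resolves and retries, so the caller never sees the move. The names NameService, Host, Reference, MovedError and Service are hypothetical; state checkpointing and the rate-based real-time guarantees are left out.

```python
"""Added example, not the Agile Objects migration system: a location-elusive
reference. Application code holds a Reference by name; a name service maps the
name to the host currently holding the object, and when the object migrates
(say, away from a host whose security status changed) the reference re-resolves
and retries, so the caller never observes the move. All names are hypothetical."""


class MovedError(Exception):
    """Raised by a host that no longer holds the named object."""


class NameService:
    """Name -> host binding; rebinding on migration is the only shared step."""

    def __init__(self):
        self.bindings = {}

    def bind(self, name, host):
        self.bindings[name] = host

    def resolve(self, name):
        return self.bindings[name]


class Host:
    """A node that hosts objects; invoke() is the per-host entry point."""

    def __init__(self, label):
        self.label, self.objects = label, {}

    def invoke(self, name, method, *args):
        if name not in self.objects:
            raise MovedError(name)
        return getattr(self.objects[name], method)(*args)


class Service:
    """Constructed application object whose state must survive migration."""

    def __init__(self):
        self.hits = 0

    def ping(self):
        self.hits += 1
        return self.hits


def deploy(ns, name, obj, host):
    host.objects[name] = obj
    ns.bind(name, host)


def migrate(ns, name, src, dst):
    """Install on dst and rebind before removing from src, so an in-flight
    call either completes on src or fails with MovedError and re-resolves."""
    dst.objects[name] = src.objects[name]
    ns.bind(name, dst)
    del src.objects[name]


class Reference:
    """Location-transparent handle: caches the host, re-resolves on MovedError."""

    def __init__(self, ns, name):
        self.ns, self.name = ns, name
        self.host = ns.resolve(name)
        self.reresolutions = 0

    def call(self, method, *args):
        try:
            return self.host.invoke(self.name, method, *args)
        except MovedError:
            self.host = self.ns.resolve(self.name)
            self.reresolutions += 1
            return self.host.invoke(self.name, method, *args)


def demo():
    ns, a, b = NameService(), Host("A"), Host("B")
    deploy(ns, "tracker", Service(), a)
    ref = Reference(ns, "tracker")
    first = ref.call("ping")            # served on A
    migrate(ns, "tracker", a, b)        # e.g. A's security status degraded
    second = ref.call("ping")           # served on B after one silent re-resolution
    return first, second, ref.host.label, ref.reresolutions
```

The ordering inside migrate() is the part worth noting: the destination is populated and the name rebound before the source copy is removed, so a caller holding a stale cached host either completes on the source or gets MovedError and re-resolves, and there is no window in which the name resolves to a host that does not hold the object.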
Flexible Security Reconfiguration
[Figure: a "Nasty Virus Attack" raises an "Elevated Security Barrier", triggering a Change of Protocol and a Change of Interface]
• Integrated security mechanisms with high performance RPC/distributed objects (Elusive Interfaces)
• Exploit computer-manipulable interfaces and data reorganization
• Adaptive security management for Agile, highly decentralized applications
  • Rapidly and continuously changing environment and configurations
Technical Objectives
• Agile Objects enables Elusive Distributed Applications
• Location Elusiveness
  • Seamless boundary between Component and Distributed Object applications
  • Rate-based real-time framework allows distributed reconfiguration in performance transparent fashion
  • Replication supports fault tolerance, rapid reconfiguration, multi-version assurance and survivability
• Interface Elusiveness
  • Integrates security mechanisms with traditional object interface marshalling to achieve high performance
  • An adaptive security mechanism (there are many)
  • Adaptive security required with rapidly changing application configuration
  • => also rapidly changing surrounding resource and security environment
• Transparent automatic reconfiguration maintains performance and security properties
  • No major additional application programming effort
  • Can incorporate commodity software modules without major effort
• Respond to critical Assurance and Survivability events fast (<< seconds)
Assumptions and Scope
• What threats/attacks is your project addressing?
  • Any that lead to compromise of nodes, networks, services
  • esp. object/component interface based attacks
• What assumptions does your project make?
  • Only some resources are compromised; segregation possible
  • Some warning (could be noisy) => Low impact techniques to respond
• What policies can we enforce?
  • Application configuration <-> Level of compromise of resources
  • Reflect Infocon level or resource status *fast*
  • Many that drive reconfiguration, decouple reconfiguration from complex analysis and performance
Challenges
• Location Elusiveness: Support rapid application mobility with
  • Performance insensitivity
  • Uniform resource access
  • Continuous real-time performance
  • => make this real for significant distributed applications
• Interface Elusiveness: Adapt security mechanisms and configuration
  • Support *very* high speed networks
  • Characterize EI interface configuration spaces and develop innovative configuration mgmt and adaptation
  • Manage and enforce security requirements, adapting in real time to match rapid changes
Agile Objects Project Plan
[Figure: timeline chart with a "Work Completed" marker. Location Elusiveness track: High Performance RPC, Distrib. Insensitivity, Object Replication, Agile Object Migration (RT), Name Service for Elusive Applications, Elusive Location Demonstration. Interface Elusiveness track: Analytical Foundations & Case Studies, Elusive Interface Prototype, Elusive Interface System, Dynamic Mutation (online, reactive), Elusive Interface Demonstration. Both tracks lead to Agile Objects Application Demonstrations.]
Expected Major Achievements
• Location Elusiveness: Distribution insensitive distributed applications
  • High Performance RPC which enables flexible configuration
  • Online Migration and Replication
  • Real-time applications which reconfigure while maintaining performance guarantees
• Interface Elusiveness: Characterize space of interface mutation and dynamic coordination mechanisms
  • Crystallize a framework for adaptive interface mutation management (reconfiguration, cost, space)
  • Configuration independent application security specifications
  • Develop a range of targeted responses based on Intrusion Detection & System status information
• Integrate techniques for a unified Agile Objects approach and demonstration
Quantitative Metrics
• Location Elusiveness
  • Speed of remote RPC, ratio of local/remote
  • Time of application reconfiguration (physical network parameters, applications)
  • Granularity/precision of real-time guarantees
• Interface Elusiveness
  • Size of reconfiguration space, range of techniques
  • Reconfiguration Cost
  • Reconfiguration Delay
• Scale of Demonstrations
Progress
• Previously reported Accomplishments
  • User-level networking performance
  • Fast Remote RPC (+ improving)
    • 40 microseconds; as fast as local
  • Basic Real-time Framework
  • Multi-DCOM Prototype
  • Elusive Interfaces Framework
• Recent Accomplishments (since 2/00)
  • Elusive Interfaces Prototype
  • Experimentation with Multi-DCOM Prototype
Elusive Interfaces
[Figure: Specialized Cryptography Hardware, High Speed Net, Untrusted Net, Time-varying]
• Distributed Object and Component Applications: primitive pairwise relationships
• End-to-end encryption techniques practically incompatible with high speed networks
• Ideas
  • Low-cost encryption techniques based on interface structure
  • Adapt and manage automatically in response to changes
  • Systematic analysis of opportunities, costs, and capabilities
Security Overhead
• SSL inline overhead (excluding initial exchange protocol)
  • 4x fixed overhead; 17x per byte costs (~2 Mbits)
  • 56-bit keys, 500 MHz Pentium IIs, 100 Mbit Ethernet
• Cleartext protocol stacks barely feed high speed networks
Elusive Interfaces
[Figure: client -> EI module -> network -> EI module -> server]
• EI Transformations
  • Size preserving: Method offset, offset range, parameter location, parameter organization, etc.
  • Non-size preserving: parameter buffering, message buffering
  • Sequence: Dynamic variation of interface over lifetime of connection...
• Low cost due to word-level transformations, bury in (de)marshalling
• Vary transformation based on expected attack modes
  • Active attacks: NumFormats
  • Passive attacks: NumMethods
February 2000 PI Meeting
• Analysis of these approaches
• Large Elusive Interfaces space for realistic interfaces
  • Simple systems, 10^6 – 10^16 configurations
• Report available from http://www-csag.ucsd.edu/projects/AgileO.html
July 2000 PI Meeting
• Prototype and evaluation
Elusive Interfaces Prototype
[Figure: client -> EI stub -> network -> EI skel -> server]
• Java RMI
  • Berkeley's secure NinjaRMI (authentication and encryption infrastructure)
• Implementation
  • RMI compiler which generates mutations in stub and skel files
  • Transport layer uses secure key-exchange, followed by mutated data stream
• Limitation: single, fixed sequence of changes
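The size-preserving transformations (method offset, parameter location) and the sequence transformation from the EI Transformations slide, together with the stub/skeleton split of the prototype, as an added example written for this page in Python; it is not the project's Java RMI prototype or its RMI compiler output. Both ends derive the same per-call permutation of method offsets and parameter slots from a shared session key, which is assumed to come from the transport's authenticated key exchange (the key exchange itself is out of scope here). Unlike the prototype's single fixed sequence, the sequence here is keyed, so each connection mutates differently. The interface, the Accounts object and the names EIMutation, EIStub, EISkeleton and interface_config_space are constructed for the example. The last function counts the size-preserving configuration space the February report measures, as the product of method orderings and per-method parameter orderings.

```python
"""Added example, not the Agile Objects project's code: a toy elusive
interface. A client stub and a server skeleton derive the same sequence of
interface mutations from a shared session key, so the wire encoding of every
call (method offset, parameter positions) changes from call to call while the
application-level interface stays fixed. All names here are hypothetical."""
import hashlib
import hmac
import math
import struct
from collections import defaultdict

# Constructed sample interface: method name -> number of 32-bit int parameters.
INTERFACE = {"balance": 1, "deposit": 2, "transfer": 3}


def _keyed_permutation(key, label, n):
    """Fisher-Yates permutation of range(n) driven by HMAC-SHA256(key, label);
    both ends hold the key, so both compute it without ever sending it."""
    stream = int.from_bytes(hmac.new(key, label, hashlib.sha256).digest(), "big")
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        j = stream % (i + 1)
        stream //= i + 1
        perm[i], perm[j] = perm[j], perm[i]
    return perm


class EIMutation:
    """One point in the mutation sequence: a size-preserving method-offset map
    plus a parameter-location permutation for each method."""
    def __init__(self, session_key, seq):
        names = sorted(INTERFACE)
        offsets = _keyed_permutation(session_key, b"method|%d" % seq, len(names))
        self.offset_of = dict(zip(names, offsets))
        self.name_at = {off: name for name, off in self.offset_of.items()}
        self.param_perm = {
            name: _keyed_permutation(session_key, b"param|%s|%d" % (name.encode(), seq), n)
            for name, n in INTERFACE.items()
        }

    def marshal(self, name, args):
        perm = self.param_perm[name]
        slots = [0] * len(args)
        for i, value in enumerate(args):
            slots[perm[i]] = value  # argument i travels in wire slot perm[i]
        return struct.pack(">B%di" % len(slots), self.offset_of[name], *slots)

    def demarshal(self, wire):
        name = self.name_at[wire[0]]
        n = INTERFACE[name]
        slots = struct.unpack(">%di" % n, wire[1:1 + 4 * n])
        return name, tuple(slots[self.param_perm[name][i]] for i in range(n))


class EIStub:
    """Client side: encodes with the current sequence position, then advances."""
    def __init__(self, session_key, send):
        self.key, self.seq, self.send = session_key, 0, send

    def call(self, name, *args):
        mut, self.seq = EIMutation(self.key, self.seq), self.seq + 1
        return self.send(mut.marshal(name, args))


class EISkeleton:
    """Server side: decodes with the same sequence position and dispatches."""
    def __init__(self, session_key, target):
        self.key, self.seq, self.target = session_key, 0, target

    def receive(self, wire):
        mut, self.seq = EIMutation(self.key, self.seq), self.seq + 1
        name, args = mut.demarshal(wire)
        return getattr(self.target, name)(*args)


class Accounts:
    """Constructed server object implementing INTERFACE."""
    def __init__(self):
        self.bal = defaultdict(int)

    def balance(self, acct):
        return self.bal[acct]

    def deposit(self, acct, amount):
        self.bal[acct] += amount
        return self.bal[acct]

    def transfer(self, src, dst, amount):
        self.deposit(src, -amount)
        return self.deposit(dst, amount)


def interface_config_space(interface):
    """Distinct size-preserving mutations: method orderings times the
    parameter orderings of every method (the slides' configuration space)."""
    return math.factorial(len(interface)) * math.prod(math.factorial(n) for n in interface.values())


def demo_session(session_key):
    """End-to-end run; the key is assumed to come from the transport's key exchange."""
    skel = EISkeleton(session_key, Accounts())
    stub = EIStub(session_key, skel.receive)  # direct hand-off stands in for the network
    stub.call("deposit", 1, 100)
    stub.call("transfer", 1, 2, 40)
    return stub.call("balance", 1), stub.call("balance", 2)
```

Two points a practitioner should take from this: the work per call is a table lookup and a slot permutation inside marshalling, which is why the approach can stay within a few percent of cleartext, and a permutation of method offsets and parameter slots hides structure but not the values themselves, so it is a low-cost layer over the authenticated key exchange rather than a replacement for encryption (the summary slide's "understand relation to encryption" is exactly this question). Because both ends advance the sequence on every call, a lost or reordered message desynchronizes them; a real transport would carry the sequence position or run over a reliable stream, as the prototype does.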
Elusive Interfaces Latency
[Figure: latency chart comparing plain text, Elusive Interfaces and Triple-DES]
Elusive Interfaces is:
• within 3% of plain text
• 11 - 56x faster than Triple-DES
• Explain performance anomaly
Elusive Interfaces Parameter Complexity
[Figure: latency versus number of int parameters]
• EI scales with complexity of interface
• 0 to 64 int ratio is 1 : 1.47
• RMI Latency is low
Multi-DCOM Transparent Multicast (Interception)
[Figure: Client, Proxy, Interceptor ("Customize..."), Stub 1 / Stub 2, Proxy 1 / Proxy 2, MSRPC]
• Transparency
• Independent of MSRPC and COM
• Universal technique (also applies to network monitoring...)
• Interoperable with existing software
• Flexibility and Customizability
Multi-DCOM Translucent Replication
• Prototype and Replication Control Tool complete
• Performance overhead minimal for interception, linear in number of replicas maintained
• Translucent replication interface enables
  • Execution of legacy COM/DCOM applications without change
  • Construction of replication aware applications
    • From source
    • As simple increments by using wrappers
• Demonstration on Microsoft Corporate Benefits Program
  • Binaries only, no source code changes to make this work
• => use for experiments in ITS based on lightweight replication
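The interception and translucent replication idea of the last two slides, as an added example written for this page in Python (it is not Multi-DCOM, which works at the MSRPC/COM proxy layer): an interceptor that looks like a single object to an unmodified client fans every call out to all replicas, returns the majority answer, and records any replica that disagreed, which is the lightweight-replication basis for intrusion tolerance experiments the slide mentions. A legacy client calls it exactly as it would one object; a replication-aware client uses the ReplicaSet (standing in for the Replication Control Tool) and heal() to drop a divergent replica and re-seed a fresh one. Counter, ReplicaSet, Interceptor, heal and the corrupted-replica scenario are all constructed for this example.

```python
"""Added example, not Multi-DCOM itself: an interception layer that sits
between an unmodified client and N replicas of a server object, fans each call
out to every replica, and returns the majority result. A legacy client sees one
ordinary object; a replication-aware client can inspect what the interceptor
observed and repair the replica set. All names are hypothetical."""
from collections import Counter as _Tally


class Counter:
    """Constructed server object; each replica holds its own copy of the state."""
    def __init__(self):
        self.value = 0

    def increment(self, by=1):
        self.value += by
        return self.value

    def read(self):
        return self.value


class ReplicaSet:
    """The replication control tool's view: add/remove replicas at run time."""
    def __init__(self, replicas):
        self.replicas = list(replicas)

    def add(self, replica):
        self.replicas.append(replica)

    def remove(self, replica):
        self.replicas.remove(replica)


class Interceptor:
    """Transparent multicast: every method call becomes a fan-out to all replicas.
    Work per call is linear in the number of replicas, as the slides report."""
    def __init__(self, replica_set):
        self._set = replica_set
        self.divergent = []      # replicas whose answer disagreed with the majority
        self.last_results = []   # (replica, result) pairs from the most recent call

    def __getattr__(self, name):
        if name.startswith("_"):
            raise AttributeError(name)

        def multicast(*args, **kwargs):
            results = [(r, getattr(r, name)(*args, **kwargs)) for r in list(self._set.replicas)]
            if not results:
                raise RuntimeError("no replicas available for %s" % name)
            self.last_results = results
            majority_repr, count = _Tally(repr(v) for _, v in results).most_common(1)[0]
            if count * 2 <= len(results):
                raise RuntimeError("no majority among replicas for %s" % name)
            for replica, value in results:
                if repr(value) != majority_repr and replica not in self.divergent:
                    self.divergent.append(replica)
            return next(v for _, v in results if repr(v) == majority_repr)

        return multicast


def heal(proxy, replica_set, make_replica):
    """Replication-aware step: drop divergent replicas and re-seed fresh ones
    from the majority's current state."""
    healthy_value = proxy.read()
    for bad in list(proxy.divergent):
        replica_set.remove(bad)
        fresh = make_replica()
        fresh.value = healthy_value
        replica_set.add(fresh)
    proxy.divergent.clear()
    return len(replica_set.replicas)


def legacy_client(service):
    """Unchanged client code: it just calls methods on what looks like one object."""
    service.increment()
    service.increment(5)
    return service.read()


def demo(tamper_one=False):
    replicas = ReplicaSet([Counter(), Counter(), Counter()])
    proxy = Interceptor(replicas)
    if tamper_one:
        replicas.replicas[1].value = 40   # constructed: one replica's state is corrupted
    result = legacy_client(proxy)
    return result, len(proxy.divergent)
```

The interceptor is the only piece the legacy client touches, which is the "binaries only, no source changes" property; majority voting across replicas is what turns lightweight replication into a tolerance mechanism, since a single corrupted replica is outvoted and flagged rather than propagated to the client. The voting compares repr() of results, which is adequate for value types; a real system would compare marshalled return buffers.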
Summary and Future Plans
• Progress on both Location and Interface Elusiveness
• Richer Elusive Interfaces System
  • Efficient algorithms to generate mutated interfaces
  • Dynamic selection of mutations; understand relation to encryption
  • High Speed Networks; IDS Driven Adaptation
• Experimentation with Replicated DCOM infrastructure
• Agile Objects Migration System
  • Online Migration, Continuous Performance
• Agile Objects Name Service
  • High performance, scalable, survivable location
• Exploitation of PASIS as a secure, robust back-end distributed storage service
  • Matches needs of these highly decentralized applications
Technology Transfer
• Publication of Results, Talks, Demonstrations
  • Application Demonstrations: Use of commodity APIs enables use of significant applications
• Software releases
  • Research and Industrial community
  • Example: Microsoft (Jim Gray, Mike Jones, Rod Gamache), Jane Liu as technology transfer targets
  • Code releases for Object Replication, Object Migration, Elusive Interfaces
• Close Interaction with vendors of the COTS source bases
  • Microsoft (DCOM work)
  • Sun/Javasoft (Java work)
  • Build on previous relationship and successful transfers