130 likes | 277 Views
Motivation. Mission critical applications being developed using CORBA on COTS platforms CORBA Security protects at middleware level, but applications vulnerable to O/S and network attacks Fault Tolerant CORBA does not protect against malicious faults. Technical Objectives.
E N D
Motivation • Mission critical applications being developed using CORBA on COTS platforms • CORBA Security protects at middleware level, but applications vulnerable to O/S and network attacks • Fault Tolerant CORBA does not protect against malicious faults
Technical Objectives • Provide intrusion tolerance for CORBA applications • System level approach • Middleware • Eliminate reliance on any single server • secure, reliable group communication directly between clients and replicated servers • Detect Byzantine (arbitrary) faults in servers • Support heterogeneity (diversity of implementation) • Boundary controllers (firewalls) • Protocol inspection • End-to-end authentication between clients and servers
Existing Approaches • OMG supports Fault Tolerance for CORBA • Not intrusion tolerant • Not fully interoperable • No firewall support • Prior and Current Research • Avoided ORB changes by intercepting process level communications; forces homogeneous server implementation • Use of “primary” or “lead” server; cannot tolerate Byzantine faults • Ensemble, Maestro, AQuA, Rampart, Eternal, others
Technical Approach • Leverage prior work on fault tolerant CORBA; secure, reliable, authenticated multicast; total ordering; Byzantine fault detection • Active replication of servers with voting • Protect client and server hosts with application proxy firewall; include firewall in multicast group • Integrate with open-source ORB • Detect value faults above CDR encode/decode layer • Replace transport layer with secure, reliable, authenticated multicast • Handle duplicate requests and replies
Server Application Code IT ORB Server Application Code IT ORB Server Application Code IT ORB Conceptual Overview Client Application Code IT ORB Value Fault Detection / Voting Redundant Msg. Exclusion Encode/Decode Time, Crash, other Fault Detection Secure, Reliable, Auth. Multicast Server-Side Firewalls Redundant Servers Client-Side Firewall Firewall M-Cast GIOP Proxy Firewall Secure, Reliable, Auth. Multicast GIOP Proxy Firewall M-Cast GIOP Proxy Firewall M-Cast GIOP Proxy
Approach -- What’s Different ? • All servers are equal • eliminate need for “primary” or “lead” server • Detect value faults in the ORB • encoding of CORBA messages depends on the source platform (i.e, byte ordering) • permits heterogeneous implementations • Application proxy firewall integrated into the architecture • better protection for COTS client and server hosts • end-to-end authentication of client and server • may have better performance than IIOP/SSL proxies
Risks and Mitigation Plans • Performance of secure, reliable, authenticated multicast • Mitigation Plan: • Evaluate and experiment with existing research prototypes • Design replaceable transport layer • Take advantage of research advances as they become available • Defense against DoS attacks by compromised servers • Mitigation Plan: • Rely on intruder tracing (IDIP?) to find source and block
Expected Achievements • At least one implementation of an ORB on two more more heterogeneous platforms that tolerates Byzantine faults • Integrated application proxy firewall support to protect COTS client and server hosts • Understand trade-off between performance and degrees of intrusion tolerance
Metrics • Cost/benefit of redundant servers • Tolerance of Byzantine faults (number of faulted servers) vs. impact on throughput due to additional replication • Throughput measured by operations per second • Countermeasure Characterization using either IA or IASET methodology • Experimentation at the TIC to validate countermeasure claims
Policy Issues • Assumptions • Other mechanisms enforce QoS and QoP policies • CORBA Security could be added to architecture to provide other services (access control, audit, non-repudiation, etc.) • Can integrate with intruder tracing mechanisms (e.g., IDIP) to handle denial of service attacks • Enforcement Mechanisms • Need policy for group membership: servers, clients, and firewalls • Standard firewall permit/deny policy extended for secure, reliable, authenticated multicast
Technology Transfer • Work with OMG to revise existing specifications, create new specifications • Fault Tolerance specification • Unreliable Multicast specification • Firewall specification • Joint experimentation with other DARPA and DoD programs • Conferences and workshops