Survival by Defense-Enabling Partha Pal, Franklin Webber, Richard Schantz BBN Technologies LLC Proceedings of the Foundations of Intrusion Tolerant Systems (2003) Presented by J.H. Su
Authors(1/3) • Partha Pal • a Division Scientist at BBN Technologies. His research interest is in the area of survivable distributed systems.
Authors(2/3) • Franklin Webber • A software engineer who has primarily supported BBN Technologies in DARPA-sponsored research on strengthening the resistance of computer systems to malicious attack.
Authors(3/3) • Richard Schantz • Works in the Intelligent Distributed Computing Department at BBN.
Outline • Introduction • “Survival by Defense” of Critical Application • Acquisition of Privilege • Control of Resources • Use of Defensive Adaptation in Application’s Survival • Issues and Limitations • Related Work • Conclusion
Introduction(1/4) • Attack survival • The ability to provide some level of service despite an ongoing attack by tolerating its impact.
Introduction(2/4) • Attack prevention • Led to the development of what is known as a trusted computing base (TCB). • Attack detection and situational awareness • Led to the development of various intrusion detection systems (IDSs).
Introduction(3/4) • Drawbacks • In fact, many of the world’s computer systems today run operating systems and networking software that are far from the TCB ideal. • IDSs mostly work off-line, without any direct runtime interaction or coordination with the applications (or with other IDSs) that they aim to protect.
Introduction(4/4) • Survival by protection • Seeks to prevent the attacker from gaining privileges • Survival by defense • Includes protection but also seeks to frustrate an attacker in case protection fails and the attacker gains some privileges anyway
“Survival by Defense” of Critical Application(1/5) • Focus on • The specific needs of a specific type of application. • What is a critical application? • These applications are critical in the sense that the functions they implement are the main purpose of the computer system on which they run.
“Survival by Defense” of Critical Application(2/5) • Assumption • We can modify or extend the design and implementation of the critical applications.
“Survival by Defense” of Critical Application(3/5) • Corruption • An application that does not function correctly • Reasons an application becomes corrupt • An accident, such as a hardware failure, or malice; • Flaws in its environment or in its own implementation cause it to misbehave.
“Survival by Defense” of Critical Application(5/5) • The Goal • The attacker’s acquisition of privileges must be slowed down. • The defense must respond and adapt to the privileged attacker’s abuse of resources.
Acquisition of Privilege(1/4) • Divide the system into several security domains, each with its own set of privileges • The domains are chosen and configured to make best use of the existing protection in the environment to limit the spread of privilege. • The domains must not overlap. • Each security domain may offer many different kinds of privilege. • The attacker cannot accumulate privileges concurrently in any such set of domains.
Acquisition of Privilege(2/4) • Kinds of Privilege • anonymous user privilege • domain user privilege • domain administrator privilege • application-level privilege
Acquisition of Privilege(3/4) • Three ways for an attacker to gain new privileges • Convert domain or anonymous user privilege into domain administrator privilege. • Convert domain administrator privilege in one domain into domain administrator privilege in another. • Convert domain administrator privilege into application-level privilege.
Acquisition of Privilege(4/4) • Solution for Case 1 • Careful configuration of hosts and firewalls. • Solution for Case 2 • Proper host configuration and administration • Having a heterogeneous environment with various types of hardware and operating systems. • Solution for Case 3 • Use cryptographic techniques
Control of Resource(1/3) • The attacker and the critical applications compete over system resources • Use of redundancy • Monitoring • Adaptation
Control of Resource(2/3) • Use of redundancy • Replicate every essential part of the application and place the replicas in different domains. • The replicas must be coordinated to ensure that, as a group, they will not be corrupted when the attacker succeeds in corrupting some of them.
Control of Resource(3/3) • Monitoring • QoS • Self-checking • whether the application continues to satisfy invariants specified by its developers.
Use of Defensive Adaptation in Application’s Survival(1/4) • A classification of defensive adaptations • Dimension 1: The level of system architecture at which these adaptations work. • Dimension 2: How aggressively the attack can be countered.
Use of Defensive Adaptation in Application’s Survival(3/4) • The importance of the capability to change between various modes and the associated trade-offs. • Defensive adaptation is mostly reactive. • Defensive adaptation could be pro-active.
Use of Defensive Adaptation in Application’s Survival(4/4) • Make these adaptive responses unpredictable. • some uncertainty needs to be injected. • Separate the design of the functional (or business) aspects of the application from the design of defensive adaptation. • Put the latter into middleware. • reusable for many different applications.
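As an added illustration (not code from the paper or the APOD project), the Python below models the three ingredients the "Control of Resource" and "Defensive Adaptation" slides describe: replicas placed in distinct, non-overlapping security domains and coordinated by majority vote, a developer-specified self-check invariant, and a reactive adaptation that relocates a suspect replica into a randomly chosen spare domain so the response is unpredictable. The domain names, the doubling computation and the invariant are hypothetical.

```python
import random
from collections import Counter
from dataclasses import dataclass, field

@dataclass
class Replica:
    domain: str            # security domain hosting this replica (hypothetical names)
    corrupted: bool = False  # True once an attacker holds privilege in that domain

    def compute(self, x: int) -> int:
        # Application function (hypothetical): doubling. A replica whose domain the
        # attacker controls returns whatever the attacker wants; here a wrong value.
        return -x if self.corrupted else 2 * x

@dataclass
class DefenseEnabledApp:
    replicas: list                       # one replica per domain; domains never overlap
    spare_domains: list                  # uncorrupted domains available for relocation
    rng: random.Random = field(default_factory=lambda: random.Random(7))
    events: list = field(default_factory=list)   # record of adaptations taken

    @staticmethod
    def invariant_ok(x: int, y: int) -> bool:
        # Developer-specified self-check (hypothetical): doubling never shrinks the input.
        return y >= x

    def request(self, x: int) -> int:
        answers = {r.domain: r.compute(x) for r in self.replicas}
        # Coordination: the group answer is the majority of the replicas' answers, so the
        # attacker must corrupt a majority of domains to corrupt the application.
        value, votes = Counter(answers.values()).most_common(1)[0]
        if votes <= len(self.replicas) // 2:
            raise RuntimeError("no majority: too many domains corrupted")
        # Monitoring: a replica that disagrees with the group or violates the invariant
        # is treated as corrupt and triggers a defensive adaptation.
        for r in list(self.replicas):
            if answers[r.domain] != value or not self.invariant_ok(x, answers[r.domain]):
                self.relocate(r)
        return value

    def relocate(self, r: Replica) -> None:
        # Reactive adaptation: abandon the suspect domain and restart the replica in a
        # spare domain chosen at random, injecting uncertainty into the response.
        if not self.spare_domains:
            self.events.append(f"{r.domain}: suspect, no spare domain left")
            return
        new = self.spare_domains.pop(self.rng.randrange(len(self.spare_domains)))
        self.events.append(f"{r.domain} -> {new}")
        self.replicas.remove(r)
        self.replicas.append(Replica(new))

def demo():
    app = DefenseEnabledApp([Replica("dA"), Replica("dB"), Replica("dC")], ["dD", "dE"])
    app.replicas[1].corrupted = True   # constructed scenario: attacker took over domain dB
    first = app.request(21)            # majority masks dB's answer; dB's replica is moved
    second = app.request(5)            # the regrouped replicas agree again
    return first, second, sorted(r.domain for r in app.replicas), app.events
```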
Issues and Limitations • The reliance on crypto systems. • It is not simple to combine multiple mechanisms in a defense strategy. • Selection of appropriate mechanisms, and analysis and resolution of potential conflicts, have to be done manually by an expert. • Relies on the fact that attacks proceed sequentially.
Related Work • MAFTIA • An ESPRIT project developing an open architecture for transactional operations on the Internet. • The “Survivability Architectures” project • Aims to separate survivability requirements from an application’s functional requirements. • The “An Aspect-Oriented Security Assurance Solution” project • Implements security-related code transformations on an application program.
Conclusion • We are implementing technology for defense enabling under the DARPA project titled “Applications that Participate in their Own Defense” (APOD). • Defense enabling can increase an application’s resistance to malicious attack. • Greater survivability for the application on its own and an increased chance for system administrators to detect and thwart the attack before it succeeds.