Dependable Intrusion Tolerance
March 2002
Magnus Almgren, Alfonso Valdes
SRI International

Acknowledgements
Research sponsored under DARPA Contract N66001-00-C-8058. Views presented are those of the authors and do not represent the views of DARPA or the Space and Naval Warfare Systems Center.
Outline
• Background
• System Components
• The Single Proxy
• Example
• Validation
• Performance
• Stopping Code Red
• Future Work
Background
• Intrusion Tolerant Server
• Redundancy & Diversity
• Hardened Proxy
  • StackGuard
  • Online Verifiers
  • Small Code Base
• HIDS/NIDS/app-IDS
  • EMERALD/Snort
System Components
• Application Servers
  • Solaris, Win2k, RedHat, FreeBSD
• IDS
• Proxy
  • RedHat-6.2
  • Our own code base
[Architecture diagram. Labels: RedHat 6.2 Proxy running eAggregator, C-R (challenge-response), eXpert-Net, eBayes-TCP, eBayes-Blue and Snort; application servers MS Win2k IIS, Solaris 8 (Sparc5) Apache with eXpert-BSM, RedHat 7.1 iPlanet, FreeBSD 4.2 Apache; App-IDS.]
Proxy in Detail
[Component diagram. Labels: e-Aggregator, RegimeManager, AlertManager, ChallengeResponse, Proxy Server, RepairManager; Policy/Regime table with entries 1,1 2,2 3,3 4,4 4,3.]
Simple Example
[Sequence of animated diagram slides over the same Proxy-in-Detail components (e-Aggregator, RegimeManager, AlertManager, ChallengeResponse, Proxy Server, RepairManager; Policy/Regime table 1,1 2,2 3,3 4,4 4,3). The slides step through: reconnaissance → web attack → web answer → response actions "Block client" and "Block URI".]
Plans for Validation
• Performance
  • Preliminary Results
• Resistance to attacks
  • Compile a list of existing Web exploits
  • Run these against system
  • Problem: A very new attack, which we might not have thought about
• Assembly of Complementary Mechanisms
• Red Teaming?
Performance Measurement
Asking for index.html with all included images and measuring round-trip time. About 34 kb in 9 requests.
[Plots: round-trip time measured through the proxy for Regimes 1 to 4; round-trip time measured directly for each application server; round-trip time with 10 simultaneous clients.]
Outline
• General principles
• Architecture overview
• Proxy functionality
• Stopping Code Red
• Summary
Stopping Code Red (and NIMDA)
[Diagram labels: Proxy, Bank, IDS Appliance, IIS]
1. 3/4 of Code Red attempts miss the IIS server (only one of the four diverse servers in the bank runs IIS)
2. IDS detects attempt. System invokes agreement mode
3. In case of a successful infection, corrupt content is detected and reinfection attempts are blocked
4. Clients get valid content while compromised server is rebuilt
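The agreement mode the slides step through (Proxy in Detail, Simple Example, Stopping Code Red), as an added simulation that is not the SRI proxy's own code: it assumes the Policy/Regime pairs mean (servers queried, identical responses required), and the level numbering, server names and page bodies are constructed. It shows why a single-server regime serves defaced content unnoticed while a majority regime serves the good copy and names the server to rebuild.

```python
import hashlib
from collections import Counter

# Constructed stand-ins for the four diverse application servers behind the
# proxy (names are ours). Each maps a URI to the body that server returns.
SERVERS = {
    "iis-win2k":    {"/index.html": b"<html>welcome</html>"},
    "apache-sol8":  {"/index.html": b"<html>welcome</html>"},
    "iplanet-rh71": {"/index.html": b"<html>welcome</html>"},
    "apache-fbsd":  {"/index.html": b"<html>welcome</html>"},
}

# Assumed reading of the slides' Policy/Regime table: each level is
# (servers queried, identical responses required). The level numbering is ours.
POLICY = {1: (1, 1), 2: (2, 2), 3: (3, 3), 4: (4, 4), 5: (4, 3)}

def fan_out(uri, level, servers=SERVERS):
    """Forward the request to the first n servers of the bank."""
    n, _ = POLICY[level]
    return {name: servers[name].get(uri, b"404 not found")
            for name in list(servers)[:n]}

def agree(responses, level):
    """Content agreement: return (body or None, servers whose copy disagreed).

    The body is served only if at least k queried servers returned byte-identical
    content; otherwise nothing is served and every queried server is suspect."""
    _, k = POLICY[level]
    digest = {name: hashlib.sha256(body).hexdigest() for name, body in responses.items()}
    top, count = Counter(digest.values()).most_common(1)[0]
    if count < k:
        return None, sorted(responses)
    body = next(b for name, b in responses.items() if digest[name] == top)
    suspects = sorted(name for name, d in digest.items() if d != top)
    return body, suspects

def escalate(level, alerts):
    """Stepped policy response: each IDS alert raises the regime, capped at the top level."""
    return min(level + alerts, max(POLICY))

def serve(uri, level, servers=SERVERS):
    """One proxy round: fan out, compare, hand back content plus servers to repair."""
    return agree(fan_out(uri, level, servers), level)
```

The suspects list is what a RepairManager would act on: take the disagreeing server out of the bank and rebuild it while the remaining copies keep serving.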
Dependable Intrusion Tolerance
Intrusion Detection to Date
• Seeks to detect an arbitrary number of attacks in progress
• Relies on signature analysis and probabilistic (including Bayes) techniques
• Response components immature
• No concept of intrusion tolerance
New Emphasis
• Detection, damage assessment, and recovery
• Finite number of attacks or deviations from expected system behavior
• Seek a synthesis of intrusion detection, unsupervised learning, and proof-based methods for the detection aspect
• Concepts from fault tolerance are adapted to ensure delivery of service (possibly degraded)
Summary
• Developing an adaptable intrusion tolerant server architecture
• General Principles:
  • Hardened proxy
  • Redundant capability with diverse implementation
  • Adaptive response
• A variety of IDS, symptom detectors, and on-line verifiers provide situational awareness
• Stepped policy response enforces content agreement in suspicious situations
Future directions
• Refine Alert Manager
• Multiple proxies
• Validate with existing exploits
• Dynamic content