1 / 54

Arun Sood Task Technologies Ltd {Professor & Chair, CS, GMU}

Self Cleansing Intrusion Tolerance ( SCIT) for Computing and Communications Critical Infrastructure Protection. Arun Sood Task Technologies Ltd {Professor & Chair, CS, GMU} Work done with Yih Huang, Asst Prof, CS, GMU Patent applied for by GMU. Overview. Context of the problem

Download Presentation

Arun Sood Task Technologies Ltd {Professor & Chair, CS, GMU}

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript


  1. Self Cleansing Intrusion Tolerance (SCIT) for Computing and Communications Critical Infrastructure Protection Arun Sood Task Technologies Ltd {Professor & Chair, CS, GMU} Work done with Yih Huang, Asst Prof, CS, GMU Patent applied for by GMU SCIT for Computing and Comm Critical Infrastructure Protection

  2. Overview • Context of the problem • Intrusion Tolerance – systems view • Self Cleansing Intrusion Tolerance (SCIT) • Reduced vulnerability through diversity • Demos / Prototypes • SCITizable servers • Conclusions SCIT for Computing and Comm Critical Infrastructure Protection

  3. Typical Approach for System Security • Perimeter defense • Firewalls • Intrusion detection systems • Layered defense • Network layer • Processor based • Overall strategy • Protect, Detect, React cycle SCIT for Computing and Comm Critical Infrastructure Protection

  4. Firewall IDS Firewall Firewall IDS P1 P3 P4 P2 IDS Firewall IDS System Security External Network Firewall IDS SCIT for Computing and Comm Critical Infrastructure Protection

  5. Firewalls • Firewalls • Network Address Translation • Packet filtering: filter out unwelcome traffics • Stateful monitoring of connections • Limited functionality • Problems • Firewalls can be hacked • Port settings can be changed • Firewalls can participate in Denial of Service attacks SCIT for Computing and Comm Critical Infrastructure Protection

  6. IDS • Intrusion Detection Systems • Usually adopt Perceive, Plan, and Act (PPA) cycle • Multiple levels of resolution • Iterative application • Signature matching • Anomaly detection/misuse detection • False alarms usually overwhelm the system (not solved yet) • Fusion algorithms • Better at false alarms • Multiple points of monitoring • Not trivial what to fuse SCIT for Computing and Comm Critical Infrastructure Protection

  7. IDS – Problems • Trade-off between probability of detection and false alarms • Typically false alarm rates are too high • The hardware / software costs are manageable • Monitoring of the IDS is labor intensive and can be very expensive • Unaffordable by small users • Doctors office vs hospitals • Weakest link determines overall security • Underlying assumption – all intrusions can be detected SCIT for Computing and Comm Critical Infrastructure Protection

  8. IDS Problems (Continued) • Eternal race with hackers • Software has to be constantly updated to catch up with new hacking techniques • Do we know all hacking techniques? • “There are unknown unknowns”, Donald Rumsfeld SCIT for Computing and Comm Critical Infrastructure Protection

  9. Overview • Context of the problem • Intrusion Tolerance – systems view • Self Cleansing Intrusion Tolerance (SCIT) • Reduced vulnerability through diversity • Demos / Prototypes • SCITizable servers • Conclusions SCIT for Computing and Comm Critical Infrastructure Protection

  10. Intrusion Tolerance - Our Approach • Add an additional layer of defense • Focus on protecting the computing resources • Underlying concepts • Zero trust • Systems view • Loss curve • Hacking takes time • SCIT: Self-Cleansing Intrusion Tolerance SCIT for Computing and Comm Critical Infrastructure Protection

  11. Pessimistic Assumptions – Zero Trust • There will be unknown types of attacks. • There will be attacks beneath the radar of intrusion detection systems. • What could be done about unknown and/or undetected attacks? • One issue: we are protecting against external intruders, what about internal threats? Zero trust has two faces. SCIT for Computing and Comm Critical Infrastructure Protection

  12. In Short • We merely acknowledge a fact of life • You can never be certain. • Examples • The intranet passwords of many multinationals were learned by purchasing second-hand hard drives on ebay. • Social engineering targets humans, not machines. SCIT for Computing and Comm Critical Infrastructure Protection

  13. Systems Motivation • High Availability, Fault Tolerance, Reliable Systems • Based on improving system performance • Rely on redundancy • Reliability formulated with time as an important parameter – MTTF, MTTR • Can we use redundancy to improve system security? SCIT for Computing and Comm Critical Infrastructure Protection

  14. Relationship with High-Availability (HA) Computing • With HA, a backup is always ready to replace a failed primary server. • Many mature HA products available for a wide range of network servers. • Implications: Industrial strength solutions are readily available for server switchovers SCIT for Computing and Comm Critical Infrastructure Protection

  15. HA and SCIT • HA systems are SCIT ready. • Just deliberately introduce “failures” to force switching • Indeed, our prototypes borrow many ideas/codes from HA. SCIT for Computing and Comm Critical Infrastructure Protection

  16. Intrusion Containment Loss (Dollars, Information) High loss threshold Low loss threshold Intruder Residence Time SCIT for Computing and Comm Critical Infrastructure Protection

  17. Steps in a typical crime Planning (meeting) Purchases ($) Formulate orders Give orders Avoid detection (survival planning) Training / education Reconnaissance Surveillance Practice Implement Crime steps {Kim Rossmo, Prof of Criminology, Texas State Univ.} SCIT for Computing and Comm Critical Infrastructure Protection

  18. BEGINNERS "STEP BY STEP" SECURITY GUIDE, v0.1.32 – June 1998 • Hacking into a Computer System • Two main approaches • Authenticate • Exploit a weakness • Hide: avoid trace back • Information gathering (traceroute, whois, finger) • Port scan (determine services being run: ftp{21}, telnet{23}, etc) • Find server type • Login with root privileges • www.cyberarmy.com/tute/ SCIT for Computing and Comm Critical Infrastructure Protection

  19. What does this mean? • Hacking into a server takes time • Time has been reduced because of tools • Hackers’ task is more complex if the hacker is not familiar with the server software • SCIT objective is to make the hackers task more difficult SCIT for Computing and Comm Critical Infrastructure Protection

  20. Overview • Context of the problem • Intrusion Tolerance – systems view • Self Cleansing Intrusion Tolerance (SCIT) • Reduced vulnerability through diversity • Demos / Prototypes • SCITizable servers • Conclusions SCIT for Computing and Comm Critical Infrastructure Protection

  21. SCIT: Self-Cleansing Intrusion Tolerance • After a system has communicated with the outside world, it is assumed comprised. • Our pessimistic assumption • It is brought off-line for integrity checking and system cleansing. • A backup takes over. • The newly cleansed system becomes the backup. • The process repeats itself. SCIT for Computing and Comm Critical Infrastructure Protection

  22. SCIT supplements IDS, Firewall • SCIT does not replace existing intrusion defenses. • Rather, it adds another line of defense. • The stronger the existing defenses, • the longer the low loss threshold, • the more effective the SCIT system. SCIT for Computing and Comm Critical Infrastructure Protection

  23. SCIT works with Data Security • Integrity of system and critical data are traditionally protected by • Encryption • Digital signatures • System auditing • These mechanisms can be integrated with self-cleansing cycles. • Our prototype shows that the integration strengthens both. SCIT for Computing and Comm Critical Infrastructure Protection

  24. Overview • Context of the problem • Intrusion Tolerance – systems view • Self Cleansing Intrusion Tolerance (SCIT) • Reduced vulnerability through diversity • Demos / Prototypes • SCITizable servers • Conclusions SCIT for Computing and Comm Critical Infrastructure Protection

  25. Diversity Reduces Vulnerability • In recent cyber attacks, ISPs using multiple platforms/OSes were far more resilient than others • Diversity increases hackers’ time to “conquer” • Additional management overhead is justified by increase in security • Some applications will work under multiple servers • Java • Apache, Tomcat • Virtual machines • Multiple OS on the same platform • VMware • More complex environments increase difficulty of conquering the target server SCIT for Computing and Comm Critical Infrastructure Protection

  26. Strategies for Increased Diversity Tomcat Tomcat Linux Windows VM ware Linux Intel hardware SCIT for Computing and Comm Critical Infrastructure Protection

  27. Diversity and SCIT • SCIT approach works perfectly with diversity. • Different servers use different platforms, OSes, vendors, and configurations. • Many services are supported by more than one platforms/vendors: Java, Apache, Tomcat • Switching among more than 2 servers • 1-out-of-N in cleansing: maximize throughput • 1-out-of-N in service: maximize security • M-out-of-N allows tradeoffs • Enclaves: server within servers SCIT for Computing and Comm Critical Infrastructure Protection

  28. Diversify Platforms SCIT Web Server Apache on top of Linux Server Microsoft IIS on top of Windows Server SCIT for Computing and Comm Critical Infrastructure Protection

  29. 1-out-of-N in Self-Cleansing Cleansing Serving Serving • Work load sharing among multiple working servers • High performance • Cost effective yet secured thru cleansing SCIT for Computing and Comm Critical Infrastructure Protection

  30. 1-out-of-N in Service Serving Cleansing Cleansing • Shortest hacking time windows • A hacker stays on one server for only seconds • Highest security but expensive SCIT for Computing and Comm Critical Infrastructure Protection

  31. Enclaves • Both the industry and academics have studied server enclaves: • Virtual machine • User-mode Linux • Root jails and its variants • Basic Idea is to have the service running • Inside a virtual environment • On top of a physical platform SCIT for Computing and Comm Critical Infrastructure Protection

  32. Enclaves IIS Apache Windows Linux Linux Server Windows Server SCIT for Computing and Comm Critical Infrastructure Protection

  33. Software-Level Cleansing • Kill the current server application and relaunch it. • Can use different vendor’s implementations in different “incarnations.” Apache IIS Apache IIS SCIT for Computing and Comm Critical Infrastructure Protection

  34. Multilevel SCIT • Software-level SCIT supports higher switching - cleaning rate • Hardware-level SCIT supports lower switching - cleaning rate SCIT for Computing and Comm Critical Infrastructure Protection

  35. Endless Possibilities • These approaches produce endless combinations. • When switching from one configuration to another, it is as if the system morphs. • The result is a most hostile environment for hackers. SCIT for Computing and Comm Critical Infrastructure Protection

  36. Results of diversity • Adds a level of confusion for the hacker • Increases the time for the defender to act • Increases the fixed cost • Hardware • Software • Labor • Diversity may reduce operating costs SCIT for Computing and Comm Critical Infrastructure Protection

  37. Universal SCIT Solutions ? • Having all those platforms working together is not trivial. • We do not expect universal solutions. • Rather, we focus on tailored solutions for critical networking components: • Firewalls, web servers, file servers, DNS, security gateways (IPsec), … • Each component a research challenge of its own SCIT for Computing and Comm Critical Infrastructure Protection

  38. Overview • Context of the problem • Intrusion Tolerance – systems view • Self Cleansing Intrusion Tolerance (SCIT) • Reduced vulnerability through diversity • Demos / Prototypes • SCITizable servers • Conclusions SCIT for Computing and Comm Critical Infrastructure Protection

  39. SCIT Demos: We have built … • SCIT Firewalls • Rebooting to self-cleanse • Entirely “stateless” • SCIT Web Servers • Rebooting to self-cleanse • Digital signals for integrity checking • Do not abandon customers on switching SCIT for Computing and Comm Critical Infrastructure Protection

  40. SCIT Firewall SCIT Firewall SCIT Firewall f-box 1 f-box 1 Inbound traffic Inbound traffic f-box 2 f-box 2 (a) f-box 1 in operation (b) f-box 2 in operation SCIT for Computing and Comm Critical Infrastructure Protection

  41. Discussion: Firewall • Negligible impact on client’s performance. • Self-cleansing cycle is 90 seconds. • Potential to reduce time • Shared SCIT strategies • Occasional packet losses are observed in transition periods. • In current prototype rebooting is the system cleansing mechanism. SCIT for Computing and Comm Critical Infrastructure Protection

  42. Web Defacing Attacks • Subvert the contents of a web site • Potential consequence • Denial of services • Stepping stones to even more critical systems SCIT for Computing and Comm Critical Infrastructure Protection

  43. SCIT Web Server W-box 1 W-box 1 W-box 2 W-box 2 (a) W-box 1 in operation (b) W-box 2 in operation SCIT for Computing and Comm Critical Infrastructure Protection

  44. Challenges • Should not abandon customers when a server box goes down. • New customers must be directed to the new server box. • Similar challenges present in many other servers. SCIT for Computing and Comm Critical Infrastructure Protection

  45. Component Technologies • Use the ? (VRRP) protocol (RFC 2338) to share the server IP address • Digital signatures generated by tripwire for integrity checking • Signature keys recreated upon each rebooting • Protecting static HTML pages and systems files by signing respective directories. SCIT for Computing and Comm Critical Infrastructure Protection

  46. Testbed SCIT for Computing and Comm Critical Infrastructure Protection

  47. Life Cycle • Check signature integrity, using previous keys. • Generate new keys and re-sign web pages with new keys. • Claim server IP address by VRRP. • Probe the other box, until a response is received. • Reboot and return to step 1. SCIT for Computing and Comm Critical Infrastructure Protection

  48. Prototype in Operation Server booting, validating signatures Active: Monitoring Other server NFS server SCIT for Computing and Comm Critical Infrastructure Protection

  49. Performance • Rebooting cycles are around 7 minutes. • To evade signature checking, the hacker has to break a set of keys every cycle – almost impossible • Dependent on the hardware • Handles 100 to 105 calls per second • On average, 1.833 calls lost per server switching SCIT for Computing and Comm Critical Infrastructure Protection

  50. Discussion: Web server • Rebooting cycles are around 5 minutes. • Depends on processor speed • Signature checking detects compromised data. • To evade signature checking, the hacker has to break a set of keys every cycle – challenging problem for hacker SCIT for Computing and Comm Critical Infrastructure Protection

More Related