Dependable Intrusion Tolerance
March 2002
Magnus Almgren, Alfonso Valdes
SRI International
Acknowledgements
Research sponsored under DARPA Contract N66001-00-C-8058. Views presented are those of the authors and do not represent the views of DARPA or the Space and Naval Warfare Systems Center.
Outline
  Background
  System Components
  The Single Proxy Example
  Validation
  Performance
  Stopping Code Red
  Future Work
Background
Intrusion Tolerant Server
  Redundancy & Diversity
  Hardened Proxy: StackGuard, Online Verifiers, Small Code Base
  HIDS/NIDS/app-IDS: EMERALD/Snort
System Components
Application Servers: Solaris, Win2k, RedHat, FreeBSD
IDS Proxy: RedHat-6.2, our own code base
Testbed (from the figure):
  MS Win2k, IIS
  Solaris 8 (Sparc5), Apache, with eXpert-BSM host IDS
  RedHat 7.1, iPlanet
  FreeBSD 4.2, Apache
  App-IDS: eXpert-Net, eBayes-TCP, eBayes-Blue, Snort
  Proxy: RedHat 6.2, with eAggregator and C-R (challenge-response)
Proxy in Detail
Proxy Server components (from the figure): e-Aggregator, Challenge Response, Repair Manager, Regime Manager, Alert Manager
Policy/Regime levels: 1,1  2,2  3,3  4,4  4,3
Simple Example
Proxy Server components (same figure as Proxy in Detail): e-Aggregator, Challenge Response, Repair Manager, Regime Manager, Alert Manager
Policy/Regime levels: 1,1  2,2  3,3  4,4  4,3
Sequence shown across the slide build:
  reconnaissance
  web attack
  web answer
  Policy/Regime response: Block client, Block URI
Plans for Validation
Performance: preliminary results
Resistance to attacks:
  Compile a list of existing Web exploits
  Run these against the system
  Problem: a very new attack, which we might not have thought about
  Assembly of Complementary Mechanisms
  Red Teaming?
Performance Measurement
1) Round-trip time measured through the proxy, Regimes 1 to 4
2) Round-trip time measured directly for each application server
Requesting index.html with all included images and measuring the round-trip time.
About 34 kb in 9 requests.
[Figure: Round-trip time / ms (0 to 800) vs Regime (# of servers asked), 1 to 4; series: bobcat, cheetah, hunter, tiger, proxy; 10 simultaneous clients]
[Figure: Response vs Number of Clients: Round-trip time / ms (0 to 1000) vs Number of Simultaneous Clients (0 to 20); series: Average, Median]
Outline
  General principles
  Architecture overview
  Proxy functionality
  Stopping Code Red
  Summary
Stopping Code Red (and NIMDA)
Figure elements: Proxy Bank, IDS Appliance, IIS
1. 3/4 of Code Red attempts miss the IIS server
2. IDS detects attempt. System invokes agreement mode
3. In case of a successful infection, corrupt content is detected and reinfection attempts are blocked
4. Clients get valid content while compromised server is rebuilt
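The Simple Example and the Code Red slide above describe one mechanism from two angles: a regime manager decides how many diverse servers the proxy queries and how many must agree, alerts step the regime up, a server whose reply is outvoted goes to the repair manager, and the policy can block a client or a URI. The toy model below, added here and not SRI's code, walks the four Code Red steps on a constructed four-server farm. The regime table (reading the slide labels 1,1 through 4,3 as servers queried / matching replies required), the server names, the addresses and the page content are all assumptions.

```python
"""Toy model of the intrusion-tolerant proxy from the slides: regime manager,
alert path, repair path and block-client/block-URI response.  Added
illustration, not SRI's code; farm, regime table and content are constructed."""
from collections import Counter
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Slide labels "1,1 2,2 3,3 4,4 4,3" read as (servers queried, matching
# replies required).  That reading of the figure is an assumption.
REGIMES: List[Tuple[int, int]] = [(1, 1), (2, 2), (3, 3), (4, 4), (4, 3)]


@dataclass
class Backend:
    name: str
    platform: str              # used only to model a platform-specific worm
    content: Dict[str, bytes]  # uri -> body, constructed sample content
    in_rotation: bool = True


@dataclass
class Proxy:
    backends: List[Backend]
    regime: int = 0
    blocked_clients: set = field(default_factory=set)
    blocked_uris: set = field(default_factory=set)
    repair_queue: List[str] = field(default_factory=list)
    rr: int = 0                # round-robin cursor used in low regimes

    def on_alert(self, steps: int = 1) -> int:
        """Alert Manager to Regime Manager: step the policy up, never down."""
        self.regime = min(self.regime + steps, len(REGIMES) - 1)
        return self.regime

    def block(self, client: Optional[str] = None, uri: Optional[str] = None) -> None:
        if client:
            self.blocked_clients.add(client)
        if uri:
            self.blocked_uris.add(uri)

    def pick(self, n: int) -> List[Backend]:
        """Choose n in-rotation servers, rotating the start point each call."""
        live = [b for b in self.backends if b.in_rotation]
        if n >= len(live):
            return live
        start = self.rr % len(live)
        self.rr += 1
        return (live + live)[start:start + n]

    def serve(self, client: str, uri: str) -> Tuple[str, Optional[bytes]]:
        """Return (status, body); status is blocked, agreed or no-agreement."""
        if client in self.blocked_clients or uri in self.blocked_uris:
            return "blocked", None
        asked, needed = REGIMES[self.regime]
        replies = [(b, b.content.get(uri, b"404")) for b in self.pick(asked)]
        if not replies:
            return "no-agreement", None
        body, votes = Counter(r for _, r in replies).most_common(1)[0]
        if votes >= needed:
            # e-Aggregator: a server disagreeing with the agreed body is
            # treated as corrupt and handed to the Repair Manager
            for b, reply in replies:
                if reply != body and b.in_rotation:
                    b.in_rotation = False
                    self.repair_queue.append(b.name)
            return "agreed", body
        self.on_alert()  # failure to agree is itself a symptom
        return "no-agreement", None


def miss_fraction(backends: List[Backend], vulnerable_platform: str) -> float:
    """Share of single-server dispatches that land on a server the exploit
    cannot affect: the diversity argument behind '3/4 of attempts miss IIS'."""
    live = [b for b in backends if b.in_rotation]
    return sum(b.platform != vulnerable_platform for b in live) / len(live)


def sample_farm() -> Proxy:
    page = {"/index.html": b"<html>ok</html>"}          # constructed content
    return Proxy([Backend("iis", "IIS/Win2k", dict(page)),
                  Backend("apache-sol", "Apache/Solaris", dict(page)),
                  Backend("iplanet", "iPlanet/RedHat", dict(page)),
                  Backend("apache-bsd", "Apache/FreeBSD", dict(page))])


def code_red_scenario() -> dict:
    """Walk the four steps of the 'Stopping Code Red' slide on the toy model."""
    proxy = sample_farm()
    miss = miss_fraction(proxy.backends, "IIS/Win2k")          # step 1
    proxy.on_alert(steps=4)                                      # step 2: agreement mode (4,3)
    proxy.block(client="203.0.113.7")                           # constructed attacker address
    proxy.backends[0].content["/index.html"] = b"<html>defaced</html>"  # step 3
    status, body = proxy.serve("198.51.100.9", "/index.html")   # step 4: outvoted, IIS pulled
    return {"miss": miss, "status": status, "body": body,
            "repair": list(proxy.repair_queue),
            "attacker": proxy.serve("203.0.113.7", "/index.html")[0]}
```

Running `code_red_scenario()` shows the diversity figure (0.75 of single-server dispatches miss the IIS box), the defaced reply being outvoted 3 to 1 under regime 4,3 so the client still receives the agreed body, the IIS server landing in the repair queue, and the blocked client getting nothing. The round-robin cursor matters in low regimes: under 2,2 a single corrupt server produces a no-agreement result, which the model treats as an alert and escalates.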
Dependable Intrusion Tolerance
Intrusion Detection to Date:
  Seeks to detect an arbitrary number of attacks in progress
  Relies on signature analysis and probabilistic (including Bayes) techniques
  Response components immature
  No concept of intrusion tolerance
New Emphasis:
  Detection, damage assessment, and recovery
  Finite number of attacks or deviations from expected system behavior
  Seek a synthesis of intrusion detection, unsupervised learning, and proof-based methods for the detection aspect
  Concepts from fault tolerance are adapted to ensure delivery of service (possibly degraded)
Summary
Developing an adaptable intrusion tolerant server architecture
General Principles: hardened proxy, redundant capability with diverse implementation, adaptive response
A variety of IDS, symptom detectors, and on-line verifiers provide situational awareness
Stepped policy response enforces content agreement in suspicious situations
Future directions
  Refine Alert Manager
  Multiple proxies
  Validate with existing exploits
  Dynamic content