Tolerating Intrusions Through Secure System Reconfiguration, Dennis Heimbigner and Alexander Wolf...

Post on 18-Jan-2018


Page 1

Tolerating Intrusions Through Secure System Reconfiguration

Dennis Heimbigner and Alexander Wolf
University of Colorado at Boulder

John Knight
University of Virginia

Prem Devanbu, Michael Gertz, and Karl Levitt
University of California at Davis

Page 2

Project Overview

[Figure labels: Attacks; Intrusion Tolerance Mechanism; Distributed Active Management & Control (before/during/after); Critical System; Secure System Configuration/Reconfiguration; Configurability Specifications; Privilege Specifications; Survivability Specifications]

Solution Requirements
– Timely
– Assured
– Mediated
– Automated

Driving Principles
– Bend, don’t break
– Proactive and reactive
– Specification/model-based
– Dynamic tolerance evolution

Critical Systems
– Families
– Distributed
– Networked
– Componentized

Page 3

Posturing

[Figure labels: Anticipated Attacks; Intelligence Information; Vulnerability Analysis; Operational Experience; Analysis; Posture; Attacked; Threatened; Over hardened; Secure System Configuration/Reconfiguration]

No requirement to mask faults

Page 4

Survivability Architecture (Logical View)

[Figure labels: Reactive; Active Control; Proactive; Active Management; New Postures; Commands; Operator; Administrator; Intelligence; Analysis; Development; Trust boundary; During Attack; Before and After Attack]

Page 5

Survivability Architecture (Physical View)

[Figure labels: Field Reconfiguration Controller; Mediator + Authority; Mediator; Configured Components; Activated System; Event Service; Coordination Service; Depot; CIDF; Models; Agents; Components]

[Figure legend: Reconfiguration control and/or data channel; Event channel; Application control and/or data channel; Component activation; Component deactivation; Standard reconfiguration interface]

Page 6

Integrated Technology Strategy

Application reconfiguration for survivability
– RAPTOR modeling system
– Survivability specification

Agent-based software configuration and deployment
– Software Dock software deployment system
– Siena wide-area event notification service

Agent and information security
– Secure, flexible information access
– Trusted code on untrustworthy platforms

Page 7

RAPTOR Modeling System

Arbitrary network topologies

Large model support

Demonstration:
– FedWire payment system
– 10 000 banks
– Terrorist bombs
– Coordinated attacks

Windows 2000 platform

Available for download soon

[Figure labels: Vulnerabilities; Network Topology; Node Semantics; Symptoms; Network Model; Visualization; Run-time input; Model specification]

Page 8

Software Dock

[Figure labels: Development; Producer-side; Consumer-side; Event Service; Release Dock; Field Dock; Agent. Life cycle activities: Release; Retire; Install; Update; Reconfig; Adapt; Activate; Remove; Deactivate]

Field docks represent the consumer and provide an interface to the consumer site

Wide-area event service provides connectivity

Agents provide deployment process functionality

Release docks represent the producer and are a repository of configurable releases

Automated wide-area software deployment

Declarative family configurability

Comprehensive life cycle coverage

Page 9

Secure, Flexible Information Access

[Figure labels: Publisher 1 ... Publisher n; Owner 1 ... Owner n; Agent; Mediator; Authority. Legend: Trusted; Untrusted; Sometimes trusted]

Mediators provide to agents information obtained from model owners via publishers

Two complementary forms of security:
– Publishers answer queries from mediators, and are untrusted, online, and distinct from owners; they use no secret keys
– Authorities, under administrative control, can certify and revoke owner keys and privileges
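
The slide states the property (untrusted, keyless publishers whose answers a mediator can still trust) but not a mechanism. As an added example that is not from the slides or the project, the sketch below uses a Merkle hash tree, one standard way to get that property. The record strings, function names, and the assumption that the mediator already holds a root digest vouched for by an authority-certified owner key are all illustrative.

```python
import hashlib

def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()

PAD = h(b"\x02")                               # filler digest for odd-sized levels

def leaf(record: str) -> bytes:
    return h(b"\x00" + record.encode())        # domain-separate leaves from nodes

def node(left: bytes, right: bytes) -> bytes:
    return h(b"\x01" + left + right)

def build_levels(records):
    """Owner side: hash tree over the records; the last level holds the root."""
    level = [leaf(r) for r in records]
    levels = [level]
    while len(level) > 1:
        if len(level) % 2:                     # pad so every digest has a sibling
            level = level + [PAD]
            levels[-1] = level
        level = [node(level[i], level[i + 1]) for i in range(0, len(level), 2)]
        levels.append(level)
    return levels

def publisher_answer(records, levels, index):
    """Publisher side: holds no keys, returns the record plus sibling digests."""
    path, i = [], index
    for level in levels[:-1]:
        sibling = i ^ 1
        path.append((level[sibling], sibling < i))   # (digest, sibling_is_left)
        i //= 2
    return records[index], path

def mediator_verify(record, path, trusted_root):
    """Mediator side: recompute the root from the answer and compare."""
    digest = leaf(record)
    for sibling, sibling_is_left in path:
        digest = node(sibling, digest) if sibling_is_left else node(digest, sibling)
    return digest == trusted_root

# Constructed sample model records (not from the slides).
RECORDS = ["node=bank-a;posture=threatened", "node=bank-b;posture=attacked",
           "node=bank-c;posture=over-hardened"]
LEVELS = build_levels(RECORDS)
ROOT = LEVELS[-1][0]   # assumed to reach the mediator under an authority-certified owner key
```

A publisher that alters a record, or returns a different record with a valid path for another position, produces a root that does not match, so the mediator rejects the answer without the publisher ever holding a key.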

Page 10

Evaluation

Continuous assessment
– Increasingly sophisticated models
– Increasingly capable prototypes

Scenario-based approach
– Increasingly complex attacks
– Informed by interaction with domain experts
  » banking and finance, power, transportation
  » security threats and vulnerabilities

Symptom and vulnerability injection

Metrics: speed, precision, and availability
