Tolerating Intrusions Through Secure System Reconfiguration
Dennis Heimbigner and Alexander Wolf, University of Colorado at Boulder
John Knight, University of Virginia
Prem Devanbu, Michael Gertz, and Karl Levitt, University of California at Davis
Project Overview
Figure (project overview) labels: Distributed Active Management & Control (before/during/after); Attacks; Intrusion Tolerance Mechanism; Critical System; Secure System Configuration/Reconfiguration.
Solution Requirements
– Timely
– Assured
– Mediated
– Automated

Driving Principles
– Bend, don't break
– Proactive and reactive
– Specification/model-based
– Dynamic tolerance evolution

Critical Systems
– Families
– Distributed
– Networked
– Componentized

Specifications
– Configurability specifications
– Privilege specifications
– Survivability specifications
Posturing
Figure (posturing) labels: Anticipated Attacks; Intelligence Information; Vulnerability Analysis; Operational Experience; Analysis; Postures (Attacked, Threatened, Over hardened); Secure System Configuration/Reconfiguration.
No requirement to mask faults
Survivability Architecture (Logical View)
Figure (logical view) labels: Reactive Active Control (during attack); Proactive Active Management (before and after attack); New Postures; Commands; Operator; Administrator; Intelligence; Analysis; Development; Trust boundary.
Survivability Architecture (Physical View)
Figure (physical view) components: Field Reconfiguration Controller (Mediator + Authority); Configured Components; Activated System; Event Service; Coordination Service; Depot (Models, Agents, Components); CIDF; Mediator.
Legend: Reconfiguration control and/or data channel; Event channel; Application control and/or data channel; Component activation; Component deactivation; Standard reconfiguration interface.
Integrated Technology Strategy
– Application reconfiguration for survivability
  – RAPTOR modeling system
  – Survivability specification
– Agent-based software configuration and deployment
  – Software Dock software deployment system
  – Siena wide-area event notification service
– Agent and information security
  – Secure, flexible information access
  – Trusted code on untrustworthy platforms
RAPTOR Modeling System
– Arbitrary network topologies
– Large model support
– Demonstration: FedWire payment system
  – 10 000 banks
  – Terrorist bombs
  – Coordinated attacks
– Windows 2000 platform
– Available for download soon
Figure (RAPTOR) labels: Vulnerabilities; Network Topology; Node Semantics; Symptoms; Network Model; Visualization; Run-time input; Model specification.
Software Dock
Figure (Software Dock) labels: life-cycle operations Release, Retire, Install, Update, Reconfig, Adapt, Activate, Deactivate, Remove; Development; Producer-side (Release Dock); Consumer-side (Field Dock); Event Service; Agents.
– Field docks represent the consumer and provide an interface to the consumer site
– Wide-area event service provides connectivity
– Agents provide deployment process functionality
– Release docks represent the producer and are a repository of configurable releases
– Automated wide-area software deployment
– Declarative family configurability
– Comprehensive life cycle coverage
Secure, Flexible Information Access
Figure (information access) labels: Publisher 1 … Publisher n; Owner 1 … Owner n; Agent; Mediator; Authority. Legend: Trusted; Untrusted; Sometimes trusted.
– Mediators provide to agents information obtained from model owners via publishers
– Two complementary forms of security:
  – Publishers answer queries from mediators, and are untrusted, online, and distinct from owners; they use no secret keys
  – Authorities, under administrative control, can certify and revoke owner keys and privileges
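Added illustration of the two security forms above (not code from the project): an authority certifies and revokes owner keys, an untrusted publisher stores and serves owner-signed models while holding no secret key, and a mediator checks certificate, revocation status and signature before releasing data to an agent. The type and function names, the choice of Ed25519, and the in-memory revocation list are assumptions made for this example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// SignedModel is what an owner hands to a publisher: the model data, the owner's public
// key with the authority's signature over it (the certificate), and the owner's signature.
type SignedModel struct {
	Data, Sig         []byte
	OwnerPub, AuthSig []byte
}

// Authority is under administrative control: it certifies and revokes owner keys.
type Authority struct {
	Pub     ed25519.PublicKey
	priv    ed25519.PrivateKey
	revoked map[string]bool // keyed by the raw owner public key bytes (assumed design)
}
func NewAuthority() *Authority {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	return &Authority{Pub: pub, priv: priv, revoked: map[string]bool{}}
}
func (a *Authority) Certify(owner ed25519.PublicKey) []byte { return ed25519.Sign(a.priv, owner) }
func (a *Authority) Revoke(owner ed25519.PublicKey)         { a.revoked[string(owner)] = true }
func (a *Authority) IsRevoked(owner ed25519.PublicKey) bool { return a.revoked[string(owner)] }

// Publisher is untrusted and online: it stores and serves models but holds no secret keys,
// so a compromised publisher can at most tamper or withhold, which the mediator detects.
type Publisher struct{ Store map[string]SignedModel }
func (p *Publisher) Publish(name string, m SignedModel)    { p.Store[name] = m }
func (p *Publisher) Query(name string) (SignedModel, bool) { m, ok := p.Store[name]; return m, ok }

// Mediate fetches a model for an agent and releases it only if the owner key is certified
// by the authority, not revoked, and actually signed the data the publisher returned.
func Mediate(a *Authority, p *Publisher, name string) ([]byte, error) {
	m, ok := p.Query(name)
	switch {
	case !ok:
		return nil, errors.New("publisher has no such model")
	case !ed25519.Verify(a.Pub, m.OwnerPub, m.AuthSig):
		return nil, errors.New("owner key not certified by authority")
	case a.IsRevoked(m.OwnerPub):
		return nil, errors.New("owner key revoked")
	case !ed25519.Verify(m.OwnerPub, m.Data, m.Sig):
		return nil, errors.New("owner signature does not match data")
	}
	return m.Data, nil
}
```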
Evaluation
– Continuous assessment
  – Increasingly sophisticated models
  – Increasingly capable prototypes
– Scenario-based approach
  – Increasingly complex attacks
  – Informed by interaction with domain experts
    » banking and finance, power, transportation
    » security threats and vulnerabilities
– Symptom and vulnerability injection
– Metrics: speed, precision, and availability