University of California, San Diego, Computer Science and Engineering, Concurrent Systems Architecture Group
Agile Objects: Component-based Inherent Survivability
Andrew A. Chien
[email protected], UCSD
Jane Liu (UIUC) -> Riccardo Bettati (Texas A&M) http://www-csag.ucsd.edu/projects/agileO.html
AFRL F30602-9-1-0534
DARPA ISO Intrusion Tolerant Systems PI Meeting
Year 1 Progress Report, July 19, 2000
Andrew A. Chien – 7/20/2000
Outline
• Motivation and Goals
• Agile Objects
  » Location Elusiveness
  » Interface Elusiveness
• Status
• Plans
Background/Existing Practice
• Static Distributed Software Architectures (nearly)
  » Fixed points of access, deployment, resource dependence
• System/Firewall/Sandbox/Domain based Security
  » Resource and containment oriented
• Security Architecture based on Anticipated Deployment Structures
• => Flexibility and reconfiguration can enhance survivability
• Our Focus: Flexible Configuration of Distributed C3I Systems (Real-time, High Performance, Mission-Critical Online systems)
  » E.g. Aegis Battle Cruiser, Theatre Command/Information system, etc.
AO Focus: Tolerance and Response
• Resource loss due to compromise
  » Detected security breach, autonomic response, network partition
• Resources made undesirable due to changes in security status
  » Under attack, detected assaults, partially compromised, loss of other security critical information
  » Information about attack methods and systems targeted
  » Proactive reconfiguration in response to partial loss
Traditional Static Distributed System Design and Config
• Application design implicitly assumes the distribution and security environment, as well as specific resources (and types)
• Difficult to reconfigure, requalify
  » Complex schedulability analysis and resource matching
• DARPA ITO/Quorum techniques improve the situation, but require significant application involvement and management of the environment
• => High Performance RPC enables…
Distribution Independent Design
• Identical Application Design can be Deployed in Multiple Configurations
  » Identical design effort (same performance abstractions ensured by the middleware layer): rate-based real-time performance at component level
  » Identical performance experienced by users of the applications
  » Configurations can be chosen based on many criteria: survivability, load balance, hardware reliability, etc.
• => Online Migration and Flexible Replication enables…
[Figure: one application design shown in four deployments, Deployment #1 through Deployment #4]
Location Elusive Applications
• Extend distribution flexibility to runtime
  » Transparent online reconfiguration; functionality and performance invisible to distributed application and its users (Location Elusiveness)
• Respond to dynamic changes in runtime environment (failures, attack, security)
  » Without major additional design effort
  » Useful for commodity and legacy software
Flexible Security Reconfiguration
• Integrated security mechanisms with high performance RPC/distributed objects (Elusive Interfaces)
  » Exploit computer manipulable interfaces and data reorganization
• Adaptive security management for Agile, highly decentralized applications
  » Rapidly and continuously changing environment and configurations
[Figure: a "Nasty Virus Attack" met by an "Elevated Security Barrier" achieved through a change of protocol and a change of interface]
Technical Objectives
• Agile Objects enables Elusive Distributed Applications
• Location Elusiveness
  » Seamless boundary between Component and Distributed Object applications
  » Rate-based real-time framework allows distributed reconfiguration in performance transparent fashion
  » Replication supports fault tolerance, rapid reconfiguration, multi-version assurance and survivability
• Interface Elusiveness
  » Integrates security mechanisms with traditional object interface marshalling to achieve high performance
    – An adaptive security mechanism (there are many)
  » Adaptive security required with rapidly changing application configuration
    – => also rapidly changing surrounding resource and security environment
• Transparent automatic reconfiguration maintains performance and security properties
  » No major additional application programming effort
  » Can incorporate commodity software modules without major effort
• Respond to critical Assurance and Survivability events fast (<< seconds)
Assumptions and Scope
• What threats/attacks is your project addressing?
  » Any that lead to compromise of nodes, networks, services
  » esp. object/component interface based attacks
• What assumptions does your project make?
  » Only some resources are compromised; segregation possible
  » Some warning (could be noisy) => Low impact techniques to respond
• What policies can we enforce?
  » Application configuration <-> Level of compromise of resources
    – Reflect Infocon level or resource status *fast*
  » Many that drive reconfiguration, decouple reconfiguration from complex analysis and performance
Challenges
• Location Elusiveness: Support rapid application mobility with
  » Performance insensitivity
  » Uniform resource access
  » Continuous real-time performance
  » => make this real for significant distributed applications
• Interface Elusiveness: Adapt security mechanisms and configuration
  » Support *very* high speed networks
  » Characterize EI interface configuration spaces and develop innovative configuration mgmt and adaptation
  » Manage and enforce security requirements, adapting in real time to match rapid changes
Work Completed
Agile Objects Project Plan (two tracks)
• Location Elusiveness
  » High Performance RPC
  » Distrib. Insensitivity
  » Agile Object Migration (RT)
  » Name Service for Elusive Applications
  » Elusive Location Demonstration
  » Object Replication
• Interface Elusiveness
  » Analytical Foundations & Case Studies
  » Elusive Interface Prototype
  » Dynamic Mutation (online, reactive)
  » Elusive Interface System
  » Elusive Interface Demonstration
• Both tracks lead to the Agile Objects Application Demonstrations
Expected Major Achievements
• Location Elusiveness: Distribution insensitive distributed applications
  » High Performance RPC which enables flexible configuration
  » Online Migration and Replication
  » Real-time applications which reconfigure while maintaining performance guarantees
• Interface Elusiveness: Characterize space of interface mutation and dynamic coordination mechanisms
  » Crystallize a framework for adaptive interface mutation management (reconfiguration, cost, space)
  » Configuration independent application security specifications
• Develop a range of targeted responses based on Intrusion Detection & System status information
• Integrate techniques for a unified Agile Objects approach and demonstration
Quantitative Metrics
• Location Elusiveness
  » Speed of remote RPC, ratio of local/remote
  » Time of application reconfiguration (physical network parameters, applications)
  » Granularity/precision of real-time guarantees
• Interface Elusiveness
  » Size of reconfiguration space, range of techniques
  » Reconfiguration Cost
  » Reconfiguration Delay
• Scale of Demonstrations
Progress
• Previously reported Accomplishments
  » User-level networking performance
  » Fast Remote RPC (+ improving)
    – 40 microseconds; as fast as local
  » Basic Real-time Framework
  » Multi-DCOM Prototype
  » Elusive Interfaces Framework
• Recent Accomplishments (since 2/00)
  » Elusive Interfaces Prototype
  » Experimentation with Multi-DCOM Prototype
Elusive Interfaces
• Distributed Object and Component Applications: primitive pairwise relationships
• End-to-end encryption techniques practically incompatible with high speed networks
• Ideas
  » Low-cost encryption techniques based on interface structure
  » Adapt and manage automatically in response to changes
  » Systematic analysis of opportunities, costs, and capabilities
[Figure: a high speed net and an untrusted net, with specialized cryptography hardware and time-varying interfaces]
Security Overhead
• SSL inline overhead (excluding initial exchange protocol)
  » 4x fixed overhead; 17x per byte costs (~2Mbits)
  » 56-bit keys, 500MHz Pentium II's, 100Mbit Ethernet
  » Cleartext protocol stacks barely feed high speed networks
[Figure: 2 node latency in ms (0 to 70) against message size in bytes (0 to 8192), SSL versus No SSL]
Elusive Interfaces
• EI Transformations
  » Size preserving: Method offset, offset range, parameter location, parameter organization, etc.
  » Non-size preserving: parameter buffering, message buffering
  » Sequence: Dynamic variation of interface over lifetime of connection...
• Low cost due to word-level transformations, bury in (de)marshalling
• Vary transformation based on expected attack modes
  » Active attacks: NumFormats
  » Passive attacks: NumMethods
[Figure: client and server, each with an EI module, connected over the network]
• February 2000 PI Meeting
  » Analytic analysis of these approaches
  » Large Elusive interfaces space for realistic interfaces
    – Simple systems, 10^6 to 10^16 configurations
  » Report available from http://www-csag.ucsd.edu/projects/AgileO.html
• July 2000 PI Meeting
  » Prototype and evaluation
Elusive Interfaces Prototype
• Java RMI
• Berkeley's secure NinjaRMI (authentication and encryption infrastructure)
• Implementation
  » RMI compiler which generates mutations in stub and skel files
  » Transport layer uses secure key-exchange, followed by mutated data stream
• Limitation: single, fixed sequence of changes
[Figure: client with an EI stub and server with an EI skel, connected over the network]
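As an added illustration of the size-preserving, word-level transformations on the preceding slides (method offset and parameter organization mutations buried in (de)marshalling, with the layout varying over the lifetime of the connection), here is a small Python model written for this page; it is not the project's RMI compiler or NinjaRMI code, and the sample interface, the shared secret and the HMAC-based layout derivation are constructed assumptions. It also counts the permutation-only part of the configuration space for that constructed interface.

```python
import hashlib
import hmac
import random
import struct
from math import factorial

# Constructed sample interface (assumption): method name -> number of int parameters.
INTERFACE = {"getStatus": 1, "setRate": 2, "audit": 3}
METHODS = list(INTERFACE)  # canonical method order, i.e. the real method offsets


def derive_mutation(secret: bytes, seq: int) -> dict:
    """Derive one interface layout from the post-key-exchange secret and the
    message sequence number, so the wire layout changes from message to message
    (the prototype on the slide uses a single fixed sequence instead)."""
    seed = hmac.new(secret, struct.pack(">I", seq), hashlib.sha256).digest()
    rng = random.Random(seed)
    method_perm = list(range(len(METHODS)))
    rng.shuffle(method_perm)                      # method offset mutation
    param_perms = {}
    for name, n in INTERFACE.items():
        order = list(range(n))
        rng.shuffle(order)                        # parameter organization mutation
        param_perms[name] = order
    mask = rng.getrandbits(32)                    # word-level mask applied while marshalling
    return {"methods": method_perm, "params": param_perms, "mask": mask}


def marshal(method: str, args: list, mut: dict) -> bytes:
    """Client-side stub: emit the mutated offset plus reordered, masked words."""
    wire_offset = mut["methods"][METHODS.index(method)]
    reordered = [args[i] for i in mut["params"][method]]
    words = [wire_offset] + reordered
    return b"".join(struct.pack(">I", w ^ mut["mask"]) for w in words)


def unmarshal(data: bytes, mut: dict):
    """Server-side skeleton: undo the mask, the offset and the parameter order."""
    words = [w ^ mut["mask"] for (w,) in struct.iter_unpack(">I", data)]
    method = METHODS[mut["methods"].index(words[0])]
    order = mut["params"][method]
    args = [0] * len(order)
    for wire_pos, real_pos in enumerate(order):
        args[real_pos] = words[1 + wire_pos]
    return method, args


def permutation_space(interface: dict) -> int:
    """Distinct layouts from method-offset and parameter-order permutations
    alone; the slides' 10^6 to 10^16 figure also counts format variations."""
    size = factorial(len(interface))
    for n in interface.values():
        size *= factorial(n)
    return size
```

A message is the same length before and after mutation, which is what keeps the transformation cheap relative to the SSL and 3DES overheads measured on the neighbouring slides.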
Elusive Interfaces Latency
• Elusive Interfaces is:
  » within 3% of plain text
  » 11 - 56x faster than Triple-DES
• Explain performance anomaly
[Figure: Median RMI Time in milliseconds (log scale, 0.1 to 1000) against the number of ints in the array parameter (0 to 16384), for Ninja RMI, Elusive Interfaces, and 3DES with a 168-bit key]
Elusive Interfaces Parameter Complexity
• EI scales with complexity of interface: 0 to 64 int ratio is 1 : 1.47
• RMI Latency is low
[Figure: RMI Time in milliseconds (log scale, 0.1 to 1000) against the number of parameters (0 to 64), for Ninja RMI, Elusive Interfaces, and 3DES with a 168-bit key]
Multi-DCOM Transparent Multicast (Interception)
[Figure: interception architecture with Client, Proxy, MSRPC and Interceptor on the calling side, and Interceptor, MSRPC, Stub 1, Stub 2, Proxy 1 and Proxy 2 on the replica side]
• Transparency
• Independent of MSRPC and COM
• Universal technique (also applies to network monitoring...)
• Interoperable with existing software
• Flexibility and Customizability
Multi-DCOM Translucent Replication
• Prototype and Replication Control Tool complete
• Performance overhead minimal for interception, linear in number of replicas maintained
• Translucent replication interface enables
  » Execution of legacy COM/DCOM applications without change
  » Construction of replication aware applications
    – From source
    – As simple increments by using wrappers
• Demonstration on Microsoft Corporate Benefits Program
  » Binaries only, no source code changes to make this work
• => use for experiments in ITS based on lightweight replication
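To make the interception and translucent replication idea from the last two slides concrete, here is an added Python sketch (not the Multi-DCOM code itself): an interposed proxy fans each call out to every replica, votes on the replies, records any replica whose answer diverges, and lets a replication-aware caller evict it; the Account object and its replicas are constructed stand-ins for COM/DCOM objects.

```python
from collections import Counter


class Account:
    """Constructed stand-in for a COM/DCOM server object."""

    def __init__(self, balance: int = 100):
        self.balance = balance

    def deposit(self, amount: int) -> int:
        self.balance += amount
        return self.balance

    def get_balance(self) -> int:
        return self.balance


class ReplicationInterceptor:
    """Interposed where the MSRPC interceptor sits: a legacy caller sees one
    object, while every call is multicast to all replicas and the replies are
    voted on. Divergent replicas are recorded for a replication-aware caller."""

    def __init__(self, replicas):
        self._replicas = list(replicas)
        self.divergent = []          # (method, replica index, result) records

    def __getattr__(self, name):
        # Only reached for names the proxy itself lacks, i.e. the methods of
        # the replicated object; cost grows linearly with the replica count.
        def forward(*args, **kwargs):
            results = [getattr(r, name)(*args, **kwargs) for r in self._replicas]
            winner, votes = Counter(results).most_common(1)[0]
            if votes <= len(results) // 2:
                raise RuntimeError(f"no majority for {name}: {results}")
            for idx, res in enumerate(results):
                if res != winner:
                    self.divergent.append((name, idx, res))
            return winner
        return forward

    def evict(self, idx: int) -> int:
        """Drop a replica (e.g. one flagged as divergent); returns replicas left."""
        del self._replicas[idx]
        return len(self._replicas)
```

A legacy caller uses the proxy exactly as it would the single object, while a replication-aware wrapper can inspect `divergent` and call `evict`, which is the translucent split the slide describes.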
Summary and Future Plans
• Progress on both Location and Interface Elusiveness
• Richer Elusive Interfaces System
  » Efficient algorithms to generate mutated interfaces
  » Dynamic selection of mutations; understand relation to encryption
  » High Speed Networks; IDS Driven Adaptation
• Experimentation with Replicated DCOM infrastructure
  » Agile Objects Migration System
    – Online Migration, Continuous Performance
  » Agile Objects Name Service
    – High performance, scalable, survivable location
• Exploitation of PASIS as a secure, robust back-end distributed storage service
  » Matches needs of these highly decentralized applications
Technology Transfer
• Publication of Results, Talks, Demonstrations
  » Application Demonstrations: Use of commodity API's enables use of significant applications
• Software releases
• Research and Industrial community
  – Example: Microsoft (Jim Gray, Mike Jones, Rod Gamache), Jane Liu as technology transfer targets
  » Code releases for Object Replication, Object Migration, Elusive Interfaces
• Close Interaction with vendors of the COTS source bases
  » Microsoft (DCOM work)
  » Sun/Javasoft (Java work)
• Build on previous relationship and successful transfers