Survival by Defense-Enabling - ACM Digital Library

Survival by Defense-Enabling* Partha Pal BBN Technologies 10 Moulton Street Cambridge, MA 02138 ppal@bbn,com

Franklin Webber BBN Technologies 10 Moulton Street Cambridge, MA 02138 fwebber @ bbn.com

ABSTRACT

be used because of the m a n y applications that already target them, b u t are unlikely to be redesigned to be more trustworthy. Similarly, although there are m a n y IDSs available today, they mostly work off-line, without any direct r u n t i m e interaction or coordination with the applications (and with other IDSs) t h a t they aim to protect. Furthermore, many of the IDSs have questionable accuracy: sometimes they miss real attacks and sometimes they raise false alarms. In short, attack prevention is not absolute and attack detection is not perfect. We therefore, ask the following question: what, ff anything, can be done to tolerate and survive cyber attacks assuming that the envixonment in which applications will r u n offers flawed protection and imperfect intrusion detection? I n principle, the answer is "close to nothing". A determined attacker can, with sufficient work, defeat whatever flawed protection is offered by the operating systems or networking, thus gaining privileges that can be used either to kill the system completely or to corrupt it in some other way. Although one might try to protect data using encryption a n d digital signatures that are computationally infeasible to break[16], when t h a t data is processed by the system it will almost certainly become vulnerable to an attacker with enough privilege: note t h a t encrypted data is worth]esa unless it is decrypted at some time, and it can be read at that time by a privileged attacker; also note that digitally signed d a t a must be re-signed when it is modified, and an attacker who gains the privilege to re-sign data can forge new, corrupt d a t a as well. I n practice, though, an attacker may not have the skill, perseverance, preparation, or time needed to carry out the attacks that are possible in the worst case. Some attackers rely on prepackaged attack "scripts" and do not have the skill to repair the scripts ff they fail. It may be possible to p u t various kinds of obstacles a n d diversions in their path. A n attacker who meets unexpected obstacles may look elsewhere for easier targets rather t h a n persevere in an attack. A n attacker who is not prepared in advance to circumvent the protection in a specific system will be more likely to trigger intrusion detection alarms[8]. In any case, the more time an attacker takes, the more vulnerable he is to being detected and stopped b y system admluistrators. These are the factors t h a t our =defense enabling" approa¢.~, a|rnq to exploit. We make a distinction between survival by protection, which seeks to prevent the attacker from gaining privileges, and survival by defense, which includes protection b u t also seeks to fTustrate an attacker in case protection falls and the attacker gains some privileges anyway. Protection mechanisms are static and pro-active; de-

Attack survival, which means the ability to provide some level of service despite an ongoing attack by tolerating its impact, is an i m p o r t a n t objective of security research. In this paper we present a new approach to survivability and intrusion tolerance. Our approach, which we call "survival by defense" is based on the observation t h a t m a n y applica. tions can be given increased resistance to malicious attack even though the e n v i r o n m e n t in which they r u n is untrustworthy. This paper describes the concept of "survival by defense" in general and e x p l a ~ s the assumptions on which it depends. We will also explain the goals of survival by defense a n d how they can be achieved.

1.

Richard Schantz BBN Technologies 10 Moulton Street Cambridge, MA 02138 [email protected]

INTRODUCTION

Malicious attacks on computer systems are at the core of security research, and there have been various approaches to deal with the problem. One approach, which sets its goal at attack prevention, defines security policies identifying what needs protection and t h e n a t t e m p t s to implement that protection in hardware and software. This approach has lead to the development of what is known as a trusted computing base (TCB)[17]. Another approach, which is primarily concerned about attack detection and situational auJareness, has lead to the development of various intrusion detection systems (IDS). Neither of these approaches is perfect. The TCB is trusted not to violate the security policy itself, and, in most systems, it is also trusted to prevent other, possibly malicious, software from violating the policy. In practice, most computer systems today have no such t r u s t e d computing base. I n fact, m a n y of the world's computer systems today r u n operating systems and networking software that are far f~om the TCB ideal. These systems m a y lack any security policy, can be damaged using well-known attacks, and therefore cannot be trusted to protect anything. These systems will continue to *This work is sponsored by D A R P A in parts under contracts No. F30602-00-C-0172 and No. F30602-99-C-0188. Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or dislfibutedfor profit or commercial advantage and that copies bear this notic~ and the full citation on the first page. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. NSPW'OI. September 10-13e', 2002, Cloudcrofl,New Mexico, USA_ Copyright 2002 ACM 1-58113-457-6/01/0009...$5.00.

71

fense m e c h a n i s m s e n h a n c e t h e p r o t e c t i o n m e c h a n i s m s w i t h a d y n a m i c s t r a t e g y for r e a c t i n g to a p a r t i a l l y successful a t tack. B o t h p r o t e c t i o n a n d d e f e n s e a i m t o keep a s y s t e m f u n c t i o n i n g (i.e., s u r v i v a l ) , b u t p r o t e c t i o n t e n d s t o b e allo r - n o t h i n g , e i t h e r it works or it d o e s n ' t , w h e r e a s defense c a n choose f r o m a m o n g a r a n g e of r e s p o n s e s , s o m e m o r e a p p r o p r i a t e a n d cost-effective t h ~ a o t h e r s u n d e r different circumstances.

2.

fail t o d e l i v e r a n y service a t all. A n a p p l i c a t i o n c a n b e c o m e c o r r u p t d u e t o v a r i o u s causes: • e i t h e r b e c a u s e of a n a c c i d e n t , s u c h as a h a r d w a r e failuxe, or b e c a u s e of m a l i c e ; • e i t h e r b e c a u s e flaws i n its e n v i r o n m e n t or i n its o w n i m p l e m e n t a t i o n c a u s e it t o m i s b e h a v e . T h e flaws i n t h e e n v i r o n m e n t a n d t h e i m p l e m e n t a t i o n c a n b e e x p l o i t e d b y a m a l i c i o u s a t t a c k e r t o c a u s e a loss of p r o t e c t i o n t h a t allows t h e a p p l i c a t i o n t o b e d a m a g e d . I n t h i s p a p e r we focus o n c o r r u p t i o n t h a t r e s u l t s f r o m a

" S U R V I V A L B Y D E F E N S E " O F CRITICAL APPLICATIONS

malicious attack e ~ l o i t i n 9 f l a ~ s in an application's environ-

"Survived b y defense" is n o t a silver b u l l e t for d e f e n d i n g all a p p l i c a t i o n s i n general. D i f f e r e n t a p p l i c a t i o n s h a v e different s~trvivability n e e d s a n d w i l l i n g n e s s t o b e a r t h e a s s o c i a t e d cost. S o m e t i m e s , t h e requirement.~ m a y conflict w i t h each o t h e r . T h e r e f o r e , a u n i f o r m d e f e n s e for all a p p l i c a t i o n s is p r a c t i c a l l y i m p o s s i b l e . I n oux work, we focus o n t h e specific n e e d of a specific t y p e of a p p l i c a t i o n s n a m e l y , t h e correct functioning of o n e or m o r e critical a p p l i c a t i o n s . T h e s e app l i c a t i o n s are critical i n t h e s e n s e t h a t t h e f u n c t i o n s t h e y i m p l e m e n t are t h e m a i n p u x p o s e of t h e c o m p u t e r s y s t e m o n which they run. Defending other applications in the same e n v i r o n m e n t x is n o t a p r i m a r y g o a l N e i t h e r is d e f e n d i n g t h e a p p l i c a t i o n ' s e n v i r o n m e n t itself, e.;g., t h e o p e r a t i n g s y s t e m s a n d networks t h a t s u p p o r t the critical applications. Defendi n g t h e e n v i r o n m e n t is i m p o r t a n t o n l y so far as it helps t o d e f e n d t h e critical a p p l i c a t i o n s the~,-qelves. T h i s i m p l i e s t h a t t h e defense e n a b l i n g t e c h n o l o g y m a y deploy additional m e c h a n i s m s in the application's environm e n t , b u t it is u s e d i n t h e contexi; of d e f e n d i n g t h e critical a p p l i c a t i o n . N o t e t h a t we are a s s u m i n g we c a n m o d / f y or e x t e n d t h e d e s i g n a n d i m p l e m e n t a t i o n of t h e c r i t i c a l applic a t i o n s . T h i s is i n s h a r p c o n t r a s t w i t h t h e d e s i g n a n d i m p l e m e n t a t i o n of t h e e n v i r o n m e n t , w h i c h we a s s u m e is ~lrnost c o m p l e t e l y b e y o n d o u r c o n t r o l . Z[n o t h e r words, we m u s t live w i t h flaws i n t h e e n v i r o n m e n t b u t , b e c a u s e o u r goal is d e f e n d i n g c r i t i c a l a p p l i c a t i o n s , we will e x p e n d t h e effort o n t h e a p p l i c a t i o n t o m a s k t h e impa~:t of t h e i r e x p l o i t a t i o n b y t h e a t t a c k e r . D e f e n s e e n a b l i n g is o r g a n i z e d a r o u n d t h e application to be defended r a t h e r titan a r o u n d the operating s y s t e m s a n d n e t w o r k s t h a t s u p p o r t it. T h i s follows s i m p l y because the application can be modified whereas the envir o n m e n t , for t h e m o s t p a r t , cann¢,t z. T h e e x i s t e n c e of m i d d i e w a r e is a n a d v a n t a g e i n t h i s c o n t e x t , b e c a u s e it p r o v i d e s a m e a n s t o i n c o r p o r a t e a n d c o o r d i n a t e t h e c a p a b i l i t i e s of the defense m e c h a n i s m s with the application with m i n i m a l m o d i f i c a t i o n of t h e a p p l i c a t i o n itself. A n a p p l i c a t i o n t h a t does n o t f u n c t i o n c o r r e c t l y is corrupt. A c o r r u p t a p p l i c a t i o n m i g h t deliver b a d service or it m i g h t

m e n t . W e a s s u m e t h a t t h i s is b y fax t h e m o s t likely c a u s e of c o r r u p t i o n a n d so t h e o t h e r c a u s e s will b e n e g l e c t e d i n this p a p e r . T h i s a s s u m p t i o n is r e a s o n a b l e b e c a u s e :

• Malicious attacks, w h i c h a r e d i r e c t e d a n d i n t e n t i o n a l , are far m o r e effective i n c o r r u p t i n g a n a p p l i c a t i o n them a c c i d e n t , w h i c h are r a n d o m . • F l a w s i n t h e application's implementation c a n b e corr e c t e d m o r e easily t h a n flaws i n t h e application's environment, a n d t h e l a t t e r are likely t o b e b e t t e r k n o w n to attackers a n d exploited by them. G i v e n t h i s u n d e r s t a n d i n g of c o r r u p t i o n , t h e goal of surv i v a l b y defense is t o delay or p r e ~ e n t c o r r u p t i o n of critical applications. Note t h a t the u l t i m a t e way to prevent this k i n d of c o r r u p t i o n is t o p r e v e n t t h e a t t a c k e r f r o m g a i n i n g t h e p r i v i l e g e r e q u i r e d t o c o r r u p t c r i t i c a l a p p l i c a t i o n s , which, as we e x p l a i n e d earlier, h a p p e n s t o b e t h e goal of s u r v i v a l by protection. Defense enabling, therefore, can be divided i n t o two c o m p l e m e n t a r y goals: 1. T h e a t t a r ~ e r ' s a c q u i s i t i o n of privileges m u s t b e slowed d o w n . T h i s i s s u e is d i s c u s s e d i n s e c t i o n 3. 2. T h e defense m u s t r e s p o n d a n d a d a p t t o t h e p r i v i l e g e d a t t a c k e r ' s a b u s e of r e s o u r c e s . M e c h a n i s m s for d o i n g t h i s are t h e t o p i c of s e c t i o n 4. T h e first goal m a k e s t h e p r o t e c t i o n i n t h e a p p l i c a t i o n ' s env i r o n m e n t last l o n g e r . T h e s e c o n d goal m a k e s t h e a t t a c k e r w o r k h a r d e r t o use n e w l y - g a i n e d privileges t o c o r r u p t a critical a p p l i c a t i o n . B e c a u s e we h a v e a s s u m e d t h a t a c q u i s i t i o n of privilege b y a n a t t a c k e r c a n n o t b e c o m p l e t e l y p r e v e n t e d or d e l a y e d i n d e f i n i t e l y , b o t h goals are n e e d e d for defense. W e say t h a t a n a p p l i c a t i o n is defense-enabled if m e c h a n i s m s axe i n p l a c e t o c a u s e m o s t a t t a c k e r s to t a k e signific a n t l y l o n g e r t o c o r r u p t it t h a n w o u l d b e n e c e s s a r y w i t h o u t t h e m e c h a n i s m s . I n o t h e r words, a n a t t a c k e r m u s t n o t o n l y defeat p r o t e c t i o n m e c h a n i s m s i n t h e e n v i r o n m e n t , he m u s t s p e n d a d d i t i o n a l t i m e d e f e a t i n g defense m e c h a n i s m s a d d e d t o t h e a p p l i c a t i o n . S e c t i o n 5 e x p l a i n s t h a t m a n y defense m e c h a n i s m s will t e n d t o b e p l a c e d i n t o middleware[2], w h i c h is n o t p a r t of t h e e n v i r o n m e n t ( i n t h e t r a d i t i o n a l sense we h a v e d e f i n e d it h e r e ) b u t is still s e p a r a t e f r o m t h e app l i c a t i o n ' s f u n c t i o n a l i t y . T h i s s e p a r a t i o n keeps t h e defense m e c h a n i s m s f r o m c o m p l i c a t i n g each a p p l i c a t i o n ' s d e s i g n a n d allows for e a s y r e u s e i n m u l t i p l e a p p l i c a t i o n s .

X T h r o u g h o u t t h e p a p e r we will tu~e t h e t e r m s environment, operatin 9 er~vironment or s y s t e ~ in.fTaJ~ruc~ur~ t o m e a n mostly the hardware, and networking and operating system software. W e will also a s s u m e t h e e x i s t e n c e of m i d d l e w a r e , a cJass of software d e s i g n e d to m a n a g e t h e c o m p l e x i t y a n d h e t e r o g e n e i t y a s s o c i a t e d w i t h a n i n t e r - n e t w o r k e d a n d dist r i b u t e d e n v i r o n m e n t [2], d e f i n e d as a s o f t w a r e layer a b o v e the operating system b u t below the application programs to provide a common and transparent programming abstract i o n across a d i s t r i b u t e d s y s t e m . 2 O n e c a n , however, a d d m e c h a n i s m s like I D S s a n d firewalls t o incxease t h e e n v i r o n m e n t ' s l e ~ l of p r o t e c t i o n , i n d e p e n d e n t of a n d w i t h o u t t h e c o n t r o l of c r i t i c a l a p p l i c a t i o n s . Defense e n a b l i n g does n o t d i s c o u n t s u c h m e a s u r e s , b u t w a n t s t o u s e t h e i r services i n a p p l i c a t i o n ' s d e f e n s e as well.

3.

ACQUISITION OF PRIVILEGE

I f privileges c o u l d b e o b t a i n e d i n s t a n t l y , t h e a t t a c k e r c o u l d i m m e d i a t e l y g r a b all t h e p r i v i l e g e s n e e d e d t o s t o p all app l i c a t i o n p r o c e s s i n g a n d t h u s d e n y all service. N o defense

72

would be possible a g a ~ s t this unlimited attack. Therefore, defense enabling depends on slowing t h e spread of privilege to attackers to such degree t h a t it renders ineffective the objective of shutting down critical services instantaneously. I n order to prevent quick spread of privilege, we divide the system into several security domains, each with its own set of privileges. The intent is to force t h e attacker to take more time accumulating the privileges needed to corrupt the applications. 'This will be true if:

defense enabling m u s t make it h a r d for an attacker to get this privilege. Ideally, one would want t h e privileges to be diserete and the acquisition process be i n d e p e n d a n t because t h a t will gauarntee an increase in attacker's risk and cost. However, this ideal goal can only be reached partially as explained below. In the sequence of anonymous, domainuser, domainadmin privileges, each subsumes the preveous ones, so if an attacker gains d o m a i n a d m i n privilege he does not need to obtain anonymous or domain user privelege. Domain privilege does not i m p l y application level privilege (or vice versa), as explained later, it is possible to obtain application level privilege if the attacker gains domain admin privilege. On the other hand, a malicious intruder will attack a critical application by collecting the m i n i m u m privileges needed to damage its integrity or to stop it from providing service. Attackers typically gain new privilege b y converting from another privelege using some flaws in the environment as opposed to directly obtaining the desired level of privilege. In this sense t h e independance goal is partially achieved. Using t h e set of privileges j u s t listed, there are three ways for an attacker to gain new privileges:

• Each critical application has parts t h a t are intelligently distributed across m a n y domains so t h a t privilege in a set of several domains is needed to corrupt it. This distribution of p a r t s will be discussed in section 4. • T h e attacker cannot accumulate privileges concurrently in any such set of domains. This constraint will be discussed later in this section. A security domain m a y be a network host, a L A N consisting of several hosts, a router, or some other structure. The domains are chosen and configured to make best use of the e . ~ t i n g protection in the environment to limit the spread of privilege. The domains must not overlap; for example, if the domains are sets of hosts then each host is in exactly one domain. Each security d o m a i n m a y offer m a n y different kinds of privilege. T h e following hierarchy, described in order of increasing privilege (i.e., each of these privileges subsumes all the previous ones), is a minimal set t h a t is typical in m a n y domains:

1. C a s e 1: by converting d o m a i n or anonymous user privilege into domain a d m i u i s t r a t o r privilege (e.g,, exploiting bugs in t r u s t e d services, such as ssndmaJ.1, t h a t have domain a d m i n i s t r a t o r privilege already); 2. C a s e 2: by converting domain a d m i n i s t r a t o r privilege in one domain into domain a r i m l u ~ t r a t o r privilege in another (e.g., using '~root" in one domain to log in as "root" in another);

s a n o n y m o u s u s e r p r i v i l e g e : allows interaction with servers in a security domain only via network protocols such as H T T P t h a t do not require the client to be identified;

3. C a s e 3: by converting domain a d m i n i s t r a t o r privilege into application-level privilege (e.g., using '~root" privilege to invoke unauthorized application commands).

• d o m a i n u s e r p r i v i l e g e : allows access only to a welldefined set of d a t a a n d processes in one particular security domain (e.g., the user m u s t "log in" to get this access);

The attacker must be slowed down or prevented from gaining new privileges in each of these ways. How to do this will d e p e n d on the n a t u r e of the domains a n d therefore no generally-applicable rules can be given. However, security domains t h a t are sets of network hosts are a very common situation a n d the following discussion is applicable in this context. The general idea is to enginee~ lots of c o m p l e ~ t i e s and obstacles in the privilege escalation process so t h a t t h e attacker work load a n d likelyhood of triggering detection is increased. In the first case, t h e attacker tries to convert domain or anonymous user privilege into d o m a i n administrator privilege by exploiting operating system security flaws.. As explained in section 1, we assume this will always be possible. We also assume t h a t it takes some time, possibly only a m a t t e r of minutes, b u t it is not instantaneous. The time it takes can be m a x i m i z e d by careful configuration of hosts and ftrewalls, for example, by applying the latest operating system patches, disabling or blocking unnecessary network protocols, a n d making t h e password file unreadable. In the second case, our objective will be achieved if the attacker is prevented from converting a~lmlnistrator privilege in one domain into v~hninistrator privilege in another. This can be done by proper host configuration and administration, and having a heterogeneous environment with various t y p e s of hardware and operating systems. For example, hosts in different domains m u s t n o t respect each other's priv-

• d o m a i n a d m i n i s t r a t o r p r i v i l e g e : allows reading a n d writing of any d a t a and s t a r t i n g and stopping any processing in one particular security domain (e.g., "root" privilege on Unix hosts). In addition, we propose to create a new kind of privilege in each domain to i m p e d e the attacker's progress towards collecting privileges: s

a p p l i c a t i o n - l e v e l p r i v i l e g e : allows interaction with a defeuse-enabled application using application-level protocols (e.g., C O K B A calls t h a t query the application or issue commands).

Application-level privilege di~ers from other kinds of privilege in t h a t (a) it is not p a r t of t h e environment but is created specifically to defend an application (b) it uses cryptographic techniques (which will be described later) (c) it does not subsume any of t h e other kinds of privilege and it is not not subsumed by any of them. In particular, gaining domain a d m i n i s t r a t o r ('~root") privilege does not guarantee application-level privilege; this will be explained shortly. However, an attacker with application-level privilege would find it easy to control, and thus corrupt, an application. So

73

lieges. T h i s forces t h e a t t a c k e r t o s t a r t f r o m s c r a t c h w h e n t r y i n g t o g a i n p r i v i l e g e in each d o m a i n . Once having become a domain administrator, the attacker can quickly damage application processes in that domain simply by stopping them. With this privilege, he can bypass t h e o p e r a t i n g s y s t e m access c o n t r o l s t h a t w o u l d n o r m a l l y p r e v e n t t h i s d a m a g e . T h i s damas;e, t h o u g h , is cont~d~aed b e c a u s e t h e a p p l i c a t i o n is d i s t r i b u t e d a c r o s s m a n y s e c t t r i t y domains. I n t h e t h i r d case, a d e f e n s e - e n a b l e d a p p l i c a t i o n m u s t use cryptographic techniques to prevent the attacker from gaini n g a p p l i c a t i o n - l e v e l p r i v i l e g e . A n a~.tacker h a v i n g t h i s p r i v i lege w o u l d b e w o r s e t h a n an a t t a c k e r w h o b e c o m e s a d o m a i n administrator because direct attachs on the application cann o t b e c o n e n e d t o a single s e c u r i t y d o m a i n a n y m o r e : w i t h a p p l i c a t i o n - l e v e l p r i v i l e g e , t h e a t t m t e r m a s q u e r a d e s as p a r t of t h e a p p l i c a t i o n itself, b y p a s s i n g its access c o n t r o l s a n d c a u s i n g i t to b e h a v e i n c o r r e c t l y h y s e n d i n g i t b o g u s c o m mands and data, which the application itself propagates a c r o s s t h e b o u n d a r i e s b e t w e e n s e c u r i t y d o m a i n s . T h e following t e c h n i q u e s a r e t h e r e f o r e e s s e n t i a l for e v e r y defenseenabled critical application:

unreasonable assumption. On the other hand, some attacks c a n b e a u t o m a t e d a n d c a r r i e d o u t m a n y t i m e s in p a r a l l e l , so in t h e w o r s t c a s e t h e a t t a c k e r c a n v i o l a t e a n a s s u m p t i o n o f s t a g i n g . T h i s w o r s t case c a n b e m a d e less likely b y d e s i g n ing an application to use a diverse set of security domai~ Diversity means the attacker may need to prepare separate a t t a c k s for e a c h k i n d of d o m a i n . I t m a y also b e p o s s i b l e t o enforce s t a g i n g b y c o n f i g u r i n g firewalls so t h a t a n a t t a c k e r c a n n o t access r e m o t e d o m a i n s a t all w i t h o u t first g a i n i n g p r i v i l e g e s in n e a r b y ones. T h i s p a p e r d o e s n o t a d d r e s s t h e issue h o w t o e n f o r c e s t a g i n g b u t h e n c e f o r t h a s s u m e s t h a t only staged attacks are possible. This section has shown how defense enabling makes an a t t a c k e r t a k e l o n g e r to c o l l e c t p r i v i l e g e s . T h e n e x t s e c t i o n s h o w s h o w t h i s e x t r a t i m e c a n b e u s e d for defense.

4.

CONTROL OF RESOURCES

In the traditional approach to computer security, the def e n d e r is g i v e n a d d i t i o n a l p r i v i l e g e i n i t i a l l y , w h i c h is u s e d for s e t t i n g u p s t a t i c p r o t e c t i o n b o t h for c r i t i c a l a p p l i c a t i o n s a n d for e n s u r i n g t h a t t h e a t t a c k e r m u s t n e v e r g e t d o m a i n a d m i n i s t r a t o r p r i v i l e g e for h i m s e l f . I n c o n t r a s t , d e f e n s e ena b l i n g a s s u m e s t h e a t t a c k e r will e v e n t u a l l y g a i n d o m a i n a d m i n i s t r a t o r p r i v i l e g e i n s o m e s e c u r i t y d o m a i n s , a n d in t h o s e d o m a i n s t h e a t t a c k e r a n d d e f e n d e r will b e in s y m m e t r i c a l positions. What then? Section 3 showed how the defender cam s e t u p a n e w k i n d o f p r i v i l e g e a t t h e a p p l i c a t i o n level and try to protect it using cryptography. But the defender c a n also u s e d o m a i n a d m i n i s t r a t o r p r i v i l e g e t o d i s p u t e t h e a t t a c k e r ' s c o n t r o l of d o m a i n s . T h i s is e s p e c i a l l y i m p o r t a n t in l i g h t of t h e o b s e r v a t i o n t h a t t h e a t t a c k e r a n d t h e c r i t i c a l a p p l i c a t i o n s c o m p e t e over s y s t e m r e s o u r c e s : t h e a p p l i c a t i o n needs them and the attacker attempts to take them away from the application. This section discusses the capabilities that can be used to tip the balance away from the attacker. They include:

• Application processes must be started with authentic a t i o n , e.g., e x e c u t a b i e s a r e s t o r e d o n d i s k e n c r y p t e d with passwords known only to authorized users and other application processes; s A l l c o m m u n i c a t i o n b e t w e e n a p p l i c a t i o n p r o c e s s e s is digitally signed with private keys known only to the a p p l i c a t i o n i t s e l f a n d uses s e q u e n c e n u m b e r s t o p r e vent replay. T h e s e t e c h n i q u e s will m a k e i t h a r d for a n a t t a c k e r , e v e n o n e w i t h d o m a i n a d m i n i s t r a t o r p r i v i l e g e , t o m a s q u e r a d e as p a r t of t h e a p p l i c a t i o n . A s s u m i n g t h e e n c r y p t i o n is u n brealc~ble, t h e a t t a c k e r will b e u n a b l e t o c o r r u p t t h e a p p l i c a t i o n p r o c e s s ' c o d e o n disk. A ~ s u m i n g t h e d i g i t a l s i g n a t u r e s a r e u n b r e a k a b l e , t h e a t t a c k e r wilt b e u n a b l e t o d i s r u p t c o m m u n i c a t i o n s. H o w e v e r , s o m e o n e w i t h d o m a i n srlrninistrator privilege could gain application-level privilege with e n o u g h effort. F o r e x a m p l e , w i t h a d m i n i s t r a t o r p r i v i l e g e , o n e c a n r e a d t h e core i m a g e of a r u n n i n g p r o c e s s , m o d i f y i t to change the process' behavior, or search it to find the priv a t e k e y s u s e d for d i g i t a l s i g n a t m - e s . T h i s a t t a c k c o u l d b e m a d e h a r d e r w i t h t e c h n i q u e s for c o n c e a l i n g or r a n d o m i z i n g t h e l o c a t i o n o f d a t a , e.g., p a s s w o r c ~ , w i t h i n a c o r e i m a g e . I n p r a c t i c e , h o w e v e r , t h e effort n e e d e d for t h i s k i n d of a t t a c k is l i k e l y t o b e m u c h g r e a t e r t h a n t h e effort n e e d e d s i m p l y t o kill all a p p l i c a t i o n p r o c e s s e s i ~ t h e d o m a i n , followed b y a t t a c k s on o t h e r d o m a i n s . Finally, the attacker must not be able to gather privileges in m a n y d o m a i n s c o n c u r r e n t l y . T h i s c o n s t r a i n t m e a n s t h a t a n a t t a c k o n a n a p p l i c a t i o n in m u l t i p l e d o m a i n s c a n n o t go j u s t as f a s t as a n a t t a c k o n o n e single d o m a i n . A n a t t a c k t h a t p r o c e e d s s e q u e n t i a l l y , r a t h e r t h a n c o n c u r r e n t l y , is c a l l e d a sLaged a t t a c k . D e f e n s e e n a b l i n g reties o n a n a t t a c k e r u s i n g o n l y s t a g e d a t t a c k s . W e ,:an e i t h e r s i m p l y a s s u m e t h a t a t t a c k e r s a r e l i m i t e d t o s t a g e d a t t a c . b or we c a n t r y to make the alternative harder to accomplish. As a practic a l m a t t e r , m o s t a t t a c k e r s will g a t h e r p r i v i l e g e s s e q u e n t i a l l y as t h e y e x p l o r e a s y s t e m ' s infras~.ructure, so t h i s is n o t a n

•

s a t a logical level~ b e c a u s e t h e a t t a c k e r c a n d i s r u p t t h e p h y s i c a l c o m m u n i c a t i o n b y c u t t i n g t h e cables, for i n s t a n c e .

74

of redundancy: Creating multiple security dom a i n s is n o t b y i t s e l f sufficient t o force t h e a t t a c k e r t o s p e n d m o r e t i m e c o l l e c t i n g p r i v i l e g e s : if s o m e d o m a i n w e r e a s i n g l e p o i n t o f f a i l u r e for t h e a p p l i c a t i o n , t h e a t tacker would need only to gain domain administrator p r i v i l e g e in t h a t d o m a i n a n d kill a p p l i c a t i o n p r o c e s s e s t h e r e . C l e a r l y t h e a p p l i c a t i o n m u s t b e d i s t r i b u t e d redundantly across the domains. T h e s i m p l e s t s o l u t i o n is t o r e p l i c a t e e v e r y e s s e n t i a l p a r t o f t h e a p p l i c a t i o n a n d p l a c e t h e r e p l i c a s in diff e r e n t d o m a i n s . D o i n g t h i s t u r n s t h e p r o b l e m o f defense i n t o a p r o b l e m o f f a u l t t o l e r a n c e , w h e r e a "fault" is t h e c o r r u p t i o n o f a s i n g l e r e p l i c a b y t h e a t t a c k e r . T h e r e p l i c a s m u s t b e c o o r d i n a t e d to e n s u r e t h a t , as a g r o u p , t h e y will n o t b e c o r r u p t e d w h e n t h e a t t a c k e r s u c c e e d s in c o r r u p t i n g s o m e o f t h e m . M a n y p r o t o c o l s for f a u l t t o l e r a u t r e p l i c a c o o r d i n a t i o n exist[15], [5],[12], [14]. T h e f a u l t t o l e r a n c e p r o b l e m t o solve b e c o m e s h a r d e r o r e a s i e r d e p e n d i n g o n w h e t h e r t h e a t t a c k e r is a b l e t o gain application-level privilege. If the attacker cannot gain application-level privilege then application replic a s will, a t w o r s t , c r a s h w h e n c o r r u p t e d , a n d so i t will n o t b e n e c e s s a r y for t h e a p p l i c a t i o n t o use t h e m o r e expensive protocols that protect against ~Byzantine" c o r r u p t i o n [ 3 ] . If, o n t h e o t h e r h a n d , t h e a t t a c k e r d o e s Use

gain application level privilege, such expensive protocols become necessary. I n one of our research efforts, we assume attackers c a n n o t get application level privilege a n d in another we relax t h a t assumption and explore the use of hybrid-mode fault-tolerance and dynamic switching between tolerating crash and Byzantine failures of application replicas.

application level QoS mgmt level infrastructure level

R e d u n d a n c y is not necessarily restricted to r e d u n d a n t processes (replicas as described above) or hosts and security domains. C o m m u n i c a t i o n r e d u n d a n c y in the form of r e d u n d a n t b a n d w i d t h or alternate network path must also be used by the defense.

Defeat I Work Around Attack I Attack retry failed redirect reqst; request degrade srvc reserve CPU, migrate bandwidth replicas block IP change ports, sources protocols

Guard Against Future Attack increase self-checking tighten crypto, access control configure IDSs

T a b l e 1: A c l a s s i f i c a t i o n o f d e f e r m i v e a d a p t a t i o n s discuss the various ways defensive a d a p t a t i o n can be used in application's survival. Note t h a t it is possible for the attacker to defeat or abuse any of these capabilities if he manages to acquire sufficient privilege. For instance, with d o m a i n privilege, he can perhaps jeopardize the replication mechanism by shutting down the replication m a n a g e m e n t components t h a t r u n in that domain. Similarly, with application privilege he can defeat the application level self-checking which a~ects the application across domain boundaries. We assume that it is not possible to prevent attacks on defense mechanisms t h a t offer these capabilities, j u s t as much as it is not possible to prevent the attacks on the application t h a t these mechanisms aim to protect. However, we have showed t h a t the attacker's acquisition of privilege can be prevented or slowed down earlier, which makes such attacks on the capabilities more difllcult a n d time consuming. Note also that, even though protection of defense mechanisms ar.e not perfect, they raise the bar t h a t an attacker has to overcome in order to successfully stop a critical application from functioning.

M o n i t o r i n g : As with any other conflict situation, information superiority is an advantage. Therefore, it is i m p o r t a n t that the defense is aware of incidents in the environment t h a t are related to attacks and their impact on the system resources. Intrusion detection systems (IDSs)[8] can be used, to collect d a t a at the infrastructure level a b o u t possible attacks. D a t a collected at the application level is also desirable, though, because it can give a more comprehensive view of the n a t u r e of the attack and more insight into potential remedies, and because it is more relevant to the needs of the application. Two kinds of monitoring are imp o r t a n t at the application level: 1. Quality of Service (QoS): whether the application is getting the QoS it needs from its environment a n d whether it is providing the QoS required by its users. A decrease of either QoS measure is a potential indication of a possible attack.

5.

2. Self-checking: whether the application continues to satisfy invariants specified by its developers. A violation of such invariants is an indication that the application is corrupt, possibly because the attacker has gained application-level privilege.

USE OF DEFENSIVE ADAPTATION IN APPLICATION'S SURVIVAL

One can t h i n k of multiple dimensions in which defensive a d a p t a t i o n c~n be used. The level of system architecture at which these adaptations work is one such dimension. At the top end along this "dimension are defensive adaptations involving the application itself: for instance, in the face of an attack the application m a y find an alternate way to proceed or degrade its service expectations. At the other end along this dimension are defensive adaptations t h a t involve services from the operating system and network level, such as changing the details of how application components communicate a m o n g themselves. Between these two are defensive adaptations t h a t m a n i p u l a t e QoS m a n a g e m e n t facilities to obtain the QoS it needs. I n another dimension, adaptations dither according to how aggressively the attack can be countered. At best, the attack can be defeated, i.e., the effect of the attack on the application can be completely canceled. Second best is for the application to work a r o u n d the attack, avoiding its effects. Finally, if the attack can neither be defeated nor its effects avoided the application can make changes to protect against similar attar.ks in the future. Table 1 shows some example adaptations based on the two dimensions described above. The table is not intended to be comprehensive: u n d o u b t e d l y others can be invented or would be available with specific operating systems. There m a y also be other useful categories; for example, the table does not show any a d a p t a t i o n involving "honeypots" where an attacker is lured into wasting effort on a decoy. Attacks can be thought of as two broad kinds:

A d a p t a t i o n : It should be obvious t h a t survival is impossible without adaptation. The consequence of attacker's abuse of the obtained privilege is, almost always, some change in the application's environment ranging from loss or corruption of application components to loss or corruption of resources need by the application. If the application is not able to adapt to the changed situation, the application will not be able to survive. This kind of a d a p t a t i o n m a y take various forms. If the attacker denies resources to a critical application, for example by flooding communication channels, the defense mechanism m a y try to adapt to restore the QoS it needs or the application may adapt to live with the reduced resource (thereby degrading the service it offers). If the source of an attack can be diagnosed with high confidence, resources can be denied to the attacker, for example, by killing the attacker's processes. Each of these capabilities are worth separate discussions. We have discussed how to use replication and intrusion detection services to develop adaptive applications t h a t survive certain kinds of attacks in [10]. We will outline our work on use of mixed mode fault tolerance in intrusion tolerance in an upcoming p a p e r [6], a n d in the next Section, we briefly

75

1. d i r e c t a t t a c k s a g a i n s t t h e a p p l i c a t i o n , for e x a m p l e b y disrupting the communication between its parts;

adaptive response. For instance, consider an attacker whose o b j e c t i v e it is t o c u t off a p a r t i c u l a r i n t e r - o b j e c t i n t e r a c t i o n b y f l o o d i n g a n a p p r o p r i a t e n e t w o r k s e g m e n t . I f t h e defensive adaptation responds with establishing a bandwidth reservat i o n , t h i s a t t a c k will b e t h w a r t e d a t first. I f h o w e v e r , t h e r e s p o n s e is p r e d i c t a b l e , t h e a t t a c k e r m a y c o m e w i t h a t w o s t a g e s t r a t e g y : in t h e first s t a g e , h e will e i t h e r e x p l o i t t h e r e s e r v a t i o n m e c h a n i s m t o e s t a b l i s h a l a r g e r e s e r v a t i o n for himself or attack the bandwidth management mechanism t o m a k e i t ineffective. T h e n i n t h e s e c o n d s t a g e , he will f l o o d t h e n e t w o r k . To c o p e w i t h t h i s k i n d o f p l a n n e d a t t a c k s , s o m e u n c e r t a i n t y n e e d s t o b e i n j e c t e d in t h e d e f e n s e so t h a t t h e a d a p t i v e r e s p o n s e is n o t p r e d i c t a b l e t o t h e a t t a c k e r . T h i s u n c e r t a i n t y c a n c o m e f r o m s o m e s e c r e t t h a t is not known to the attacker or can be based upon some nondeterminism incorporated in the adaptation mechanism. In genera/, uncertainty seems to enhance the value of defensive adaptation, especially in the context of planned and coordinated attacks. T h e d e f e n s e s t r a t e g y of a p a r t i c u l a r c r i t i c a l a p p l i c a t i o n may involve use of multiple defensive adaptations. Incorpor a t i n g m u l t i p l e m e c h a n i s m s r e q u i r e d for i n d i v i d u a l d e f e n s i v e a d a p t a t i o n i n t o a single a p p l i c a t i o n c a n g r e a t l y c o m p l i c a t e t h e a p p l i c a t i o n ' s d e s i g n . F o r t u n a t e l y , e v e r y one of t h e s e m e c h a n i s m s is o r t h o g o n a l t o a n a p p l i c a t i o n ' s f u n c t i o n a i i t y l i.e., t h e a p p l i c a t i o n s h o u l d c o m p u t e t h e s a m e r e s u l t s r e g a r d less o f w h e t h e r o r h o w m a n y d e f e n s e a d a p t a t i o n s h a v e b e e n used. In other words, every one of these adaptations changes how an application computes its results, not what results are c o m p u t e d . T h i s o r t h o g o n a l i t y allows t h e d e s i g n of defenses t o b e s e p a r a t e d fTom t h e d e s i g n o f f u n c t i o n a l i t y . S e p a r a t i n g t h e d e s i g n of t h e f u n c t i o n a l (or b u s i n e s s ) aspects of the application from the design of defensive adapt a t i o n is g o o d s o f t w a r e e n g i n e e r i n g . I t is o n l y n a t u r a l t o p u t t h e l a t t e r i n t o m i d d l e w a r e [2], w h i c h a c t s as a n i n t e r mediary between the application and the infrastructure and provides various services to the application transparently. I n a d d i t i o n , a d v a n c e d m i d d l e w a r e s u c h as Q u O ( s h o r t for Q u a l i t y O b j e c t s ) i l l ] , p r o v i d e s s u p p o r t for a d a p t i v e b e h a v ior a n d Q o S awaxenees w h i c h is e s p e c i a l l y useful for d e f e n sive a d a p t a t i o n a n d m o n i t o r i n g . T h i s w a y t h e f u n c t i o n a l i t y and the defense mechanisms can be developed in a decoupled manner. Ideaiiy, defensive strategies and mechanisms w o u l d b e r e u s a b l e for m a n y d i f f e r e n t a p p l i c a t i o n s . I n fact, in m o s t cases, t h e r e s e e m s t o b e a f a i r l y g e n e r a l a n d r e u s a b l e m e c h a n i s m t h a t i n t e r p r e t e s or e n f o r c e s a p p l i c a t i o n specific p a r a m e t e r s o r rules. F o r i n s t a n c e , t h e s~=-e access c o n t r o l m e c h a n i s m c a n b e u s e d in d i ~ e r e n t a p p l i c a t i o n s w i t h differe n t access c o n t r o l policies. H o w e v e r , t h e r e a r e cases w h e r e the mechanisms are more closely tied with the application. F o r e x a m p l e , s e l f - c h e c k l n g o f a p p l i c a t i o n i n v a r i a n t s will d e pend on application-specific data structures.

2. i n d i r e c t a t t a c k s , i n w h i c h r e s o u r c e s n e e d e d b y t h e a p plication are denied.

This categorization provides the third dimension for classifying defensive a d a p t a t i o n s : s o m e w o r k a g a i n s t d i r e c t a t t a c k s a n d s o m e a g a i n s t i n d i r e c t a t t a c k s . D i r e c t a t t a c k s are c o u n t e r e d b y t h e m e c h a n i s m s w o r k i n g a t t h e a p p l i c a t i o n level, p l u s t h e u s e o f encryp.tion. A n i n d i r e c t a t t a c k m i g h t b e c o u n t e r e d b y m e c h a n i s m s t h a t a r e a t v a r i o u s levels o f t h e s y s t e m a r c h i t e c t u r e , b u t g e n e r a l l y , lower-level m e c h a n i s m s a r e m o r e f o c u s e d . F o r e x a m p l e , c o n f i g u r i n g a firewall t o b l o c k p a c k e t s f r o m a p a r t i c u l a r so~arce is a h i g h l y f o c u s e d defense, b u t o n e t h a t n e e d s d e t a i l e d i n f o r m a t i o n a b o u t t h e a t t a c k t o h a v e b e e n c o l l e c t e d first. A t t h e Q o S level, f l o o d ing the network can be countered by bandwidth reservation, over-consumption of CPU through s£heduling and priorities, crashing of a node running an application component by migrating the component elsewhere, and relatively privileged o p e r a t i o n s c a n b e d i s a b l e d w i t h access c o n t r o l if t h e r e is a high risk that they might be used maliciously. W h e t h e r i t c a n b e u s e d for p r o t e c t i o n f r o m a t t a c k as well as for r e s p o n s e t o a t t a c k , o r j u s t for r e s p o n s e alone, s e e m s t o be yet another way to classify defensive adaptation. Mecha n i s m s n e e d e d t o s u p p o r t s o m e o f 'the d e f e n s i v e a d a p t a t i o n d e s c r i b e d in t a b l e 1, c a n a~so b e u s e d for p r o t e c t i o n . F o r i n s t a n c e , o n e c a n s t a r t w i t h a h i g h level o f s e l f - c h e c k i n g o r a v e r y t i g h t access c o n t r o l o r a C P U o r b a n d w i d t h r e s e r v a t i o n . W h i l e t h i s m a y offer b e t t e r p r o t e c t i o n t o b e g i n w i t h , s o m e o f t h e m c o m e w i t h a h i g h p r i c e t a g . F o r i n s t a n c e , a n H3S c o n figured to be very sensitive to attack, has significant costs a n d so n e e d s t o b e u s e d s p a r i n g l y . A n o t h e r c a s e in p o i n t is t h e u s e o f B y z a n t i n e t o l e r a n c e -~echniques in r e p l i c a t i o n m a n a g e m e n t : a l t h o u g h it will offer b e t t e r p r o t e c t i o n a g a i n s t c o r r u p t i o n it m a y b e i m p r a c t i c a l l y e x p e n s i v e t o r e p l i c a t e all c o m p o n e n t s o f a n a p p l i c a t i o n in a B y z a n t i n e - t o l e r a n t m o d e . T h i s is o n e o f t h e p r i m a r y r e a s o n s w e a r e i n v e s t i g a t i n g a d a p t i v e u s e o f m i x e d - m o d e r e p l i c a t i o n [6], w h e r e o n l y s o m e of t h e a p p l i c a t i o n c o m p o n e n ' t s will b e r e p l i c a t e d , a n d tolerance-modes can be switched between crash and Byzant i n e . F u r t h e r m o r e , r u n n i n g in Ubest p r o t e c t i o n n m o d e m a y i m p e d e t h e n o r m a l f u n c t i o n i n g of t h e s y s t e m in s o m e eases a n d so s h o u l d b e u s e d o n l y w h e n n e c e s s a r y . FOr i n s t a n c e , disabling highly privileged operations may be the safest opt i o n , b u t o p e r a t o r s a n d a r l r n i ~ i s t r a t o r s will n e e d t h e s e t o perform their tasks. These observations point out the importance of the capability to change between various modes and the associated trade-offs, which are fundamental to our survival by defense approach. D e f e n s i v e a d a p t a t i o n , as d e s c r i b e d so far, is m o s t l y r e s c . ~ e , i.e., t h e s e a d a p t a t i o n s t a k e p l a c e in r e s p o n s e t o s o m e triggers (most often the monitorinl~ mechanisms are respons i b l e for g e n e r a t i n g t h e t r i g g e r s ) . D e f e u s i v e a d a p t a t i o n c o u l d b e p r o - a c t i v e as w e l l , in w h i c h c a s e t h e a d a p t a t i o n t a k e s p l a c e w i t h o u t a n y e x t e r n a l t r i g g e r , F o r e x a m p l e , a client c a n p e r i o d i c a l l y c h a n g e t h e s e r v e r i t t a l k s to, o r a s e r v i c e p r o v i d e r p e r i o d i c a l l y c h a n g e s t h e p o r t t h r o u g h w h i c h it offers i t s services. T h i s k i n d o f a ~ . a p t a t i o n is g e n e r a l l y a p p r o p r i a t e for l i m i t i n g t h e a t t a c k e r ' s k n o w l e d g e a b o u t t h e critical system. A d e t e r m i n e d a t t a c k e r c a n p o t e n t i a l l y o v e r c o m e t h e effects of d e f e n s i v e a d a p t a t i o n if h e c a n e a s i l y p r e d i c t t h e

6.

ISSUES AND LIMITATIONS

T h e u s e o f d i s j o i n t s e c u r i t y d o m a i n s n o t o n l y r e s u l t s in red u n d a n c y ( t h a t t h e r e a r e m u l t i p l e d o m a i n s ) b u t also h e t e r o g e n i e t y ( s i n c e g a i n i n g access t o o n e d o m a i n d o e s n o t g u a r a n t e e t h e s a m e in o t h e r d o m a i n s ) . T h i s is h e l p f u l in t e r m s r e p l i c a t i n g a p p l i c a t i o n c o m p o n e n t s s i n c e t h i s m a k e s i t diffic u l t t o s u c c e s s f u l l y a t t a c k m u l t i p l e r e p l / c a s . O u r u s e of a p p l i c a t i o n level r e p l i c a t i o n is f u r t h e r s u p p o r t e d b y d y n a m i c a d a p t a t i o n t e c h n i q u e s ( s u c h as c h o o s i n g t h e p l a c e t o s t a r t a new replieca unprredictable).

76

CONCLUSION

8.

O u r approch to prevent quick spreading of privilege by using security domains a n d application level privilege can be combined with t r a d i t i o n a l mechanims like firewalls, even though a firewall can be a single point of failure. However, unlike firew-ails, our application level privilege mechanism involves c r y p t o g r a p h i c keys. We assume t h a t t h e signstures are unforgeable. We also assume t h a t the keys are d i s t r i b u t e d a-priori in a t r u s t e d manner. T h e reliance on c r y p t o systems is a limitation [1], b u t addressing it is bey o n d t h e scope of our work. In addition, in the context of a mission critical application t h e overhead associated with enforcing the application level privilege m a y i m p a c t its performance level. Defense-enabling makes use of t h e capabilities of various defense mechanisms. However, it is not simple to combine multiple mechanisms in a defense s t r a t e g y since different mechanisms m a y have conflicting goals a n d assumptions. A l t h o u g h the defense m e c h a v l r , s used in a defense enabled application is coordinated at r u n t i m e by t h e Q u O adaptive middleware, t h e initial work of designing a n d implementing a defense s t r a t e g y t h a t involves selection of a p p r o p r i a t e mechanism, potential conflict analysis and resolution has to be done m a n u a l l y by an expert. Finally, defense-enabling relies on the fact t h a t attacks proceed sequentially so t h a t t h e application have time to make defensive response. As n o t e d in Section 3, there are attacks t h a t m a y not follow sequential stages. For instance, D D O S attacks involving a t t a c k b o t s or zombies can all attack a t a r g e t simultaneously. However, if we consider the act of placing zombies as p a r t of t h e a t t a c k we can clearly see a sequence of gaining privilege, inserting processes and t h e n triggering t h e attack. T h e p r o b l e m here is that. t h e most of the p r e p a r a t o r y sequences of such an a t t a c k can go u n d e t e c t e d a n d can be carried over a large period of t i m e making it h a r d to correlate. One aproach we are exploring in this regard is to employ a u t o n o m o u s low level mechanisms t h a t perform knee-jerk reaction to anomalies within a host. The idea is t h a t each host will act on its own as soon as it sees an anomaly w i t h o u t the need for a coordinated detection and corelation of events. For example, as soon as it sees an anomalous file in a local disk it m a y erase t h a t file. This reaction will t h e n be followed up b y more coordin a t e d d o m a i n or system-wide responses taken at t h e higher levels. For instance multiple ocurrance of such a mysterious file m a y lead to isolating t h a t host from its domain.

We are i m p l e m e n t i n g technology for defense enabling under t h e D A R P A project t i t l e d "Applications t h a t Particip a t e in their Own Defense" ( A P O D ) . T h e defense strategies have been i m p l e m e n t e d using the Q u O adaptive middleware[ll]. T h e i m p l e m e n t a t i o n is discussed in detail in

[13].

T h e "Intrusion Tolerance b y U n p r e d i c t a b l e A d a p t a t i o n " ( I T U A ) project[4], also being c o n d u c t e d at B B N Technologies, in cooperation with University of Illinois and T h e Boeing Company, is exploring two r e l a t e d issues: 1. Tolerating p l a n n e d a n d c o o r d i n a t e d attacks by making defensive responses u n p r e d i c t a b l e to t h e attacker, 2. Tolerating attacks t h a t can gain application-level privilege a n d take control over application components , b y using t h e services of a h y b r i d - m o d e fault-tolerance mechanism. Defense enabling can increase an application's resistance to malicious a t t a c k in an environment t h a t offers only flawed protection. This increased resistance means t h a t an attacker m u s t work h a r d e r and t a k e more t i m e to c o r r u p t t h e application. This, in turn, m e a n s greater survivability for t h e application on its own a n d an increased chance for system a~4mlnistrators t o d e t e c t a n d t h w a r t t h e a t t a c k before it succeeds.

9.

10.

ADDITIONAL AUTHORS

A d d i t i o n a l authors: Joseph Loyall (BBN Technologies, email: j l o y a l l @ b b n . c o m ) , l ~ n a J d W a t r o ( B B N Technologies, email: rwatro@bbn, cos), W i l l i a m Sanders (University of Illinois at U r b a n a - C h a m p a i g n , email: w h s 0 c r h c . u i u c , edu), Michel Cukier (University of Illinois at U r b a n a - C h a m p a i g n , email: c u k i e x ' @ c r h ~ . n i u c . a d u ) and J e a n n a Gossett (The Boeing Company, email: Jeanna.Gossett@tfi/.Boeing.coln)

11. 7.

ACKNOWLEDGMENTS

T h e authors would like to t h a n k other m e m b e r s of the B B N staff, Chris Jones, Michael Atighetchi, Tom Mitchell, John Zinky, P a u l I~ubel, D a v i d K a r r , Craig Pd3ctrigues and Ron Scott, a n d m e m b e r s of t h e University of Illinois t e a m J a m e s Lyons, P r a s h a n t Pemdey, and Hari Kamasaany, for discussions t h a t led to t h e conclusions in this paper.

RELATED WORK

REFERENCES

[1] P~. Anderson. V~lty c r y p t o s y s t e m s fail. In Preceedinga

of the First Conference on Computer and Communic4ation Security, Nov. 1993. VA, USA. [2] D. Bakken. Middle6Jare. W a s h i n g t o n S t a t e University.

MAFTIA[7~ is an E S P R I T project developing an open architecture for transactional operations on t h e Internet. M A F T I A models a successful a t t a c k on a security domain, leading t o corruption of processes in t h a t domain, as a '~ault"; t h e architecture t h e n exploits approaches to fault tolerance t h a t a p p l y whether t h e faults have an accidental or malicious cause. T h e M A F T I A architecture appears to be an example of defense enabling. O t h e r projects have similar goals. T h e "Survivability Architectures"[9],[18] project aims to s e p a r a t e survivability requirements from an application's functional requirements. "An A s p e c t - O r i e n t e d Security Assurance Solution" is a D A R P A - f u n d e d project at Cigital Labs t h a t uses aspectoriented p r o g r a m m i n g to i m p l e m e n t security-related code transformations on an application program.

htt p : / / w w w , eecs.wsu.edu/-~bakken/middlewarearticle-bakken.pdf. [3] M. Barborak, A. D a h b u r a , a n d M. Malek. The consensus p r o b l e m in fault-tolerant computing. A C M Oomp. Suru., 25(2), 1993. [4] B B N Technologies. The Intrusion Tolerance by

Unpredictable Adaptation Project. http://www, dist-systems.bbn.com/projects/ITUA. [5] M. Castro a n d B. Liskov. P r a c t i c a l Byzantine fault tolerance. In Proceedinga oJ the 3rd USENIX

symposium on Operating Systems design and implementation, Feb. 1999.

77

[6] M. Cukier a n d et at. Overview of the I T U A project. In

[7] [8] [9]

[10]

[11]

[12]

[13]

[14]

[15] [16] [17] [18]

In FaJt Abatracts of the Dependable ,qystems and Nehvorka (DSN 01) Conference., J u n e 2001. Goteborg, Sweeden. I S T P r o g r a m m e FtTD Research Project IST-1999-11583. Malicious- and Accidental-Faul~ Tolerance.for Interne~ Applications. h t t p : / / m a f t i a . o r g . S. Kent. On t h e trail of intrusions into information systems. IEEE 3pectrum, Dec. ")000. J. Knight et al. Architectural approa~_h to information survivability. Technical report, "University of Virginia, Sept. 1997. J. Loyall, P. P. Pal, Ft. Schmatz, a n d F. Webber. Building a d a p t i v e a n d agile applications using intrusion detection a n d response. In Proceedings of the Networked and Distributed Systems Security fNDSS) Con]erence, Feb. 2000. San Diel~-o, California. J. Loyall, K. Schantz, J. Zinky, a n d D. Bakken. Specifying and m e a s u r i n g quali~y of service in distributed object systems. In J!st IEEE l , tl ,qT]mp. on Object- Oriented Real- Time Dia;~ributed Computing (I,qORC'98), Apr. 1998. Kyoto, J a p a n . L. Moser, P. Mellier-Smith, P. ] . ~ a r a ~ i m h a n 7 L. Tewksbury, and V. Kalogeraki. Eternal: F a u l t Tolerance a n d live u p g r a d e s fro" d i s t r i b u t e d object systems. In Proceedinga oI the DARPA Information Burvivability CYonJerence and Ezposition, Jan. 2000. Hilton Head, South Carolina. P. Pal, F. Webber, h/I. Atighetc3d, Ft. Schautz, and J. Loyall. Defense enabling using advanced middleware: An example. To a p p e a r in the Proceedings of DIILCOM'01, Oct. 2001. M. Keiter. Secure agreement protocols: Reliable and atomic group multicast in Ftz~tpart. In Proceedings o] the 2rid A C M conference on computer and communication ~ecurity, Nov. 1994. F. Schneider. I m p l e m e n t i n g fault-tolerant services using the s t a t e machine approE~h: A tutorial. A C M Uomp. Surv., 22(4), 1990. B. Schneier. Applied Cryptography. J o h n Wiley & Sons, Inc., 1996. US D e p a r t m e n t of Defense. Trusted Computer Syate~n Evaluation Criteria (O~nge Book), 1985. DoD 5200.28-STD. C. Wang. A security azchitectxtre for survivable systems. Technical r e p o r t , University of Vixginia, Ja~. 2001. P h D Thesis.

78