CoBFIT: A Component-Based Framework for Intrusion Tolerance
Authors: HariGovind V. Ramasamy, Adnan Agbaria, William H. Sanders
Presented by: Keqiang Zhu
Intrusion Tolerance
Despite defense mechanisms and rigorous
testing, most systems remain at least
somewhat vulnerable
Protecting against all attacks is not practical
Assumes that over time, a subset of
vulnerabilities will be successfully exploited
by an attacker
Goal: Provide “acceptable” service despite
faults due to intrusions
Traditional Security + IT = defense-in-depth (buying time by yielding space)
Motivation
Most of the implementation effort in
building an IT system is spent not on the IT
functionality but on the support features for
IT
Different OSs are design requirements for
most IT systems, and multiple teams
working on different platforms have implemented
their own versions of the support features
Hard to reuse the support features, since
the various implementations tightly couple
the support features with the IT functionality
Motivation (cont.)
Lack of a convenient platform for
building and evaluating various
design choices for IT protocols
Frameworks for dependability exist,
but they are mainly for crash-fault-tolerant
protocols that consider benign faults, and
don’t provide specialized support for IT
in the face of malicious faults
Goals
Separate the support features that
facilitate the building of IT protocols
from the actual IT functionality
provided by the protocols
Goals
A software framework for intrusion
tolerance
Robust – the framework itself needs to be robust
to support robust IT protocols
Reconfigurable – need to provide the capability
to dynamically change system posture in the
face of attacks
Reusable – serve as a convenient platform for
building and testing a variety of IT protocols
without having to re-implement the support
features
Portable – to exploit diversity through OS
heterogeneity for IT benefits
Outline
CoBFIT Architecture
Framework Components
Example Framework Specialization:
an IT group communication system
Support provided by the CoBFIT
framework in the context of the
example
Summary and Future work
CoBFIT Architecture
CoBFIT Architecture (cont.)
Framework components implement the
structure of IT
Have primitives, abstractions, supporting
software mechanisms for IT
Provide run-time support or development
support
Service components implement the
functionality of IT
Are specific to a particular domain of
applications
Have an implementation of an IT protocol/algorithm
Event Manager
Restricts communication between
service components to events only
Publish-subscribe model
Components publish events they
generate to the Event Manager
Components subscribe to events they
are interested in handling (event
handlers) from the Event Manager
Event Manager (Cont.)
Detects, de-multiplexes, and
dispatches events to the interested
service components
Invocation order of multiple event
handlers subscribed to the same
event is determined through a
dependency graph
Event Manager: Dependency Graph
Nodes: service components in the
CoBFIT system
Edge from service component c1 to
another component c2 implies that
correct operation of c1 depends on
whether c2 correctly satisfies its
specified properties
Event handler of c2 invoked first,
followed by event handler of c1
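As an added example (not CoBFIT's own code), a minimal Event Manager that applies the dependency-graph rule above: `depends_on[c1]` holds the components c1 depends on, and their handlers run before c1's, transitively. Component and event names are hypothetical.

```python
from collections import defaultdict

class EventManager:
    def __init__(self, depends_on):
        # depends_on[c1] = {c2, ...}: edge c1 -> c2, i.e. correct operation
        # of c1 depends on c2, so c2's handler is invoked before c1's.
        self.depends_on = {c: set(d) for c, d in depends_on.items()}
        self.handlers = defaultdict(dict)   # event -> {component: handler}

    def subscribe(self, component, event, handler):
        self.handlers[event][component] = handler

    def _all_deps(self, component, seen=None):
        # Transitive closure, so c1 -> c2 -> c3 still puts c3 before c1
        # even when c2 is not subscribed to the event being dispatched.
        seen = set() if seen is None else seen
        for dep in self.depends_on.get(component, ()):
            if dep not in seen:
                seen.add(dep)
                self._all_deps(dep, seen)
        return seen

    def invocation_order(self, event):
        """Subscribers of `event`, dependencies first (ties broken by name)."""
        pending = set(self.handlers.get(event, {}))
        ordered = []
        while pending:
            ready = sorted(c for c in pending
                           if not (self._all_deps(c) & pending))
            if not ready:   # every remaining subscriber waits on another one
                raise ValueError("dependency cycle among %s" % sorted(pending))
            ordered.extend(ready)
            pending.difference_update(ready)
        return ordered

    def publish(self, event, payload=None):
        """Dispatch `event` to each subscribed handler in dependency order."""
        order = self.invocation_order(event)
        for component in order:
            self.handlers[event][component](payload)
        return order
```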
CoBFIT GCS Service Components
Constructor
Is responsible for reconfiguring the
CoBFIT system
Creates all CoBFIT components
Hands over dependency graph to the
Event Manager
Constructor (cont.)
All CoBFIT components implement a
uniform component management interface
Has operation interfaces to (re)initialize,
shut down, and suspend/resume execution
Maintains a component repository
Implements rules to choose among multiple
scripts, each specifying different adaptation
strategies (e.g., which of the available
service components to link/unlink)
Failure Detection
Is the hub of communication for intrusion
detection
Identifies compromised subsystems so as
to repair, replace, or remove them.
Enforces a clean separation between failure
detection and failure response mechanisms
Serves as a central sink for intrusion detection
reports from internal (service-component-specific)
and external (third-party IDS) sources
Failure Detection (cont.)
Processes the reports and implements
policies to determine which reports should
actually lead to system adaptation
Generates a Failure_Detect event to which
interested components can subscribe
Allows service components to be more
independent of the specific failure detection
tools
Replication Manager
Redundancy by replication: an important
design primitive used in many fault- and
intrusion-tolerant systems
Manages a replicated application
Each replica is a CoBFIT system
Each replica has a Replication
Manager
Replication Manager (cont.)
Replication Manager components at
various replicas
Communicate with each other to
reconfigure a replicated application
Translate high-level dependability
requirements specified at run-time to
particular replication configurations
Consensus
Consensus is a building block for many
distributed services (atomic multicast,
membership)
Provides a consensus primitive that
can be used for constructing such
services
Cryptography
Provides a uniform way to access multiple
third-party cryptographic libraries
Defines interfaces for common crypto
operations, and adapts the interface of the
chosen cryptographic library to the defined
interface
Enhances reusability of service components
by making them independent of the
particular choice of crypto library
Network
Messages are special types of events used
by a CoBFIT system to communicate with
other CoBFIT systems or the outside world
A service component sends and receives
messages through the Network component
Provides portable, object-oriented wrappers
around platform specific low-level network
functions and data
Provides a uniform networking interface
independent of the particular platform or
underlying transport mechanism
Secure Data Manager
Provides "safe" classes (wrappers around
unsafe C/C++ standard library functions)
Classes for marshalling/de-marshalling,
buffering, fragmenting and reassembling
messages in an efficient manner without
making "deep" copies
Service component developer would use
these classes instead of the ones provided
by the standard library
CoBFIT GCS Service Components
Group Membership
Implements an intrusion-tolerant group
membership protocol
Is useful for removing faulty members from the
group and adding new members to the group
Maintains consistent group membership
information across all correct group members
Subscribes to the Failure_Detect event
generated by Failure Detection (CoBFIT
framework component)
Removes group members for which the
Failure_Detect event has been generated from
the group
CoBFIT GCS Service Components
Reliable Multicast
All correct members deliver the same set of
multicast messages
Contents of a multicast message as delivered to
all correct processes are the same
Prevents situations in which a malicious group
member sends one payload to some group
members and another payload to other group
members for the same multicast message
CoBFIT GCS Service Components
Total Order
Ensures that if two correct group members deliver two application-level
multicast messages m1 and m2, then both members deliver the messages
in the same order
Is crucial in state machine replicated applications so that group members
(replicas) reach same state after executing an operation requested by a
multicast message
Protocol partitions the set of all possible multicast sequence numbers among
the group members; assigns one partition to each group member
Each replica generates messages with increasing sequence numbers from its
assigned partition without any gaps
Messages delivered in sequence number order
Protocol proceeds in global rounds, in which each group member sends
exactly one message per round (using sequence number from its assigned
partition)
If there is no application-level message to be sent in a round, a correct
group member is required to send a null message with the correct sequence number
A member that stalls the protocol by refusing to send messages in a round will
be suspected and reported to the Failure Detection component; if more than
two-thirds of the group members suspect a group member, that member will
eventually be removed from the group
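As an added example (not CoBFIT's own code) of the sequence-number partitioning above: member i of n owns sequence numbers i, i+n, i+2n, ..., sends exactly one message per round (a null message if it has nothing to send), and a receiver delivers in sequence-number order. The stall check is a simplification assumed here: the owner of the first missing sequence number is suspected once a message from a later round has arrived. Names are hypothetical.

```python
NULL = None  # payload of a null (filler) message

def seq_for(member, rnd, n):
    """Sequence number member `member` (0..n-1) must use in round `rnd`."""
    return member + rnd * n

def owner_of(seq, n):
    """Which member's partition a sequence number belongs to."""
    return seq % n

class Receiver:
    def __init__(self, n):
        self.n = n
        self.next_seq = 0     # next sequence number to deliver
        self.pending = {}     # seq -> payload, received but not yet deliverable
        self.delivered = []   # application payloads, in total order

    def receive(self, seq, payload):
        if seq < self.next_seq or seq in self.pending:
            return  # duplicate
        self.pending[seq] = payload
        # Deliver the contiguous prefix; a null message only fills its slot.
        while self.next_seq in self.pending:
            p = self.pending.pop(self.next_seq)
            if p is not NULL:
                self.delivered.append(p)
            self.next_seq += 1

    def suspect(self):
        """Owner of the stalled slot, or None if no later round has arrived yet.

        Members of the missing slot's own round may simply be in flight, so a
        gap is treated as evidence of stalling only once a message from a
        later round is already pending (assumed policy, not CoBFIT's).
        """
        if not self.pending:
            return None
        missing_round = self.next_seq // self.n
        if max(self.pending) // self.n > missing_round:
            return owner_of(self.next_seq, self.n)
        return None
```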
CoBFIT GCS Service Components
Gossip
Discovers new processes wanting to join
the group
If new process has proper credentials, it
is allowed to join the group
Group membership protocol updates the
group membership info at all correct
group members consistently to reflect
the addition of the new process to the
group
CoBFIT GCS Service Components
Heartbeat
If the heartbeat from a process doesn’t
arrive in time, the process is suspected
If more than two-thirds of the group members
suspect a member of having crashed, then that
member is removed from the group
CoBFIT GCS Service Components
Group membership and total order protocol
messages need to be consistently delivered
(with the same contents) at all correct
group members
Group membership needs Gossip to
discover new processes, and Heartbeat to
detect crashed group members
Total order protocol needs group
membership protocol to remove group
members that stall the protocol
Support Provided by CoBFIT
Framework
All service components in the CoBFIT GCS
rely on
Cryptography component for digitally
signing/verifying messages
Secure Data Manager component for various
message marshalling/de-marshalling operations
Network component to communicate with peer
service components on remote CoBFIT systems
(replicas) belonging to the same group
Event Manager component for communication
with other service components within the same
CoBFIT system (replica)
Support Provided by CoBFIT
Framework
Group membership component depends on Failure
Detection component
to receive the Failure_Detect event based on which it removes
faulty members from the group
Service components
generate Suspect_Report event to identify a suspect group
member; handled by the Failure Detection component
Failure Detection components at various group members exchange
Suspect_Report events with each other
When a Failure Detection component receives Suspect_Report
events for a particular group member from the peer
components at more than two-thirds of the group members, it
generates a Failure_Detect event
Failure_Detect event is handled locally by the group
membership component to ensure that the “convicted” group
member is removed from the group membership
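As an added example (not CoBFIT's own code) covering both the Heartbeat slide and the Suspect_Report flow above: a Failure Detection component that files its own heartbeat-timeout suspicions, collects Suspect_Report events from peers, and generates one Failure_Detect per member once more than two-thirds of the current group has accused it; Group Membership handles that event locally by dropping the member. Names, the heartbeat bookkeeping and the threshold arithmetic are assumptions.

```python
class GroupMembership:
    def __init__(self, members):
        self.members = set(members)

    def handle_failure_detect(self, member):
        # Handled locally: the "convicted" member leaves the group view.
        self.members.discard(member)

class FailureDetection:
    def __init__(self, membership):
        self.membership = membership
        self.reports = {}      # suspect -> set of reporters (peers and self)
        self.detected = []     # Failure_Detect events generated, in order

    def threshold(self):
        # Strictly more than two-thirds of the current group must agree.
        n = len(self.membership.members)
        return (2 * n) // 3 + 1

    def suspect_report(self, reporter, suspect):
        """Handle one Suspect_Report; return True if Failure_Detect was raised."""
        members = self.membership.members
        if reporter not in members or suspect not in members:
            return False   # stale report, or accusation by a non-member
        reporters = self.reports.setdefault(suspect, set())
        reporters.add(reporter)   # a repeated accusation counts once
        if len(reporters) < self.threshold():
            return False
        self.detected.append(suspect)
        self.membership.handle_failure_detect(suspect)
        # Accusations made by the removed member no longer count anywhere.
        for others in self.reports.values():
            others.discard(suspect)
        return True

    def check_heartbeats(self, last_seen, now, timeout, me):
        """Heartbeat policy: members silent for longer than `timeout` are
        suspected locally, i.e. `me` files a Suspect_Report for each."""
        suspects = sorted(m for m in self.membership.members
                          if m != me and now - last_seen.get(m, float("-inf")) > timeout)
        for m in suspects:
            self.suspect_report(me, m)
        return suspects
```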
Summary and future work
Summary
A framework that provides specialized support
for intrusion-tolerant services, facilitating their
development and run-time adaptation
Incorporates characteristics that are essential
for survivability in the face of attacks
Demonstrated how it can serve as a convenient
platform for building an IT group communication
system
Summary and future work
Future Work
Investigate decision procedures that strike a balance between
automated reconfiguration and unnecessary reconfiguration
(Constructor)
Provide a comprehensive library of safe classes (Secure Data
Manager)
Interface with multiple third-party IDSs, new policies for
analyzing intrusion reports that reduce reconfiguration
resulting from false positives (Failure Detection)
Translate high-level dependability requirements to replication
configurations tolerating different types of faults (Replication
Manager)
Make a widely used application IT-enabled using the CoBFIT
GCS
Explore additional supporting software mechanisms for IT that
can be added as framework components in the CoBFIT
framework