CoBFIT: A component-Based
Framework for Intrusion
Tolerance
Author: HariGovind V. Ramasamy
Adnan Agbaria
William H. Sanders
Presented by: Keqiang Zhu
Intrusion Tolerance
 Despite defense mechanisms and rigorous
testing, most systems remain at least
somewhat vulnerable
 Protecting against all attacks is not practical
 Assumes that over time, a subset of
vulnerabilities will be successfully exploited
by an attacker
 Goal: Provide “acceptable” service despite
faults due to intrusions
 Traditional Security + IT = defense-in-depth (buying time by yielding space)
Motivation
 Most of the implementation effort in
building an IT system is not spent on the IT
functionality but on the support features for
IT
 Different OSs are design requirements for
most IT systems, and multiple teams
working on different platforms have implemented
their own versions of the support features
 Hard to reuse the support features, since
the various implementations tightly couple
the support features with the IT functionality
Motivation (cont.)
 Lack of a convenient platform for
building and evaluating various
design choices for IT protocols
 Frameworks for dependability exist,
but they are mainly for crash-fault-tolerant
protocols that consider benign faults, and
don’t provide specialized support for IT
in the face of malicious faults
Goals
 Separate the support features that
facilitate the building of IT protocols
from the actual IT functionality
provided by the protocols
Goals
 A software framework for intrusion
tolerance
 Robust – the framework itself needs to be robust
to support robust IT protocols
 Reconfigurable – need to provide the capability
to dynamically change system posture in the
face of attacks
 Reusable – serve as a convenient platform for
building and testing a variety of IT protocols
without having to re-implement the support
features
 Portable – to exploit diversity through OS
heterogeneity for IT benefits
Outline
 CoBFIT Architecture
 Framework Components
 Example Framework Specialization:
an IT group communication system
 Support provided by the CoBFIT
framework in the context of the
example
 Summary and Future work
CoBFIT Architecture
CoBFIT Architecture (cont.)
 Framework components implement the
structure of IT
 Have primitives, abstractions, supporting
software mechanisms for IT
 Provide Run-time support or development
support
 Service components implement the
functionality of IT
 Are specific to a particular domain of
applications
 Have implementation of an IT protocol/algorithm
Outline
 CoBFIT Architecture
 Framework Components
 Example Framework Specialization:
an IT group communication system
 Support provided by the CoBFIT
framework in the context of the
example
 Summary and Future work
Event Manager
 Restricts communication between
service components strictly to
events
 Publish-subscribe model
 Components publish events they
generate to the Event Manager
 Components subscribe to events they
are interested in handling (event
handlers) from the Event Manager
Event Manager (Cont.)
 Detects, de-multiplexes, and
dispatches events to the interested
service components
 Invocation order of multiple event
handlers subscribed to the same
event is determined through a
dependency graph
Event Manager: Dependency Graph
 Nodes: service components in the
CoBFIT system
 Edge from service component c1 to
another component c2 implies that
correct operation of c1 depends on
whether c2 correctly satisfies its
specified properties
 Event handler of c2 invoked first,
followed by event handler of c1
CoBFIT GCS Service Components
Constructor
 Is responsible for reconfiguring the
CoBFIT system
 Creates all CoBFIT components
 Hands over dependency graph to the
Event Manager
Constructor (cont.)
 All CoBFIT components implement a
uniform component management interface
 Has operation interfaces to (re)initialize,
shut down, and suspend/resume execution
 Maintains a component repository
 Implements rules to choose among multiple
scripts, each specifying different adaptation
strategies (e.g., which of the available
service components to link/unlink)
Failure Detection
 Is the hub of communication for intrusion
detection
 Identifies compromised subsystems so as
to repair, replace, or remove them.
 Enforces a clean separation between failure
detection and failure response mechanisms
 Serves as the central sink for intrusion
detections from internal (service-component-specific) and external (third-party IDS) sources
Failure Detection (cont.)
 Processes the reports and implements
policies to determine which reports should
actually lead to system adaptation
 Generates a Failure_Detect event to which
interested components can subscribe
 Allows service components to be more
independent of the specific failure detection
tools
Replication Manager
 Redundancy by replication: important
design primitive used in many fault
and intrusion-tolerant systems
 Manages a replicated application
 Each replica is a CoBFIT system
 Each replica has a Replication
Manager
Replication Manager (cont.)
 Replication Manager components at
various replicas
 Communicate with each other to
reconfigure a replicated application
 Translate high-level dependability
requirements specified at run-time to
particular replication configurations
Consensus
 Building block for many distributed
services (atomic multicast,
membership)
 Provides a consensus primitive that
can be used for constructing such
services
Cryptography
 Provides a uniform way to access multiple
third-party cryptographic libraries
 Defines interfaces for common crypto
operations, and adapts the interface of the
chosen cryptographic library to the defined
interface
 Enhances reusability of service components
by making them independent of the
particular choice of crypto library
Network
 Messages are special types of events used
by a CoBFIT system to communicate with
other CoBFIT systems or the outside world
 A service component sends and receives
messages through the Network component
 Provides portable, object-oriented wrappers
around platform specific low-level network
functions and data
 Provides a uniform networking interface
independent of the particular platform or
underlying transport mechanism
Secure Data Manager
 Provides "safe" classes (wrappers around
unsafe C/C++ standard library functions)
 Classes for marshalling/de-marshalling,
buffering, fragmenting and reassembling
messages in an efficient manner without
making "deep" copies
 Service component developer would use
these classes instead of the ones provided
by the standard library
Outline
 CoBFIT Architecture
 Framework Components
 Example Framework
Specialization: an IT group
communication system
 Support provided by the CoBFIT
framework in the context of the
example
 Summary and Future work
CoBFIT GCS Service Components
CoBFIT GCS Service Components
 Group Membership
 Implements an intrusion-tolerant group
membership protocol
 Is useful for removing faulty members from the
group and adding new members to the group
 Maintains consistent group membership
information across all correct group members
 Subscribes to the Failure_Detect event
generated by Failure Detection (CoBFIT
framework component)
 Removes group members for which the
Failure_Detect event has been generated from
the group
CoBFIT GCS Service Components
 Reliable Multicast
 All correct members deliver the same set of
multicast messages
 The contents of a multicast message as delivered to
all correct processes are the same
 Prevents situations in which a malicious group
member sends one payload to some group
members and another payload to other group
members for the same multicast message
CoBFIT GCS Service Components
 Total Order
 Ensures that if two correct group members deliver two application-level
multicast messages m1 and m2, then both members deliver the messages
in the same order
 Is crucial in state-machine-replicated applications, so that group members
(replicas) reach the same state after executing an operation requested by a
multicast message
 Protocol partitions the set of all possible multicast sequence numbers among
the group members; assigns one partition to each group member
 Each replica generates messages with increasing sequence numbers from its
assigned partition without any gaps
 Messages are delivered in sequence-number order
 Protocol proceeds in global rounds, in which each group member sends
exactly one message per round (using a sequence number from its assigned
partition)
 If there is no application-level message to be sent in a round, a correct group
member is required to send a null message with the correct sequence number
 A member that stalls the protocol by refusing to send messages in a round will
be suspected and reported to the Failure Detection component; if more than
two-thirds of the group members suspect a group member, that member will
eventually be removed from the group
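The receiving side of the round-based protocol on this slide, as an added C++ example that is not CoBFIT's own protocol code. The partition is an assumption made for the example: in a group of n members, member i owns every sequence number s with s % n == i, so in global round r it sends r*n + i. The receiver rejects messages outside the sender's partition, delivers strictly in sequence-number order (so a gap blocks everything behind it, which is why null messages are mandatory), and names the member whose missing message is blocking delivery once a later round has begun, which is the member a Suspect_Report would identify.

```cpp
#include <cstdint>
#include <map>
#include <optional>
#include <string>
#include <vector>

// Added example, not CoBFIT's own protocol code. Assumed partition: member i
// owns every sequence number s with s % n == i, so in global round r member i
// sends sequence number r*n + i.
struct TOMessage {
    uint32_t sender;
    uint64_t seq;
    bool isNull;          // null message: fills the round, carries no payload
    std::string payload;
};

class TotalOrderReceiver {
public:
    explicit TotalOrderReceiver(uint32_t n) : n_(n) {}

    // Accept a message from the network. Rejects a message whose sequence
    // number is outside the sender's partition: a member using someone
    // else's sequence numbers is itself faulty.
    bool receive(const TOMessage& m) {
        if (m.sender >= n_ || m.seq % n_ != m.sender) return false;
        if (m.seq < next_) return false;            // already delivered: duplicate
        pending_.emplace(m.seq, m);                 // first copy wins; a conflicting
                                                    // second copy is dropped
        drain();
        return true;
    }

    // Application-level payloads delivered so far, in total order.
    const std::vector<std::string>& delivered() const { return delivered_; }

    // The member whose message blocks delivery: the next expected sequence
    // number has not arrived while some member has already sent from a later
    // round. This is the member a Suspect_Report would name.
    std::optional<uint32_t> stalledMember() const {
        if (pending_.empty()) return std::nullopt;
        uint64_t latestRound = pending_.rbegin()->first / n_;
        if (latestRound > next_ / n_) return uint32_t(next_ % n_);
        return std::nullopt;
    }

private:
    // Deliver in sequence-number order, stopping at the first gap.
    void drain() {
        for (auto it = pending_.find(next_); it != pending_.end(); it = pending_.find(next_)) {
            if (!it->second.isNull) delivered_.push_back(it->second.payload);
            pending_.erase(it);
            ++next_;
        }
    }
    uint32_t n_;
    uint64_t next_ = 0;                       // next sequence number to deliver
    std::map<uint64_t, TOMessage> pending_;   // received but not yet deliverable
    std::vector<std::string> delivered_;
};

struct Scenario {
    std::vector<std::string> delivered;
    bool partitionViolationRejected = false;
    bool noStallBeforeNextRound = false;
    std::optional<uint32_t> stalled;
};

// Constructed run with n = 3: round 0 arrives out of order, then member 1 goes
// silent in round 1 while members 0 and 2 keep sending.
Scenario runScenario() {
    TotalOrderReceiver rx(3);
    Scenario s;
    rx.receive({2, 2, false, "c"});           // round 0 from member 2 arrives first: held back
    rx.receive({0, 0, false, "a"});           // round 0 from member 0: "a" delivered, "c" still waits
    rx.receive({1, 1, true, ""});             // member 1's null message closes round 0: "c" delivered
    s.partitionViolationRejected = !rx.receive({1, 5, false, "x"});  // 5 % 3 == 2, not member 1's
    rx.receive({0, 3, false, "d"});           // round 1
    rx.receive({2, 5, false, "e"});           // round 1; member 1 silent, but same round: no suspicion
    s.noStallBeforeNextRound = !rx.stalledMember().has_value();
    rx.receive({0, 6, false, "f"});           // round 2 began without member 1's round-1 message
    s.stalled = rx.stalledMember();           // member 1 is blocking delivery
    s.delivered = rx.delivered();             // "a", "c", "d": nothing past the gap at seq 4
    return s;
}
```

Note what the receiver does not do: it never skips the gap. Liveness is restored only when the Failure Detection quorum convicts the silent member and the membership protocol installs a view without it, at which point the remaining members can re-partition the sequence space.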
CoBFIT GCS Service Components
 Gossip
 Discovers new processes wanting to join
the group
 If new process has proper credentials, it
is allowed to join the group
 Group membership protocol updates the
group membership info at all correct
group members consistently to reflect
the addition of the new process to the
group
CoBFIT GCS Service Components
 Heartbeat
 If heartbeat from a process doesn’t
arrive in time, it is suspected
 If more than two-thirds of the group members
suspect a member of crashing, then that
member is removed from the group
CoBFIT GCS Service Components
CoBFIT GCS Service Components
 Group membership and total order protocol
messages need to be consistently delivered
(with the same contents) at all correct
group members
 Group membership needs Gossip to
discover new processes, and Heartbeat to
detect crashed group members
 Total order protocol needs group
membership protocol to remove group
members that stall the protocol
Outline
 CoBFIT Architecture
 Framework Components
 Example Framework Specialization:
an IT group communication system
 Support provided by the CoBFIT
framework in the context of the
example
 Summary and Future work
Support Provided by CoBFIT
Framework
 All service components in the CoBFIT GCS
rely on
 Cryptography component for digitally
signing/verifying messages
 Secure Data Manager component for various
message marshalling/de-marshalling operations
 Network component to communicate with peer
service components on remote CoBFIT systems
(replicas) belonging to the same group
 Event Manager component for communication
with other service components within the same
CoBFIT system (replica)
Support Provided by CoBFIT
Framework
 Group membership component depends on the Failure
Detection component
 to receive the Failure_Detect event, based on which it removes
faulty members from the group
 Service components
 generate a Suspect_Report event to identify a suspect group
member; handled by the Failure Detection component
 Failure Detection components at various group members exchange
Suspect_Report events with each other
 When a Failure Detection component receives Suspect_Report
events for a particular group member from the peer
components at more than two-thirds of the group members, it
generates a Failure_Detect event
 The Failure_Detect event is handled locally by the group
membership component to ensure that the “convicted” group
member is removed from the group membership
Outline
 CoBFIT Architecture
 Framework Components
 Example Framework Specialization:
an IT group communication system
 Support provided by the CoBFIT
framework in the context of the
example
 Summary and Future work
Summary and future work
 Summary
 A framework that provides specialized support
for intrusion-tolerant services, facilitating their
development and run-time adaptation
 Incorporates characteristics that are essential
for survivability in the face of attacks
 Demonstrated how it can serve as a convenient
platform for building an IT group communication
system
Summary and future work
 Future Work
 Investigate decision procedures that strike a balance between
automated reconfiguration and unnecessary reconfiguration
(Constructor)
 Provide a comprehensive library of safe classes (Secure Data
Manager)
 Interface with multiple third-party IDSs; new policies for
analyzing intrusion reports that reduce reconfiguration
resulting from false positives (Failure Detection)
 Translate high-level dependability requirements to replication
configurations tolerating different types of faults (Replication
Manager)
 Make a widely used application IT-enabled using the CoBFIT
GCS
 Explore additional supporting software mechanisms for IT that
can be added as framework components in the CoBFIT
framework