Agile Objects: Component-based Inherent Survivability

1
Agile Objects: Component-based Inherent Survivability
  • Andrew A. Chien and Jane W. Liu
  • University of California, San Diego
  • University of Illinois, Urbana-Champaign
  • http://www-csag.ucsd.edu/projects/agileO.html
  • DARPA ISO Intrusion Tolerant Systems PI Meeting
  • February 22, 2000

2
Outline
  • Agile Objects Approach
  • Location Elusiveness
  • Interface Elusiveness
  • Detailed Technical Approach
  • Previously Reported
  • Progress in past six months
  • Future Plans

3
Background/Existing Practice
  • Static Distributed Software Architectures
    (nearly)
  • Fixed points of access, deployment, resource
    dependence
  • System/Firewall/Sandbox/Domain based Security
  • Resource and containment oriented
  • Security Architecture based on Anticipated
    Deployment Structures
  • => Flexibility and reconfiguration can enhance
    survivability
  • Our Focus: Flexible Configuration of Distributed
    C3I Systems (Real-time, High Performance,
    Mission-Critical Online systems)
  • E.g. Aegis Battle Cruiser, Theatre
    Command/Information system, etc.

4
Focus: Tolerance and Response
  • Resource revocation due to loss
  • Physical loss, destruction, crash (failure)
  • Resource loss due to compromise
  • Corruption, compromise, unacceptable risk
  • Resources made undesirable due to changes in
    security status
  • Under attack, detected assaults, partially
    compromised, loss of other security critical
    information
  • Proactive reconfiguration in response to partial
    loss

5
Technical Objectives
  • Flexible Configuration of Distributed C3I Systems
  • Performance
  • Application Architecture
  • Security
  • Location Elusiveness
  • Survivability (resource loss or compromise)
  • Continued Real-time performance
  • Interface Elusiveness
  • Survivability (automatic, distributed attack)
  • Adaptive Interfaces/Security Mechanisms over
    Reconfiguration
  • Dynamic Responses to Environmental Changes
  • Prototypes and Demonstrations that support
    commercial APIs

6
Technical Approach
Agile Objects Middleware
  • Increase application capability thru Enhanced
    Middleware for Distributed Objects and Components
  • Benefit to Standard APIs
  • Survivability thru Elusiveness
  • Distributed Applications without fixed resources
    or configuration
  • Security structures adapt to
    configuration/performance constraints
  • Difficult to locate, target, identify; difficult
    to compromise

7
Example Scenario
  • Distributed object/Component applications
  • Online reconfiguration enables a flexible dynamic
    response to resource or security change
  • Response to critical events achieved in short
    time scales (seconds)
  • Automatic reconfiguration maintains
    performance and security properties

8
Challenges
  • Location Elusiveness: Support rapid application
    mobility with
  • Performance insensitivity
  • Uniform resource access
  • Continuous real-time performance
  • => make this real for significant distributed
    applications
  • Interface Elusiveness: Adapt security mechanisms
    and configuration
  • Support very high speed networks
  • Describe system application security requirements
  • Manage and enforce security requirements,
    adapting in real time to match rapid changes

9
Detailed Technical Approach
  • Location Elusiveness
  • Theoretical and Analytical Foundations
  • High Performance Distributed Objects
  • Migration and Scalable Name Service
  • Dynamic Open Real-time Systems
  • Prototypes and Demonstrations
  • High performance distributed objects
  • Object Migration and Replication
  • Open Real Time systems and Distributed Resource
    Managers
  • Experiment with existing applications for
    transparent static redistribution
  • Performance experiment and demonstrations with
    cluster/LAN and wide-area environments

10
Detailed Technical Approach (cont.)
  • Interface Elusiveness
  • Theoretical and Analytical Foundations
  • Mutating Interfaces: Space/Complexity/Performance
    (static)
  • Mutating Interfaces: Dynamic Coordination
    (dynamic)
  • Mutating Interfaces: Targeted (specific response)
  • Prototypes and Demonstrations
  • Interface Mutation Prototypes (range, correct
    operation)
  • Dynamic Mutation (consistent operation,
    reconfiguration, resource adaptation)
  • Demonstration and evaluation of several
    approaches for distributed coordination
  • Demonstration and evaluation of targeted
    responses based on intrusion detection
    information
  • Integrated Experiments

11
Progress
  • Previously reported results (8/99)
  • User-level networking performance
  • Fast Remote RPC (improving)
  • Basic Real-time Framework
  • Recent Results
  • Multi-DCOM Prototype
  • Elusive Interfaces Case Study
  • Future Plans
  • Experimentation with Multi-DCOM Prototype
  • Elusive Interfaces Prototype

12
Multi-DCOM Infrastructure
[Diagram labels: Server 2, Client]
  • Generic Transparent Interface for Replication
  • Based on DCOM infrastructure (binary modules of
    all derivations)
  • Iterator based API compatibility and basis for
    extension and experimentation
  • Experimentation framework for flexible
    replication (Fault and Intrusion Tolerance)
  • Partial redundancy/threshold cryptography
    approaches (e.g. Pasis, etc.)

13
Elusive Interfaces
[Diagram labels: Specialized Cryptography Hardware, High Speed Net, Untrusted Net, Time-varying]
  • Distributed Object and Component Applications:
    primitive pairwise relationships
  • End-to-end encryption techniques practically
    incompatible with high speed networks
  • Ideas
  • Low-cost encryption techniques based on interface
    structure
  • Adapt and manage automatically in response to
    changes
  • Systematic analysis of opportunities, costs, and
    capabilities

14
Security Overhead
  • SSL inline overhead (excluding initial exchange
    protocol)
  • 4x fixed overhead, 17x per byte costs (2Mbits)
  • 56-bit keys, 500MHz Pentium IIs, 100Mbit
    Ethernet
  • Cleartext protocol stacks barely feed high speed
    networks

15
Case Study: Elusive Interfaces
  • European Molecular Biology Laboratory's
    Nucleotide Sequence Database (NSDB)
  • 41 methods, 4 distinct interfaces, various
    numbers of arguments
  • Wide range of data access mechanisms (standard
    queries) and attribute information
  • Application at simple end of the spectrum

16
Dimensions of Interface Manipulation
  • Method offset value
  • Method offset spacing
  • Method offset location (in message)
  • Parameter location
  • Parameter organization
  • Parameter encryption
  • Parameter buffering
  • Flexible packetization
  • Temporal variation
  • . . .

17
Practical Encoding Space
  • How large a space can we generate for an
    attacker?
  • Analyze all possible configurations of the
    parameters
  • Potential for obscuring application information
    (published interfaces)
  • Incorrect probes all detected
  • (details available in a forthcoming report)
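
An added sketch (not code from the presentation or the Agile Objects project) of two of the dimensions listed on slide 16, method offset value and parameter organization, re-derived per epoch from a shared secret to give temporal variation, with the space count and probe detection asked about on slide 17. The toy interface, the 16-bit offset field, the secret and the epoch scheme are all assumptions, and `random.Random` is a stand-in for a keyed shuffle, not a cryptographic construction.

```python
import hashlib, hmac, math, random, struct

# Constructed toy interface: method name -> argument count (hypothetical names).
METHODS = {"get_entry": 2, "query_by_id": 3, "list_features": 1}
SLOT_SPACE = 2**16  # assumed width of the on-wire method-offset field

def mutation(secret: bytes, epoch: int) -> dict:
    """Derive one epoch's encoding: method -> (offset value, parameter order)."""
    seed = hmac.new(secret, struct.pack(">Q", epoch), hashlib.sha256).digest()
    # Both endpoints seed the same PRNG; a toy stand-in for a keyed shuffle.
    rng = random.Random(int.from_bytes(seed, "big"))
    slots = rng.sample(range(SLOT_SPACE), len(METHODS))
    table = {}
    for (name, argc), slot in zip(sorted(METHODS.items()), slots):
        order = list(range(argc))
        rng.shuffle(order)
        table[name] = (slot, order)
    return table

def encode(table: dict, name: str, args: list) -> tuple:
    """Caller side: emit (offset value, arguments in the mutated order)."""
    slot, order = table[name]
    return slot, tuple(args[i] for i in order)

def decode(table: dict, message: tuple):
    """Callee side: recover (method, args), or None for an incorrect probe."""
    slot, wire_args = message
    for name, (expected, order) in table.items():
        if slot == expected and len(wire_args) == len(order):
            args = [None] * len(order)
            for pos, i in enumerate(order):
                args[i] = wire_args[pos]
            return name, args
    return None  # unused offset or wrong arity: count it as a probe

def encoding_space() -> int:
    """Configurations over the two modelled dimensions only."""
    offsets = math.perm(SLOT_SPACE, len(METHODS))
    orders = math.prod(math.factorial(n) for n in METHODS.values())
    return offsets * orders

def blind_probe_hit_rate() -> float:
    """Chance that one guessed offset value names any live method."""
    return len(METHODS) / SLOT_SPACE
```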

18
Initial Observations
  • Space is large and proportional to interface
    complexity (increasing?)
  • Interface encoding to be performed at line speed
    using custom-generated code sequences
  • Relationship to classical cryptography approaches
    needs to be developed (cost, difficulty of
    attack)
  • Current manual experiments; building a general
    prototype for broader experimentation

19
Agile Objects Project Plan
  • Location Elusiveness
  • Interface Elusiveness
  • High Performance RPC
  • Analytical Foundations Case Studies
  • Distribution Insensitivity (RPC Real-time
    Scheduling)
  • Object Migration integrated with Distribution
    Insensitivity
  • Mutation Prototype
  • Dynamic Mutation Prototype (online, reactive)
  • Location Elusiveness Demonstration
  • Interface Elusiveness Demonstration
  • Location Elusiveness Demonstration
  • Integrated Demonstration

20
Quantitative Metrics
  • Location Elusiveness
  • Speed of remote RPC, ratio of local/remote
  • Time of application reconfiguration (physical
    network parameters, applications)
  • Granularity/precision of real-time guarantees
  • Interface elusiveness
  • Size of reconfiguration space, range of
    techniques
  • Reconfiguration Cost
  • Reconfiguration Delay
  • Scale of Demonstrations

21
Expected Major Achievements
  • Location Elusiveness: Distribution insensitive
    distributed applications
  • High Performance RPC which enables flexible
    configuration
  • Online Migration and Replication
  • Real-time applications which reconfigure while
    maintaining performance guarantees
  • Interface Elusiveness: Characterize space of
    interface mutation and dynamic coordination
    mechanisms
  • Crystallize a framework for adaptive interface
    mutation management (reconfiguration, cost,
    space)
  • Configuration independent application security
    specifications
  • Develop a range of targeted responses based on
    Intrusion Detection System status information
  • Integrate techniques for a unified Agile Objects
    approach and demonstration