1
INTRUSION TOLERANT SYSTEMS WORKSHOP
Williamsburg, Virginia, 5 - 6 October 1999
Jaynarayan H. Lala, ITS Program Manager, Information Systems Office
2
ITS WORKSHOP AGENDA (1 of 2)
  • Tuesday 8:00 - 12:30: PRESENTATIONS
  • Workshop Goals, DARPA IA&S & ITS Programs: J. Lala
  • Intrusion Detection State-of-the-Art & Challenges: R. Maxion
  • ABFT & Other Error Detection Techniques: J. Abraham
  • Security & Fault Tolerance Perspectives: J. Rushby
  • Mission & Safety-Critical Architectures: L. Alger
  • Threats to Information Systems: D. Faatz
  • Abstractions for Building Fault-Tolerant Distr. S/W: R. Schlichting
  • Attack / Intrusion Tolerance: D. Powell
  • State Restoration: D. Siewiorek
  • DICOTS and Stackguard: C. Landwehr

3
ITS WORKSHOP AGENDA (2 of 2)
  • Tue 1:30 - 4:30: Working Group Sessions
  • Tue 4:30 - 5:30: Working Group Preliminary Reports
  • Wed 8:00 - 11:30: Working Group Sessions
  • Wed 11:30 - 12:30: Working Group Final Reports

4
PRESENTATION OUTLINE
  • Workshop Goals
  • DARPA's Information Assurance & Survivability
    Programs Overview
  • Intrusion Tolerant Systems Program Overview
  • Bridging Fault Tolerance & Intrusion/Attack
    Tolerance

5
WORKSHOP GOALS
  • Bring together experts from dependable computing
    / fault tolerant domain and security domain to
    exchange ideas that might benefit ITS program
  • Several prior attempts at exploring applicability
    of fault tolerance technology to information
    assurance problems
  • Matching solutions from one domain to problems
    from the other domain has not been a successful
    endeavor
  • One possible reason: both disciplines are very
    broad

6
WORKSHOP FOCUS
  • Current workshop is very narrowly focused on:
  • Applicability of fault tolerance techniques
    designed for accidental and (unintentional)
    design faults to a certain subset of information
    assurance (availability & integrity) with respect
    to intentional faults and attacks
  • Specifically, use of redundancy, in all its
    forms, for detecting abnormal behavior and
    tolerating intentional faults and attacks
  • Workshop focus is NOT on reconciling terminology
    of the two communities or solving fault tolerance
    problems.

7
INFORMATION ASSURANCE & SURVIVABILITY (IA&S)
PROGRAMS OVERVIEW
  • Jay Lala, Douglas Maughan, Cathy McCollum,
  • Sami Saydjari, Mike Skroch, Brian Witten
  • Project Managers
  • Information Systems Technology Offices

Diagram labels: Detection, Prevention, Tolerance, Attacks
8
Challenging questions: Commander's attack triage
questions
  • Am I under attack ?
  • What is the nature of the attack ?
  • Class, mechanism, from where ?
  • What is mission impact ?
  • Urgency, damage assessment control, initial
    response
  • When did attack start ?
  • Follow-on damage assessment, what have I done
    wrong ?
  • Who is attacking?
  • What are they trying to do, what is their next
    step ?
  • What can I do about it ?
  • Course of action analysis, collateral damage
    risk, reversibility of action
  • Can I survive the attack?
  • Long term solution

Currently, we are Blind and Powerless at all
echelons
9
Strategic cyber defense - a map history
NSA Crypto
10
Information Assurance & Survivability Overview
Command & Control
Action Fabric
Science
11
Autonomic Information Assurance (AIA)
Multidimensional Policy
  • Control systems for directing adaptive defense
  • Modeling is imperative
  • Correction Function
  • Multidimensional Policy
  • State Estimation

12
Cyber Command and Control (CC2)
Information is the foundation on which we fight,
yet...
We are POWERLESS to defend it
We are BLIND to the information situation
Kinetic actions
  • Develop effective IA visualization frameworks
  • Model information flow and mission dependencies
  • Assess damage to own information and functions
  • Fuse external situation and system state
    information
  • Identify information gaps and task cyber sensors
  • Infer and project adversary intent

  • Develop mission-based utility models
  • Construct IA tactics and strategies from
    mechanisms
  • Isolate new attack mechanisms and create
    countermeasures
  • Determine possible plans and game out against
    adversary moves
  • Model IA behavior with adaptive and autonomous
    elements
  • Execute courses of action conditioned on
    monitoring of outcomes

Decisions
Applications and Information
Networks and Hosts
13
Strategic Intrusion Assessment (SIA)
Goal: Discern and assess coordinated attacks
from analysis of observed/reported activities,
enabling response at appropriate level -
autonomic or human command & control - through:
  • Detector Coordination
  • Build on CIDF to allow sharing of events and
    analysis
  • Exploit global information at local detector
  • Filter false alarms, focus local detection
  • Correlation Inference
  • Algorithms to correlate and analyze sensor
    information
  • Automated planning techniques to track attack
  • Hypothesize adversary goals and predict actions
  • Attack Forensics
  • Damage Determination
  • Exploit automated learning techniques for damage
    assessment
  • Evidence Collection

14
IA Science & Engineering Tools (IASET)
We don't understand the science of IA in systems.
Problem area definition
Approach
15
IA Science & Engineering Tools (IASET)
We don't know how to design and assess IA in
systems.
Problem area definition
  • Common environment
  • to model system and implicit IA knowledge of
    designers
  • maintain and distribute wisdom gained - don't
    repeat mistakes
  • change fundamental approach to IA design and
    assessment

Approach
  • Common environment
  • publish IA design/assess high-level ontology
    methodology
  • identify then select mechanics for software
    integration platform
  • demonstrate environment with real programs,
    DARPA others

16
INTRUSION TOLERANT SYSTEMS PROGRAM OVERVIEW
17
BACKGROUND
  • So far, emphasis has been on making information
    systems secure by keeping intruders out.
  • Confidentiality and integrity have been achieved
    by encrypting critical information and limiting
    access to it only to authenticated users.
  • Trusted computing bases, highly classified
    limited access networks, boundary controllers, in
    conjunction with physical security, have met the
    security needs of a relatively small community of
    highly sensitive users.

18
BACKGROUND
  • Costs of these techniques, as measured in
    performance, functionality and affordability,
    have been high.
  • Commercial marketplace now dominated by COTS
    components
  • the control over the detailed design of hardware,
    software and architecture necessary to implement
    these techniques is no longer cost-effective

19
INTRUSION TOLERANT SYSTEMS
  • Premise
  • Attacks will happen; some will be successful
  • Attacks may be coordinated across multiple sites
  • Hypothesis
  • Attacks can be detected, contained, and
    tolerated, enabling continued correct progress of
    mission critical applications

20
INTRUSION TOLERANT SYSTEMS
  • Programmatic/Technical Approach
  • Identify processing system and network
    vulnerabilities
  • Develop innovative technologies to solve
    well-defined portion of vulnerabilities
  • Apply systems engineering discipline rigorously
  • Borrow heavily from practices and principles used
    successfully to engineer fault tolerant computers
    for mission- and life-critical applications
  • Support DARPA's Strategic Cyber Defense vision
  • Transition to commercial practice

21
INTRUSION TOLERANT SYSTEMS
  • Definition: An intrusion tolerant system is one
    that can continue to function correctly and
    provide the intended services to the user in a
    timely manner even in the face of an attack.
  • Goal: To conceive, design, develop, implement,
    demonstrate, and validate tools and techniques
    that would allow fielding of intrusion tolerant
    systems.

22
DEPENDABILITY PROPERTIES
  • Availability is the readiness for usage.
  • Reliability is the continuity of service.
  • Maintainability is the ease of performing
    maintenance actions.
  • Safety is the avoidance of catastrophic
    consequences on the environment.
  • Security is the prevention of unauthorized access
    (Confidentiality) and/or handling of information
    (Integrity).
  • Source: Dependability: Basic Concepts and Terminology,
    J.C. Laprie (Ed.), Springer-Verlag, New York, 1992

23
INFORMATION ASSURANCE ATTRIBUTES
  • Availability: Timely, reliable access to data and
    services
  • Integrity: No unauthorized modification
    (including destruction) of data
  • Identification & Authentication: Certainty of
    user or receiver identity and authorization to
    receive specific categories of information
  • Confidentiality: No unauthorized disclosure
  • Non-repudiation: Proof of message receipt and
    sender identification, so neither can deny having
    processed the data
  • Source: DoD Directive 12/9/96 S-3600.1, Subject:
    Information Operations

24
INFORMATION ASSURANCE
  • Information Operations that protect and defend
    information and information systems by ensuring
    their availability, integrity, authentication,
    confidentiality, and non-repudiation.
  • This includes providing for restoration of
    information systems by incorporating protection,
    detection, and reaction capabilities.
  • Source: DoD Directive 12/9/96 S-3600.1, Subject:
    Information Operations

25
ITS PROGRAM EMPHASIS
  • Availability (Protection against
    Denial-of-Service Attacks)
  • Integrity

26
FAULT CLASSIFICATION & ITS SCOPE
27
ITS TECHNICAL APPROACHES & CURRENT PROJECTS
  • Eleven projects that span formal methods to
    sand-boxing techniques
  • Proof Carrying Code
  • Execution Time Monitors Wrappers, Software
    Insertion
  • Fragmentation Encoding
  • Watermarks

28
CURRENT PROJECTS
29
TAXONOMY OF CURRENT PROJECTS
30
BRIDGING FAULT TOLERANCE & INTRUSION / ATTACK
TOLERANCE
31
PARALLELS TO FAULT TOLERANCE
  • Many of the functions that must be performed to
    tolerate intentional faults/attacks are the same
    as those required to tolerate accidental faults.
  • Many hard problems have been solved in the
    design, development and implementation of these
    functions.

32
FAULT TOLERANCE-SECURITY KNOWLEDGE EXCHANGE
  • Security community should become aware of the
    required functions and techniques as well as the
    problems posed and solutions discovered.
  • Fault tolerance community should become familiar
    with the types of intentional faults/attacks to
    which information infrastructure is vulnerable so
    as to adapt solutions to security domain.

33
EXAMPLES OF FAULT TOLERANCE FUNCTIONS & TECHNIQUES
34
FAULT TOLERANCE FUNCTIONS EXAMPLES
  • Error/Damage Confinement
  • Error Detection
  • Error Isolation/ Identification
  • Error Masking
  • Fail-Silent
  • Fail-Stop
  • Graceful Degradation
  • State Restoration
  • Reconfiguration
  • Repair / Replacement

35
ERROR DETECTION / ISOLATION
  • Hardware Self-Tests / Software Check-Sums
  • Algorithm Based Fault Tolerance
  • Value Domain Checks
  • Time Domain Checks
  • Heartbeat Monitors
  • Redundant Computation Comparison
  • Self-Checking Pair
  • Temporal Redundancy
  • Analytical Redundancy
  • Design Diverse Redundancy
  • ..

36
STATE RESTORATION
  • Check-Point / Rollback
  • Roll-Forward
  • Switch to Backup
  • Hot, warm, cold
  • Majority Vote Restore
  • Repair / Replace Restart
  • Software Rejuvenation

37
CHALLENGES
  • What fault tolerance functions are relevant to
    intrusion / attack tolerance? What additional
    functions must be performed by ITS?
  • Can FT techniques be adapted to intrusion/attack
    tolerance? If yes, how? If not, what innovative
    techniques are necessary to tolerate attacks
    /intrusions?
  • What additional vulnerabilities do these
    techniques introduce that can be exploited by
    attackers?
  • How to counter these additional vulnerabilities?