Survival by Defense-Enabling - PowerPoint PPT Presentation

Transcript and Presenter's Notes

1
Survival by Defense-Enabling
  • Partha Pal, Franklin Webber, Richard Schantz
  • BBN Technologies LLC
  • Proceedings of the Foundations of Intrusion
    Tolerant Systems (2003)
  • Presented by J.H. Su

2
Authors(1/3)
  • Partha Pal
  • a Division Scientist at BBN Technologies. His
    research interest is in the area of survivable
    distributed systems.

3
Authors(2/3)
  • Franklin Webber
  • A software engineer who has primarily been
    supporting BBN Technologies in DARPA-sponsored
    research on strengthening the resistance of
    computer systems to malicious attack.

4
Authors(3/3)
  • Richard Schantz
  • Works in the Intelligent Distributed Computing
    Department at BBN.

5
Outline
  • Introduction
  • Survival by Defense of Critical Application
  • Acquisition of Privilege
  • Control of Resources
  • Use of Defensive Adaptation in Applications
    Survival
  • Issues and Limitations
  • Related Work
  • Conclusion

6
Introduction(1/4)
  • Attack survival
  • The ability to provide some level of service
    despite an ongoing attack by tolerating its
    impact.

7
Introduction(2/4)
  • Attack prevention
  • Led to the development of what is known as a
    trusted computing base (TCB).
  • Attack detection and situational awareness
  • Led to the development of various intrusion
    detection systems (IDSs).

8
Trusted Computing Base (TCB)
  • Confidentiality
  • Authentication
  • Integrity

9
Introduction(3/4)
  • Drawback
  • In fact, many of the world's computer systems
    today run operating systems and networking
    software that are far from the TCB ideal.
  • IDSs mostly work off-line, without any direct
    runtime interaction or coordination with the
    applications they aim to protect (or with other
    IDSs).

10
Introduction(4/4)
  • Survival by protection
  • Seeks to prevent the attacker from gaining
    privileges
  • Survival by defense
  • Includes protection but also seeks to frustrate
    an attacker in case protection fails and the
    attacker gains some privileges anyway

11
Survival by Defense of Critical Application(1/5)
  • Focus on
  • The specific needs of a specific type of
    application.
  • What is a critical application?
  • These applications are critical in the sense that
    the functions they implement are the main purpose
    of the computer system on which they run.

12
Survival by Defense of Critical Application(2/5)
  • Assumption
  • We can modify or extend the design and
    implementation of the critical applications.

13
Survival by Defense of Critical Application(3/5)
  • Corruption
  • An application that does not function correctly
  • Reasons for application corruption
  • An accident, such as a hardware failure, or
    malice
  • Flaws in its environment or in its own
    implementation cause it to misbehave.

14
Survival by Defense of Critical Application(5/5)
  • The Goal
  • The attacker's acquisition of privileges must be
    slowed down.
  • The defense must respond and adapt to the
    privileged attacker's abuse of resources.

15
Acquisition of Privilege(1/4)
  • Divide the system into several security domains,
    each with its own set of privileges
  • The domains are chosen and configured to make
    best use of the existing protection in the
    environment to limit the spread of privilege.
  • The domains must not overlap.
  • Each security domain may offer many different
    kinds of privilege.
  • The attacker cannot accumulate privileges
    concurrently in any such set of domains.

16
Acquisition of Privilege(2/4)
  • Kinds of Privilege
  • anonymous user privilege
  • domain user privilege
  • domain administrator privilege
  • application-level privilege

17
Acquisition of Privilege(3/4)
  • Three ways for an attacker to gain new privileges
  • Convert domain or anonymous user privilege into
    domain administrator privilege.
  • Convert domain administrator privilege in one
    domain into domain administrator privilege in
    another.
  • Convert domain administrator privilege into
    application-level privilege.

18
Acquisition of Privilege(4/4)
  • Solution for Case 1
  • Careful configuration of hosts and firewalls.
  • Solution for Case 2
  • Proper host configuration and administration
  • Having a heterogeneous environment with various
    types of hardware and operating systems.
  • Solution for Case 3
  • Use cryptographic techniques

19
Control of Resource(1/3)
  • The attacker and the critical applications
    compete over system resources
  • Use of redundancy
  • Monitoring
  • Adaptation

20
Control of Resource(2/3)
  • Use of redundancy
  • Replicate every essential part of the application
    and place the replicas in different domains.
  • The replicas must be coordinated to ensure that,
    as a group, they will not be corrupted when the
    attacker succeeds in corrupting some of them.

21
Control of Resource(3/3)
  • Monitoring
  • QoS
  • Self-checking
  • whether the application continues to satisfy
    invariants specified by its developers.
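An added illustration, not code from the paper or the APOD project, of the redundancy and self-checking described on slides 20 and 21: replicas placed in separate security domains, a per-domain majority vote, and a developer-specified invariant as the self-check. The domain names, the replicated computation and the invariant are assumed for the demo.

```python
from collections import Counter
from typing import Callable, Dict, List, Optional

# Added example, not code from the paper or the APOD project. The domain names,
# the replica computation and the invariant are constructed for this demo.

class Replica:
    """One copy of an essential application component, placed in a security domain."""
    def __init__(self, name: str, domain: str, compute: Callable[[int], int]):
        self.name, self.domain, self.compute = name, domain, compute

def invariant_holds(value: int) -> bool:
    # Self-check: an invariant the (hypothetical) developers declared for the
    # component's output. A corrupted replica that breaks it is caught here
    # before any vote is taken.
    return 0 <= value <= 10_000

def coordinate(replicas: List[Replica], request: int, min_domains: int = 3) -> Dict:
    """Run the request on every replica and accept a result only when a majority
    of domains agree on it. Votes are counted per domain, not per replica: an
    attacker holding domain-administrator privilege can corrupt every replica
    inside that one domain, so extra replicas there add no safety."""
    by_domain: Dict[str, List[Replica]] = {}
    for r in replicas:
        by_domain.setdefault(r.domain, []).append(r)
    if len(by_domain) < min_domains:
        raise ValueError(f"replicas span only {len(by_domain)} domains")
    votes: Counter = Counter()
    vote_of: Dict[str, int] = {}
    failed_check: List[str] = []
    for domain, members in sorted(by_domain.items()):
        answers = {m.compute(request) for m in members}
        if len(answers) != 1 or not invariant_holds(next(iter(answers))):
            failed_check.append(domain)  # replicas disagree or the invariant broke
            continue
        vote_of[domain] = answers.pop()
        votes[vote_of[domain]] += 1
    value, count = votes.most_common(1)[0] if votes else (None, 0)
    accepted: Optional[int] = value if count * 2 > len(by_domain) else None
    dissenting = [d for d, v in vote_of.items() if accepted is not None and v != accepted]
    return {"value": accepted, "dissenting": dissenting, "failed_check": failed_check}

if __name__ == "__main__":
    honest = lambda x: x * 2
    group = [Replica("A1", "A", honest), Replica("A2", "A", honest),
             Replica("B1", "B", lambda x: x * 2 + 500),  # corrupted domain B
             Replica("C1", "C", honest)]
    print(coordinate(group, 100))  # domain B is outvoted by domains A and C
```

The group stays correct only while a majority of domains remains honest: the last scenario in the test below shows two corrupted domains outvoting the honest one.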

22
Use of Defensive Adaptation in Applications
Survival(1/4)
  • A classification of defensive adaptations
  • Dimension 1: the level of system architecture at
    which these adaptations work.
  • Dimension 2: how aggressively the attack can be
    countered.

23
Use of Defensive Adaptation in Applications
Survival(2/4)
  Level                  Defeat attack            Work around attack                 Guard against future attack
  Application level      Retry failed request     Redirect request; degrade service  Increase self-checking
  QoS management level   Reserve CPU, bandwidth   Migrate replicas                   Tighten cryptography, access control
  Infrastructure level   Block IP sources         Change ports, protocols            Configure IDSs

24
Use of Defensive Adaptation in Applications
Survival(3/4)
  • The importance of the capability to change
    between various modes and the associated
    trade-offs.
  • Defensive adaptation is mostly reactive.
  • Defensive adaptation could be pro-active.

25
Use of Defensive Adaptation in Applications
Survival(4/4)
  • Make these adaptive responses unpredictable.
  • Some uncertainty needs to be injected.
  • Separate the design of the functional (or
    business) aspects of the application from the
    design of defensive adaptation.
  • Put the latter into middleware.
  • Reusable for many different applications.
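An added example, not from the paper or the APOD project, of the middleware-hosted adaptation controller that slides 22 to 25 describe: the slide's level-by-aggressiveness table, reactive escalation, pro-active hardening, and a randomized choice of action so the response is not predictable. The escalation rule, the symptom names and the seed are assumptions made for the demo.

```python
import random
from typing import Dict, List

# Added example, not code from the paper or the APOD project. The action table is
# the slide's classification; the escalation rule, event names and the seed are
# constructed for this demo.

# Rows: architectural level (dimension 1). Columns: aggressiveness (dimension 2).
ADAPTATIONS: Dict[str, Dict[str, List[str]]] = {
    "application":    {"work_around": ["redirect request", "degrade service"],
                       "defeat":      ["retry failed request"],
                       "guard":       ["increase self-checking"]},
    "qos_management": {"work_around": ["migrate replicas"],
                       "defeat":      ["reserve CPU", "reserve bandwidth"],
                       "guard":       ["tighten cryptography", "tighten access control"]},
    "infrastructure": {"work_around": ["change ports", "change protocols"],
                       "defeat":      ["block IP sources"],
                       "guard":       ["configure IDSs"]},
}

class DefenseMiddleware:
    """Keeps defensive adaptation out of the application's business logic, so the
    same controller can be reused in front of many applications."""
    def __init__(self, seed: int, escalate_after: int = 2):
        # Seeded only to make the demo reproducible; a deployment would seed from an
        # unpredictable source, since the aim is to deny the attacker a predictable response.
        self.rng = random.Random(seed)
        self.escalate_after = escalate_after
        self.symptoms: Dict[str, int] = {}  # level -> symptoms seen in this mode

    def react(self, level: str, symptom: str) -> Dict[str, str]:
        """Reactive adaptation: a first symptom at a level is worked around, repeated
        symptoms escalate to defeating the attack (assumed policy); the concrete
        action inside the chosen cell is drawn at random."""
        count = self.symptoms.get(level, 0) + 1
        self.symptoms[level] = count
        mode = "defeat" if count >= self.escalate_after else "work_around"
        action = self.rng.choice(ADAPTATIONS[level][mode])
        return {"level": level, "mode": mode, "action": action, "symptom": symptom}

    def harden(self) -> List[str]:
        """Pro-active adaptation: guard against future attacks at every level that
        showed a symptom, then reset the counters for the new mode."""
        actions = [self.rng.choice(ADAPTATIONS[lvl]["guard"])
                   for lvl in sorted(self.symptoms)]
        self.symptoms.clear()
        return actions
```

Calling react() twice for the same level shows the mode change and its trade-off: the second response is more aggressive, and harden() then switches every affected level into a guarded mode.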

26
Issues and Limitations
  • The reliance on crypto systems.
  • It is not simple to combine multiple mechanisms
    in a defense strategy.
  • Selection of appropriate mechanisms, and analysis
    and resolution of potential conflicts, has to be
    done manually by an expert.
  • Relies on attacks proceeding sequentially.

27
Related Work
  • MAFTIA
  • an ESPRIT project developing an open architecture
    for transactional operations on the Internet.
  • The Survivability Architectures project
  • Aims to separate survivability requirements from
    an application's functional requirements.
  • The "An Aspect-Oriented Security Assurance
    Solution" project
  • Implements security-related code transformations
    on an application program.

28
Conclusion
  • We are implementing technology for defense
    enabling under the DARPA project titled
    Applications that Participate in their Own
    Defense (APOD).
  • Defense enabling can increase an application's
    resistance to malicious attack.
  • Greater survivability for the application on its
    own and an increased chance for system
    administrators to detect and thwart the attack
    before it succeeds.

29
Thank you for listening