
Arun Sood Task Technologies Ltd {Professor & Chair, CS, GMU}


Presentation Transcript


  1. Self Cleansing Intrusion Tolerance (SCIT) for Computing and Communications Critical Infrastructure Protection
  Arun Sood, Task Technologies Ltd {Professor & Chair, CS, GMU}
  Work done with Yih Huang, Asst Prof, CS, GMU
  Patent applied for by GMU
  SCIT for Computing and Comm Critical Infrastructure Protection

  2. Overview
  • Context of the problem
  • Intrusion Tolerance – systems view
  • Self Cleansing Intrusion Tolerance (SCIT)
  • Reduced vulnerability through diversity
  • Demos / Prototypes
  • SCITizable servers
  • Conclusions

  3. Typical Approach for System Security
  • Perimeter defense
    • Firewalls
    • Intrusion detection systems
  • Layered defense
    • Network layer
    • Processor based
  • Overall strategy
    • Protect, Detect, React cycle

  4. System Security
  [Diagram labels: External Network; Firewall and IDS pairs in front of processors P1, P2, P3, P4]

  5. Firewalls
  • Firewalls
    • Network Address Translation
    • Packet filtering: filter out unwelcome traffic
    • Stateful monitoring of connections
    • Limited functionality
  • Problems
    • Firewalls can be hacked
    • Port settings can be changed
    • Firewalls can participate in Denial of Service attacks

  6. IDS
  • Intrusion Detection Systems
    • Usually adopt Perceive, Plan, and Act (PPA) cycle
    • Multiple levels of resolution
    • Iterative application
  • Signature matching
  • Anomaly detection/misuse detection
    • False alarms usually overwhelm the system (not solved yet)
  • Fusion algorithms
    • Better at false alarms
    • Multiple points of monitoring
    • Not trivial what to fuse

  7. IDS – Problems
  • Trade-off between probability of detection and false alarms
    • Typically false alarm rates are too high
  • The hardware / software costs are manageable
  • Monitoring of the IDS is labor intensive and can be very expensive
    • Unaffordable by small users
    • Doctor's office vs hospitals
  • Weakest link determines overall security
  • Underlying assumption – all intrusions can be detected

  8. IDS Problems (Continued)
  • Eternal race with hackers
    • Software has to be constantly updated to catch up with new hacking techniques
    • Do we know all hacking techniques?
  • “There are unknown unknowns”, Donald Rumsfeld

  9. Overview (agenda slide repeated)

  10. Intrusion Tolerance - Our Approach
  • Add an additional layer of defense
  • Focus on protecting the computing resources
  • Underlying concepts
    • Zero trust
    • Systems view
    • Loss curve
    • Hacking takes time
  • SCIT: Self-Cleansing Intrusion Tolerance

  11. Pessimistic Assumptions – Zero Trust
  • There will be unknown types of attacks.
  • There will be attacks beneath the radar of intrusion detection systems.
  • What could be done about unknown and/or undetected attacks?
  • One issue: we are protecting against external intruders; what about internal threats? Zero trust has two faces.

  12. In Short
  • We merely acknowledge a fact of life
    • You can never be certain.
  • Examples
    • The intranet passwords of many multinationals were learned by purchasing second-hand hard drives on eBay.
    • Social engineering targets humans, not machines.

  13. Systems Motivation
  • High Availability, Fault Tolerance, Reliable Systems
    • Based on improving system performance
    • Rely on redundancy
    • Reliability formulated with time as an important parameter – MTTF, MTTR
  • Can we use redundancy to improve system security?

  14. Relationship with High-Availability (HA) Computing
  • With HA, a backup is always ready to replace a failed primary server.
  • Many mature HA products available for a wide range of network servers.
  • Implications: Industrial-strength solutions are readily available for server switchovers

  15. HA and SCIT
  • HA systems are SCIT ready.
    • Just deliberately introduce “failures” to force switching
  • Indeed, our prototypes borrow many ideas/code from HA.

  16. Intrusion Containment
  [Loss curve: y-axis Loss (Dollars, Information) vs x-axis Intruder Residence Time, with a High loss threshold and a Low loss threshold marked]

  17. Steps in a typical crime
  • Planning (meeting)
  • Purchases ($)
  • Formulate orders
  • Give orders
  • Avoid detection (survival planning)
  • Training / education
  • Reconnaissance
  • Surveillance
  • Practice
  • Implement
  Crime steps {Kim Rossmo, Prof of Criminology, Texas State Univ.}

  18. BEGINNERS "STEP BY STEP" SECURITY GUIDE, v0.1.32 – June 1998
  • Hacking into a Computer System
    • Two main approaches
      • Authenticate
      • Exploit a weakness
    • Hide: avoid trace back
    • Information gathering (traceroute, whois, finger)
    • Port scan (determine services being run: ftp{21}, telnet{23}, etc.)
    • Find server type
    • Login with root privileges
  • www.cyberarmy.com/tute/

  19. What does this mean?
  • Hacking into a server takes time
    • Time has been reduced because of tools
  • Hacker's task is more complex if the hacker is not familiar with the server software
  • SCIT objective is to make the hacker's task more difficult

  20. Overview (agenda slide repeated)

  21. SCIT: Self-Cleansing Intrusion Tolerance
  • After a system has communicated with the outside world, it is assumed compromised.
    • Our pessimistic assumption
  • It is brought off-line for integrity checking and system cleansing.
  • A backup takes over.
  • The newly cleansed system becomes the backup.
  • The process repeats itself.

  22. SCIT supplements IDS, Firewall
  • SCIT does not replace existing intrusion defenses.
  • Rather, it adds another line of defense.
  • The stronger the existing defenses,
    • the longer the low loss threshold,
    • the more effective the SCIT system.

  23. SCIT works with Data Security
  • Integrity of system and critical data are traditionally protected by
    • Encryption
    • Digital signatures
    • System auditing
  • These mechanisms can be integrated with self-cleansing cycles.
  • Our prototype shows that the integration strengthens both.

  24. Overview (agenda slide repeated)

  25. Diversity Reduces Vulnerability
  • In recent cyber attacks, ISPs using multiple platforms/OSes were far more resilient than others
  • Diversity increases hackers’ time to “conquer”
  • Additional management overhead is justified by increase in security
  • Some applications will work under multiple servers
    • Java
    • Apache, Tomcat
  • Virtual machines
    • Multiple OS on the same platform
    • VMware
  • More complex environments increase difficulty of conquering the target server

  26. Strategies for Increased Diversity
  [Diagram stack, top to bottom: Tomcat | Tomcat; Linux | Windows; VMware; Linux; Intel hardware]

  27. Diversity and SCIT
  • SCIT approach works perfectly with diversity.
  • Different servers use different platforms, OSes, vendors, and configurations.
  • Many services are supported by more than one platform/vendor: Java, Apache, Tomcat
  • Switching among more than 2 servers
    • 1-out-of-N in cleansing: maximize throughput
    • 1-out-of-N in service: maximize security
    • M-out-of-N allows tradeoffs
  • Enclaves: server within servers

  28. Diversify Platforms
  [Diagram: SCIT Web Server with two boxes, Apache on top of Linux Server and Microsoft IIS on top of Windows Server]

  29. 1-out-of-N in Self-Cleansing
  [Diagram: three boxes, one Cleansing and two Serving]
  • Work load sharing among multiple working servers
  • High performance
  • Cost effective yet secured through cleansing

  30. 1-out-of-N in Service
  [Diagram: three boxes, one Serving and two Cleansing]
  • Shortest hacking time windows
    • A hacker stays on one server for only seconds
  • Highest security but expensive
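The M-out-of-N tradeoff of slides 27, 29 and 30 worked through as an added example (constructed here, not the GMU prototype code): given N boxes, a cleanse time, and a residence-time budget read off the loss curve, it picks how many boxes may serve and how often to switch. The round-robin model, the per-switch call loss parameter and the exposure formula M*P are assumptions of this example.

```python
from fractions import Fraction

# Constructed planning model for M-out-of-N SCIT rotation (added example, not
# the GMU prototype).  N boxes rotate round-robin: M serve while N - M cleanse.
# With switch period P each box is exposed for M*P, then offline for (N-M)*P,
# so a schedule is only valid when (N-M)*P >= cleanse_time.

def min_period(n, m, cleanse_time):
    """Smallest switch period that still lets every box finish cleansing."""
    if not 1 <= m < n:
        raise ValueError("need 1 <= M < N so at least one box is always cleansing")
    return Fraction(cleanse_time, n - m)

def exposure_window(m, period):
    """Longest an intruder can reside on one box before it is wiped (M*P)."""
    return m * period

def plan(n, cleanse_time, max_residence, calls_lost_per_switch):
    """Largest M whose tightest exposure window fits under max_residence (the
    low-loss threshold from the loss curve), with the period stretched to that
    limit so switches, and the calls each one drops, are as rare as possible.
    Returns None when even 1-out-of-N in service cannot meet the threshold."""
    for m in range(n - 1, 0, -1):
        if exposure_window(m, min_period(n, m, cleanse_time)) <= max_residence:
            period = Fraction(max_residence, m)
            return {"serving": m, "cleansing": n - m, "period_s": period,
                    "exposure_s": exposure_window(m, period),
                    "calls_lost_per_hour": float(Fraction(3600) / period * calls_lost_per_switch)}
    return None

def schedule(n, m, swaps):
    """Round-robin switch log: (box leaving service, box returning) per swap."""
    return [(k % n, (k + m) % n) for k in range(swaps)]

if __name__ == "__main__":
    # 3 boxes, 90 s cleanse (firewall prototype figure), 60 s residence budget,
    # 1.833 calls lost per switch (web-server prototype figure)
    print(plan(3, 90, 60, 1.833))
    print(schedule(3, 1, 6))
```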

  31. Enclaves
  • Both the industry and academics have studied server enclaves:
    • Virtual machine
    • User-mode Linux
    • Root jails and their variants
  • Basic idea is to have the service running
    • Inside a virtual environment
    • On top of a physical platform

  32. Enclaves
  [Diagram: IIS on Windows inside a Linux Server; Apache on Linux inside a Windows Server]

  33. Software-Level Cleansing
  • Kill the current server application and relaunch it.
  • Can use different vendors’ implementations in different “incarnations.”
  [Diagram: successive incarnations Apache, IIS, Apache, IIS]

  34. Multilevel SCIT
  • Software-level SCIT supports higher switching / cleaning rate
  • Hardware-level SCIT supports lower switching / cleaning rate

  35. Endless Possibilities
  • These approaches produce endless combinations.
  • When switching from one configuration to another, it is as if the system morphs.
  • The result is a most hostile environment for hackers.

  36. Results of diversity
  • Adds a level of confusion for the hacker
  • Increases the time for the defender to act
  • Increases the fixed cost
    • Hardware
    • Software
    • Labor
  • Diversity may reduce operating costs

  37. Universal SCIT Solutions?
  • Having all those platforms working together is not trivial.
  • We do not expect universal solutions.
  • Rather, we focus on tailored solutions for critical networking components:
    • Firewalls, web servers, file servers, DNS, security gateways (IPsec), …
  • Each component a research challenge of its own

  38. Overview (agenda slide repeated)

  39. SCIT Demos: We have built …
  • SCIT Firewalls
    • Rebooting to self-cleanse
    • Entirely “stateless”
  • SCIT Web Servers
    • Rebooting to self-cleanse
    • Digital signatures for integrity checking
    • Do not abandon customers on switching

  40. SCIT Firewall
  [Diagram: Inbound traffic through f-box 1 and f-box 2; (a) f-box 1 in operation, (b) f-box 2 in operation]

  41. Discussion: Firewall
  • Negligible impact on client’s performance.
  • Self-cleansing cycle is 90 seconds.
    • Potential to reduce time
    • Shared SCIT strategies
  • Occasional packet losses are observed in transition periods.
  • In current prototype rebooting is the system cleansing mechanism.

  42. Web Defacing Attacks
  • Subvert the contents of a web site
  • Potential consequence
    • Denial of service
    • Stepping stones to even more critical systems

  43. SCIT Web Server
  [Diagram: W-box 1 and W-box 2; (a) W-box 1 in operation, (b) W-box 2 in operation]

  44. Challenges
  • Should not abandon customers when a server box goes down.
  • New customers must be directed to the new server box.
  • Similar challenges present in many other servers.

  45. Component Technologies
  • Use the ? (VRRP) protocol (RFC 2338) to share the server IP address
  • Digital signatures generated by tripwire for integrity checking
    • Signature keys recreated upon each rebooting
  • Protecting static HTML pages and system files by signing respective directories.

  46. Testbed
  [Testbed diagram]

  47. Life Cycle
  1. Check signature integrity, using previous keys.
  2. Generate new keys and re-sign web pages with new keys.
  3. Claim server IP address by VRRP.
  4. Probe the other box, until a response is received.
  5. Reboot and return to step 1.
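Steps 1 and 2 of the life cycle (verify the signed directories with the previous cycle's key, then mint a fresh key and re-sign), as an added example that is not the prototype's code: the prototype used tripwire, while this example stands in an HMAC-SHA256 manifest over a directory tree. The off-box key/manifest store, the refusal to re-sign a tampered tree, and the sample files are assumptions of this example.

```python
import hashlib, hmac, os, secrets, tempfile

def sign_tree(root, key):
    """Manifest {relative path: HMAC-SHA256 of file bytes} under this cycle's key.
    (Stands in for the tripwire signatures used by the prototype.)"""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as f:
                manifest[os.path.relpath(path, root)] = hmac.new(key, f.read(), hashlib.sha256).hexdigest()
    return manifest

def verify_tree(root, key, manifest):
    """Paths whose content changed, vanished or appeared since the manifest was made."""
    current = sign_tree(root, key)
    changed = [p for p in manifest if p not in current or not hmac.compare_digest(manifest[p], current[p])]
    return sorted(changed + [p for p in current if p not in manifest])

def cycle(root, state):
    """Life-cycle steps 1-2: verify with the previous key; only if the tree is
    clean, mint a fresh key and re-sign under it.  A tampered tree keeps the old
    manifest so the next cycle flags it again until the pages are restored.
    `state` is assumed to live off-box (e.g. the NFS server in the testbed)."""
    tampered = verify_tree(root, state["key"], state["manifest"])
    if not tampered:
        state["key"] = secrets.token_bytes(32)
        state["manifest"] = sign_tree(root, state["key"])
    return tampered

def demo():
    """Constructed run: clean cycle, defacement detected, restore, clean again."""
    root = tempfile.mkdtemp()
    page = os.path.join(root, "htdocs", "index.html")
    extra = os.path.join(root, "htdocs", "dropped.txt")
    os.makedirs(os.path.dirname(page))
    with open(page, "w") as f: f.write("<h1>welcome</h1>")
    state = {"key": secrets.token_bytes(32)}
    state["manifest"] = sign_tree(root, state["key"])
    first = cycle(root, state)                   # [] : nothing changed, re-signed
    with open(page, "w") as f: f.write("<h1>defaced</h1>")   # simulated defacement
    with open(extra, "w") as f: f.write("unexpected file")   # simulated dropped file
    second = cycle(root, state)                  # both paths flagged, no re-sign
    with open(page, "w") as f: f.write("<h1>welcome</h1>")   # restore from clean copy
    os.remove(extra)
    third = cycle(root, state)                   # [] : clean again, re-signed
    return first, second, third
```

Because each cycle re-signs under a key that did not exist during the previous exposure window, a signature forged against the old key is useless by the time the next check runs, which is the property slides 49 and 50 rely on.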

  48. Prototype in Operation
  [Screenshot labels: "Server booting, validating signatures"; "Active: Monitoring other server"; "NFS server"]

  49. Performance
  • Rebooting cycles are around 7 minutes.
  • To evade signature checking, the hacker has to break a set of keys every cycle – almost impossible
  • Dependent on the hardware
  • Handles 100 to 105 calls per second
  • On average, 1.833 calls lost per server switching

  50. Discussion: Web server
  • Rebooting cycles are around 5 minutes.
    • Depends on processor speed
  • Signature checking detects compromised data.
  • To evade signature checking, the hacker has to break a set of keys every cycle – challenging problem for hacker
