170 likes | 263 Vues
This project aims to design, prototype, and evaluate an architecture for building intrusion-tolerant systems useful in various contexts. It focuses on new techniques for high availability services and challenges in fault tolerance techniques. The SITAR approach emphasizes protection from external attacks and compromised components using redundancy, diversity, and dynamic reconfiguration strategies. State transition models and case studies are utilized to analyze system behaviors and vulnerabilities. The Acceptance Monitor architecture conducts proactive and reactive tests to ensure system security and reliability.
E N D
SITAR: A Scalable Intrusion Tolerant Architecture for Distributed Services Feiyi Wang, MCNC Kishor Trivedi, Duke University
Project Introduction • Project kickoff meeting: July 20, 2000 • Project duration: 36 months • Collaborator: Duke University • Means of collaboration • biweekly face-to-face meetings • frequent site visit • joint testbed • Security clearance: Daniel Stevenson has a top secret clearance, the rest of the team members do not.
SITAR Project Goals • To design, prototype and evaluate an architecture for building intrusion tolerant systems • useful for all-new system • useful for creating system out of COTS components • useful for hardening existing system • To develop new techniques that can be used in constructing high availability services, i.e., certain desirable service level can be maintained regardless of intrusions
Challenges • How some of the very basic techniques of fault-tolerance (e.g., redundancy and diversity) apply to our target? • How to deal with external attacks or compromised components which can exhibit unpredictable behaviors? • How to quantitatively measure the “capability of system to resist attacks”?
SITAR Approach Overview • SITAR Intrusion tolerance capability is tied to the functions and services provided • Focus on events that pose a threat to the specific functions or services to be protected. Impact >> Cause • Leverage well-developed techniques in fault tolerance and dependable systems research
SITAR Innovative Claims • Focus on a generic class of services provided by COTS components as target of protection • Deal with both external attacks and threats from internal, compromised components • Approaches • Utilize the basic techniques of fault tolerance - redundancy and diversity • Investigate dynamic reconfiguration strategies in this architecture • Use both model-based and measurement-based approaches to quantitatively evaluate intrusion tolerance capability of this architecture and carry out cost-benefit trade-off studies
Current Focus • Fault/intrusion and basic ITS model study • Proxy server and Acceptance monitor using Web server as an example • Cluster membership management and state information sharing
Basic ITS Model • We propose a state transition model as a framework for describing dynamic behavior of an intrusion tolerant system • The system enables multiple intrusion tolerance strategies to exist and supports different levels of security requirements • More details can be found in paper “Characterizing Intrusion Tolerant Systems Using A State Transition Model”, submitted to DISCEX II, 2001
State Transition Diagram for ITS G - good state V - vulnerable state A - active attack state MC - masked compromised state UC - undetected compromised state TR - triage state FS - fail secure state GD - graceful degradation state F - failed state
ITS Modeling: Case Studies • We have mapped several vulnerability case studies to the state transition model • The focus is on the observable impact: • compromise of confidentiality • compromise of data integrity • compromise of user/client authentication • DoS from external entities • DoS by compromising internal entities • Intrusion tolerance systems emerging from this study will be able to deal with previously unknown attacks as long as they produce similar impacts on our services
Case Study: ASP Vulnerability in IIS • Sample file showcode.asp is meant for viewing source code of sample application through a web browser • File showcode.asp doesn’t perform adequate security checking (no test for “..” in URL) so that anyone with a web browser can view any text file on the web server by using URL: http://target/msadc/Samples/SELECTOR/showcode.asp?source=/path/filename • Direct impact is compromise of confidentiality, and it leaves system in vulnerable state.
Case Study: ASP Vulnerability in IIS (cont’d) 1. Malicious input form of http://target/msadc/Samples/SELECTOR/showcode.asp?source=/path/filename 2. Restoration, reconfiguration mechanisms including remove showcode.asp, or restrict access only to /msadc as intended
Acceptance Monitor Model • In traditional fault tolerance context: an acceptance test is a developer-provided error detection measure for a software module. • In SITAR project, we perform both reactive and proactive acceptance test • Reactive tests include: • satisfaction of system requirement • accounting test • reasonableness test
Acceptance Monitor: Example Test • Probing analysis to COTS server will set up site-specific policy database, which indicates that certain document root • If a file requested is outside of scope configured, then we will drop this connection and trigger the alarm to re-configuration module to do further situation evaluation • Noted that we don’t need to know beforehand the showcode.asp vulnerability in this case
FY-2001 Plans • Develop a model of intrusion tolerance • Threat model • ITS architecture • Analysis/simulation-based tradeoff studies for different strategies • Submit preliminary architectural report • Create a prototype intrusion tolerant Web server system • Evaluate the prototype through experimental measurements/simulation/analytical models