Objectives:
Intrusion tolerance is a security and dependability paradigm that has been gaining momentum over the past decade. It lets system designers address both accidental faults and attacks in a seamless manner, which can complement the reach of classical security approaches. Intrusion tolerance assumes that: in part due to their complexity, systems remain to some extent faulty and/or vulnerable; attacks on components can happen and some will be successful; but automatic mechanisms can ensure that the overall system nevertheless remains correct and operational.
In distributed systems, the usual way to deploy intrusion tolerance services is through a middleware layer that manages n server replicas. Replicas perform the operations requested by the users, and rely on distributed protocols of the middleware to carry out coordination and cooperation actions. Given the malicious intelligence behind the expect threats, the protocols have to resist to a wide range of attacks, originating from the network, bad clients and corrupted replicas. The necessary number of replicas varies with system configuration, the baseline being that if one expects a number f of faults or intrusions, then the service should run a minimum of n = 3f+1 replicas.
Intrusion tolerant systems, therefore, can only remain correct if they are able to preserve in every instant a number of corrupted replicas smaller than the f threshold. This is a difficult task because adversaries are always discovering new forms of attack, and it can be exacerbated due to common-mode vulnerabilities. These vulnerabilities occur in all (or in a large subset of) replicas, and once found allow a speedy compromise of the system with minimal effort. Additionally, adversaries learn from past intrusions, which means that even if replicas are recovered, they will be rapidly corrupted unless they are restarted with diverse software (that does not contain the same vulnerabilities).
In this project, we want to investigate ways to obtain and integrate diverse software replica versions in intrusion tolerant systems. In the past, this subject has been mainly overlooked because research in distributed protocols has considered it an orthogonal issue. However, once the actual deployment of systems is considered, it becomes a fundamental problem that is actually quite hard to solve. Firstly, in almost all cases it is unfeasible to build several software versions due to cost, but even if it was possible, it is not clear that the outcome would acceptable (e.g., programmers tend to make similar mistakes). Therefore, one would always need to devise evaluation methods to confirm the vulnerability independence of replicas. Secondly, diversity increases the difficulty of ensuring replica execution determinism, a common assumption in intrusion tolerant systems. In these systems, malicious replica behavior is usually tolerated by running the same operation in all replicas and then by selecting the result which has more than f votes. This quorum might not be attainable because small changes on replicas’ executions can have an impact on the output result. Therefore, mechanisms will have to be devised to address this issue.
Contributions are expected in the following important areas:
- The project will investigate new techniques for the inclusion of diversity in intrusion tolerant services, in order to reduce the probability of occurring common mode vulnerabilities across multiple replicas. The project will consider different approaches to this objective, such as it will take advantage of the inherent diversity provided by software products that implement the same functionality.
- The project will implement the techniques and integrate them in a middleware that supports the execution of intrusion tolerant services. One should understand that this implementation poses a few research challenges because diversity undermines replica determinism, a primary assumption on the state machine replication paradigm. Non-determinism can be a problem even for a single program that runs multiple times (e.g., due to scheduling differences of the operations), therefore, it becomes much more complex to tackle when diversity is employed.
- The project will evaluate the merits of each technique to prevent or increase the difficulty of attacks. For software products that have been in the market for a while, one would like to develop metrics to measure vulnerability independence, for example, based on evidence collected from the analysis of bug reports. For cases where this data is unavailable, one would like to employ experimental techniques that look for common vulnerabilities (e.g., static analysis or attack injection).
Financing:
Project Name: Diverse – Diversidade para Sistemas Tolerantes a Intrusões
Sponsoring Body : FCT (PTDC/EIA-EIA/100894/2008)
União Europeia – Fundos Estruturais
Governo da
República Portuguesa