Survivability Validation Framework for Intrusion Tolerance Using Masking, Redundancy and Dispersion
Janet Lepanto, William Weinstein
The Charles Stark Draper Laboratory, Inc. / Aegis Research Corporation
DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001
Not for Public Release

Slide 2: Overview
• Technology description and survivability problem addressed
• Assumptions
• Impairments: threats, attacks, vulnerabilities
  – Design/implementation
  – Configuration/operation
• Survivability attributes
• Comparison with other systems
• Survivability mechanisms
• Rationale
  – Goal vs. impairment matrix
  – Verification techniques
• Residual risks, limitations, caveats
• Cost/benefit analysis

Slide 3: Technology Description and Survivability Problem Addressed
• Apply fault-tolerant design concepts to provide intrusion tolerance for a "service" site that supports external clients with web-based access to information, databases, and application services
• Minimize loss of data confidentiality and integrity in the face of a successful attack on one of the servers
• Tolerate attacks whose specific signatures are not known a priori
• Employ only a small set of trusted components to protect a large set of untrusted, unmodified COTS servers and databases
• Employ redundancy for both intrusion tolerance and performance

Slide 4: Nominal Site Configuration
[Diagram: nominal site configuration. Components shown: External WAN, External Firewall, Gateway, switched IP networks, origin Server (1), Server (2), ... Server (N), Authentication Server, Transaction Mediator, Data Base Server, Configuration Manager. The legend distinguishes Trusted, COTS and Other elements. Per the mechanisms on Slide 10, the Gateway sits between external clients and the web servers, and the Transaction Mediator sits between the web servers and the back-end database.]

Slide 5: Technical Approach
• Mask fingerprints of the Gateway and origin servers so that an attacker cannot probe over the network to determine
  – the OS of the Gateway or of the origin servers
  – the implementation of any origin server
• Distribute each client's transactions among origin servers such that the client cannot predict which server will handle a given transaction
• Periodically inspect each origin server for configuration anomalies that might indicate that attack transactions have occurred
  – Reconfigure the server to a "clean" state if anomalies are detected
• Log transactions to the back-end database so that data written by a compromised origin server can be reconstructed

Slide 6: Assumptions
A1  A successful attack will most likely require multiple transactions between the attacker and a particular origin server
A2  The rate of attack transactions will be relatively low, because an attacker does not want to be detected
A3  The "trusted" Gateway, Transaction Mediator (called the Transaction Monitor on some slides) and Configuration Manager platforms are strongly resistant to compromise by an attacker
A4  Attacks exhibiting high transaction rates will be addressed by other means
A5  Attack activity will result in a signature or configuration anomaly that can be detected via digital forensics

Slide 7: Impairments: Threats, Attacks, Vulnerabilities
Design/Implementation
TAV-1.1  Vulnerability in origin server operating system
TAV-1.2  Vulnerability in web server exploitable using logic within an application
TAV-1.3  Vulnerability in CGI scripts exploitable using logic within a script
TAV-1.4  Vulnerability in web server exploitable by injecting a new executable
TAV-1.5  Vulnerability in CGI scripts exploitable by injecting a new executable
TAV-1.6  Vulnerability in back-end database platform OS
TAV-1.7  Vulnerability in back-end database application
Configuration/Operation
TAV-3.1  Attacker may learn details of the architecture and implementation via a weakness in server platform and web server fingerprint masking, or via a side channel
TAV-3.2  Attacker may obtain the account name and password (for web server and/or database) of a legitimate user and impersonate that user. Users are not issued accounts directly on the server platform or the trusted Gateway.
TAV-3.3  Attacker may obtain the root password of a server and impersonate the sysadmin
TAV-3.4  System administrator incorrectly configures an origin server
TAV-3.5  System administrator incorrectly configures one of the trusted elements

Slide 8: Survivability Attributes
• Protects the confidentiality (C) and integrity (I) of site data from stealthy attacks emanating from an external network
• Does not address authentication (AU)
• Does not address non-repudiation (NR)
• DoS attack considerations
  – Redundancy of origin servers provides a second-order benefit
  – Taking servers off-line when an anomaly is detected creates a potential self-inflicted DoS vector (an attacker who can trigger anomalies can force servers off-line); this is mitigated by smart configuration management

Slide 9: Comparison with Other Systems
• Existing systems/practices
  – Address known threats, attack profiles and vulnerabilities to achieve confidentiality, integrity, authentication and non-repudiation
  – Require significant/costly modifications to COTS systems (e.g., operating system modifications, special network cards)
  – Do not address vulnerabilities or attacks that are unknown a priori

Slide 10: Survivability Mechanisms
Containment
M1  Employ a trusted platform ("the Gateway") to proxy network-layer communications between external clients and front-end web server platforms
M2  Employ a trusted platform ("the Transaction Mediator") to proxy transactions between the web servers and back-end database platforms
M3  Configure the site network to allow network-layer connectivity only between specified pairs of platforms
M4  Do not allow web server platforms to initiate connections to, or through, the Gateway
Identity Masking
M5  Mask the TCP/IP fingerprint of the Gateway
M6  Mask the OS/web server fingerprint of the front-end web server platforms
Transaction Dispersion
M7  Disperse external client transactions across a redundant set of functionally identical origin servers
M8  Employ a variety of origin server implementations (different platforms, operating systems, and web server applications)

Slide 11: Survivability Mechanisms (cont'd)
System Monitoring
M9   Monitor the configuration of the origin servers for anomalous characteristics
M10  Log the actions of each web server platform on the back-end database platforms
Rollback
M11  Reconstruct database transactions from the last point at which the system was known to be uncompromised
System Configuration Management
M12  Remove potentially compromised web servers from operation, analyze the anomalies, and reconstruct them with the correct configuration
M13  Employ a trusted platform ("the Configuration Manager") for management of the Gateway, the Transaction Mediator, and the web server platforms
M14  Server content updates are executed via the CM agent
Policy
M15  Configure specific OS and web server parameters to prevent access to certain privileged operations from within a compromised application

Slide 12: Rationale: Goal vs. Impairment Matrix
The slide's columns are the goals I (integrity), C (confidentiality), AU (authentication) and NR (non-repudiation); the entries below are the mechanisms and assumptions relied on for I and C (AU and NR are not addressed, per Slide 8). The superscript notes 1-9 refer to slide footnotes that are not reproduced in this extract.

Design/Implementation
TAV-1.1  M1, M5, M15, A3 (note 1)
TAV-1.2  M6-M13, A1-A2, A5 (note 2)
TAV-1.3  M7, M9-M13, A1-A2, A5 (note 2)
TAV-1.4  M3-M4, M6-M13, A1-A2, A5 (note 2)
TAV-1.5  M3-M4, M7, M9-M13, A1-A2, A5 (note 2)
TAV-1.6  M2 (note 3)
TAV-1.7  note 4
Configuration/Operation
TAV-3.1  M1-M4, M7-M13 (note 5)
TAV-3.2  note 6
TAV-3.3  M1, M4, M7-M13 (note 7)
TAV-3.4  M9, M14 (note 8)
TAV-3.5  note 9

Slide 13: Rationale: Verification
• Verification techniques
  – Subjecting the system to known scanning tools to determine whether the mechanisms that thwart those scans (M5, M6) are implemented properly
  – Subjecting the system to known attacks to evaluate how it reacts to various types of attack (e.g., measuring the relative time to success for an attack directly on server X vs. the same attack on server X operating within this OASIS architecture)
  – Subjecting the system to modifications of known attacks, developed to exploit knowledge of the architecture and operation of the system
• Metrics
  – Impact of the Draper-Aegis OASIS mechanisms on resistance to attack
  – Relative time to achieve a successful attack

Slide 14: Residual Risks, Limitations, Caveats
• Forms-based HTML provides external client access to the back-end database, can also move files between clients and back-end file systems, and supports interactions between clients and back-end applications
  – Significant system functionality and flexibility can be provided over the HTTP protocol
  – The utility of dispersion with respect to other protocols is TBD
• Need to evaluate whether, and to what extent, the Gateway and the Transaction Mediator could become bottlenecks for high-performance sites
• If rollback is done only for transactions from the compromised server, there is no guarantee that information in the database will remain self-consistent (surviving transactions may have read data the compromised server wrote)

Slide 15: Cost/Benefit Analysis
• Time
  – The attacker is delayed
  – The attacker must complete the exploit within a bounded window to avoid detection
• Development
  – One-time development cost of the trusted elements and of the agent software for origin server platforms
• Implementation
  – Acquisition and implementation incur the cost of the redundant origin servers and trusted elements (compared to the cost of a functionally equivalent site without these mechanisms)
• Operation
  – The cost of maintaining redundant origin servers and trusted elements scales with the number of redundant versions
• Functionality impact
  – Development cost to accommodate additional protocols
• Responsiveness of the system
  – Transaction delays induced by the proxy operations are expected to be negligible given hardware speed (subject to the bottleneck evaluation noted on Slide 14)
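Mechanisms M7 (dispersion), M10 (per-server transaction logging) and M11 (rollback to the last known-good point), together with the Slide 14 caveat about self-consistency, can be made concrete in a small simulation. The following is an added example, not code from the Draper/Aegis project: a toy Transaction Mediator that routes each transaction with a keyed PRF (so a client that does not hold the key cannot predict which origin server will handle it), records every write together with the server that issued it, and rebuilds the database from the last checkpoint while discarding one server's writes. The server names, client identities, account records and the fixed demo key are constructed for the example; the checkpoint mechanism and the "expected old value" check used to flag inconsistency are assumptions of this example, not design details taken from the slides.

```python
"""Toy Transaction Mediator: keyed dispersion, per-server write log, rollback.

Added example, not code from the Draper/Aegis OASIS project. All names and
data below are constructed for the demonstration.
"""
import hashlib
import hmac
import secrets


class TransactionMediator:
    def __init__(self, servers, dispersion_key=None):
        self.servers = list(servers)
        # The dispersion key lives only on the trusted platform. A client that
        # does not hold it cannot predict which origin server gets a transaction.
        self.key = dispersion_key or secrets.token_bytes(32)
        self.db = {}                   # back-end database: key -> value
        self.log = []                  # append-only: (seq, server, key, old, new)
        self.checkpoints = [(0, {})]   # (seq, snapshot) at known-good points
        self.seq = 0

    def pick_server(self, client_id, txn_id):
        """M7: keyed PRF over (client, transaction) -> origin server."""
        msg = f"{client_id}:{txn_id}".encode()
        digest = hmac.new(self.key, msg, hashlib.sha256).digest()
        return self.servers[int.from_bytes(digest[:8], "big") % len(self.servers)]

    def submit(self, client_id, txn_id, key, new_value):
        """Route the transaction, log the write with its server (M10), apply it."""
        server = self.pick_server(client_id, txn_id)
        self.seq += 1
        self.log.append((self.seq, server, key, self.db.get(key), new_value))
        self.db[key] = new_value
        return server

    def checkpoint(self):
        """Record the current state as a known-good point for later rollback."""
        self.checkpoints.append((self.seq, dict(self.db)))

    def rollback(self, compromised_server):
        """M11/M12: rebuild from the last checkpoint, dropping one server's writes.

        Returns (rebuilt_db, suspect_keys). A surviving write whose recorded
        old value no longer matches the rebuilt state was made on top of data
        that is now gone (possibly the compromised server's), so it is flagged:
        this is the self-consistency gap noted on Slide 14.
        """
        good_seq, snapshot = self.checkpoints[-1]
        rebuilt = dict(snapshot)
        suspect = set()
        for seq, server, key, old, new in self.log:
            if seq <= good_seq or server == compromised_server:
                continue
            if rebuilt.get(key) != old:
                suspect.add(key)
            rebuilt[key] = new
        return rebuilt, suspect


def txn_routed_to(mediator, client_id, server, start=0):
    """Demo-only helper: search transaction ids until one routes to `server`.
    A real client cannot do this because it does not hold the dispersion key."""
    txn = start
    while mediator.pick_server(client_id, txn) != server:
        txn += 1
    return txn


def build_demo():
    """Constructed scenario: origin-2 is compromised and tampers with alice's record."""
    m = TransactionMediator(["origin-1", "origin-2", "origin-3"],
                            dispersion_key=b"demo-key-not-secret")
    s1, s2, s3 = m.servers
    m.submit("alice", txn_routed_to(m, "alice", s1), "acct:alice", 100)    # legitimate
    m.submit("bob", txn_routed_to(m, "bob", s2), "acct:bob", 50)           # legitimate, via origin-2
    m.submit("mallory", txn_routed_to(m, "mallory", s2), "acct:alice", 0)  # tampering via origin-2
    m.submit("alice", txn_routed_to(m, "alice", s3), "acct:alice", 10)     # alice deposits 10 on top of the tampered 0
    m.submit("carol", txn_routed_to(m, "carol", s1), "acct:carol", 75)     # legitimate
    return m


if __name__ == "__main__":
    m = build_demo()
    db, suspect = m.rollback("origin-2")
    print("rebuilt:", db)        # {'acct:alice': 10, 'acct:carol': 75}
    print("suspect:", suspect)   # {'acct:alice'}
```

Running it shows two things the slides only state in prose. Rolling back origin-2 discards the tampered write but also bob's legitimate write, because the log attributes writes by server, not by client; those clients have to be asked to resubmit. And acct:alice is flagged even though it was rebuilt from an uncompromised server's write, because that write was computed against the tampered value, so the rebuilt database is not guaranteed to be self-consistent.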