A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware
DARPA BAA00-15, Intrusion Tolerance
(July 2001)
F. Anjum, A. Ghosh, G. DiCrescenzo, M. Rathi, A. Umar, R. Zbib
Goal: Make COTS Middleware Intrusion Tolerant
a) Make the middleware code, data, and messages intrusion tolerant
b) Plug generic IT functionality (FRS) into COTS middleware (interceptors)
c) Provide intrusion tolerance as a service to apps (API)
[Figure: the middleware stack, top to bottom]
Applications: Basic Distributed Applications; Advanced Applications and Services; Specialized Applications (e.g., extended enterprises)
Middleware: "Higher Level" Middleware (e.g., B2B workflow and supply chains); Special Purpose Middleware (e.g., wireless/VOIP/EC middleware); Basic Middleware (e.g., Web servers, CORBA, MOM); Middleware Platforms (e.g., J2EE, .Net, EAIs), also known as "app servers"
Network Services (e.g., TCP/IP)
Doc Name – 2
Technical Approach: Four Tasks
[Figure: the four tasks (impact analysis, FRS algorithms, ICM architecture, software) resting on the assumptions below]
Assumptions:
• Enterprise applications are increasingly dependent on the middleware stack
• Middleware is a target for attacks (e.g., Code Red)
• Users can tolerate degraded performance under certain conditions
• A small subset of systems in the network are trustworthy
Task 2: FRS Algorithms
• Assume we can estimate characteristics of computer systems:
– probability of unavailability of a data fragment on a computer (u)
– probability of compromise of a data fragment on a computer (c)
• Given this, algorithms should calculate:
– how many fragments of a data item to make (F)
– how many copies (replicas) of each fragment to keep (R)
– how these fragment copies should be distributed (scattered) amongst the computer systems, given their characteristics (S)
FRS Metrics
• Developed a metric to compare the different algorithms
– Intrusion Tolerance Metric: IMFRS = f(u, c, F, R, S)
– IMFRS is the probability of unavailability of a data item plus the probability of compromise of a data item
• Example:
– machine outside the firewall (c is high)
– reduce c of the data item by using a different FRS
• Use the proposed metric to design efficient FRS algorithms
• Used simulations to study IMFRS
• Details in past and upcoming reports
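The Task 2 quantities and the IMFRS metric above, as an added worked example (not code from the project or its reports): an exact IMFRS calculator under an assumed model in which a data item is unavailable if any fragment loses all of its copies and is compromised only if every fragment has a copy on a compromised server, with servers failing or being compromised independently. The server table and the placements are constructed; they let you compare F, R and S choices the way the slide's firewall example does.

```python
from itertools import product

# Constructed sample server population (not from the report): per-server
# (u, c) = (P(copy unavailable), P(copy compromised)). The "dmz" hosts sit
# outside the firewall, so their c is high, as in the slide's example.
SERVERS = {
    "dmz-1": (0.05, 0.40),
    "dmz-2": (0.05, 0.40),
    "int-1": (0.10, 0.05),
    "int-2": (0.10, 0.05),
}

# A placement encodes F, R and S at once: one inner list per fragment
# (F = number of lists), each naming the servers holding a copy (R = its
# length, S = which servers were chosen).
def _prob_of_event(event, placement, servers, idx):
    """Exact probability of `event` by enumerating every server state.

    idx selects u (0) or c (1). Enumerating states, instead of multiplying
    per-fragment terms, stays correct when two fragments share a server
    (their fates are then correlated). Assumes servers are independent.
    """
    names = list(servers)
    total = 0.0
    for flags in product((False, True), repeat=len(names)):
        state = dict(zip(names, flags))
        weight = 1.0
        for name, hit in state.items():
            p = servers[name][idx]
            weight *= p if hit else 1.0 - p
        if event(placement, state):
            total += weight
    return total

def item_lost(placement, down):
    # Reconstruction needs every fragment: lost if ANY fragment has ALL copies down.
    return any(all(down[s] for s in copies) for copies in placement)

def item_disclosed(placement, owned):
    # One fragment alone reveals nothing: disclosed only if EVERY fragment
    # has at least one copy on a compromised server.
    return all(any(owned[s] for s in copies) for copies in placement)

def imfrs(placement, servers=SERVERS):
    """Return (IMFRS, P(unavailable), P(compromise)); IMFRS is the sum."""
    pu = _prob_of_event(item_lost, placement, servers, 0)
    pc = _prob_of_event(item_disclosed, placement, servers, 1)
    return round(pu + pc, 6), round(pu, 6), round(pc, 6)

if __name__ == "__main__":
    for label, placement in {
        "no FRS, one copy on dmz-1": [["dmz-1"]],
        "F=2 R=2, disjoint servers": [["dmz-1", "int-1"], ["dmz-2", "int-2"]],
        "F=2 R=2, dmz-1 holds both": [["dmz-1", "int-1"], ["dmz-1", "int-2"]],
    }.items():
        print(f"{label:28} (IMFRS, P_unavail, P_comp) = {imfrs(placement)}")
```

The last two placements use the same F and R and differ only in S; the one that puts a copy of both fragments on the high-c host outside the firewall scores far worse, which is the scattering effect the metric is meant to expose.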
Dynamic Intrusion Tolerance Schemes
• Only static schemes have been considered so far in the literature:
– FRS techniques developed in this and other projects
– Shamir's secret sharing, Rabin's information dispersal (cryptographic)
• Fragments or shadows do not change servers
– even when server characteristics (u, c) change
• Can we improve the system strength with dynamic schemes?
– where fragments or shadows migrate over their lifetime
– mobile software code is then used to carry the fragments
• Started investigations in
– novel dynamic notions of secret sharing and information dispersal
– construction of protocols for these two notions
– construction of non-cryptographic FRS protocols
– comparison of these two in a dynamic setting
Task 3-4: ICM Architecture
• Make middleware intrusion tolerant: lower-level services to
– adapt and plug in new/alternate middleware dynamically (interceptors)
– protect middleware by FRSing middleware data, code, and messages
• Make apps intrusion tolerant: high-level services (API)
– protect apps by FRSing app data, code, and messages
• An intrusion manager invokes FRS services at startup, at normal run time, and under attack
• Apply to diverse middleware: CORBA, MOM, WAP, VOIP, EAI, COM+, SOAP, etc.
• Developed a prototype to demonstrate proof of concept (CORBA, MOM) for asynchronous/synchronous communications
• Gained many insights about middleware services and what is missing (e.g., better interception)
Intelligent Compensating Middleware for Intrusion/Assault Tolerance (High Level View)
[Figure: layered view. Applications sit on the ICM (API), which contains FRS routines (persistent and non-persistent) and adapters and receives intrusion triggers; the ICM wraps the COTS middleware, which runs over Network Services. Labels: Normal, App IT, Middleware IT.]
Source: "ICM External Architecture", Data Item: A002, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, March 2001.
Prototype
• Developed a proof-of-concept prototype
• Generic approach for CORBA and MOM
• Developed generic FRS proxies that work for both CORBA and MOM:
– code FRS (persistent)
– data FRS (persistent)
– message FRS (non-persistent)
• Developed an FRS Java API
– simple API for fragmenting data
– currently used to fragment the code
– can be used for plugging in different FRS algorithms
• The current demo is ICM agnostic (i.e., apps do not issue ICM calls)
• We can use ICM aware later (i.e., apps issue calls to do FRS)
Prototype: ICM for Synchronous Middleware (CORBA)
[Figure: client and server within a CORBA environment (ORB core). Each side chains a CORBA proxy and a transport proxy; a persistent FRS proxy serves both sides, each side has its own non-persistent FRS proxy, and intrusion triggers are shown as an input.]
ICM: Asynchronous Middleware (MQ Series)
[Figure: client and server within an MQ environment, connected by a client queue, a server queue and a message channel. Each side chains an MQ proxy and a transport proxy; a persistent FRS proxy serves both sides, each side has its own non-persistent FRS proxy, and intrusion triggers are shown as an input.]
FRS Java API
Objective: make FRS commonly available.
• Open Java API:
– persistent FRS, e.g. frsProxy.store(byte[] data), frsProxy.retreive(dataID)
– non-persistent FRS (messages), e.g. frsProxy.receiveMessages(), frsProxy.sendMessage(messageID, message)
• Uses the Java Factory design pattern to create and run new FRS algorithm implementations
• Independent of FRS algorithm implementations:
– new implementations can be added and easily plugged into the architecture
– implementations are instantiated by passing them arguments through a hashtable
• The architecture becomes a framework for experimenting with new FRS algorithms
• Implemented several FRS algorithms; implementing more.
TASK 1: Summary of Impact Analysis
Middleware            | Components with possible impact      | High vulnerability
XML                   | DTDs/schemas, XML documents          | Invalid XML transactions; trading on networks can stop or be diverted
CORBA                 | ORB core, servants                   | CORBA-based apps unreliable
MOM                   | MOM queue manager                    | MOM-based applications unreliable
Telecom middleware    | Softswitch, VOIP gateways            | Serious impact on telecom facilities and services
WAP platform          | WAP gateway                          | WAP-based services destroyed
EAI platform          | EAI broker                           | Mission-critical enterprise applications cannot operate
ASP platforms         | ASP host                             | Can impact multiple enterprises
Emarket platforms     | Emarket catalogs and transactions    | Emarket trading comes to a halt
Supply chain platform | Supply chain controller, SCM servers | Supply chains stop
“Intrusion Threats In Emerging Middleware Platforms: Impact Analysis”,
Data Item: A002, Work Completed under the Project "A Comprehensive Approach for
Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15.
Prototype II: Pattern-based Intrusion Analysis
[Figure: pattern-based analysis flow; labels and bullets as they appear on the slide]
Industry (business) patterns
• Two, three, n tiered
• Interaction with existing systems
• Loose versus tight coupling
Application patterns
Infrastructure needed
• networks, middleware
Solution patterns
Other analyzers (integration, COTS middleware selection, outsourcing, etc.)
• Internal services
• External (with consumers)
• External (with partners/suppliers)
Intrusion/Security Analyzer
• Transaction volume
• Transaction value
• Number of partners
• Level of trust between partners
• Others
• Possible impact of intrusion
• Suggested approaches
IBM's business patterns: http://www-106.ibm.com/developerworks/patterns/
Summary: Potentially High Payoff in developing a generic approach to make COTS Middleware IT
Impact analysis
– Report completed; Discex paper
– Prototype: pattern-based (Dec 2001)
FRS algorithms
– Reports and papers: report March 2001; two papers published
ICM architecture
– Generic architecture (CORBA, MOM, VOIP) developed; preparing papers
– Report March 2001 (paper); report Dec 2001 (paper)
Software
– Prototype 1 (July 2001)
– Prototype 2 (July 2002)
Task Schedule
[Gantt chart covering 3Q GFY 2000 through 4Q GFY 2003 for: Task 1 Impact Analysis; Task 2 Architecture; Task 3 Software; Task 3-Opt; Task 4 Evaluation of FRSA; Task 5 (opt.) Management. Bar positions are not recoverable from the text.]
Lessons Learned/Path Forward
• Key point: applications as well as middleware can be made IT through FRS (application aware and unaware)
• FRS has several interesting areas of investigation:
– persistent versus non-persistent FRS
– dynamic FRS can benefit intrusion tolerance plus cryptography
– metrics can be developed/used to determine the best schemes
• Middleware architectures and prototyping:
– interceptors/exits are of key importance for adaptation/plug-in
  • CORBA provides the best interceptors, but not enough (cannot intercept the ORB)
  • some middleware (e.g., MS) do not provide any interceptors/exits
– the middleware semantic model can be used to reason about security (e.g., the role of the directory for binding and message transfer)
– CORBA versus DCOM similarities/dissimilarities
– MQ client interception: MQ does not give us any information about which receiving application is going to pick up the message
• Impact analysis: the pattern-based approach may be useful
• Next step: refine/apply to a wide range of COTS middleware
Publications/Reports
• "ICM External Architecture", Data Item: A002, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, March 2001.
• "Intrusion Tolerance through FRS", Data Item: A003, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, March 2001.
• "Intrusion Threats In Emerging Middleware Platforms: Impact Analysis", Data Item: A001, Work Completed under the Project "A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware", BAA00-15, Dec. 2000.
• Ghosh, Anjum, Umar, Zbib, Rathi, "On efficient schemes for Intrusion Tolerance", Infocom 2001, submitted.
• Anjum, Ghosh, Umar, Zbib, "On Metrics for Intrusion Tolerance and Efficient Fragmentation-Redundancy-Scattering schemes", IEEE ICON 2001, accepted.
• Umar A, Anjum F, Ghosh A, Zbib R, "Intrusion Tolerant Middleware", Discex (Defense Information Security Exchange), June 2001.
• Umar A, Anjum F, Ghosh A, Zbib R, "Intrusion Tolerant Information Distribution in the Battlefield", 4th ATIRP Conference, March 2001.
• Anjum, A., "Intrusion Tolerance Schemes to Facilitate Mobile e-commerce", IEEE ICPWC, Dec 2000.
• Anjum, A. and Umar, A., "Agent-based Intrusion Tolerance Using Fragmentation Redundancy", IEEE WCNC, Sept 2000.
Questions?