
Intrusion Tolerance Using Masking, Redundancy and Dispersion

DARPA ITS PI Meeting – Honolulu – July 17-21, 2000. Janet Lepanto and Bill Weinstein, The Charles Stark Draper Laboratory, Inc. and Aegis Research Corporation.


Presentation Transcript


  1. Intrusion Tolerance Using Masking, Redundancy and Dispersion
     DARPA ITS PI Meeting – Honolulu – July 17-21, 2000
     Janet Lepanto, Bill Weinstein
     The Charles Stark Draper Laboratory, Inc. / Aegis Research Corporation®

  2. Technical Objectives
     • Develop an ITS architecture that supports layered defenses and provides resilience to attacks
     • Limit an attacker’s ability to ascertain the current state of the system configuration
     • Enable a system to tolerate subtle attacks whose characteristics are not known a priori
     • Guarantee data integrity in the face of a successful attack on one of the servers

  3. Technical Approach
     • Adapt key concepts from fault-tolerant computing to address subtle attacks that may elude firewalls and algorithms that look for patterns of abnormal behavior:
       – Masking faults so that their effects do not propagate to the system “output”
       – Rollback of execution to an uncompromised system state to recover from the effects of a fault
       – Synchronization to enable voting among redundant copies of data
     • Incorporate these concepts in an ITS composed largely of untrusted, unmodified COTS servers and databases, augmented by a small set of trusted components
     • Test these concepts in a series of phased experiments
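The three fault-tolerance concepts on the Technical Approach slide (masking, rollback, synchronized voting) can be seen working together in a small simulation. The code below is an added example written for this page; it is not Draper or Aegis code and the presentation defines no such API. Everything in it is an assumption made for illustration: a `CotsServer` class standing in for an untrusted replica with its own copy of the data, a trusted `TransactionMediator` that synchronizes one transaction across all replicas, votes on the answers, masks any dissenting output, and rolls the dissenter back to a trusted snapshot, and a constructed account record as the sample data.

```python
"""Added example (not from the presentation): voting, masking and rollback
in a toy transaction mediator. All names and data here are constructed."""
import copy
from collections import Counter
from dataclasses import dataclass, field
from typing import Any, Dict, List, Optional


class CotsServer:
    """Stand-in for an untrusted, unmodified COTS server holding its own copy of the data."""

    def __init__(self, name: str, records: Dict[str, Any]) -> None:
        self.name = name
        self.records = copy.deepcopy(records)

    def query(self, key: str) -> Any:
        return self.records[key]


@dataclass
class VoteResult:
    value: Optional[Any]   # majority answer released to the client; None if no quorum
    agreed: List[str]      # servers whose answer matched the majority
    masked: List[str]      # servers whose answer was discarded (never reaches the output)
    quorum_reached: bool


@dataclass
class TransactionMediator:
    """Trusted component: runs one transaction on every replica, votes on the
    answers, masks dissenting outputs and queues dissenters for rollback."""

    servers: List[CotsServer]
    golden: Dict[str, Any]          # trusted snapshot used as the rollback target
    quorum: int                     # agreeing replicas required before an output is released
    rollback_queue: List[str] = field(default_factory=list)

    @staticmethod
    def canonical(response: Any) -> str:
        # Canonical text form so equal answers compare equal regardless of object identity.
        return repr(response)

    def vote(self, responses: Dict[str, Any]) -> VoteResult:
        if not responses:
            return VoteResult(None, [], [], False)
        tally = Counter(self.canonical(r) for r in responses.values())
        winner, votes = tally.most_common(1)[0]
        agreed = [n for n, r in responses.items() if self.canonical(r) == winner]
        masked = [n for n in responses if n not in agreed]
        if votes < self.quorum:
            # No quorum: release nothing and treat every answer as suspect.
            return VoteResult(None, [], list(responses), False)
        return VoteResult(responses[agreed[0]], agreed, masked, True)

    def execute(self, key: str) -> VoteResult:
        # Synchronization: every replica answers the same transaction before any output is released.
        responses: Dict[str, Any] = {}
        for srv in self.servers:
            try:
                responses[srv.name] = srv.query(key)
            except Exception as exc:  # a crashed replica still casts a (losing) vote
                responses[srv.name] = ("error", type(exc).__name__)
        result = self.vote(responses)
        # Masking: only the majority value leaves the mediator; dissenters are queued for rollback.
        for name in result.masked:
            if name not in self.rollback_queue:
                self.rollback_queue.append(name)
        return result

    def rollback_pending(self) -> List[str]:
        # Rollback: restore each queued replica to the trusted snapshot.
        by_name = {s.name: s for s in self.servers}
        restored = []
        while self.rollback_queue:
            name = self.rollback_queue.pop(0)
            by_name[name].records = copy.deepcopy(self.golden)
            restored.append(name)
        return restored


# Constructed sample data: one account record replicated on three servers.
GOLDEN = {"acct:1001": {"owner": "alice", "balance": 250}}


def demo() -> dict:
    """One transaction with a tampered replica, then one after rollback."""
    servers = [CotsServer(f"srv-{i}", GOLDEN) for i in (1, 2, 3)]
    mediator = TransactionMediator(servers, golden=GOLDEN, quorum=2)
    # Simulate a successful attack on a single server: its copy of the record is altered.
    servers[2].records["acct:1001"]["balance"] = 999_999
    first = mediator.execute("acct:1001")       # srv-3 is outvoted and masked
    restored = mediator.rollback_pending()      # srv-3 restored from the trusted snapshot
    second = mediator.execute("acct:1001")      # all three replicas agree again
    return {"first": first, "restored": restored, "second": second}


if __name__ == "__main__":
    out = demo()
    print("released:", out["first"].value, "masked:", out["first"].masked)
    print("rolled back:", out["restored"], "agreed after:", out["second"].agreed)
```

The quorum is a parameter rather than a fixed majority so that the same mediator can be run with the N-server basic architecture or with the three-set extended architecture; with quorum greater than N/2 a single compromised server can never get its answer released, which is the "data integrity in the face of a successful attack on one of the servers" property the objectives slide states.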

  4. Basic Architecture (diagram; only the component labels are recoverable)
     Components shown: External WAN, External Firewall, Gateway, Authentication Server, Configuration Manager, Transaction Mediator, Switched IP (two segments), Server (1), Server (2), Server (N), DataBase.
     Legend: Trusted / COTS / Other.

  5. Extended Architecture (diagram; only the component labels are recoverable)
     Components shown: External WAN, External Firewall, Gateway, Authentication Server, Configuration Manager, Switched IP, and three server sets (Servers (Set 1), Servers (Set 2), Servers (Set 3)), each containing Web Servers, a Transaction Mediator, a DataBase and its own Switched IP segment.
     Legend: Trusted / COTS / Other.

  6. Experiment Plan
     • Four phases of experiments will test the response of our ITS mechanisms to Red Team attacks:
       – Initial mechanisms for attack disruption (Year 1)
       – Initial mechanisms for system recovery (Year 2)
       – Refined mechanisms for attack disruption and system recovery; initial mechanisms for synchronization and voting (Year 3)
       – Refined mechanisms for synchronization and voting for distributed servers (Year 4)

  7. Risk Management
     • Primary Risks
       – Dispersion of application transactions within a single session
       – Rapid validation of server configuration
       – Efficient synchronization and voting in a transaction-oriented environment
     • Risk Mitigation
       – Aegis has performed configuration analyses and has begun preliminary work in fingerprint modification
       – Dispersion techniques are employed today for load balancing; the challenge in the proposed application is to reduce the granularity at which dispersion is done
       – Draper has successfully applied synchronization, voting, and rollback in fault-tolerant system designs
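The risk slide contrasts the per-session dispersion that load balancers do today with the per-transaction dispersion this architecture needs, and the objectives slide wants the resulting assignment to be unpredictable to an attacker. The following is an added example, not code from the presentation or its authors, showing one way to meet both requirements: a keyed PRF (HMAC-SHA256 over the session id and transaction sequence number) chooses the server set, so an outside observer without the key cannot anticipate where the next transaction lands, while the mediator can recompute every assignment for audit. The `assign_server_set` and `disperse_session` functions, the key and the session identifiers are all constructed for this example.

```python
"""Added example (not from the presentation): keyed dispersion of transactions
across server sets at session versus transaction granularity."""
import hashlib
import hmac
from typing import List


def assign_server_set(key: bytes, session_id: str, tx_seq: int, n_sets: int) -> int:
    """Choose a server set for one transaction with HMAC-SHA256 as a keyed PRF.
    Deterministic for the mediator (same inputs, same set), unpredictable to
    anyone who does not hold the key."""
    if n_sets < 1:
        raise ValueError("need at least one server set")
    msg = f"{session_id}:{tx_seq}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest[:8], "big") % n_sets


def disperse_session(key: bytes, session_id: str, n_tx: int, n_sets: int,
                     granularity: str = "transaction") -> List[int]:
    """Return the server-set index for each transaction of a session.

    granularity="session"     reproduces today's load-balancer behaviour: one
                              set is chosen once and every transaction goes there.
    granularity="transaction" is the finer dispersion the slide calls for: each
                              transaction in the session is assigned independently.
    """
    if granularity == "session":
        chosen = assign_server_set(key, session_id, 0, n_sets)
        return [chosen] * n_tx
    if granularity == "transaction":
        return [assign_server_set(key, session_id, seq, n_sets) for seq in range(n_tx)]
    raise ValueError(f"unknown granularity {granularity!r}")


if __name__ == "__main__":
    # Constructed key and session id; in a deployment the key lives only in the trusted mediator.
    KEY = b"constructed-example-key-do-not-reuse"
    print("per-session:    ", disperse_session(KEY, "sess-42", 8, 3, "session"))
    print("per-transaction:", disperse_session(KEY, "sess-42", 8, 3, "transaction"))
```

Because the assignment depends on the transaction sequence number, replaying or reordering requests within a session does not let a client steer itself onto a chosen server set; the mediator, holding the key, can still reconstruct the path any transaction took when assessing a suspect configuration.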

  8. Quantitative Metrics
     • Percent of successful Red Team attacks
     • Time to achieve successful Red Team attacks
     • Impact of ITS mechanisms on system performance

  9. Expected Major Achievements
     • Verification that attacks can be impeded by dispersion
     • Demonstration that data integrity can be maintained in the presence of unknown system vulnerabilities or unrecognized attack signatures
     • Demonstration that data integrity can be maintained in the event of a successfully completed attack on a single server

  10. Task Schedule (Gantt chart, CY 2000 through CY 2004 in quarterly columns; bar positions are not recoverable, so only the task list is shown)
      Phase 1 – Basic Architecture
        Initial Mechanisms, Attack Disruption
          1.1 Dev & Implmt Fingerprint Masking
          1.2 Dev & Implmt Dynamic Assign
          1.3 Dev & Implmt Config Evaluation
          1.4 Integration & Experimentation
          1.5 Program Management
        Initial Mechanisms, System Recovery
          2.1 Dev & Implmt Transaction Mediator
          2.2 Dev & Implmt Assess & Rollback
          2.3 Integration & Experimentation
          2.4 Program Management
      Phase 2 – Extended Architecture
        Refined Mechanisms, Attack Disruption
          3.1 Refine Fingerprint & Dynam Assign
          3.6 Dev Sync of Redundant Databases
          3.2 Implement Sync & Voting
          3.3 Refine Config Assessment
          3.4 Integration & Experimentation
          3.5 Program Management
        Refined Mechs, Sync & Voting, Distrib Sys
          4.1 Refine Sync & Voting
          4.2 Implmt Distribution of Servs & DBs
          4.3 Integration & Experimentation
          4.5 Program Management

  11. Technology Transfer
      • Mechanisms for technology transfer to DARPA, other government agencies, the Services, and industry include:
        – Formal documentation of the development and analysis of the prototype algorithms at the conclusion of each phase of our proposed effort
        – Documentation of the results of experiments
        – Technical papers published in the open literature and presented at conferences and workshops
        – Leveraging our Team’s links to government agencies with vested interests in ITS technology
        – Supporting government source selection for manufacturing and licensing our ITS technology

  12. Required Support from DARPA PM
      • Coordination of experiments in the DARPA Technical Integration Center (TIC) facility

  13. Conclusion
      • Problem
        – How can we tolerate unknown attack signatures and attacks that exploit unknown system vulnerabilities?
      • Approach
        – Adapt concepts that have been successfully implemented in Byzantine fault-tolerant systems
      • Benefits
        – Development and maintenance required for a relatively small number of trusted elements in the network architecture
        – COTS elements can be upgraded/improved with minimal impact on system security
        – Protects against “new” attacks
