Motivation



  1. Motivation
  • Mission critical applications being developed using CORBA on COTS platforms
  • CORBA Security protects at the middleware level, but applications remain vulnerable to O/S and network attacks
  • Fault Tolerant CORBA does not protect against malicious faults

  2. Technical Objectives
  • Provide intrusion tolerance for CORBA applications
  • System level approach
    • Middleware
      • Eliminate reliance on any single server
      • Secure, reliable group communication directly between clients and replicated servers
      • Detect Byzantine (arbitrary) faults in servers
      • Support heterogeneity (diversity of implementation)
    • Boundary controllers (firewalls)
      • Protocol inspection
      • End-to-end authentication between clients and servers

  3. Existing Approaches
  • OMG supports Fault Tolerance for CORBA
    • Not intrusion tolerant
    • Not fully interoperable
    • No firewall support
  • Prior and Current Research
    • Avoided ORB changes by intercepting process level communications; forces homogeneous server implementation
    • Use of “primary” or “lead” server; cannot tolerate Byzantine faults
    • Ensemble, Maestro, AQuA, Rampart, Eternal, others

  4. Technical Approach
  • Leverage prior work on fault tolerant CORBA; secure, reliable, authenticated multicast; total ordering; Byzantine fault detection
  • Active replication of servers with voting
  • Protect client and server hosts with application proxy firewall; include firewall in multicast group
  • Integrate with open-source ORB
  • Detect value faults above CDR encode/decode layer
  • Replace transport layer with secure, reliable, authenticated multicast
  • Handle duplicate requests and replies

  5. Conceptual Overview (diagram; labels only): Client Application Code over an IT ORB whose layers are Value Fault Detection / Voting, Redundant Msg. Exclusion, Encode/Decode, Time/Crash/other Fault Detection, and Secure, Reliable, Auth. Multicast; a Client-Side Firewall (M-Cast GIOP Proxy Firewall) and Server-Side Firewalls (M-Cast GIOP Proxy Firewalls) joined by Secure, Reliable, Auth. Multicast; Redundant Servers, each running Server Application Code over an IT ORB.

  6. Approach: What’s Different?
  • All servers are equal
    • Eliminates need for “primary” or “lead” server
  • Detect value faults in the ORB
    • Encoding of CORBA messages depends on the source platform (i.e., byte ordering)
    • Permits heterogeneous implementations
  • Application proxy firewall integrated into the architecture
    • Better protection for COTS client and server hosts
    • End-to-end authentication of client and server
    • May have better performance than IIOP/SSL proxies
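As an added example (not from the presentation or its project), the value-fault detection and redundant message exclusion of slides 4 and 6 in Python: three constructed replica replies carry a 32-bit result in CDR style with different byte-order flags, so a transport-level byte comparison would flag the healthy big-endian server, while voting over decoded values isolates the one replica that actually returned a wrong value. Function names, the reply format and the 2f+1 replica bound for majority voting are assumptions, not taken from the page.

```python
import struct
from collections import Counter

def encode_reply(value, little_endian):
    """Encode one 32-bit integer as a CDR sender would: byte-order flag
    (0 = big-endian, 1 = little-endian) followed by the value in that order."""
    fmt = "<I" if little_endian else ">I"
    return bytes([1 if little_endian else 0]) + struct.pack(fmt, value)

def decode_reply(payload):
    """CDR decode: honour the sender's byte-order flag, not the receiver's."""
    fmt = "<I" if payload[0] == 1 else ">I"
    return struct.unpack(fmt, payload[1:5])[0]

def distinct_encodings(replies):
    """What a comparison below the encode/decode layer sees: raw byte strings."""
    return len({payload for _, _, payload in replies})

def vote(replies, f):
    """Majority vote over decoded replies from actively replicated servers.

    replies: list of (server_id, request_id, payload) tuples.
    f: number of value-faulty (Byzantine) servers to mask; majority voting
       needs 2f+1 distinct servers (standard bound, assumed here).
    Returns (agreed_value, servers_with_value_faults, duplicates_dropped).
    """
    seen, decoded, duplicates = set(), {}, 0
    for server_id, request_id, payload in replies:
        key = (server_id, request_id)
        if key in seen:                      # redundant message exclusion
            duplicates += 1
            continue
        seen.add(key)
        decoded[server_id] = decode_reply(payload)   # vote above CDR decode
    if len(decoded) < 2 * f + 1:
        raise ValueError("need %d distinct replies to mask %d faults" % (2 * f + 1, f))
    value, count = Counter(decoded.values()).most_common(1)[0]
    if count < f + 1:
        raise ValueError("no value reached f+1 agreement; cannot mask faults")
    faulty = sorted(s for s, v in decoded.items() if v != value)
    return value, faulty, duplicates

REQUEST_ID = 7
SAMPLE_REPLIES = [   # constructed sample: same logical result, mixed byte orders
    ("srv-a", REQUEST_ID, encode_reply(42, little_endian=True)),
    ("srv-b", REQUEST_ID, encode_reply(42, little_endian=False)),
    ("srv-c", REQUEST_ID, encode_reply(99, little_endian=True)),   # value fault
    ("srv-b", REQUEST_ID, encode_reply(42, little_endian=False)),  # duplicate reply
]

if __name__ == "__main__":
    print("distinct byte encodings:", distinct_encodings(SAMPLE_REPLIES))
    print("vote result:", vote(SAMPLE_REPLIES, f=1))
```

Raw bytes give three distinct encodings (two healthy servers disagree only in byte order), while the vote returns 42, names srv-c as the value-faulty replica and reports one duplicate dropped.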

  7. Risks and Mitigation Plans
  • Performance of secure, reliable, authenticated multicast
    • Mitigation Plan:
      • Evaluate and experiment with existing research prototypes
      • Design replaceable transport layer
      • Take advantage of research advances as they become available
  • Defense against DoS attacks by compromised servers
    • Mitigation Plan:
      • Rely on intruder tracing (IDIP?) to find source and block

  8. Expected Achievements
  • At least one implementation of an ORB on two or more heterogeneous platforms that tolerates Byzantine faults
  • Integrated application proxy firewall support to protect COTS client and server hosts
  • Understand trade-off between performance and degrees of intrusion tolerance

  9. Metrics
  • Cost/benefit of redundant servers
    • Tolerance of Byzantine faults (number of faulted servers) vs. impact on throughput due to additional replication
    • Throughput measured by operations per second
  • Countermeasure Characterization using either IA or IASET methodology
  • Experimentation at the TIC to validate countermeasure claims

  10. Policy Issues
  • Assumptions
    • Other mechanisms enforce QoS and QoP policies
    • CORBA Security could be added to the architecture to provide other services (access control, audit, non-repudiation, etc.)
    • Can integrate with intruder tracing mechanisms (e.g., IDIP) to handle denial of service attacks
  • Enforcement Mechanisms
    • Need policy for group membership: servers, clients, and firewalls
    • Standard firewall permit/deny policy extended for secure, reliable, authenticated multicast

  11. Schedule

  12. Technology Transfer
  • Work with OMG to revise existing specifications, create new specifications
    • Fault Tolerance specification
    • Unreliable Multicast specification
    • Firewall specification
  • Joint experimentation with other DARPA and DoD programs
  • Conferences and workshops