CS448/548 Sequence 16 © 2008 A.W. Krings

Discussion

- We will now look at a low-level approach to survivability.
- There are some definite potential problems: during the presentation, think maliciously and identify the weaknesses.

Redundancy: A Curse or Blessing?

- Recall what we said about redundancy: recovery requirements imply redundancy.
- Three types of redundancy:
  - Information redundancy: add information, e.g. error correction, authentication, codes
  - Time redundancy: repeat an event in time, e.g. multiple readings of the same sensor
  - Spatial redundancy: physical redundancy, local or distributed, e.g. NMR, k-of-N

Putting it back together...

- How does one combine results from redundant operations?
- Fault-tolerant agreement
  - From majority voting to Byzantine agreement (started with the Lamport paper)
  - Many flavors:
    - Network topology: bus, ring
    - Network protocols: ATM, TCP/IP, multicast
    - Communication type: symmetric, asymmetric

The BRANS Approach

- BAM = Byzantine Agreement Module
  - Survivability cluster

An Example: DNS

- DNS (Domain Name Service) resolves addresses
  - snake.cs.uidaho.edu = 129.101.55.119
  - The DNS server maintains a database of mappings
- (Figure: a client sends "Resolve: snake" and receives 129.101.55.119.)

An Example: DNS

- Intruder changed a DNS entry.
- (Figure: the request "Resolve: snake" goes to four BAMs, which vote. Three BAMs hold Snake = 129.101.55.119, the compromised one holds Snake = 129.101.55.22; voting returns 129.101.55.119 to the client.)

Agreement Requirements

- Solutions with the lowest overhead are applied, e.g.
  - simple majority voting
  - Byzantine agreement with early stopping
  - full Byzantine agreement
- Individual critical functionalities use those solutions that minimally satisfy their agreement requirements.
- Note: in the previous example a simple majority suffices; however, if the DNS table needs to be updated, stronger agreement solutions are needed that require the four computers shown.

Discussion

- Let's play "Devil's Advocate".

Systems under Attack

- How does one tell if a system is under attack?
  - IDSs?
  - How "real-time" should real-time be?
  - Decide on a "level of abstraction" to be considered.

Systems under Attack

- How can the Whittaker approach be modified to help attack recognition?
  - by observing dependencies, profiles, timing behavior, ...

Systems under Attack

- We will look at two examples, one bottom-up and the other top-down.
  - The next discussion is based on the paper "A Two-Layer Approach to Survivability of Networked Computing Systems", A.W. Krings et al., International Conference on Advances in Infrastructure for Electronic Business, Science, and Education on the Internet, L'Aquila, Italy, Aug 6-12, 2001, pp. 1-12.
- We will compare the basic approach with the concepts of the Whittaker paper.

Objective

- Achieve survivability of critical functionalities: the ultimate goal, the holy grail (very general, very difficult).
- "Some attacks can be dealt with at the lowest level."
- Standard user environment.
- Implementing the survivability mechanism
  - at the lowest level of abstraction
  - suitable for a class of attacks with distinct signatures
  - survivability handlers and response agents

Assumptions

- Anything is possible, and it will happen!
- Intrusions will occur sooner or later.
- Mechanisms that empower can be used against you.
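The DNS voting example and the agreement-requirements slide, carried through in code. This is an added example, not BRANS or BAM code: it uses four constructed replica nodes, simple majority voting for the read case, and the oral-messages algorithm OM(m) of Lamport, Shostak and Pease for the update case (full agreement, not the early-stopping variant the slides also mention). The node numbers, the traitor behaviours and the altered address are assumptions.

```python
"""Majority voting versus Byzantine agreement for a replicated DNS mapping.

Added example; the BAM nodes, traitor behaviours and addresses are assumed.
"""
from collections import Counter

GOOD = "129.101.55.119"   # the correct mapping for snake.cs.uidaho.edu
BAD = "129.101.55.22"     # the intruder's altered entry (assumed value)
DEFAULT = None            # value adopted when no majority exists

# Constructed replica state: BAM node 3 has been tampered with.
REPLICAS = {0: GOOD, 1: GOOD, 2: GOOD, 3: BAD}


def majority(values, default=DEFAULT):
    """Strict majority of the given values, or the default when none exists."""
    value, count = Counter(values).most_common(1)[0]
    return value if 2 * count > len(values) else default


def resolve(replicas):
    """Read case from the slides: every BAM answers from its own table and the
    client takes the strict majority, so one altered table cannot win."""
    return majority(list(replicas.values()))


def om(m, commander, lieutenants, value, send):
    """Oral-messages algorithm OM(m) (Lamport, Shostak, Pease 1982).

    send(src, dst, v) models the channel: honest senders relay v unchanged,
    traitors may return anything. Returns {lieutenant: decided value}.
    """
    received = {l: send(commander, l, value) for l in lieutenants}
    if m == 0:
        return received
    # views[j][i]: the value lieutenant j attributes to lieutenant i
    views = {j: {j: received[j]} for j in lieutenants}
    for i in lieutenants:
        others = [l for l in lieutenants if l != i]
        # lieutenant i acts as commander of OM(m-1) for the value it received
        for j, v in om(m - 1, i, others, received[i], send).items():
            views[j][i] = v
    return {j: majority(list(views[j].values())) for j in lieutenants}


def update_with_traitor_lieutenant(n):
    """Update case: commander 0 honestly proposes GOOD to lieutenants 1..n-1;
    lieutenant n-1 is a traitor that relays BAD. Returns the decisions of the
    honest lieutenants, which must all equal GOOD for validity to hold."""
    traitor = n - 1

    def send(src, dst, v):
        return BAD if src == traitor else v

    decided = om(1, 0, list(range(1, n)), GOOD, send)
    return {l: decided[l] for l in range(1, n) if l != traitor}


def update_with_traitor_commander(n):
    """Update case with a lying commander: node 0 tells lieutenant 2 BAD and
    everyone else GOOD. Agreement only requires that the honest lieutenants
    decide the same value."""
    def send(src, dst, v):
        if src == 0:
            return BAD if dst == 2 else GOOD
        return v

    return om(1, 0, list(range(1, n)), GOOD, send)


if __name__ == "__main__":
    print("read:", resolve(REPLICAS))
    print("4 nodes, traitor lieutenant:", update_with_traitor_lieutenant(4))
    print("3 nodes, traitor lieutenant:", update_with_traitor_lieutenant(3))
    print("4 nodes, traitor commander:", update_with_traitor_commander(4))
```

With four nodes and one traitor the honest lieutenants both obey an honest commander and agree among themselves under a lying commander. With only three nodes, a single traitorous lieutenant leaves the honest lieutenant facing a 1:1 split, so it falls back to the default instead of the commander's value; this is the n ≥ 3m+1 bound that makes the update case need the four computers shown, while a plain read only needs a majority of the replies.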
Standard User Environment

- Target system
  - typical desktop computer
  - mostly operated by a single individual
  - standard applications: browser, email, ftp, telnet, multimedia, text processor, etc.
- System characteristics
  - low utilization (see the Linux top command)
  - the "idle profile" of the system is surprisingly clean

Off-line and On-line Survivability

- Off-line design process
  - clean system environment (off-line, no applications)
  - creation of an attack signature database
  - attack signatures aid in the identification of critical functions
  - implementation of reactionary mechanisms
    - low level (kernel handlers)
    - high level (migratory agents)
    - a priori matching of critical functionalities with critical functions

Off-line and On-line Survivability

- On-line (real-time) protective capabilities
  - real-time attack recognition
  - at high level: recognition triggers response agents
  - at kernel level: survivability handlers get invoked (independent of attack recognition)

System Architecture

- (Figure: a PIII PC running RedHat 6.2 / kernel 2.2.16 on a LAN is the target of the survivability features; the network interface and the critical functionalities in the protocol stack are currently profiled in the kernel.)

Levels of Abstraction

- (Figure: real-time potential at the different levels of abstraction.)

Two Layers of the Architecture

- Real-time low-level event handlers
  - survivability handlers
  - currently used for kernel instrumentation
  - case study: early stopping agreement
- High-level reactionary control
  - implements high-level survivability features, e.g. filtering, patching, early warning
  - migratory autonomous agent system
    - small specialized program to perform a specific task
    - off-the-shelf technology (Aglets)

Survivability Architecture Overview

- (Figure: system components.)

Profiles

- We view a system as a collection of profiles P_i of its functionalities; k is the number of functionalities active during Δt.
- Functionality profile: f_j(Δt) is the number of times identity F_j has been invoked during Δt.

Attack Signatures

- Atomic attacks A_i
  - the smallest attack technology unit
  - e.g. a port sweep, a sequence of unsuccessful login attempts
- Attack signature S_i
  - the portion of a profile that is attributable to A_i
  - a one-to-one mapping from the indices of S_i to the indices of the profiled identities F_j
  - f_j(Δt) is the number of times identity F_j has been called during Δt

Attack Signature over Time

- Example: "teardrop" (overlapping IP(TCP) fragments are formatted to cause
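The profile and attack-signature definitions from the last slides, turned into code. This is an added example, not the course's kernel instrumentation or the code of the Two-Layer paper: the profiled identities, the Δt window, the idle baseline, the two signatures and the event trace are all constructed for illustration (the real system profiled kernel functions of a Linux 2.2.16 protocol stack; the names below are stand-ins). It also goes slightly beyond the single-window definition by matching a signature that spans two consecutive windows, in the sense of the "attack signature over time" slide.

```python
"""Functionality profiles f_j(Δt) and atomic-attack signature matching.

Added example. Identity names, baseline, signatures and trace are constructed.
"""
from collections import Counter, defaultdict

DT = 1.0  # Δt: length of one profiling window in seconds (assumed)

# Identities F_j profiled at the kernel level. Illustrative stand-ins for
# protocol-stack entry points, not the course's actual list.
IDENTITIES = ["ip_rcv", "ip_defrag", "tcp_v4_rcv", "tcp_v4_send_reset"]

# Constructed "idle profile": what one quiet window of Δt looks like.
IDLE = Counter({"ip_rcv": 3, "tcp_v4_rcv": 3})

# Attack signatures S_i: the portion of a profile attributable to atomic
# attack A_i, given as a list of per-window Counters (a signature over time).
# Keys play the role of the one-to-one mapping onto the identities F_j, and
# a window matches a step when its counts above IDLE reach these values.
SIGNATURES = {
    # port sweep: a burst of SYNs to closed ports answered with RSTs
    "port_sweep": [Counter({"ip_rcv": 20, "tcp_v4_rcv": 20,
                            "tcp_v4_send_reset": 15})],
    # fragment flood: reassembly invoked far more often than normal input,
    # sustained over two consecutive windows
    "fragment_flood": [Counter({"ip_rcv": 10, "ip_defrag": 10}),
                       Counter({"ip_rcv": 10, "ip_defrag": 10})],
}


def build_profile(trace, dt=DT):
    """Profile of an event trace [(time, identity), ...]:
    {window index k: Counter} with Counter[F_j] = f_j(Δt) for window k."""
    profile = defaultdict(Counter)
    for t, ident in trace:
        if ident in IDENTITIES:
            profile[int(t // dt)][ident] += 1
    return dict(profile)


def excess(window_counts, idle=IDLE):
    """Counts above the idle baseline; Counter subtraction drops non-positives."""
    return window_counts - idle


def window_matches(window_counts, sig_step):
    """True when every identity of one signature step is reached above idle."""
    ex = excess(window_counts)
    return all(ex[ident] >= n for ident, n in sig_step.items())


def recognize(profile):
    """Return {attack name: [start window, ...]} for every signature whose
    steps match consecutive windows of the profile."""
    hits = defaultdict(list)
    for name, steps in SIGNATURES.items():
        for k in sorted(profile):
            if all(window_matches(profile.get(k + s, Counter()), step)
                   for s, step in enumerate(steps)):
                hits[name].append(k)
    return dict(hits)


def constructed_trace():
    """Constructed event trace: idle background in windows 0-3, a port sweep
    in window 1 and a fragment flood across windows 2 and 3."""
    trace = []
    for k in range(4):
        for i in range(3):
            trace.append((k + 0.1 * i, "ip_rcv"))
            trace.append((k + 0.1 * i + 0.05, "tcp_v4_rcv"))
    for i in range(25):
        t = 1.0 + i * 0.03
        trace += [(t, "ip_rcv"), (t, "tcp_v4_rcv")]
        if i < 20:
            trace.append((t, "tcp_v4_send_reset"))
    for k in (2, 3):
        for i in range(12):
            t = k + 0.5 + i * 0.02
            trace += [(t, "ip_rcv"), (t, "ip_defrag")]
    return trace


if __name__ == "__main__":
    prof = build_profile(constructed_trace())
    for k in sorted(prof):
        print(k, dict(excess(prof[k])))
    print(recognize(prof))
```

The subtraction against the idle profile is what the "idle profile is surprisingly clean" observation buys: on a lightly used desktop the baseline is small and stable, so even a modest signature stands out. A signature that spans several windows, like the fragment flood above, is only reported at the window where its first step begins, and a step that runs past the end of the profile does not match.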