University of California, San Diego Computer Science and EngineeringConcurrent Systems Architecture Group
Agile Objects: Component-based Inherent Survivability
Andrew A. Chien* and Jane W. Liu**
*University of California, San Diego
**University of Illinois, Urbana-Champaign
http://www-csag.ucsd.edu/projects/agileO.html
DARPA ISO Intrusion Tolerant Systems PI Meeting
February 22, 2000
Andrew A. Chien – 2/22/2000
Outline
• Agile Objects Approach
  » Location Elusiveness
  » Interface Elusiveness
• Detailed Technical Approach
  » Previously Reported
  » Progress in past six months
• Future Plans
Background/Existing Practice
• Static Distributed Software Architectures (nearly)
  » Fixed points of access, deployment, resource dependence
• System/Firewall/Sandbox/Domain based Security
  » Resource and containment oriented
• Security Architecture based on Anticipated Deployment Structures
• => Flexibility and reconfiguration can enhance survivability
• Our Focus: Flexible Configuration of Distributed C3I Systems (Real-time, High Performance, Mission-Critical Online systems)
  » E.g. Aegis Battle Cruiser, Theatre Command/Information system, etc.
Focus: Tolerance and Response
• Resource revocation due to loss
  » Physical loss, destruction, crash (failure)
• Resource loss due to compromise
  » Corruption, compromise, unacceptable risk
• Resources made undesirable due to changes in security status
  » Under attack, detected assaults, partially compromised, loss of other security critical information
  » Proactive reconfiguration in response to partial loss
Technical Objectives
• Flexible Configuration of Distributed C3I Systems
  » Performance
  » Application Architecture
  » Security
• Location Elusiveness
  » Survivability (resource loss or compromise)
  » Continued Real-time performance
• Interface Elusiveness
  » Survivability (automatic, distributed attack)
  » Adaptive Interfaces/Security Mechanisms over Reconfiguration
  » Dynamic Responses to Environmental Changes
• Prototypes and Demonstrations that support commercial APIs
Technical Approach
• Increase application capability thru Enhanced Middleware for Distributed Objects and Components
  » Benefit to Standard APIs
• Survivability thru Elusiveness
  » Distributed Applications without fixed resources or configuration
  » Security structures adapt to configuration/performance constraints
  » Difficult to locate, target, identify; Difficult to compromise
[Figure: Agile Objects Middleware]
Example Scenario
• Distributed object/Component applications
• Online reconfiguration enables a flexible dynamic response to resource or security change
• Response to critical events achieved in short time scales (seconds)
• Automatic reconfiguration maintains performance and security properties
[Figure: System#1, System#2, System#3; "Evacuate #1", then "Reconfigure to new Resources"]
Challenges
• Location Elusiveness: Support rapid application mobility with
  » Performance insensitivity
  » Uniform resource access
  » Continuous real-time performance
  » => make this real for significant distributed applications
• Interface Elusiveness: Adapt security mechanisms and configuration
  » Support *very* high speed networks
  » Describe system application security requirements
  » Manage and enforce security requirements, adapting in real time to match rapid changes
Detailed Technical Approach
• Location Elusiveness
  » Theoretical and Analytical Foundations
    – High Performance Distributed Objects
    – Migration and Scalable Name Service
    – Dynamic Open Real-time Systems
  » Prototypes and Demonstrations
    – High performance distributed objects
    – Object Migration and Replication
    – Open Real Time systems and Distributed Resource Managers
    – Experiment with existing applications for transparent static redistribution
    – Performance experiment and demonstrations with cluster/LAN and wide-area environments
Detailed Technical Approach (cont.)
• Interface Elusiveness
  » Theoretical and Analytical Foundations
    – Mutating Interfaces Space/Complexity/Performance (static)
    – Mutating Interfaces Dynamic Coordination (dynamic)
    – Mutating Interfaces Targeted (specific response)
  » Prototypes and Demonstrations
    – Interface Mutation Prototypes (range, correct operation)
    – Dynamic Mutation (consistent operation, reconfiguration, resource adaptation)
    – Demonstration and evaluation of several approaches for distributed coordination
    – Demonstration and evaluation of targeted responses based on intrusion detection information
• Integrated Experiments
Progress
• Previously reported results (8/99)
  » User-level networking performance
  » Fast Remote RPC (+ improving)
  » Basic Real-time Framework
• Recent Results
  » Multi-DCOM Prototype
  » Elusive Interfaces Case Study
• Future Plans
  » Experimentation with Multi-DCOM Prototype
  » Elusive Interfaces Prototype
Multi-DCOM Infrastructure
• Generic Transparent Interface for Replication
  » Based on DCOM infrastructure (binary modules of all derivations)
• “Iterator” based API: compatibility and basis for extension and experimentation
  » Experimentation framework for flexible replication (Fault and Intrusion Tolerance)
  » Partial redundancy/threshold cryptography approaches (e.g. Pasis, etc.)
[Figure: Client connected to Server #1, Server #2 and Server #3]
Elusive Interfaces
• Distributed Object and Component Applications: primitive pairwise relationships
• End-to-end encryption techniques practically incompatible with high speed networks
• Ideas
  » Low-cost encryption techniques based on interface structure
  » Adapt and manage automatically in response to changes
  » Systematic analysis of opportunities, costs, and capabilities
[Figure: High Speed Net; Untrusted Net; Specialized Cryptography Hardware; Time-varying]
Security Overhead
• SSL inline overhead (excluding initial exchange protocol)
  » 4x fixed overhead; 17x per byte costs (~2Mbits)
  » 56-bit keys, 500 MHz Pentium IIs, 100 Mbit Ethernet
  » Cleartext protocol stacks barely feed high speed networks
[Figure: "2 node latency"; x-axis Bytes (0 to 8192), y-axis ms (0 to 70); two series, SSL and No SSL]
Case Study: Elusive Interfaces
• European Molecular Biology Laboratory’s Nucleotide Sequence Database (NSDB)
• 41 methods, 4 distinct interfaces, various numbers of arguments
• Wide range of data access mechanisms (standard queries) and attribute information
• Application at simple end of the spectrum

Embl
  EmblSeq Embl.getEmblSeq (string)
EmblSeq
  ULONG EmblSeq.getCountA ()
  ULONG EmblSeq.getCountC ()
  ULONG EmblSeq.getCountG ()
  ULONG EmblSeq.getCountT ()
  ULONG EmblSeq.getEntryVersion ()
  ULONG EmblSeq.getCheckSum ()
  ULONG EmblSeq.getBioSeqVersion ()
  ULONG EmblSeq.getLength ()
  String EmblSeq.getEntryName ()
  String EmblSeq.getEntryStatus ()
  String EmblSeq.getDescription ()
  String EmblSeq.getMoleculeType ()
  String EmblSeq.getSeq ()
  String EmblSeq.getTopology ()
  String EmblSeq.getBioSeqId ()
  RevisionList EmblSeq.getRevisions ()
  String EmblSeq.getSubSeqByFeature (NucFeature)
  tk_array EmblSeq.getAnySeq ()
  String EmblSeq.getSubSeq (ULONG, ULONG)
  StringList EmblSeq.getSecondaryIds ()
  StringList EmblSeq.getComments ()
  StringList EmblSeq.getKeyWords ()
  DbXrefList EmblSeq.getDbXrefs ()
  DbXrefList EmblSeq.getReferences ()
  DbXrefList EmblSeq.getOrganisms ()
  NucFeatureList EmblSeq.getNucFeaturesByKey (string)
  Location EmblSeq.getLocalLocation (NucFeature)
  NucFeatureList EmblSeq.getNucFeatures ()
  Location EmblSeq.geReferenceLocation (string)
NucFeature
  String NucFeature.getFeatureId ()
  String NucFeature.getKey ()
  FeatureLocation NucFeature.getLocation ()
  ULONG NucFeature.getFeatureVersion ()
  Qualifier NucFeature.getQualifier (string)
  DbXrefList NucFeature.getNucSeqs ()
  QualifierList NucFeature.getQualifiers ()
FeatureLocation
  String FeatureLocation.getLocationString ()
  String FeatureLocation.getSeq ()
  NucFeature FeatureLocation.getNucFeature ()
  LocationNodeList FeatureLocation.getNodes ()
Dimensions of Interface Manipulation
• Method offset value
• Method offset spacing
• Method offset location (in message)
• Parameter location
• Parameter organization*
• Parameter encryption
• Parameter buffering
• Flexible packetization
• Temporal variation
• . . .
Practical Encoding Space
• How large a space can we generate for an attacker?
  » Analyze all possible configurations of the parameters
  » Potential for obscuring application information (published interfaces)
  » Incorrect probes all detected
  » (details available in a forthcoming report)

Encoding Space (NSDB)
  No increase in Communication Traffic: 10^6 – 10^8
  Increasing Communication Traffic by adding Parameters: 10^8 – 10^16 (most benefits with a few parameters)
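A worked example of the interface mutation idea from the "Dimensions of Interface Manipulation" and "Practical Encoding Space" slides, added here and not code from the Agile Objects project: each time epoch picks one point in the encoding space (method offset value, offset spacing, parameter order), the decoder rejects any probe whose offset is not in the current sparse set, and a keyed tag rejects messages encoded under another epoch. The wire layout, HMAC-SHA256 as the PRF, string-typed parameters and the six-method subset of the NSDB EmblSeq interface are assumptions.

```python
import hashlib
import hmac
import random
import struct
from math import factorial

# Constructed subset of the NSDB EmblSeq interface from the slides: method -> argument count.
METHODS = {"getCountA": 0, "getCountG": 0, "getLength": 0,
           "getSubSeq": 2, "getNucFeaturesByKey": 1, "getEntryName": 0}
SPACINGS, BASES = [3, 5, 7, 11], range(1, 200)

def derive_config(secret: bytes, epoch: int) -> dict:
    """One point in the encoding space per epoch (temporal variation); HMAC-SHA256 as PRF is an assumption."""
    seed = hmac.new(secret, b"cfg" + struct.pack(">Q", epoch), hashlib.sha256).digest()
    rng = random.Random(int.from_bytes(seed, "big"))
    slots = list(range(len(METHODS)))
    rng.shuffle(slots)                       # method offset value: which slot each method occupies
    spacing, base = rng.choice(SPACINGS), rng.choice(BASES)   # method offset spacing and base
    offsets = {name: base + spacing * slot for name, slot in zip(METHODS, slots)}
    return {"offsets": offsets, "by_offset": {v: k for k, v in offsets.items()},
            "swap_args": rng.random() < 0.5,  # parameter organization: reversed argument order
            "key": hmac.new(secret, b"mac" + struct.pack(">Q", epoch), hashlib.sha256).digest()}

def config_space_size() -> int:
    """Distinct encodings this toy can choose from without adding any traffic."""
    return factorial(len(METHODS)) * len(SPACINGS) * len(BASES) * 2

def encode(cfg: dict, method: str, args: list) -> bytes:
    """Wire format: 8-byte tag | 2-byte method offset | NUL-separated string arguments."""
    if len(args) != METHODS[method]:
        raise ValueError("wrong argument count for " + method)
    ordered = args[::-1] if cfg["swap_args"] else args
    body = struct.pack(">H", cfg["offsets"][method]) + b"\0".join(a.encode() for a in ordered)
    return hmac.new(cfg["key"], body, hashlib.sha256).digest()[:8] + body

def decode(cfg: dict, msg: bytes):
    """Return (method, args), or None when the message is a probe, stale or forged."""
    if len(msg) < 10:
        return None
    tag, body = msg[:8], msg[8:]
    method = cfg["by_offset"].get(struct.unpack(">H", body[:2])[0])
    if method is None:                       # offset outside this epoch's sparse set: probe
        return None
    if not hmac.compare_digest(tag, hmac.new(cfg["key"], body, hashlib.sha256).digest()[:8]):
        return None                          # plausible offset but wrong epoch or tampered
    argc, rest = METHODS[method], body[2:]
    parts = rest.split(b"\0") if argc else []
    if len(parts) != argc or (not argc and rest):
        return None
    args = [p.decode() for p in parts]
    return method, (args[::-1] if cfg["swap_args"] else args)
```

With six methods this toy already yields about 1.1 million configurations, the low end of the slide's 10^6 to 10^8 range, without adding a byte to any message.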
Initial Observations
• Space is large and proportional to interface complexity (increasing?)
• Interface encoding to be performed at line speed using custom-generated code sequences
• Relationship to classical cryptography approaches needs to be developed (cost, difficulty of attack)
• Current: manual experiments; building a general prototype for broader experimentation
Agile Objects Project Plan
[Figure: timeline chart with two tracks, status marked at 2/00]
Location Elusiveness track: High Performance RPC → Distribution Insensitivity (RPC & Real-time Scheduling) → Object Migration integrated with Distribution Insensitivity → Location Elusiveness Demonstration
Interface Elusiveness track: Analytical Foundations & Case Studies → Mutation Prototype → Dynamic Mutation Prototype (online, reactive) → Interface Elusiveness Demonstration
Both tracks converge on: Integrated Demonstration
Quantitative Metrics
• Location Elusiveness
  » Speed of remote RPC, ratio of local/remote
  » Time of application reconfiguration (physical network parameters, applications)
  » Granularity/precision of real-time guarantees
• Interface elusiveness
  » Size of reconfiguration space, range of techniques
  » Reconfiguration Cost
  » Reconfiguration Delay
• Scale of Demonstrations
Expected Major Achievements
• Location Elusiveness: Distribution insensitive distributed applications
  » High Performance RPC which enables flexible configuration
  » Online Migration and Replication
  » Real-time applications which reconfigure while maintaining performance guarantees
• Interface Elusiveness: Characterize space of interface mutation and dynamic coordination mechanisms
  » Crystallize a framework for adaptive interface mutation management (reconfiguration, cost, space)
  » Configuration independent application security specifications
• Develop a range of targeted responses based on Intrusion Detection & System status information
• Integrate techniques for a unified Agile Objects approach and demonstration