Agile Objects: Component-based Inherent Survivability

University of California, San Diego Computer Science and EngineeringConcurrent Systems Architecture Group

Agile Objects: Component-based Inherent Survivability

Andrew A. Chien* and Jane W. Liu**

*University of California, San Diego

**University of Illinois, Urbana-Champaignhttp://www-csag.ucsd.edu/projects/agileO.html

DARPA ISO Intrusion Tolerant Systems PI Meeting

February 22, 2000

Andrew A. Chien – 2/22/2000

2University of California, San Diego Computer Science and EngineeringConcurrent Systems Architecture Group

Outline

• Agile Objects Approach» Location Elusiveness» Interface Elusiveness

• Detailed Technical Approach» Previously Reported» Progress in past six months

• Future Plans



Background/Existing Practice

• Static Distributed Software Architectures (nearly)» Fixed points of access, deployment, resource dependence

• System/Firewall/Sandbox/Domain based Security» Resource and containment oriented

• Security Architecture based on Anticipated Deployment Structures

• => Flexibility and reconfiguration can enhance survivability• Our Focus: Flexible Configuration of Distributed C3I Systems (Real-

time, High Performance, Mission-Critical Online systems)» E.g. Aegis Battle Cruiser, Theatre Command/Information system, etc.



Focus: Tolerance and Response

• Resource revocation due to loss» Physical loss, destruction, crash (failure)

• Resource loss due to compromise» Corruption, compromise, unacceptable risk

• Resources made undesirable due to changes in security status» Under attack, detected assaults, partially compromised, loss of other

security critical information» Proactive reconfiguration in response to partial loss



Technical Objectives

• Flexible Configuration of Distributed C3I Systems» Performance» Application Architecture» Security

• Location Elusiveness» Survivability (resource loss or compromise)» Continued Real-time performance

• Interface Elusiveness» Survivability (automatic, distributed attack)» Adaptive Interfaces/Security Mechanisms over Reconfiguration» Dynamic Responses to Environmental Changes

• Prototypes and Demonstrations that support commercial API’s



Technical Approach

• Increase application capability thru Enhanced Middleware for Distributed Objects and Components» Benefit to Standard API’s

• Survivability thru Elusiveness» Distributed Applications without fixed resources or configuration» Security structures adapt to configuration/performance constraints» Difficult to locate, target, identify, Difficult to compromise

Agile Objects Middleware



Example Scenario

• Distributed object/Component applications

• Online reconfiguration enables a flexible dynamic response to resource or security change

• Response to critical events achieved in short time scales (seconds)

• Automatically reconfiguration maintains performance and security properties

System#1 System#2 System#3

Evacuate #1

Reconfigure to new Resources



Challenges

• Location Elusiveness: Support rapid application mobility with» Performance insensitivity» Uniform resource access» Continuous real-time performance» => make this real for significant distributed applications

• Interface Elusiveness: Adapt security mechanisms and configuration» Support *very* high speed networks » Describe system application security requirements» Manage and enforce security requirements, adapting in real

time to match rapid changes



Detailed Technical Approach

• Location Elusiveness» Theoretical and Analytical Foundations

– High Performance Distributed Objects– Migration and Scalable Name Service– Dynamic Open Real-time Systems

» Prototypes and Demonstrations– High performance distributed objects– Object Migration and Replication – Open Real Time systems and Distributed Resource Managers– Experiment with existing applications for transparent static

redistribution– Performance experiment and demonstrations with cluster/LAN and

wide-area environments



Detailed Technical Approach (cont.)

• Interface Elusiveness» Theoretical and Analytical Foundations

– Mutating Interfaces Space/Complexity/Performance (static)– Mutating Interfaces Dynamic Coordination (dynamic)– Mutating Interfaces Targeted (specific response)

» Prototypes and Demonstrations– Interface Mutation Prototypes (range, correct operation)– Dynamic Mutation (consistent operation, reconfiguration, resource

adaptation)– Demonstration and evaluation of several approaches for distributed

coordination– Demonstration and evaluation of targeted responses based in intrusion

detection information

• Integrated Experiments



Progress

• Previously reported results (8/99)» User-level networking performance» Fast Remote RPC (+ improving)» Basic Real-time Framework

• Recent Results» Multi-DCOM Prototype» Elusive Interfaces Case Study

• Future Plans» Experimentation with Multi-DCOM Prototype» Elusive Interfaces Prototype



Multi-DCOM Infrastructure

• Generic Transparent Interface for Replication» Based on DCOM infrastructure (binary modules of all derivations)

• “Iterator” based API: compatibility and basis for extension and experimentation» Experimentation framework for flexible replication (Fault and Intrusion

Tolerance)» Partial redundancy/threshold cryptography approaches (e.g. Pasis, etc.)

Client Server #2

Server #1

Server #3



Elusive Interfaces

• Distributed Object and Component Applications: primitive pairwise relationships• End-to-end encryption techniques practically incompatible with high speed

networks• Ideas

» Low-cost encryption techniques based on interface structure» Adapt and manage automatically in response to changes» Systematic analysis of opportunities, costs, and capabilities

High Speed Net

Untrusted Net

Specialized CryptographyHardware

Time-varying



Security Overhead

• SSL inline overhead (excluding initial exchange protocol) » 4x fixed overhead; 17x per byte costs (~2Mbits)» 56-bit keys, 500Mhz Pentium II’s, 100Mbit Ethernet» Cleartext protocol stacks barely feed high speed networks

2 node latency

0

10

20

30

40

50

60

70

0 1024 2048 3072 4096 5120 6144 7168 8192

Bytes

ms

SSL

No SSL



Case Study: Elusive Interfaces

• European Molecular Biology Laboratory’s Nucleotide Sequence Database (NSDB)

• 41 methods, 4 distinct interfaces, various numbers of arguments

• Wide range of data access mechanisms (standard queries) and attribute information

• Application at simple end of the spectrum

EmblSeq Embl.getEmblSeq (string)

ULONG EmblSeq.getCountA ()ULONG EmblSeq.getCountC ()ULONG EmblSeq.getCountG ()ULONG EmblSeq.getCountT ()ULONG EmblSeq.getEntryVersion ()ULONG EmblSeq.getCheckSum ()ULONG EmblSeq.getBioSeqVersion ()ULONG EmblSeq.getLength ()

String EmblSeq.getEntryName ()String EmblSeq.getEntryStatus ()String EmblSeq.getDescription ()String EmblSeq.getMoleculeType ()String EmblSeq.getSeq ()String EmblSeq.getTopology ()String EmblSeq.getBioSeqId ()

RevisionList EmblSeq.getRevisions () String EmblSeq.getSubSeqByFeature (NucFeature)

tk_array EmblSeq.getAnySeq () String EmblSeq.getSubSeq (ULONG, ULONG)

StringList EmblSeq.getSecondaryIds ()StringList EmblSeq.getComments ()StringList EmblSeq.getKeyWords ()

DbXrefList EmblSeq.getDbXrefs ()DbXrefList EmblSeq.getReferences ()DbXrefList EmblSeq.getOrganisms ()

NucFeatureList EmblSeq.getNucFeaturesByKey (string)

Location EmblSeq.getLocalLocation (NucFeature)

NucFeatureList EmblSeq.getNucFeatures ()

Location EmblSeq.geReferenceLocation (string)

String NucFeature.getFeatureId ()String NucFeature.getKey ()

FeatureLocation NucFeature.getLocation ()

ULONG NucFeature.getFeatureVersion ()

Qualifier NucFeature.getQualifier (string)

DbXrefList NucFeature.getNucSeqs () QualifierList NucFeature.getQualifiers ()

String FeatureLocation.getLocationString ()String FeatureLocation.getSeq ()

NucFeature FeatureLocation.getNucFeature ()

LocationNodeList FeatureLocation.getNodes ()



Dimensions of Interface Manipulation

• Method offset value• Method offset spacing• Method offset location (in message)• Parameter location• Parameter organization*• Parameter encryption• Parameter buffering• Flexible packetization• Temporal variation• . . .



Practical Encoding Space

• How large a space can we generate for an attacker?» Analyze all possible configurations of the parameters» Potential for obscuring application information (published interfaces)» Incorrect probes all detected» (details available in a forthcoming report)

Encoding Space (NSDB)

No increase in Communication Traffic

106 – 108

Increasing Communication Traffic by adding Parameters

108 – 1016

(most benefits with a few parameters)



Initial Observations

• Space is large and proportional to interface complexity (increasing?)

• Interface encoding to be performed a line speed using custom-generated code sequences

• Relationship to classical cryptography approaches needs to be developed (cost, difficulty of attack)

• Current: manual experiments, Building a general prototype for broader experimentation



Agile Objects Project PlanLocation Elusiveness Interface Elusiveness

Integrated Demonstration

Interface Elusiveness Demonstration

Dynamic Mutation Prototype(online, reactive)

Mutation Prototype

Analytical Foundations &Case Studies

Location Elusiveness Demonstration

Location Elusiveness Demonstration

Object Migration integratedwith Distribution Insensitivity

Distribution Insensitivity(RPC & Real-time Scheduling)

High Performance RPC 2/00Status



Quantitative Metrics

• Location Elusiveness» Speed of remote RPC, ratio of local/remote» Time of application reconfiguration (physical network

parameters, applications)» Granularity/precision of real-time guarantees

• Interface elusiveness» Size of reconfiguration space, range of techniques» Reconfiguration Cost» Reconfiguration Delay

• Scale of Demonstrations



Expected Major Achievements

• Location Elusiveness: Distribution insensitive distributed applications» High Performance RPC which enables flexible configuration» Online Migration and Replication » Real-time applications which reconfigure while maintaining performance

guarantees

• Interface Elusiveness: Characterize space of interface mutation and dynamic coordination mechanisms» Crystallize a framework for adaptive interface mutation management

(reconfiguration, cost, space)» Configuration independent application security specifications

• Develop a range of targeted responses based on Intrusion Detection & System status information

• Integrate techniques for a unified Agile Objects approach and demonstration

Date post:	14-Jan-2016
Category:	Documents
Upload:	aolani
View:	21 times
Download:	0 times

Agile Objects: Component-based Inherent Survivability

Documents