A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware Amjad Umar Farooq Anjum Rabih Zbib Abhrajit Ghosh DARPA BAA0015 Intrusion Tolerance

Dec 29, 2015


Ross Gibbs
Transcript

A Comprehensive Approach for Intrusion Tolerance Based on Intelligent Compensating Middleware

Amjad Umar, Farooq Anjum, Rabih Zbib, Abhrajit Ghosh

DARPA BAA0015

Intrusion Tolerance


Some Examples (from “Dark”)

• Situation: XML “Trade Languages” in many industry segments based on a common DTD. DTD is used to validate the information being exchanged between trading partners.
  – Threat: Someone modifies the DTD (or DTD parser) so that every transaction becomes invalid
• Situation: Pub/subscribe for Integration. Many organizations, such as JBI (Joint Battlespace Infosphere), are beginning to use publish/subscribe platforms.
  – Threat: someone damages/modifies the P/S channel
• Situation: components (EJBs, CORBA components) are being positioned to develop many applications. Vendors are providing EJBs for industry segments (Financial). Components are “dropped in” to containers that provide security, transaction etc.
  – Threat: someone contaminates container disabling industry segments
• Other examples:
  – “electronification” of supply chains
  – call agent for VOIP

JBI web site: http://www.sab.hg.af.mil/archives/index.html


Background and Scope

Motivated by
– Army Fed Labs (ATIRP) -- Information distribution in battlefields
– Ebusiness “Frontiers” - Extended enterprises, large scale integration
– Telecommunications - OSSs, call agents

Common problem: getting uniformity out of non-uniformity (same COTS from same supplier with different capabilities at different sites)

What threats/attacks is your project considering
– Focus on assault tolerance (“threat model”)
– Vicious attack to damage/disable (attacks may be subtle)
– Explore “dark points” (e.g., attacks on emerging COTS with heavy use)

What assumptions does your project make
– Very knowledgeable attacker (can infer what you are relying on to conduct operations)
– Knows your weak points (e.g., middleware stack)

What policies can your project enforce
– Concentrate on “continue to operate as long as possible” and higher


Applications are increasingly relying on layers of technologies

[Figure: layered technology stack. Labels: E-Purchasing; Trading Hubs, Large collaborative systems; Web App, MS Office; Higher Level Middleware (“Upperware”); EC Middleware; General Purpose Middleware; Intrusion Tolerance; Operating Systems, DBMS, ...; Network Services (PSTN, IP, NGN, ...); Software; Infrastructure]


Sidebar: IT infrastructure needed to support Modern Apps (a Checklist)

NGE Specific (“Advanced”) Middleware
- Middleware to support mobility
- Collaborative computing software that spans multiple organizations
- Workflow and transaction management across multiple enterprises that cooperate in virtual operations
- Clearinghouse/Auctioning/electronic marketplaces support
- EC middleware such as for advertising, browser/navigation, negotiation and trading, purchase and delivery, invoicing/billing, payment and reconciliation, EDI, directories, catalogs
- Gateways and interfaces of NGE with traditional systems (EAIs, ERPs)

Basic EC specific Middleware:
- Catalogs
- EDI
- Transaction Management
  - Queued Messaging/Transactions
  - Transaction Services for Web Commerce
  - Object transaction services
  - Internet transaction services

Advanced General Purpose Middleware
- Distributed Object Technologies (Java, CORBA, DCOM)
- Message oriented middleware for wrappers
- Workflow Management (simple, single organization)
- Transaction Management (Transaction Services for Web Commerce, Object transaction services, Internet transaction services)
- Enterprise Application Integrators (EAI)
- Wireless Middleware
- Collaborative services support
- Groupware
- Additional security and management support
- Remote Operation Infrastructure (CORBA/DCOM/RPC)

Basic General Purpose Middleware
- File Transfer, Telnet
- Messaging and Email services
- Web services (HTML, XML, HTTP, Java Applets, Browsers and W3 Servers)
- Remote Data Access Infrastructure (SQL/ODBC/JDBC) for accessing data
- Remote processing access (e.g. Sun RPC, Sockets)
- Basic security services (e.g. SSL)
- Service Management Systems to support and manage the infrastructure

Network services
- VPN services
- Voice/data integration
- IP routers and Gateways
- Network segments: LANs, MANs, WANs
- Network elements (Frame relay, ATM, DSL, Sonet, ...)


Problem Statement and Approach

Intrusion tolerant systems must, as stated in the BAA00-15 PIP, be able to
– maintain the integrity of application data and programs
– assure high availability under information attacks

Our Approach: Attempt to address both issues

a) For integrity of application data and programs, we attempt to provide
– capabilities to make the application programs and data intrusion tolerant.
– integrity of “behaviour of application” by assuring intrusion tolerance of middleware itself.

b) For high availability, our focus is also on middleware since availability of network, hardware, and system software is discussed heavily elsewhere.


Reality Check: How To Introduce Intrusion Tolerance in Middleware (any COTS)

Given:
- a set of requirements R (e.g., intrusion/assault tolerance)
- M middleware components are available (M > 200)
- m middleware components (where m < M) that do not satisfy R

Find the most practical approach to satisfy R

Possible approaches:
• Extend the non-conforming m middleware components to satisfy R (not doable).
• Imbed the functionality in the applications (not advisable).
• Build completely new middleware M’ (not advisable).
• * Build intelligent compensating middleware (ICM) that provides the missing functionality and interworks with m through an open API


Intelligent Compensating Middleware for Intrusion/Assault Tolerance (Detailed View)

[Figure labels: Applications; H-API; COTS Middleware; L-API; Network Services; Intrusion Triggers; ICM with Operational Knowledgebase, FRS (Fragmentation, Replication, Scattering), Scheduler, and IT Components (R, F, S, A, Encryption); arrows A1, A2, A3, B1, B2, B3, C]

•Arrows A1, A2, A3 indicate Path A (ICM as a lower level service)
•Arrows B1, B2, B3 indicate Path B (ICM as a higher level service)
•Arrow C indicates Path C (ICM invoked by intrusion triggers in random order)


Policies (Specified in Operational Knowledgebase)

Protection Policy (secrecy, IT)

              | No IT      | R          | FRS        | FRSA
No Encryption | P-Policy 0 | P-Policy 2 | P-Policy 4 | P-Policy 6
Encryption    | P-Policy 1 | P-Policy 3 | P-Policy 5 | P-Policy 7

Protection policies can be described for
•applications (by users or system administrators)
•middleware also (by system administrators)

Recovery Policies to specify level of recovery from intrusions

R-Policy 0 | Stop, send message
R-Policy 1 | Stop, reload, continue
R-Policy 2 | Continue to allow shutdown
R-Policy 3 | Continue as long as possible
R-Policy 4 | Continue under all conditions

Compensation

Recovery policies can be inferred from Protection Policies and vice versa


An XML-CORBA Example

[Figure labels: Client; Server; Customer Information; Applications; XML Support Middleware; IDL (XML); CORBA Services; Oracle]

CORBA Services
•Basic services (finding and invoking objects)
•Thread services (create and manage threads)
•Object life cycle services (create, destroy objects)
•Naming services (facilitate portable names)
•Others: Event, Trading, transactions, Persistence, ...

      | P-Policy | R-Policy
App   | 6 (FRSA) | 4 (always)
CORBA | 4 (FRS)  | 4 (always)
XML   | 1 (E)    | 2 (graceful shut down)


ICM higher layer services

Purpose:
• Make application itself intrusion tolerant
• Level of intrusion tolerance is specified by protection policies

How will it work (example: FRSA specified):
– Startup: FRSA the application - data and DTD (one copy in highly secure site)
– Normal runtime: keep updating FRSs (based on policy)
– Under attack - indicated by triggers (recovery policy is “Continue under all conditions”):
  • No damage to application; no action required (pass to monitor)
  • partly damaged - isolated (database destroyed, or DTD overwritten): use replicated database or DTD
  • partly damaged but unpredictable or severely damaged - attempt to rebuild/reconstruct. Give up with messages to roll back, restart
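
The FRS steps above (scatter at startup, fall back to a replicated copy, reconstruct after damage), as an added Python example; it is not code from the authors' prototype. The round-robin placement rule, the SHA-256 manifest kept at the highly secure site, the site names and the sample DTD are assumptions made for illustration.

```python
import hashlib
from itertools import combinations

# Constructed sample input: a small DTD and five hypothetical storage sites.
SAMPLE_DTD = b"<!ELEMENT order (customer, item+)>\n<!ELEMENT customer (#PCDATA)>\n"
SITES = ["site-a", "site-b", "site-c", "site-d", "site-e"]

def _digest(blob):
    return hashlib.sha256(blob).hexdigest()

def frs_scatter(data, n_fragments, n_replicas, sites):
    """Fragment data, replicate each fragment, scatter the copies over sites.

    Returns (placement, manifest): placement maps site -> {index: bytes};
    manifest holds each fragment's SHA-256 digest, assumed to be kept at the
    highly secure site so that tampered copies can be rejected."""
    if n_fragments < 1 or not 1 <= n_replicas <= len(sites):
        raise ValueError("need >= 1 fragment and one distinct site per copy")
    size = max(1, -(-len(data) // n_fragments))  # ceiling division
    fragments = [data[i * size:(i + 1) * size] for i in range(n_fragments)]
    placement = {site: {} for site in sites}
    for idx, frag in enumerate(fragments):
        for r in range(n_replicas):
            # Assumed placement rule: round-robin, so the copies of one
            # fragment always land on n_replicas different sites.
            placement[sites[(idx + r) % len(sites)]][idx] = frag
    return placement, [_digest(f) for f in fragments]

def reconstruct(placement, manifest, unreachable=()):
    """Rebuild from reachable sites, skipping copies that fail the digest
    check. Returns None when some fragment has no good copy left."""
    parts = []
    for idx, want in enumerate(manifest):
        good = [frags[idx] for site, frags in placement.items()
                if site not in unreachable and idx in frags
                and _digest(frags[idx]) == want]
        if not good:
            return None
        parts.append(good[0])
    return b"".join(parts)

def tolerated_site_losses(placement, manifest):
    """Largest k such that the object survives the loss of ANY k sites."""
    sites = list(placement)
    for k in range(1, len(sites) + 1):
        if any(reconstruct(placement, manifest, lost) is None
               for lost in combinations(sites, k)):
            return k - 1
    return len(sites)

def exposure(placement, manifest, site):
    """Fraction of the fragments an intruder reads by taking over one site."""
    return len(placement[site]) / len(manifest)
```

With five fragments, two copies each and five sites, the object survives any single site loss and each site holds 40% of the fragments; three copies tolerate a second loss at the cost of 60% exposure per site.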


ICM lower layer services

Purpose:
• Make COTS middleware intrusion tolerant
• Level of intrusion tolerance is specified by protection policies

How will it work (example: CORBA = FRS, XML = E specified):
– Startup: FRS the CORBA middleware, encrypt XML middleware
– Normal runtime: keep updating FRSs of CORBA and verifying XML
– Under attack - indicated by triggers (recovery policy is “Continue as long as possible” and “graceful shutdown”):
  • No damage to middleware; no action required
  • partly damaged - identified (directory destroyed): restore replicated directory
  • partly damaged but unpredictable or severely damaged
    – for XML, send message, reload
    – for CORBA:
      • Switch to another middleware (e.g., MOM) to continue operation
      • ICM itself takes over completely in case of disasters (can send/receive info through an open API invoked through interceptors)


Operational Knowledgebase - Rules for operation

Protection Policy | Startup | Normal Runtime | Sample Intrusion Recovery rules
Policy 0 | Nothing | Nothing | Stop, send a message
Policy 1 | Encryption | Verify for authorized access | Stop, reload
Policy 2 | Replicate | Update replicated copies | Switch to replicated copy
Policy 3 | Encrypt, replicate | Verify, Update replicated copies | Switch to replicated copy
Policy 4 | Fragment, replicate, scatter | Maintain operational view of FRS | Reconstruct from FRSd
Policy 5 | Encrypt, FRS | Verify, Maintain operational view of FRS | Reconstruct from FRSd
Policy 6 | Fragment, replicate, scatter, adapt | Maintain operational view of FRSA | Switch to another middleware, if possible
Policy 7 | Encrypt, Fragment, replicate, scatter, adapt | Maintain operational view of FRSA | Switch to ICM as a fall-back middleware

Also contains what needs to be compensated where


Scheduler and Triggers

Scheduler:
– Invoked by the triggers (subscriber)
– consults the knowledgebase to determine what to do
– invokes high level for app
– invokes low level for middleware

Intrusion Triggers:
• detect intrusions
• publish intrusions as events
  – No damage
  – Modified (isolated)
  – Modified (not isolated)
  – Disaster

[Figure labels: Intrusion Triggers (Publisher); Intrusion Channel, carrying events such as “No damage”; Subscribers: Administrator, Scheduler; Operational Knowledgebase; H-API; L-API; IT Components (R, F, S, A, Encryption)]


Intrusion Tolerant Components

• Use the EJB (CORBA Component) type model
• “Intrusion Tolerant Container”
• Components dropped in the container

[Figure labels: Fragmentation; Redundancy; Scattering; Encryption; Agents; Others; Core-ICM; Middleware]


Work Done So Far (since June 22)

Task 1: Impact Analysis
– Several cases gathered about various newer COTS and possible threats

Task 2: Architecture Specification
– Rough outline prepared

Task 3: Software prototyping
– A simple prototype working (inherited from Army)
– Compensates/adjusts for wireless/wired networks and network congestions
– Examining how to extend it

Task 4: FRSA Evaluation
– Quantify the level of intrusion tolerance achieved based on
  • Degree of Fragmentation
  • Degree of Redundancy
  • Degree of Scattering
– Collaboration between Agents to achieve the given level of intrusion tolerance
– The combined effect of FRS schemes and cryptographic schemes
– Analytical models to evaluate tradeoffs (

Task 5: Operational Management (optional)
– Some initial thoughts (from OSSs)


D. Schedule of Milestones

[Figure: milestone chart by quarter, 3Q GFY 2000 through 4Q GFY 2003. Rows: Task 1 Impact Analysis; Task 2 Architecture; Task 3 Software; Task 3-Opt; Task 4 Evaluation of FRSA; Task 5 (opt.) Management]


Technology Transfer

• Publicize the results of the work in academic/industrial conferences
• Investigate the possibility of initiating an Intrusion Tolerance Task Force in OMG (we are already active members of the OMG Fault Tolerance Task Force)
• Work with DARPA to identify potential transition to military customers. In particular, Army Research Lab, JBI, National Security Agency and CECOM
• Leverage Telcordia’s industrial position to pursue the following avenues:
  – Work with some vendors to introduce the results of our research directly into the future COTS middleware.
  – Utilize the concepts and software produced by this research in building the future intrusion tolerant telecommunications operation support systems (OSSs).
  – Build intrusion tolerance as a consulting offer that will promote the practice of intrusion tolerance.


Risks and Issues

Difficult to keep up with emerging COTS (will have to be selective)

May have to change direction of research somewhat due to industry evolution (not sure about DARPA process)

Some spaces may be too dark for DARPA


Conclusions

Focus on:
– Dependability from undependable COTS
– Assault tolerance (“threat model”)
– Explore “dark points” (e.g., attacks on emerging COTS with heavy use)

Approach: intelligent compensation to introduce IT on
– applications
– middleware

Main interest in building flexible architectures that can automatically adjust/compensate for missing functionalities in available COTS


Backup stuff


Middleware

Definition: MIDDLEWARE is a set of common business/industry-unaware services enabling applications and end users to interact with each other across a network.

• It resides above the network and below the business-aware application software.
• Examples: email, Web, CORBA, distributed transaction processors, data replicators, workflow systems, collaborating systems
• More than 200 middleware packages (Gartner)

[Figure: two stacks, each labelled Application / Middleware / Network]


Intelligent Compensating Middleware for Intrusion/Assault Tolerance (High Level View)

• Runs on trusted machines
• Compensation at startup, normal runtime, intrusion recovery
• Intended for large scale systems
• Different levels of compensation needed at different sites

[Figure labels: Applications; COTS Middleware; Network Services; Intrusion Triggers (publish intrusion events); Operational Knowledgebase; ICM; arrows A1, A2, A3, B1, B2, B3, C]