MILCOM 2001 October 30 -- page 1 Defense Enabling Using Advanced Middleware: An Example Franklin Webber, Partha Pal, Richard Schantz, Michael Atighetchi,

MILCOM 2001 October 30 -- page 1

Defense Enabling Using Advanced Middleware: An Example

Franklin Webber, Partha Pal, Richard Schantz, Michael Atighetchi, Joseph Loyall

BBN Technologies

QuOQuO


Defense-Enabled Software Applications

Some software applications can be given increased resistance to malicious attack even though the environment in which they run is untrustworthy.

Any such application is “defense-enabled”.


Research On Defense Enabling

Sponsored by DARPA/ATO

Part of Fault-Tolerant Networking Program


A Distributed Military Application


A Cyber-Attack


An Abstract View

Attacker

Data Processing(Fusion,Analysis,Storage,

Forwarding,etc.)

DataUser

DataSource


Traditional Security

AttackerApplication

PrivateResources

PrivateResources

LimitedSharing

Trusted OSs and Network


Most OSs and Networks In Common Use Are Untrustworthy

AttackerApplication

PrivateResources

PrivateResources

LimitedSharing

OSs and Network


Cryptographic Techniques Can Block (Most) Direct Access to Application

AttackerApplication

PrivateResources

PrivateResources

LimitedSharing

OSs and Network

Crypto

OSs and Network


Attacker

Raw ResourcesCPU, bandwidth, files...

OSs and Network IDSs Firewalls

Firewalls Block Some Attacks;Intrusion Detectors Notice Others

Application

Crypto


ApplicationAttacker

Raw ResourcesCPU, bandwidth, files...

QoS Management

Crypto

OSs and Network IDSs Firewalls

Defense-Enabled Application CompetesWith Attacker for Control of Resources


QuO Adaptive Middleware Technology

QuO is DARPA Quorum developed middleware that provides:•interfaces to property managers, each of which monitors

and controls an aspect of the Quality of Service (QoS)offered by an application;

•specifications of the application’s normal and alternateoperating conditions and how QoS should dependon these conditions.

QuO has integrated managers for several properties:•dependability (DARPA’s Quorum AQuA project)•communication bandwidth

(DARPA’s Quorum DIRM project)•real-time processing

(using TAO from UC Irvine/WUStL)•security (using OODTE access control from NAI)

QuOQuO


QuO adds specification, measurement, and adaptation into the distributed object model

ApplicationDeveloper

MechanismDeveloper

CLIENT

Network

operation()

in args

out args + return value

IDLSTUBS

IDLSKELETON

OBJECTADAPTER

ORB IIOP ORBIIOP

CLIENT OBJECT(SERVANT)OBJECT(SERVANT)

OBJREF

CLIENT

DelegateContract

SysCond

Contract

Network

MECHANISM/PROPERTYMANAGER

operation()

in args


IDLSTUBS

Delegate

SysCond

SysCond

SysCond

IDLSKELETON

OBJECTADAPTER

ORB IIOP ORBIIOP


OBJREF

ApplicationDeveloper

QuODeveloper

MechanismDeveloper

CO

RB

A D

OC

MO

DE

LQ

UO

/CO

RB

A D

OC

MO

DE

L


The QuO Toolkit Supports Building Adaptive Apps or Adding Adaptation to Existing Apps

• QuO aspect languages– Contract description language and

adaptive behavior description language

– Code generators that weave QuO code into Java and C++ applications

• System Condition Objects– Provide interfaces to resources,

managers, and mechanisms

• QuO Runtime Kernel– Contract evaluator– Factory object which instantiates

contract and system condition objects

• Instrumentation library• QuO gateway

– Insertion of special purpose transport layers and adaptation below the ORB

QuO GatewayQuO Gateway

IIOPGlue

Control

Clie

nt-S

ide

OR

B

IIOP Group Replication (AQuA)

WAN

Bandwidth Reservation (DIRM)

IIOP over TCP/IP (default)

IIOPGlue

Control

IIOP

Serv

er-S

ide

OR

B

CLIENT

DelegateContract

SysCond

Contract

Network

MECHANISM/PROPERTYMANAGER

operation()

in args


IDLSTUBS

Delegate

SysCond

SysCond

SysCond

IDLSKELETON OBJECT

ADAPTER

ORB IIOP ORBIIOP


OBJREF

CORBA IDL

CodeGenerators

CodeGenerators

Contract DescriptionLanguage (CDL)

Adaptation SpecificationLanguage (ASL)

QuO RuntimeQuO Runtime

Delegates Contracts


Implementing Defenses in Middleware

•for simplicity:•QoS concerns separated from functionality of application.•Better software engineering.

•for practicality:•Requiring secure, reliable OS and network support is not currently cost-effective. •Middleware defenses will augment, not replace, defense mechanisms available in lower system layers.

•for uniformity:•Advanced middleware such as QuO provides a systematic way to integrate defense mechanisms.•Middleware can hide peculiarities of different platforms.

•for reuseability•Middleware can support a wide variety of applications.


Security Domains Limit the Damage From A Single Intrusion

hackeddomain

host

router

domain

host

router

domain

host

host

host

host


Replication Management Can Replace Killed Processes

hackeddomain

host

router

domain

host

router

domain

host

host

host

host

application component replicas

QuO replica management


Bandwidth Management Can Counter Flooding Between Routers

hackeddomain

host

router

domain

host

router

domain

host

host

host

host

QuO bandwidth management

RSVP reservation


Other Defense Mechanisms

• Dynamically change communication ports• Dynamically change communication protocols


A Defense Strategy Coordinates Defense Mechanisms

• “if several IDS alarms on host H, tighten firewall on H”

• “if multiple crashes on host H, move application process replicas elsewhere”

For example:

Applications we have defense-enabled use a varietyof such rules, implemented in QuO.


Validation

• Effectiveness of individual defense mechanisms has been tested in-house.

• Effectiveness of combined defense strategies will be measured by Red Team experiments.


Conclusion

The technique of defense enabling is likely to increase the survivability of military applications and, because defenses are implemented in middleware, can be applied with relatively little effort.

MILCOM 2001 October 30 -- page 1 Defense Enabling Using Advanced Middleware: An Example Franklin Webber, Partha Pal, Richard Schantz, Michael Atighetchi,

Documents