DPASA – Designing Protection & Adaptation Into a Survivability Architecture
[Figure: DPASA IT-JBI architecture. Zones: Client Zone; Executive Zone (JBI Management Staff); Crumple Zone; Operations Zone containing the JBI Core, replicated as Quad 1, Quad 2, Quad 3 and Quad 4 and reached over the Network. Inset: the Access Proxy, built as isolated process domains in SE-Linux (Domain 1 through Domain 6) with a Local Controller alongside; the domains front the client and core traffic types shown (RMI, STCP/TCP, PS Sensor Reports, TCP/UDP, IIOP to PSQImpl, DC, Eascii). Proxy logic: inspect, forward, rate limit. Recovery policy: first restart domains, eventually restart host.]
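The Access Proxy in the figure above is described only by its labels: isolated SE-Linux process domains and proxy logic that inspects, forwards and rate-limits, backed in the argument tree by the assumptions that the proxy can identify malformed traffic and prevents DoS. The Go program below is an added illustration of that inspect/forward/rate-limit decision, written for this page; it is not DPASA's code. The message layout, the set of allowed operations, the body-size and control-byte rules and the token-bucket parameters are all assumptions made for the example; the client names are taken from the testbed figure further down.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

// Message is a simplified client request as the proxy sees it (layout assumed; the page shows no wire format).
type Message struct {
	Client string // identity established by the access protocol upstream; "" if none
	Op     string // publish, subscribe, query, join, leave
	Body   []byte
}

// Sentinel outcomes: a nil error from Handle means the message is forwarded.
var (
	ErrMalformed   = errors.New("malformed traffic")
	ErrRateLimited = errors.New("rate limited")
)

// bucket is a token bucket: at most capacity tokens, refilled at rate per second.
type bucket struct {
	tokens, capacity, rate float64
	last                   time.Time
}

func (b *bucket) take(now time.Time) bool {
	b.tokens += now.Sub(b.last).Seconds() * b.rate
	if b.tokens > b.capacity {
		b.tokens = b.capacity
	}
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

// Proxy holds the protocol policy and one bucket per client.
type Proxy struct {
	ops            map[string]bool // operations the fronted protocol defines
	maxBody        int
	capacity, rate float64
	buckets        map[string]*bucket
}

func NewProxy(capacity, rate float64, maxBody int) *Proxy {
	ops := map[string]bool{"publish": true, "subscribe": true, "query": true, "join": true, "leave": true}
	return &Proxy{ops: ops, maxBody: maxBody, capacity: capacity, rate: rate, buckets: map[string]*bucket{}}
}

// inspect is the "can identify malformed traffic" step: missing identity,
// unknown operation, oversized body or control bytes are rejected here.
func (p *Proxy) inspect(m Message) error {
	if m.Client == "" {
		return fmt.Errorf("%w: missing client identity", ErrMalformed)
	}
	if !p.ops[m.Op] {
		return fmt.Errorf("%w: unknown operation %q", ErrMalformed, m.Op)
	}
	if len(m.Body) > p.maxBody {
		return fmt.Errorf("%w: body %d bytes exceeds limit %d", ErrMalformed, len(m.Body), p.maxBody)
	}
	for _, c := range m.Body {
		if c < 0x20 && c != '\n' && c != '\t' {
			return fmt.Errorf("%w: control byte 0x%02x in body", ErrMalformed, c)
		}
	}
	return nil
}

// Handle charges the client's budget before inspecting, so a flood of malformed
// messages is throttled like any other flood (the proxy's DoS-prevention role);
// unidentified traffic shares the single "" budget rather than getting one each.
func (p *Proxy) Handle(m Message, now time.Time) error {
	b, ok := p.buckets[m.Client]
	if !ok {
		b = &bucket{tokens: p.capacity, capacity: p.capacity, rate: p.rate, last: now}
		p.buckets[m.Client] = b
	}
	if !b.take(now) {
		return ErrRateLimited
	}
	return p.inspect(m)
}

func main() {
	p := NewProxy(10, 5, 1<<16) // burst of 10, then 5 messages/s per client (assumed limits)
	t0 := time.Now()
	for i := 0; i < 12; i++ { // constructed burst from one client in one instant
		fmt.Printf("msg %2d: %v\n", i, p.Handle(Message{Client: "caf", Op: "publish", Body: []byte("ok")}, t0))
	}
	fmt.Println("unknown op:", p.Handle(Message{Client: "aodb", Op: "shutdown"}, t0))
}
```

The order of the two steps is the design point: charging the bucket first means the cost of inspection is bounded per client, and a client that sends only garbage runs out of budget as fast as one that sends a legitimate flood. Each domain in the figure would run one such instance for its own protocol, with `ops` and `maxBody` set to what that protocol actually defines.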
[Figure: DPASA survivability argument tree; labels recovered from the figure, grouped as they appear.]

Top-level claims:
  JBI critical mission objectives; JBI critical functionality; Initialized JBI provides essential services; Authorized publish processed successfully; Confidentiality, Dataflow, Timeliness, Integrity (from functional model execution); Functional model assumptions hold; JBI mission awareness

Assumptions, by component:
  Clients: CA1 Origin of Attacks on Clients; CA2 Attack Propagation from Clients; CA3 Client Process Corruption
  Client-core path: PA1 Client-Core Communication I & C; PA2 Alternate Path Availability
  QIS: QA1 QIS Incorruptibility; QA2 QIS Communication Cutoff; QA3 QIS Input Integrity; QA4 QIS Function Correctness
  Access Proxy (AP): AA1 AP Function Correctness; AA2 AP Application-layer Integrity; AA3 AP Application-layer Confidentiality; AA4 Origin of Attacks on Access Proxy; AA5 Attacks from AP; AA6 DoS from Compromised Core; AA7 AP Process Corruption; AA8 DoS Prevention by Access Proxy
  DC: DA1 DC Communications; DA2 Origin of Attacks on DC; DA3 Process Corruption on DC
  Guardian: GA1 Process Corruption on Guardian; GA2 Attacks from Guardian
  PSQ Server: SA1 Origin of Attacks on PSQ Server; SA2 Attacks from PSQ Server; SA3 IO Integrity in PSQ Server; SA4 Client Confidentiality in PSQ Server; SA5 IO Authenticity; SA6 Network-layer I & C; SA7 Process Corruption in PSQ Server
  IDS Sensor: SeA1 Attacks from IDS Sensor; SeA2 Sensor False Alarm Rate; SeA3 Sensor Detection Delay; SeA4 Sensor Detection Probability; SeA5 Process Corruption in Sensor
  Actuator: AcA1 Process Corruption in Actuator; AcA2 Attacks from Actuator
  Local Controller: LA1 Process Corruption in Local Controller; LA2 Attacks from Local Controller
  Correlator: CoA1 Correlator False Alarm Rate; CoA2 Origin of Attacks on Correlator; CoA3 Attacks from Correlator; CoA4 Alert Integrity
  System Manager (SM): MA1 SM Byzantine Agreement; MA2 Origin of Attacks on SM; MA3 Attacks from SM
  ADF Policy Server: PsA1 ADF Policy Server Input Correctness; PsA1 ADF Policy Server Synchronization
  Subscribed Client: ScA1 Process Corruption in Subscribed Client

Supporting mechanisms and evidence (leaves of the tree):
  System Connectivity: Physical Topology; Network Topology; Restricted Routing; No Tunneling Attacks
  Process Isolation: SELinux (Type Enforcement); Trusted Solaris (Hardened Kernel); Windows 2000 (Hardened Kernel); Kernel Loadable Wrappers; VMWare over SELinux; Platform Mechanisms; Component-specific policy
  Private Key Confidentiality:
    No Unauthorized Direct Access: Keys Protected from Theft (DoD Common Access Card (CAC); PKCS #11; Tamperproof); Keys Not Guessable (Algorithmic Framework; Key Length; Key Lifetime)
    No Unauthorized Indirect Access: Physical Protection of CAC device; Protection of CAC Authentication Data; No Compromise of Authorized Process Accessing CAC
  No Cryptography in Access Proxy: Not Preconfigured; Not Reconfigurable
  ADF NIC services protected / ADF Correctness: ADF NIC Physical Security; ADF NIC Firmware Initialization; ADF Key Initialization; ADF Agent Initialization; ADF Protocol Correctness; ADF Host Independence; ADF Agent Correctness; VPG Integrity; VPG Confidentiality; Policy Server Integrity; ADF Policy Correctness; Correctness of Registration Protocol; Correctness of Reattachment Protocol
  Hard-wired Configuration: Electrically Isolated; Physically Protected; Connectivity Physical Integrity; Electrical Integrity; Gate Configuration and Truth Table
  Proxy Protocol Configuration: Can Identify Malformed Traffic; Correctness of Flow Control Mechanisms; Bidirectional Flow Control; Correctness of Certificate Exchange
  Evidence: IDS Experimental Evaluation; Correctness of Modified ITUA Protocols; Functional model faithful to design; Design Team Review
  IDS objectives and service claims: Notification Confidentiality; IO Confidentiality (end-to-end); Confidential info not exposed; Unauthorized activity properly rejected; Authorized join/leave processed successfully; Authorized query processed successfully; Authorized subscribe processed successfully; JBI properly initialized
Demonstrates: ADF-based protection; DJM (signing and signature checking, authentication, RBAC, semantic and behavioral checks, FT protocols); adaptive response (rapid reaction, IO rejection, quad isolation, dynamic clients, fall back).
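The DJM line above names signing and signature checking, authentication, RBAC and semantic and behavioral checks as the core-side defenses, and IO rejection as the adaptive response. The Go program below is an added example of how those checks compose at the point where a published IO enters the core; it is not DPASA's code. Ed25519 is this example's choice of signature scheme (the page names CAC and PKCS #11 keys but no algorithm), the IO field layout and the per-publisher sequence check are assumptions, and the client name comes from the testbed figure.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// IO is a simplified information object (fields assumed; the page shows no IO schema).
type IO struct {
	Publisher string // client identity the signing key is registered under
	Topic     string
	Seq       uint64 // per-publisher sequence number, checked for replay/ordering
	Payload   []byte
}

// canonical returns the signed bytes; variable-length fields are length-prefixed so two different IOs never serialize identically.
func (o IO) canonical() []byte {
	var out []byte
	put := func(b []byte) {
		var n [8]byte
		binary.BigEndian.PutUint64(n[:], uint64(len(b)))
		out = append(append(out, n[:]...), b...)
	}
	put([]byte(o.Publisher))
	put([]byte(o.Topic))
	var seq [8]byte
	binary.BigEndian.PutUint64(seq[:], o.Seq)
	out = append(out, seq[:]...)
	put(o.Payload)
	return out
}

// Sign is the client side. Ed25519 is this example's choice; the page names CAC/PKCS #11 keys but no algorithm.
func Sign(priv ed25519.PrivateKey, o IO) []byte {
	return ed25519.Sign(priv, o.canonical())
}

// Distinct rejection reasons let the adaptive response tell forgery from misbehaviour.
var (
	ErrUnknownPublisher = errors.New("unknown publisher")
	ErrNotAuthorized    = errors.New("RBAC: role may not publish this topic")
	ErrBadSignature     = errors.New("signature check failed")
	ErrReplay           = errors.New("sequence number did not advance")
)

type Core struct {
	keys    map[string]ed25519.PublicKey // client -> registered public key
	roles   map[string]string            // client -> role
	policy  map[[2]string]bool           // {role, topic} -> may publish
	lastSeq map[string]uint64            // client -> last accepted Seq
}

func NewCore() *Core {
	return &Core{keys: map[string]ed25519.PublicKey{}, roles: map[string]string{}, policy: map[[2]string]bool{}, lastSeq: map[string]uint64{}}
}

// Register binds a client identity to its public key and role, and grants that role publish rights on the listed topics.
func (c *Core) Register(client string, pub ed25519.PublicKey, role string, topics ...string) {
	c.keys[client], c.roles[client] = pub, role
	for _, t := range topics {
		c.policy[[2]string{role, t}] = true
	}
}

// Accept orders the checks by cost: identity and RBAC are map lookups and run first;
// signature verification is the expensive step; the sequence check is last so lastSeq only advances on an authentic, authorized IO.
func (c *Core) Accept(o IO, sig []byte) error {
	pub, ok := c.keys[o.Publisher]
	if !ok {
		return ErrUnknownPublisher
	}
	if !c.policy[[2]string{c.roles[o.Publisher], o.Topic}] {
		return ErrNotAuthorized
	}
	if !ed25519.Verify(pub, o.canonical(), sig) {
		return ErrBadSignature
	}
	if o.Seq <= c.lastSeq[o.Publisher] {
		return ErrReplay
	}
	c.lastSeq[o.Publisher] = o.Seq
	return nil
}

func main() {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	core := NewCore()
	core.Register("weather", pub, "publisher", "weather.obs")
	o := IO{Publisher: "weather", Topic: "weather.obs", Seq: 1, Payload: []byte("constructed observation")}
	sig := Sign(priv, o)
	fmt.Println("valid IO:", core.Accept(o, sig))
	o.Payload = []byte("tampered observation") // signature no longer matches
	fmt.Println("tampered IO:", core.Accept(o, sig))
}
```

Each rejected IO carries a distinct reason, which is what an adaptive response needs: a bad signature on a registered identity points at forgery or corruption on the path, while a valid signature on an unauthorized topic or a stale sequence number points at a misbehaving but authentic client, and the two call for different reactions (IO rejection alone versus isolating the client).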
[Figure: testbed topology. Elements: Router 1 and Router 2; CAF Client, AODB Client and Weather Client; an Attacker host; Quad 1, Quad 2, Quad 3 and Quad 4; Hub, Managed Switch and NIDS Hub; link speeds of 10 Mbps and 100 Mbps.]
Enough proof-of-concept implementation was developed to show 3 AFRL clients running a simplified scenario over a 4-quad core.
[Graph: DPASA without signature verification. Publication latency (ms), 0 to 1200, versus publication number, 0 to 700; one series.]
Testbed configuration
Screenshots and performance graph
The DPASA IT-JBI design provides critical functionality with high probability even when under heavy successful attack.
[Graph: Total number of intrusions versus MTTD_A (min). x-axis MTTD_A from 10 to 100000 min (log scale); y-axis total number of intrusions, 0 to 900; curves for 12-hour, 24-hour and 48-hour missions.]
98% of all publishes succeed when new vulnerabilities are discovered, on average, once a day or less often (MTTD_A of 1440 min or more) during a 12-hour mission. Once a day is an extremely high new-vulnerability discovery rate; CERT data suggest MTTD_A of about 6000 min.
At this new-vulnerability discovery rate, the system still provides correct functionality even when about 10 intrusions occur during a 12-hour mission.
[Graph: Fraction of successful publishes versus MTTD_A (min). x-axis MTTD_A from 10 to 100000 min (log scale); y-axis fraction of successful publishes, 0 to 1; curves for 12-hour, 24-hour and 48-hour missions.]