Intrusion Tolerant Distributed Object Systems


Pride In Performance Data Sheet
Information System Security Operation
Providing High Reliability for Mission-Critical Information Systems

Overview

Intrusion prevention mechanisms and technologies cannot always prevent a well-funded and persistent adversary from penetrating information systems. Mission-critical systems require intrusion tolerance in order to provide correct system operation even after an attacker has successfully breached the prevention mechanisms. Distributed object middleware is considered the most general kind of middleware, and the Common Object Request Broker Architecture (CORBA©) is a widely adopted standard for distributed object middleware.

The goal of the Intrusion Tolerant Distributed Object Systems (ITDOS) framework is to create an architecture for distributed object systems that can provide high reliability for mission-critical information systems by tolerating Byzantine (arbitrary) faults in object servers. CORBA systems are one of the potential architectures that can be supported by the ITDOS. From a system-level point of view, the ITDOS provides additional security in the form of a firewall proxy that can monitor Byzantine fault-tolerant multicast (BFTM) messages at the enclave boundary and minimize the impact of certain denial of service (DoS) attacks.

Objectives

The objective of the ITDOS framework is to protect against any threats that would cause an observable deviation in expected client or server behavior. The ITDOS relies upon the underlying BFTM protocol to tolerate f simultaneous protocol failures and the voting mechanism to detect and mask faulty values. Provided that no more than f simultaneous failures occur, the ITDOS also guarantees service availability, integrity, and communications confidentiality. However, there is a caveat to the confidentiality guarantee. Since symmetric keys protecting the traffic provide confidentiality, a compromised server has access to all of the traffic within groups of which that server is a member, until the keys can be reissued without the participation of the faulty server. Furthermore, an undetected malicious server can leak server state to unauthorized recipients.

While the underlying BFTM protocol provides some defense against DoS attacks against individual replication domain elements, it is not resilient against unrestricted DoS attacks on the network. The ITDOS firewall proxy helps mitigate network attacks from external sources, but cannot eliminate the threat from internal hosts.

System Model

The concept of operations for the ITDOS is fairly simple. An ITDOS client invokes an operation on an ITDOS server. The server carries out that operation and returns a result to that client. The ITDOS modifies the traditional notion of a server, in that it is an asynchronous system of deterministic communicating state machines. That system contains not more than f simultaneously faulty processes and at least 3f + 1 processes in all. The ITDOS requires a minimum of 3f + 1 replicated state machines to tolerate arbitrary behavior by f state machines. Each state machine in the system is implemented as a server; the server hosts objects for access by clients, which can themselves be servers. Furthermore, each state machine for a given system hosts the same objects as the others in that system. The ITDOS performs voting in middleware to support heterogeneous implementations. Therefore, all invocations on objects must pass through the middleware layer equally.

We term an individual process in the system that implements a particular well-defined state machine a replication domain element. The collection of replication domain elements running the same state machine is a replication domain.

The ITDOS uses active replication to maintain the same state in each replication domain element; a client request is delivered to each replication domain element in a replication domain by a totally ordered BFTM protocol. Each replication domain element executes the invocation and returns its result to the client in the same fashion.

In this system, faulty processes in a replication domain are detected primarily by processes external to it: either by clients receiving a faulty result, or by other servers receiving a faulty request. Once a replication domain element is determined to be faulty, it must be removed from its replication domain to preserve confidential communications.

The Group Manager handles replication domain membership and virtual connection management in the ITDOS. It consists of a replication domain of Group Manager processes. These processes work together to regulate replication domain formation, replication domain membership, and connection establishment between clients and servers. The Group Manager also provides symmetric session keys (called communication keys) that protect communications.

The primary function of the ITDOS firewall proxy is to limit the impact of DoS attacks inside an enclave hosting ITDOS clients and servers. This differs from traditional proxies that form TCP connections on each side of the firewall and then inspect each packet as it traverses the firewall. Those proxies typically apply source and destination rules to permit or deny packets. This type of inspection and packet blocking cannot be implemented for the ITDOS for several reasons. First, ITDOS communications are connectionless, using UDP multicast, so source authentication would require digital signature validation. Secondly, the underlying BFTM protocol used by the ITDOS assumes that if one correct process delivers a message, all will eventually deliver it.

The ITDOS proxy allows legitimate retry messages to traverse the firewall while blocking most messages that may be part of a denial of service attack. The firewall limits DoS attacks, particularly replay flooding attacks, by caching a hash of each message it receives and comparing the hashes to newly received messages. If the proxy receives multiple copies of a particular message more than a threshold number of times, only a percentage of those messages are allowed to enter the enclave.

[Figure: ITDOS architecture, showing a singleton client configuration and a redundant client configuration; client-side and server-side firewalls each running an ITDOS firewall proxy; the Group Manager; servers built from application code, IT middleware (voter and marshalling) and the ITDOS layer; all connected over secure, reliable multicast on IP multicast.]

This work was sponsored by DARPA through Air Force Research Laboratory (AFRL), Contract Number F30802-00-C-0183, with McAfee Research, which is now the Security Research Division of SPARTA.

For more information call us at 410-872-1515, send an e-mail to, or visit us on the Web at SPARTA, Inc., 7075 Samuel Morse Drive, 2nd Floor, Columbia, MD 21046
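The middleware voter described under Objectives and System Model, as an added illustration that is not the ITDOS implementation: with n >= 3f + 1 replication domain elements and at most f faulty, a value backed by f + 1 identical replies must include one from a correct element, so the client accepts it and flags every disagreeing element for the Group Manager. The class and function names, and the sample replies, are constructed for this example.

```python
from collections import Counter
from dataclasses import dataclass, field


@dataclass
class VoteResult:
    value: object = None                        # accepted result, None until a quorum exists
    suspects: set = field(default_factory=set)  # elements whose reply disagrees with it


class Voter:
    """Client-side voter over replies from one replication domain (example model).

    With n >= 3f + 1 elements, at most f of them faulty, any value backed by
    f + 1 identical replies must include a reply from a correct element, so it
    can be accepted and conflicting replies masked. Correct elements are
    deterministic state machines and therefore agree, so every element that
    disagrees with the accepted value is reported as a suspect for removal
    from the replication domain.
    """

    def __init__(self, f: int, n: int):
        if n < 3 * f + 1:
            raise ValueError("a replication domain needs at least 3f + 1 elements")
        self.f = f
        self.n = n
        self.replies = {}  # element id -> reply value (one reply counted per element)

    def add_reply(self, element: str, value) -> VoteResult:
        self.replies[element] = value
        top_value, votes = Counter(self.replies.values()).most_common(1)[0]
        if votes < self.f + 1:
            return VoteResult()  # no quorum yet; keep waiting for more replies
        suspects = {e for e, v in self.replies.items() if v != top_value}
        return VoteResult(top_value, suspects)


def vote_on(f: int, n: int, replies: list) -> VoteResult:
    """Feed (element, value) pairs in arrival order; return the final outcome."""
    voter = Voter(f, n)
    result = VoteResult()
    for element, value in replies:
        result = voter.add_reply(element, value)
    return result


if __name__ == "__main__":
    # Constructed sample: f = 1, n = 4; element s2 returns a corrupted balance.
    outcome = vote_on(1, 4, [("s1", 100), ("s2", 999), ("s3", 100), ("s4", 100)])
    print(outcome)  # value=100, suspects={'s2'}
```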
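The firewall proxy's replay-flooding defense described in the last paragraph, as an added model that is not SPARTA's proxy code: each datagram is hashed and counted, the first threshold copies always pass (the BFTM protocol retransmits legitimately), and further copies are admitted only at a configured fraction. The sampling rule (admit every k-th excess copy), the names, and the sample traffic are assumptions of this example.

```python
import hashlib
from collections import defaultdict


class ReplayLimitingProxy:
    """Model of the ITDOS firewall proxy's defense against replay flooding.

    Every datagram arriving at the enclave boundary is hashed and the copies
    of each hash are counted. Because the BFTM protocol legitimately
    retransmits messages, the first `threshold` copies always pass; copies
    beyond that are admitted only at `admit_fraction`, so a flood of replays
    is throttled without starving honest retries. No source-address rules are
    applied, since the traffic is connectionless UDP multicast.
    """

    def __init__(self, threshold: int, admit_fraction: float):
        if threshold < 1 or not 0 < admit_fraction <= 1:
            raise ValueError("threshold >= 1 and 0 < admit_fraction <= 1 required")
        self.threshold = threshold
        # Assumption: the excess is sampled deterministically, admitting every
        # k-th copy with k = 1 / admit_fraction; the data sheet only says
        # "a percentage" and does not specify how that percentage is chosen.
        self.stride = max(1, round(1 / admit_fraction))
        self.copies_seen = defaultdict(int)  # SHA-256 digest -> copies seen

    def admit(self, datagram: bytes) -> bool:
        digest = hashlib.sha256(datagram).digest()
        self.copies_seen[digest] += 1
        copies = self.copies_seen[digest]
        if copies <= self.threshold:
            return True                       # normal traffic and legitimate retries
        excess = copies - self.threshold
        return excess % self.stride == 0      # throttle the rest to admit_fraction


def count_admitted(proxy: ReplayLimitingProxy, datagrams: list) -> int:
    """Run a sequence of datagrams through the proxy; return how many got in."""
    return sum(1 for d in datagrams if proxy.admit(d))


if __name__ == "__main__":
    # Constructed traffic: one captured BFTM request replayed 103 times from
    # outside the enclave, followed by 50 distinct honest messages.
    proxy = ReplayLimitingProxy(threshold=3, admit_fraction=0.1)
    replay = [b"BFTM-REQ seq=42 op=transfer"] * 103
    honest = [b"BFTM-REQ seq=%d op=read" % i for i in range(50)]
    print(count_admitted(proxy, replay), count_admitted(proxy, honest))  # 13 50
```

The hash cache here grows without bound; the data sheet does not say how the real proxy ages out entries, so a deployment would need an expiry policy sized to the BFTM retransmission window.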