DIVERSE: Diversity for Intrusion-Tolerant Systems
- Research Line(s): Fault and Intrusion Tolerance in Open Distributed Systems (FIT)
- Sponsor: FCT
- Project Number: PTDC/EIA-EIA/100894/2008
- Total award amount: 88.5K Euros
- Start Date: Jan. 2010
- Duration: 36 months
- Team at FCUL: 9 researchers, including Nuno Ferreira Neves, Paulo Verissimo, Miguel Correia, Alysson Bessani, João Antunes, Manuel Mendonça, Bruno Vavala, Henrique Moniz, Miguel Garcia
Intrusion tolerance is a security and dependability paradigm that has beengaining momentum over the past decade. It lets system designers address bothaccidental faults and attacks in a seamless manner, which can complement thereach of classical security approaches. Intrusion tolerance assumes that: inpart due to their complexity, systems remain to some extent faulty and/orvulnerable; attacks on components can happen and some will be successful; butautomatic mechanisms can ensure that the overall system nevertheless remainscorrect and operational.
In distributed systems, the usual way to deploy intrusion tolerance servicesis through a middleware layer that manages n server replicas. Replicas performthe operations requested by the users, and rely on distributed protocols of themiddleware to carry out coordination and cooperation actions. Given themalicious intelligence behind the expect threats, the protocols have to resistto a wide range of attacks, originating from the network, bad clients andcorrupted replicas. The necessary number of replicas varies with systemconfiguration, the baseline being that if one expects a number f of faults orintrusions, then the service should run a minimum of n = 3f+1 replicas.
Intrusion tolerant systems, therefore, can only remain correct if they areable to preserve in every instant a number of corrupted replicas smaller thanthe f threshold. This is a difficult task because adversaries are alwaysdiscovering new forms of attack, and it can be exacerbated due to common-modevulnerabilities. These vulnerabilities occur in all (or in a large subset of)replicas, and once found allow a speedy compromise of the system with minimaleffort. Additionally, adversaries learn from past intrusions, which means thateven if replicas are recovered, they will be rapidly corrupted unless they arerestarted with diverse software (that does not contain the samevulnerabilities).
In this project, we want to investigate ways to obtain and integrate diversesoftware replica versions in intrusion tolerant systems. In the past, thissubject has been mainly overlooked because research in distributed protocols hasconsidered it an orthogonal issue. However, once the actual deployment ofsystems is considered, it becomes a fundamental problem that is actually quitehard to solve. Firstly, in almost all cases it is unfeasible to build severalsoftware versions due to cost, but even if it was possible, it is not clear thatthe outcome would acceptable (e.g., programmers tend to make similar mistakes).Therefore, one would always need to devise evaluation methods to confirm thevulnerability independence of replicas. Secondly, diversity increases thedifficulty of ensuring replica execution determinism, a common assumption inintrusion tolerant systems. In these systems, malicious replica behavior isusually tolerated by running the same operation in all replicas and then byselecting the result which has more than f votes. This quorum might not beattainable because small changes on replicas’ executions can have an impact onthe output result. Therefore, mechanisms will have to be devised to address thisissue.
Contributions are expected in the following important areas:
- The project will investigate new techniques for the inclusion of diversityin intrusion tolerant services, in order to reduce the probability of occurringcommon mode vulnerabilities across multiple replicas. The project will considertwo fundamental approaches to achieve this objective: it will take advantage ofthe inherent diversity provided by software products that implement the samefunctionality, and it will develop ways to automatically introduce diversity inthe applications, for example, by exploring disparate configurations, input datamodifications, and control flow randomization.
- The project will implement the techniques and integrate them in a middlewarethat supports the execution of intrusion tolerant services. One shouldunderstand that this implementation poses a few research challenges becausediversity undermines replica determinism, a primary assumption on the statemachine replication paradigm. Non-determinism can be a problem even for a singleprogram that runs multiple times (e.g., due to scheduling differences of theoperations), therefore, it becomes much more complex to tackle when diversity isemployed.
- The project will evaluate the merits of each technique to prevent orincrease the difficulty of attacks. For software products that have been in themarket for a while, one would like to develop metrics to measure vulnerabilityindependence, for example, based on evidence collected from the analysis of bugreports. For cases where this data is unavailable, one would like to employexperimental techniques that look for common vulnerabilities (e.g., staticanalysis or attack injection).
- Miguel Garcia, Alysson Bessani, Ilir Gashi, Nuno Ferreira Neves, Rafael R. Obelheiro, “Analysis of OS Diversity for Intrusion Tolerance”, Software: Practice and Experience, vol. 44, no. 8, pp. 735–770, Jun. 2014.
- Miguel Garcia, Nuno Ferreira Neves, Alysson Bessani, “DIVERSYS: DIVErse Rejuvenation SYStem”, in NFORUM 2012 - Simpósio de Informática, Lisbon, Portugal, Sept. 2012.
- João Antunes, Nuno Ferreira Neves, “Using Behavioral Profiles to Detect Software Flaws in Network Servers”, in Proceedings of the International Symposium on Software Reliability Engineering (ISSRE), Nov. 2011.
- João Antunes, Nuno Ferreira Neves, “DiveInto: Supporting Diversity in Intrusion-Tolerant Systems”, in Proceedings of the Symposium on Reliable Distributed Systems (SRDS), Oct. 2011.
- Miguel Garcia, Alysson Bessani, Ilir Gashi, Nuno Ferreira Neves, Rafael R. Obelheiro, “OS Diversity for Intrusion Tolerance: Myth or Reality?”, in Proceedings of the International Conference on Dependable Systems and Networks - DSN'11. Hong Kong, China, June 2011., Jun. 2011.
- Miguel Garcia, Alysson Bessani, Nuno Ferreira Neves, “Diverse OS Rejuvenation for Intrusion Tolerance”, in Poster in Supplement of the IEEE/IFIP International Conference on Dependable Systems and Networks, Jun. 2011.
- João Antunes, Nuno Ferreira Neves, “Automatically Complementing Protocol Specifications From Network Traces”, in 13th European Workshop on Dependable Computing, May 2011.
- Henrique Moniz, Nuno Ferreira Neves, Miguel Correia, “Turquois: Byzantine Consensus in Wireless Ad hoc Networks”, in Proceedings of the International Conference on Dependable Systems and Networks (DSN), Chicago, USA, June 2010., Jun. 2010.
- Miguel Correia, Giuliana Santos Veronese, Lau Cheuk Lung, “Asynchronous Byzantine Consensus with 2f+1 Processes”, in Proceedings of the 25th Annual ACM Symposium on Applied Computing, March 2010., Mar. 2010.
BibTeXNavigators - DIVERSE project
|Current projects:||DiSIEM, IRCoC, NORTH, Abyss, SUPERCLOUD, COST Action IC1402, SEGRID|
|Past projects:||TCLOUDS, MASSIF, MAFTIA, RESIST NoE, KARYON, HIDENETS, CORTEX, CRUTIAL, TRONE, SITAN, ReD, DIVERSE, CloudFIT, READAPT, REGENESYS, RC-Clouds, TACID, DARIO, RITAS, AJECT, MICRA, DEAR-COTS, COPE, DEFEATS, MOOSCO, TOPCOM, BioBankCloud, PROPHECY, SAPIENT, SecFuNet, FTH-Grid, AIR-II, AIR, ESFORS, CaberNet, GODC, BROADCAST, CoDiCom, Delta-4, RAPTOR|