The MAFTIA conceptual model and architecture deliverable describes the basic concepts of dependability and intrusion tolerance that underpin all of the MAFTIA work. These concepts and architectural principles reflect the experience gained from prototyping and validating selected components of the overall MAFTIA architecture.
Chapter 2 is taken from [Avizienis et al. 2001] and presents the latest version of the dependability concepts and gives a brief state of the art. This includes an analysis of the relationship between the terms dependability, survivability, and trustworthiness, all of which are seen to be essentially the same concept.
Chapter 3 refines the core dependability concepts in the context of malicious faults. The chapter begins with a discussion of security policies and the relationship between security goals, properties, and rules. It is argued that a security failure only occurs if a security goal is violated, although violation of a security rule may lead the system into a state in which it is more liable to a security failure. There is also a discussion of the possible faults that can lead to security failures. The chapter continues by examining the distinction between intrusions, attacks, and vulnerabilities, and a taxonomy of different kinds of malicious logic has been added. There is also a discussion of how the traditional methods of building dependable systems, namely fault prevention, fault tolerance, fault removal, and fault forecasting, can be re-interpreted in a security context, which results in the identification of ten distinct security methods.
Chapter 4 introduces the topic of intrusion tolerance and shows how intrusion-detection systems relate to the traditional dependability notions of error detection and fault diagnosis. It goes on to present a framework for building intrusion-tolerant systems. The idea is that components in the overall system may be internally or externally monitored for erroneous behaviour. Some components may be intrusion-tolerant in that they can autonomously recover from detected errors. Detected errors are reported to a security administration component of the system that is responsible for diagnosis and managing intrusions at the system-wide level. There is also a discussion of the role of the system security officer and the security subsystem in error detection, fault handling, and corrective maintenance.
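A toy model of the Chapter 3 distinction (a violated security rule is an error, only a violated security goal is a security failure) and of the Chapter 4 framework (monitored components, autonomous recovery where a component is intrusion-tolerant, escalation of every detected error to a security administration component for system-wide diagnosis). It is added here as an illustration and is not code from the MAFTIA deliverable; the component names, the sample events and the two-report suspicion threshold are constructed.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
# Constructed sample events (not from the deliverable): "rule" = a security rule was
# violated (an error, no goal lost yet); "goal" = a security goal was violated (a failure).
EVENTS = [
    ("auth-server", "rule", "rate limit bypassed on login"),
    ("auth-server", "rule", "weak cipher suite negotiated"),
    ("file-server", "rule", "share created world-readable"),
    ("file-server", "goal", "confidential record disclosed"),
    ("auth-server", "rule", "audit logging disabled"),
]
Report = Tuple[str, str, str, bool]  # (component, kind, detail, recovered locally?)

@dataclass
class SecurityAdministration:
    # Receives every detected error and diagnoses at system-wide level.
    threshold: int = 2  # repeated rule violations on one component raise suspicion
    reports: List[Report] = field(default_factory=list)

    def failures(self) -> List[Report]:
        return [r for r in self.reports if r[1] == "goal"]  # goal violations only

    def diagnose(self) -> Dict[str, str]:
        verdicts = {}
        for comp in sorted({r[0] for r in self.reports}):
            mine = [r for r in self.reports if r[0] == comp]
            if any(r[1] == "goal" for r in mine):
                verdicts[comp] = "security failure"
            elif len(mine) >= self.threshold:
                verdicts[comp] = "suspected intrusion"  # errors, but no goal lost yet
            else:
                verdicts[comp] = "isolated error"
        return verdicts

@dataclass
class Component:
    name: str
    intrusion_tolerant: bool  # can it recover from detected errors autonomously?
    state: str = "ok"

    def detect(self, kind: str, detail: str, admin: SecurityAdministration) -> Report:
        recovered = kind == "rule" and self.intrusion_tolerant  # autonomous local recovery?
        self.state = "ok" if recovered else "erroneous"
        rep = (self.name, kind, detail, recovered)
        admin.reports.append(rep)  # every detected error is escalated for diagnosis
        return rep

def run_scenario():
    admin = SecurityAdministration()
    comps = {n: Component(n, tol) for n, tol in [("auth-server", True), ("file-server", False)]}
    for name, kind, detail in EVENTS:
        comps[name].detect(kind, detail, admin)
    return admin, comps
```

The intrusion-tolerant auth-server ends in state "ok" despite three rule violations, yet the administration component still sees all of them and flags it; the file-server is the only component with a recorded security failure.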
Chapter 5 provides an overview of the MAFTIA architecture. It includes a discussion of the models and assumptions on which this architecture is based, together with an explanation of the various layers of the MAFTIA middleware and run-time support mechanism. There is also a description of the various intrusion-tolerance strategies that can be used to build intrusion-tolerant services. One of MAFTIA's guiding architectural principles is the notion of trusted components that are only trusted to the extent of their trustworthiness. It is argued that this is an important new and innovative way of thinking about architectures for intrusion-tolerant systems, and the description of the MAFTIA architecture is presented in these terms. The chapter is intended to summarise some of the key ideas underpinning the MAFTIA architecture, and thus serves as an introduction to some of the other deliverables, which go into more technical detail about these topics.
Chapter 6 discusses the formalisation of MAFTIA concepts and architectural principles, and introduces the work done on verification and assessment of secure systems, highlighting the novel contributions of MAFTIA in this area. In terms of the basic dependability concepts discussed in Chapter 3, the purpose of verification and assessment is vulnerability removal. The chapter has been updated to reflect the latest results of this work, and also contains a substantial new section on issues surrounding the formalisation of security policies. The work on verification and assessment is discussed in much more detail in other MAFTIA deliverables.
Chapter 7 concludes the deliverable with a summary of what has been achieved, and a glossary of the terms used is given at the end of the report.