
Malicious- and Accidental-Fault Tolerance for Internet Applications

Deliverables

MAFTIA has served, among other things, to explore two recent key ideas on distributed systems architecture. First, it enabled us to study the concept of wormholes: enhanced subsystems that provide components with a few simple privileged functions and channels to other components, with "good" properties otherwise not guaranteed by the "normal" weak environment, for example timely functions in asynchronous systems or secure functions in environments prone to malicious failures. Second, it let us explore the concept of architectural hybridization, a well-founded way to substantiate the provision of those "good" properties in "weak" environments. For example, if we assume that our system is essentially asynchronous and Byzantine-on-failure, we should not simply (and naively) postulate that at some point in time parts of it will start behaving synchronously or securely. Instead, we should build those parts in a way that substantiates our claim with high confidence. These two ideas were exploited during the specification and development of a security kernel called the Trusted Timely Computing Base (TTCB), which has innovative features. Firstly, it is a distributed subsystem with its own secure network. Secondly, the TTCB is real-time, that is, a synchronous subsystem capable of timely behaviour. These two characteristics together are uncommon in security kernels. Thirdly, the TTCB can be implemented using only COTS components.
This result consists of methods and tools to design and build intrusion detection systems (IDSs) that cannot be easily defeated by attackers. Three main issues are addressed:

- IDSs are known to generate an extremely large number of false positives. The main problem is that true positives can easily get lost in the noise of false positives. By analysing historical alarms, root causes of false positives are identified and translated into filtering rules that can be used to discard, in real time, any further occurrences of related false positives.
- Detection by a single IDS can quite often be circumvented by attackers. By combining IDSs of various types we are able to build an IDS that has larger detection coverage and is less prone to missing attacks.
- Intrusion detection can be seen as a distributed application whose components themselves may be vulnerable to attacks. By deploying various techniques, e.g. replication, combination of various IDSs, or the reliable group communication developed in other MAFTIA work packages, we are able to build more dependable IDSs.

A demonstrator of an intrusion-tolerant IDS has been built.
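As an added illustration of the first point (example code, not the MAFTIA IDS tooling): historical alarms are generalised over attribute subsets to find the most specific pattern with enough support, and an analyst-confirmed pattern then becomes a real-time filtering rule. The alarm records, the attribute names and the support threshold are constructed for this example.

```python
from collections import Counter
from itertools import combinations

# Attributes over which alarms are generalised (constructed for this example).
ATTRS = ("sig", "src", "dst")

# Constructed history: a monitoring host (10.0.0.5) pinging every server accounts
# for most "ping sweep" alerts; one sweep of the same signature comes from outside.
HISTORY = [
    {"sig": "ICMP ping sweep", "src": "10.0.0.5", "dst": "10.0.1.20"},
    {"sig": "ICMP ping sweep", "src": "10.0.0.5", "dst": "10.0.1.21"},
    {"sig": "ICMP ping sweep", "src": "10.0.0.5", "dst": "10.0.1.22"},
    {"sig": "ICMP ping sweep", "src": "10.0.0.5", "dst": "10.0.1.23"},
    {"sig": "SSH brute force", "src": "198.51.100.7", "dst": "10.0.1.20"},
    {"sig": "ICMP ping sweep", "src": "198.51.100.9", "dst": "10.0.1.21"},
]

def candidate_root_causes(alarms, min_support):
    """Return (pattern, count) pairs: the most specific attribute patterns shared by
    at least min_support alarms. Generalisations of an already-found pattern are
    dropped so that a rule never becomes broader than the evidence requires."""
    found = []
    for k in range(len(ATTRS), 0, -1):                # most specific patterns first
        for keys in combinations(ATTRS, k):
            counts = Counter(tuple((a, alarm[a]) for a in keys) for alarm in alarms)
            for pattern, n in counts.items():
                p = dict(pattern)
                if n >= min_support and not any(p.items() <= q.items() for q, _ in found):
                    found.append((p, n))
    return found

def matches(pattern, alarm):
    return all(alarm.get(k) == v for k, v in pattern.items())

def make_filter(benign_patterns):
    """Filtering rule: drop an alarm only if it matches a confirmed benign root cause."""
    return lambda alarm: not any(matches(p, alarm) for p in benign_patterns)

def triage(history, live, min_support=3):
    """Derive rules from history (analyst confirmation assumed) and apply them live."""
    rules = [p for p, _ in candidate_root_causes(history, min_support)]
    keep = make_filter(rules)
    return [a for a in live if keep(a)]

# Constructed live stream: only the monitoring host's own sweep should be discarded.
LIVE = [
    {"sig": "ICMP ping sweep", "src": "10.0.0.5", "dst": "10.0.1.30"},
    {"sig": "ICMP ping sweep", "src": "203.0.113.4", "dst": "10.0.1.30"},
    {"sig": "SSH brute force", "src": "10.0.0.5", "dst": "10.0.1.20"},
]
```

Lowering the support threshold to 5 here yields only the bare signature as a pattern, which would also discard the external sweep; that is why the most specific pattern with sufficient support, not the most frequent one, is the candidate rule.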
The MAFTIA transactional support activity service is intended to support both applications built using the MAFTIA middleware and other activity support services; for example, it can be used to guarantee the atomicity of updates to a replicated authorisation server. From a user's point of view, the transaction support service appears to be a CORBA-style transaction service, because its intrusion tolerance is a property of the implementation rather than of its interfaces. Typically, transaction support services provide the "all or nothing" property in the face of software or hardware failure: as transactions progress, all participants keep local durable logs that can be used to restart the transaction after a crash, and replication can be used to provide high availability for the objects that are changed during the execution of a transaction. In the MAFTIA project, however, we extend the definition of fault tolerance to include tolerance of malicious faults. To do this we apply the general MAFTIA architectural principle of distributing trust, by replicating the servers implementing the transaction service and the resource managers. A laboratory prototype of MAFTIA's intrusion-tolerant transaction service has been constructed using the group communication protocols running over the TTCB, and a simple demonstrator application has been built.
This result consists of a cryptographic model, the so-called "secure reactive system model", which can be used to rigorously model complex systems, to define their security requirements, and to rigorously prove that a system fulfils its security requirements. A composition theorem allows the correctness and security of a complex system to be proven in a modular way: one first proves that the system's sub-components fulfil their specifications. Then one proves the security of the overall system by assuming that all sub-components fulfil their specifications, i.e., by substituting each sub-component by its specification. Finally, the composition theorem guarantees that substituting the specification of each sub-component by its implementation preserves the proven properties of the overall system. The secure reactive system model has been used to rigorously prove the security of cryptographic protocols, such as certified mail and key establishment protocols. It can be applied in any critical application area of secure and dependable systems that requires high certainty in the system's correctness and security.
This document provides an analysis of MAFTIA's intrusion tolerance capabilities at an architectural level. We first summarise the various architectural concepts and mechanisms that MAFTIA has developed for constructing intrusion tolerant systems. We then present a realistic "use case" for the MAFTIA architecture, based on a simplified but realistic e-commerce application. Using a methodology based on fault trees, we provide a representative but by no means complete set of attack scenarios, which we then analyse in order to highlight the ways in which MAFTIA's architectural mechanisms support the construction of intrusion tolerant Internet applications. Finally, we conclude the document with a discussion of the overall MAFTIA approach to achieving intrusion tolerance, identifying the key architectural components, and highlighting areas for future research.
The results consist of a suite of modelling techniques and conventions that were developed to formalise and verify reactive distributed protocols, such as those we see in the MAFTIA project. This 'suite' was then applied to selected MAFTIA protocols, firstly in order to verify those particular protocols, but also because many of the techniques in question were best demonstrated by way of example. The suite was developed with the aim of making it easier to develop models of project-related protocols in a consistent and modular manner. All the techniques are phrased in the Communicating Sequential Processes (CSP) language, and supported by the automated CSP checker FDR. We now briefly list some of the main techniques. (i) Modelling synchronous and asynchronous protocols 'safely' (i.e. avoiding false positive verifications of particular dependability properties) and with respect to the formalisations of 6.1. (ii) Verifying liveness properties of protocols running over 'eventual delivery' networks. (iii) Approaches to modelling dynamic corruption and stop-failures. (iv) Application of the techniques to the full or partial verification of several MAFTIA protocols, including contract-signing protocols and two TTCB services.
The Trusted Timely Computing Base (TTCB) is a simple component providing a small set of basic security and time services. It aims at enabling a new style of protocols for achieving intrusion tolerance, which for the most part execute in insecure, arbitrary-failure environments and resort to the TTCB only in crucial parts of their operation. The services provided by the TTCB can be used to good effect by the entities of the host (e.g., processes) because, by construction, the TTCB was implemented with the following fundamental objectives in mind: 1) the TTCB is a distributed component, with limited services and functionality, that resides inside potentially insecure hosts, yet is and remains reliable, secure and timely; and 2) it is possible to ensure correct (reliable, secure, timely) interactions between entities in the host and that component. A set of secure group communication protocols was developed taking advantage of the services offered by the TTCB. When compared with previously published results, the new protocols have shown significantly better performance because they usually have smaller message complexities, a reduced number of rounds, and do not have to resort to public-key cryptography. During the project, protocols were developed for the following problems:

- Reliable multicast
- Atomic multicast
- Consensus
- Membership service
The MAFTIA conceptual model and architecture deliverable describes the basic concepts of dependability and intrusion tolerance that underpin all of the MAFTIA work. These concepts and architectural principles reflect the experience gained from prototyping and validating selected components of the overall MAFTIA architecture.

Chapter 2 is taken from [Avizienis et al. 2001] and presents the latest version of the dependability concepts and gives a brief state of the art. This includes an analysis of the relationship between the terms dependability, survivability, and trustworthiness, all of which are seen to be essentially the same concept.

Chapter 3 refines the core dependability concepts in the context of malicious faults. The chapter begins with a discussion of security policies and the relationship between security goals, properties, and rules. It is argued that a security failure only occurs if a security goal is violated, although violation of a security rule may lead the system into a state in which it is more liable to a security failure. There is also a discussion of the possible faults that can lead to security failures. The chapter continues by examining the distinction between intrusions, attacks, and vulnerabilities, and a taxonomy of different kinds of malicious logic has been added. There is also a discussion of how the traditional methods of building dependable systems, namely fault prevention, fault tolerance, fault removal, and fault forecasting, can be re-interpreted in a security context, which results in the identification of ten distinct security methods.

Chapter 4 introduces the topic of intrusion tolerance and shows how intrusion-detection systems relate to the traditional dependability notions of error detection and fault diagnosis. It goes on to present a framework for building intrusion-tolerant systems. The idea is that components in the overall system may be internally or externally monitored for erroneous behaviour. Some components may be intrusion-tolerant in that they can autonomously recover from detected errors. Detected errors are reported to a security administration component of the system that is responsible for diagnosis and managing intrusions at the system-wide level. There is also a discussion of the role of the system security officer and the security subsystem in error detection, fault handling, and corrective maintenance.

Chapter 5 provides an overview of the MAFTIA architecture. It includes a discussion of the models and assumptions on which this architecture is based, together with an explanation of the various layers of the MAFTIA middleware and run-time support mechanisms. There is also a description of the various intrusion-tolerance strategies that can be used to build intrusion-tolerant services. One of MAFTIA's guiding architectural principles is the notion of trusted components that are only trusted to the extent of their trustworthiness. It is argued that this is an important new and innovative way of thinking about architectures for intrusion-tolerant systems, and the description of the MAFTIA architecture is presented in these terms. The chapter is intended to summarise some of the key ideas underpinning the MAFTIA architecture, and thus serves as an introduction to some of the other deliverables, which go into more technical detail about these topics.

Chapter 6 discusses the formalisation of MAFTIA concepts and architectural principles, and introduces the work done on verification and assessment of secure systems, highlighting the novel contributions of MAFTIA in this area. In terms of the basic dependability concepts discussed in Chapter 3, the purpose of verification and assessment is vulnerability removal. The chapter has been updated to reflect the latest results of this work, and also contains a substantial new section on issues surrounding the formalisation of security policies. The work on verification and assessment is discussed in much more detail in other MAFTIA deliverables.

Chapter 7 concludes the deliverable with a summary of what has been achieved, and a glossary of the terms used is given at the end of the report.
This result consists of an intrusion-tolerant distributed authorization service for Internet applications, together with its design and implementation. This authorization service implements fine-grained protection, in order to satisfy the least privilege principle as far as possible. The authorization schemes are flexible and richer than the simple client-server model, thus enabling multi-party transactions to be handled. The authorization service is implemented by a distributed authorization server, which is made accident- and intrusion-tolerant, and by local reference monitors, possibly supported by Java smart cards. The authorization server is in charge of generating authorization proofs for composite operations in the system (i.e., operations involving several object method executions). In order to tolerate the failure of (or the intrusion into) a small number of authorization sites, these sites reach consensus through the use of Byzantine agreement protocols, and generate authorization proofs through threshold signature algorithms. On the application hosts, each authorization proof is received and verified locally by the reference monitor (implemented by a local Java object and by the Java smart card). The software implementing the authorization server and the local reference monitor has been completely developed. It makes use of asynchronous secure group communication protocols (see 2.3).
This result consists of a secure intrusion-tolerant replication architecture for coordination in asynchronous networks subject to Byzantine faults. It contains a number of group communication primitives, such as binary and multi-valued Byzantine agreement, reliable and consistent broadcast, and an atomic broadcast protocol. Atomic broadcast provides secure state-machine replication. The protocols are designed for an asynchronous wide-area network, such as the Internet, where messages may be delayed indefinitely, the servers do not have access to a common clock, and up to one third of the servers may fail in potentially malicious ways. Security is achieved through the use of threshold public-key cryptography, in particular through a cryptographic common coin based on the Diffie-Hellman problem, which underlies the randomized agreement protocols. A prototype implementation of the protocols has been realized.
A distributed certification authority, or DCA for short, has been developed. The DCA does not store its secret signing key at a single location, which might be compromised by an attacker. Instead, it uses threshold cryptography and secure replication protocols to distribute the power of issuing a certificate among a group of servers, which may only be connected by an asynchronous network like the Internet. The DCA issues certificates for encryption public keys and for digital signature (verification) public keys.

A distributed optimistic fair exchange service, or DFE for short, has been developed. The fair exchange problem lies at the basis of commercial interactions between two parties: how can the participants exchange two valuable tokens in such a way that either both get the item they bargained for or neither does? DFE uses the concept of optimistic fair exchange, where a third party mediates the exchange but is only involved when the transaction fails: either to abort a transfer when the initiating party is not releasing the valuable item, or to force a conclusion of the transaction if the first party has released the good but the second is trying to avoid the promised payment, or simply if some of the protocol messages are lost or deleted by a faulty network. DFE implements the third party by a group of servers, some of which might be corrupted and collaborate with corrupted clients. DFE uses a distributed signature scheme and secure coordination protocols to tolerate such faults.
