Intrusion-Tolerant Architectures: Concepts and Design

xiaoxiao, 2021-03-06


Summary

Architectures, methodologies and algorithms for distributed computing systems are an important research area in both fault tolerance and security. Although the two communities have historically followed different approaches, the problems they address are similar. In classical dependability research, fault tolerance has for a long time been an integral part of many solutions. In classical security research, by contrast, the focus has almost without exception been on intrusion prevention or intrusion detection. In the past decade a new approach has slowly taken shape and has recently gained momentum: intrusion tolerance (IT). Instead of trying to prevent every single intrusion, intrusions are assumed to happen and are tolerated: the system triggers mechanisms that prevent the intrusion from turning into a security failure of the system. This paper describes the fundamental concepts of intrusion tolerance and examines them against classical fault tolerance and security. We discuss the main strategies and mechanisms for building intrusion-tolerant systems and report on recent advances in distributed intrusion-tolerant system architectures.

Translation: Cheng Xiaosong, East China University of Technology, Computer Application Technology

Table of Contents

1 Introduction
2 The case for intrusion tolerance
2.1 A brief look at classical fault tolerance and security
2.2 Dependability as a common framework
2.3 Open problems
3 Intrusion tolerance concepts
3.1 The AVI composite fault model
3.2 Trust and trustworthiness
3.3 Coverage and separation of concerns
4 IT frameworks and mechanisms
4.1 Secure and fault-tolerant communication
4.2 Software-based intrusion tolerance
4.3 Hardware-based intrusion tolerance
4.4 Auditing and intrusion detection
4.5 Some security frameworks from an intrusion tolerance viewpoint
4.6 Intrusion errors
4.7 Intrusion detection mechanisms
5 Intrusion tolerance strategies
5.1 Fault avoidance vs. fault tolerance
5.2 Confidential operation
5.3 Perfect non-stop operation
5.4 Reconfigurable operation
5.5 Recoverable operation
5.6 Fail-safe
6 Modelling malicious faults
6.1 Arbitrary failure assumptions
6.2 Considering hybrid failure assumptions
7 Building intrusion-tolerant systems
7.1 (Almost) no assumptions
7.2 Non-justified assumptions, or the power of faith
7.3 Architectural hybridization
7.4 Prevention, tolerance, and a bit of salt
7.5 Using trusted components
8 Example systems
8.1
8.2 MAFTIA
8.2.1 A hybrid architecture in practice
8.2.2 Wormholes
9 Conclusions

1 Introduction

Architectures, methodologies and algorithms for distributed computing systems are an important research area in both dependability and security. Such research is increasingly applicable to many domains, such as information infrastructures, web-based commercial sites and embedded systems, whose operation has become a factor to be reckoned with, given their pervasiveness, compressed design cycles and openness. Although the two communities have historically followed different approaches, the problems they address are of a similar nature: keep the system working correctly despite what we generically call faults, whether accidental or malicious; and make sure that when the system does fail (again, because of accidental or malicious faults), it does so without causing harm. In classical dependability, particularly in distributed settings, fault tolerance has for many years been an integral part of many well-known solutions. Classical security-related work, with few exceptions, has focused on the other side: on intrusion prevention, or on intrusion detection without a systematic way of processing the symptoms of an intrusion. In the past decade a new research approach has slowly formed and recently gained very visible momentum: intrusion tolerance (IT), the notion of handling (reacting to, counteracting, recovering from, masking) a wide set of faults encompassing intentional and malicious faults (which we may collectively call intrusions), faults that, if left unattended in the system state, would compromise the system's security properties. In short, instead of trying to prevent every single intrusion, intrusions are allowed, but tolerated: the system has the means to trigger mechanisms that prevent the intrusion from generating a system failure.

Distribution and fault tolerance go hand in hand: on the one hand, distribution is used to achieve resilience to common-mode faults, and/or fault tolerance is embedded to reduce the greater failure probability that distribution itself introduces. Conversely, security and distribution also go hand in hand with respect to some faults: geographical separation and the partitioning of information and processing make an attacker's task harder. This suggests that tolerance of (distributed) malicious faults, a.k.a. (distributed) intrusion tolerance, is an obvious approach to achieving secure processing. If it is so obvious, why did it not happen earlier?

In fact, the term "intrusion tolerance" was first used in [19], and a specific system was developed in the Delta-4 project. In the following years, a number of independent works, mainly on protocols, built on the IT concept [10, 34, 23, 2, 27, 4, 22], but only recently has the area achieved decisive progress. Two major projects, one on each side of the Atlantic, OASIS and MAFTIA, have studied IT at the conceptual, mechanism and architectural levels. One main reason is that the emergence of malicious faults raises fundamental questions for distributed systems; on the other hand, classical fault tolerance follows a framework that does not apply completely to intentional and malicious faults. These issues are discussed below.

The purpose of this paper is to attempt to systematize these new concepts and design principles. It presents the fundamental concepts of intrusion tolerance (IT), examines them against classical fault tolerance and security, and points out the main open problems in the development of IT. We discuss the main strategies and mechanisms for building IT systems and report on recent advances in distributed IT system architectures. To avoid confusion, we assume that an "architecture" is a composition of components. Components have functional and non-functional properties, and an interface through which those properties are exposed. The components sit in a topology given by the architecture and interact (normally in a distributed fashion) through algorithms, and the global system properties emerge from these interactions.

2 The case for intrusion tolerance

Dependability has been defined as the property of a computer system that allows reliance to be justifiably placed on the service it delivers. The service delivered by a system is its behaviour as perceived by its users; a user is another system (human or physical) that interacts with the former.

Dependability is a body of research that encompasses a set of paradigms, fault tolerance among them, and has, with few exceptions [19, 17], been developed under a framework of accidental faults; here we present the essential concepts in a coherent way that also applies to malicious faults.

2.1 A brief look at classical fault tolerance and security

Gray asked: "Why do computers stop?" Although anything can fail, people tend to overestimate the quality of the computing systems they depend on. This is also true of distributed systems. As Lamport put it: "A distributed system is one that stops you from getting your work done because of the failure of a machine you have never even heard of." Assuming that machines fail independently, a starting point is that the reliability of a system (<1) is the product of the reliabilities of its components, so the chance that some component of a distributed system fails is much larger than for a single system. If a failed component affects other components, the situation is even worse.

Malicious faults make the dependability of distributed systems harder still: distributed protocols become harder to get right; since faults may result from a coordinated intent rather than from chance, they can no longer be considered "low probability", so the failure modes are more severe; and, being controlled by intelligent adversaries, they may occur at the most inconvenient moment for the system.

This affects a long-held belief of classical fault tolerance theory: that fault types and distributions follow statistically definable patterns, and that the environment can be defined in a probabilistic sense. In essence, one can rely on predefined, static fault models and environment assumptions. When talking about fault tolerance (FT) of malicious faults, the first question is therefore: how does one model the mind of an attacker?

Let us now look at the problem from the classical security viewpoint. Typical security properties are: confidentiality, the measure in which a service or piece of information is protected from unauthorized disclosure; authenticity, the measure in which a service or piece of information is genuine, and thus protected from forgery; integrity, the measure in which a service or piece of information is protected from unauthorized or undetected modification; availability, the measure in which a service or piece of information is protected from denial of authorized access. An ideal design aims at ensuring all of these properties, or some subset of them.

Traditionally, security has evolved as a combination of three things: preventing certain identified attacks from reaching the system; removing the vulnerabilities of the initially unsafe software; and detecting intrusions. For example, to protect confidentiality, it would be unthinkable to let an intruder read any confidential data at all. That is, security is based on a prevention paradigm. Let us instead imagine a tolerance paradigm [1]:

- assume (and accept) that the system remains vulnerable to some extent;
- assume (and accept) that attacks on components or subsystems can happen, and that some of them will succeed;
- ensure that the system as a whole remains secure and operational.

Then another question arises: how do we maintain confidentiality and integrity when the intruder can read or modify some of the data?

2.2 Dependability as a common framework

Consider the well-known fault → error → failure sequence of Figure 1. The aim of dependability is to prevent the failure of the system. The failure has a remote cause, a fault (such as a bug in a program, or a configuration error), which, if activated (e.g., the program executes the faulty code), produces an error in the system state. If nothing is done about the error, the failure of the system will eventually be observed during its operation.

Achieving dependability therefore implies the combined use of several techniques: fault prevention, how to prevent the occurrence or introduction of faults; fault removal, how to reduce the presence (number, severity) of faults; fault forecasting, how to estimate the presence, creation and consequences of faults; and finally fault tolerance, how to ensure correct service in the presence of faults. Thus, when facing malicious faults (attacks and intrusions), dependability implies that the classical prevention and removal techniques be complemented by tolerance techniques.

Figure 1: fault → error → failure sequence

Let us now review the foundations of classical and distributed fault tolerance, and see how they apply in this new scenario:

- topological separation, aiming at fault independence and graceful degradation;
- replication, of software or hardware, as one form of redundancy, with coarse or fine granularity;
- configurability, through a range of fault assumptions, numbers of replicas, and replica control types (active, semi-active, passive; consensus, voting);
- resource optimization, through the mapping of software onto hardware components and through incremental F/T classes (omission, assertive, arbitrary).

From the viewpoint of attack efficacy, topological separation makes the intruder's life harder: for example, a confidential piece of information can be spread across several sites, so that intruding one of them yields only part of it without disclosing the whole. From the viewpoint of integrity and availability, replication makes components more resilient to damage; and, although this may seem counter-intuitive, it can also benefit confidentiality and authenticity, if we think of replicated decisions (for example, whether to commit a piece of data, or whether an authentication should go through): a single intruded site cannot, on its own, determine the result of authenticating a piece of data. Configurability is the key to achieving resilience of different strengths and against different kinds of intrusion (f+1 replicas to resist denial-of-service attacks on up to f of them, 3f+1 replicas to tolerate f Byzantine faults, and so on), and also to achieving different kinds of recovery (not only the fastest, active replication, but also semi-active and passive). Resource optimization lowers the cost of implementing intrusion tolerance. The approach looks convincing, but under what conditions can attacks, vulnerabilities and intrusions actually be tolerated?

2.3 Open problems

Let us analyse some open problems that arise when looking at intrusion tolerance from either a security or a fault tolerance perspective.

First, what is the risk of an intrusion? Risk is a combined measure of the probability of intrusions and of their severity, that is, of the impact those intrusions would have. The former is influenced by two factors combined: the level of threat to which the system is exposed, and its degree of vulnerability. A measure of the potential insecurity of a system (in other words, of the difficulty of guaranteeing its security) depends on the number and type of flaws of the system (vulnerabilities) and on the probability of those flaws being exploited (threats). Put plainly, the probability of intrusion is given by the probability that attacks on the system's vulnerabilities succeed. The latter, the impact, is measured by the cost of an intrusion to the operation of the system, which can take several forms (economic, political, etc.).

Consider the following two example systems:

The Vault system is a very resilient system, with a low vulnerability score, vVault = 0.1; because of its high resilience, its designers use it to serve anonymous requests on the Internet, without controlling who accesses it, so the threat level it faces is very high, TVault = 100.

The Sieve system is just the opposite: it is a very vulnerable system, vSieve = 10, so its designers protect it by placing it behind a firewall and controlling its access, which translates into a low threat level, TSieve = 1.

Which system runs a lower risk? Take the product of threat and vulnerability as the measure of risk in our theoretical example: using the assumed values, although the vulnerability of the Sieve system is a hundred times that of the Vault system, the two systems obtain the same result (10).

Should we do our best to reduce the risk? Is that even feasible? This is the classical approach of reducing the vulnerability and the threat (the power, number and severity of attacks) faced by the system. The problem is that there is no way of bringing these arbitrarily low, for the following reasons: the cost is too high and/or the task too complex (for example, very large code bases, hardware constraints); some attacks come with the type of service being deployed (for example, a public anonymous server on the Internet); some vulnerabilities are intrinsic to the system design (for example, race conditions arising from mechanisms of some operating systems).

Even if we could reduce the risk to zero, would we want to? It should be possible to talk about acceptable risk: the acceptable risk is the failure probability we are willing to accept, given the value of the service or data we are protecting. This is the same reasoning that sets the standard for the residual faults left over by fault prevention and removal in classical fault tolerance, and it should guide our reasoning when building intrusion-tolerant systems. If we consider that hackers or intruders also incur an intrusion cost, measurable in time, effort, money or a combination thereof, then by relating the cost of intrusion to the value of the assets at stake the "acceptable risk" can be made explicit, and we obtain a further guideline for the system's assumptions. The Secure Sockets Layer (SSL) was announced as ensuring secure client-server interaction between a browser and a WWW server. Is SSL secure? A user who cannot quantify the matter will tend to believe the interaction is secure (i.e., that the vulnerability to attackers is low). Some companies built their commercial servers on SSL, some of them completing important financial transactions over the Internet (a high level of threat). Netscape's SSL was broken, first because a bug allowed session keys to be reproduced, which compromised every communication; then because a 40-bit key (the key length permitted by US export restrictions on cryptographic material) could be cracked by brute force, so the revised version was broken at least twice. The initial situation therefore amounted to a high risk.

Is SSL secure enough? Netscape released a revised version of SSL and announced that breaking one Internet session would cost at least $10,000 in computing. Comparing the cost of intruding a system with the value of the system is how an architect carries out a risk assessment: someone spending $10,000 to break a system and collecting a $100 gain would be making a loss. This gives a definition of acceptable risk. Unfortunately, such assessments can fail: shortly after Netscape's announcement, a student broke the system with a high-performance graphics workstation, spending only about $600. There was nothing wrong with Netscape's principle and attitude, but what they did was too idealized.

Tamper-proof or tamper-resistant? Traditionally, "tamper-proof" means that a component is shielded, i.e., that it cannot be penetrated. However, to deal with the embarrassment of components not being "perfectly" tamper-proof, experts in the field introduced a weaker term, "tamper-resistant", to express that fact. The latter, however, is not rigorously defined, which leads to what we call the "watchmaker syndrome":

- "Is this watch waterproof?"
- "No, it is water-resistant."
- "Anyway, I assume I can swim with it!"
- "Yes, you can! But... I am not really sure..."

Without introducing yet another vague term, what needs to be defined is a measurable notion of the "imperfection" of tamper-proofness. How can something be trusted and yet not be trustworthy? Traditionally, in security, the aim is to establish trust between components, but the trustworthiness of the object of that trust is usually not analysed. This leads to what we call the "unjustified reliance syndrome":

- "I trust Alice!"
- "Well, Bob, you shouldn't; she is not trustworthy."

Where is the problem? Bob placed his trust in some high-level notion (for example, Alice herself), but should have been on guard about a fact he overlooked (for example, that Alice can forge certificates). A distinction must be made between what is trusted of a component and what the component can actually deliver. How do we model the hacker? Since the hacker is the one attacking the system, the fault model should be a description of his or her behaviour. Classical modelling approaches would then lead to the "well-behaved hacker syndrome":

- "Hello, I'll be your hacker today, and here is the list of things I promise not to do."
- "Thank you, and here are a few additional attacks we hope you won't try."

What is urgently needed, then, is a way of modelling the attacker that is both usable and realistic. The key issues raised in this section will be revisited in the remaining sections of the paper.

3 Intrusion tolerance concepts

What is intrusion tolerance? As said above, in terms of security it is the tolerance paradigm: assume that the system still has some vulnerabilities; assume that attacks on components or subsystems can happen, and that some of them will succeed; ensure that the system as a whole remains secure and operational. In other words:

- faults, malicious and other, occur;
- they generate errors, e.g., component-level security compromises;
- error-processing mechanisms ensure that a security failure is prevented.

Obviously, a complete approach combines tolerance with prevention, removal and forecasting, as in the classical dependability field.

3.1 The AVI composite fault model

A system or component can fail, with respect to its security policy, for a wide variety of reasons, ranging from internal faults (e.g., vulnerabilities) to external, interaction faults (e.g., attacks), and combinations of the two, which may directly lead to component failure (e.g., intrusions). An intrusion has two underlying causes:

Vulnerability: a fault in a computing or communication system that can be exploited with malicious intent.

Attack: a malicious intentional fault attempted against a computing or communication system, with the intent of exploiting a vulnerability in that system, which leads to:

Intrusion: a malicious operational fault resulting from a successful attack on a vulnerability.

It is important to distinguish the several kinds of faults capable of contributing to a security failure. Figure 2a shows the fundamental sequence of these three kinds of faults: attack → vulnerability → intrusion → failure. The definitional relation between the three, attack/vulnerability/intrusion, is what we call the AVI composite fault model. The AVI sequence can recur in the chain of events produced by an intruder, also known as an intrusion campaign; for example, a given vulnerability may have been introduced by an intrusion resulting from an earlier successful attack.

Vulnerabilities are the primordial faults existing inside a system, essentially requirements, specification, design or configuration faults (e.g., a coding fault allowing a program to run with root setuid privileges in a UNIX system, a weak password, an unprotected TCP/IP port). These are normally accidental, but may result from intentional actions, as pointed out in the previous section. Attacks are interaction faults whose malicious intent is to activate one or more of those vulnerabilities (e.g., port scans, e-mail viruses, malicious Java applets or ActiveX controls).

The event of a successful attack activating a vulnerability is called an intrusion. This further characterizes the fault as an error state in the system, which may take many forms (e.g., an unauthorized privileged account accessed through telnet, a hacker who has gained abnormal access permissions to system files). An intrusion, then, is a fault whose resulting errors can be found by intrusion detection, and which can be recovered from or masked. However, if the errors caused by the intrusion are left unhandled, a failure of some or several of the security properties will probably occur.

Figure 2: (a) the AVI composite fault model; (b) preventing security failure

Why a composite model? The AVI model is a specialization of the generic fault → error → failure sequence, and has several advantages. First, it describes the mechanism of intrusion precisely: without a corresponding attack, a given vulnerability is harmless; without a vulnerability at the target, an attack is irrelevant. Second, it provides constructive guidance for building dependability against malicious faults, through the combination of several techniques. We can prevent some attacks from occurring, thereby reducing the level of threat, as shown in Figure 2b. Attack prevention can be performed, for example, by hiding the password file in a UNIX system so that unauthorized users cannot access it, or by isolating part of the system (for example, placing it behind a firewall so that it cannot be reached from the Internet, which blocks attacks originating there). We can also perform attack removal, which consists of trying to stop ongoing attacks. However, it is impossible to prevent all attacks, so reducing the level of threat should be combined with reducing the degree of vulnerability: through vulnerability prevention, e.g., by adopting best practices when designing and building the system, or through vulnerability removal (e.g., debugging, patching, or disabling modules), e.g., when a specific vulnerability is found to be under attack. The combination of the techniques just described amounts to intrusion prevention, i.e., preventing the occurrence of intrusion faults.

Figure 2b also illustrates that, like any form of prevention, intrusion prevention cannot be guaranteed to be perfect. The reasons are obvious: it is impossible to handle all attacks, either because not all of them are known or because new ones may appear; and it is impossible to remove or prevent the existence of all vulnerabilities. Since intrusions can still slip through the prevention process, the system must, as shown, tolerate intrusions in order to prevent its failure. As will be explained later, this can take several forms: detection (e.g., of intruded account activity, of Trojan horse activity); recovery (e.g., interception and neutralization of intruder activity); or masking (e.g., voting between several components, including a minority of intruded ones).
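The masking-by-voting mechanism mentioned above, and the replication thresholds quoted in Section 2.2 (f+1 replicas against denial of service, 3f+1 against Byzantine faults), can be checked directly. The following Python code is an added example, not part of the original paper or of the OASIS/MAFTIA systems: a client-side voter accepts a result only when at least f+1 replicas agree on it, and a brute-force search over every way an adversary can forge or silence at most f replicas derives the smallest replica count for which the voter always reaches the correct decision. The reply values (ok, forged), the search bound and the adversary model (forging and silencing sets of at most f replicas each) are assumptions of this example; it goes slightly beyond the text by also covering the forge-only case, which yields 2f+1.

```python
"""Deriving replication thresholds for voting-based masking.

Added example, not from the original paper or the OASIS/MAFTIA projects.
A client sends the same request to n replicas and votes on the replies;
at most f replicas are intruded.  An intruded replica may forge a reply
and/or be silenced (crash, denial of service).  Reply values and the
search bound are constructed for the demo.
"""
from collections import Counter
from itertools import combinations

CORRECT = "ok"        # reply of a correct replica (constructed value)
FORGED = "forged"     # reply of an intruded replica (constructed value)
SILENT = None         # no reply at all


def vote(replies, quorum):
    """Client-side voter: return the value backed by at least `quorum`
    identical non-silent replies, or None if no value reaches the quorum.

    With quorum = f + 1 and at most f intruded replicas, any value that wins
    was returned by at least one correct replica, so an intruded minority can
    never impose a forged result; the worst it can do is deny a decision.
    """
    counts = Counter(r for r in replies if r is not SILENT)
    for value, n in counts.most_common():
        if n >= quorum:
            return value
    return None


def adversary_outcomes(n, f, can_forge, can_silence):
    """Yield every reply vector an adversary can induce against n replicas by
    forging the replies of at most f replicas and silencing at most f
    (possibly overlapping) replicas."""
    subsets = [set(c) for k in range(f + 1) for c in combinations(range(n), k)]
    forged_sets = subsets if can_forge else [set()]
    silent_sets = subsets if can_silence else [set()]
    for forged in forged_sets:
        for silent in silent_sets:
            yield [SILENT if r in silent else FORGED if r in forged else CORRECT
                   for r in range(n)]


def always_decides_correctly(n, f, can_forge, can_silence):
    """True if the voter returns CORRECT for every adversary configuration."""
    quorum = f + 1 if can_forge else 1   # without forgery any reply is genuine
    return all(vote(replies, quorum) == CORRECT
               for replies in adversary_outcomes(n, f, can_forge, can_silence))


def min_replicas(f, can_forge, can_silence, limit=16):
    """Smallest n (searched up to `limit`) for which voting masks the adversary.

    Expected: f+1 when the adversary can only silence (denial of service),
    2f+1 when it can only forge, 3f+1 when it can do both.
    """
    for n in range(1, limit + 1):
        if always_decides_correctly(n, f, can_forge, can_silence):
            return n
    return None


if __name__ == "__main__":
    for f in (1, 2):
        print(f"f={f}: silence-only n={min_replicas(f, False, True)}, "
              f"forge-only n={min_replicas(f, True, False)}, "
              f"both n={min_replicas(f, True, True)}")
```

The search makes the configurability point of Section 2.2 explicit: the same voter, fed a stronger fault assumption (forgery plus silencing rather than silencing alone), needs 3f+1 replicas instead of f+1, and the extra replicas are the price of tolerating a Byzantine minority rather than merely a crashed one.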

3.2 Trust and trustworthiness

The adjectives "trusted" and "trustworthy" are central to the debate on the dependability of systems. So far they have often been used inconsistently, and exclusively in the context of security. However, the notions of "trust" and "trustworthiness" can be generalized to refer to generic properties, not just security, and there is a well-defined relationship between them; in a sense, they are closely related to the words "trusted" and "trustworthy".

Trust: the accepted dependence of a component on a set of properties (functional and/or non-functional) of another component, subsystem or system.

In consequence, a trusted component has a set of properties that are relied upon by another component (or components). If A trusts B, then A accepts that a violation of those properties of B might compromise the correct operation of A. Note that trust is not absolute: the degree of trust that A places in B is expressed by the set of properties, functional and non-functional, that A trusts of B (for example, for a smart card: P1, it gives a correct signature for every input; P2, it has a mean time between failures of 10 hours, for a given level of threat...). The properties of B trusted by A may not correspond, quantitatively or qualitatively, to B's actual properties. However, for the relation implied by trust to be well founded, trust should be placed within the limits of what is justifiably recognized of the component; in other words, the trust placed in B should be proportionate to the measure of B's trustworthiness.

Trustworthiness: the measure in which a component, subsystem or system satisfies a set of properties (functional and/or non-functional).

The trustworthiness of a component is, not surprisingly, defined by how well it secures the set of functional and non-functional properties of its architecture, construction and operation, and by how well this is evaluated. The smart card used to implement the above example would, under normal operating conditions, actually meet or exceed P1 and P2.

The above definitions have implications for the design of intrusion-tolerant systems. Trust is not absolute: it may have several degrees, quantitatively or qualitatively speaking; it is related not only to security properties but in fact to any property (e.g., timeliness); and trust and trustworthiness lead to complementary aspects of the design and verification process. In other words, when A trusts B, A makes a set of assumptions about B; the measure of B's trustworthiness is the coverage of those assumptions.

In fact, trust and trustworthiness can be treated separately. Trust chains or layers can be defined, formally expressed, and verified in this process. Complementarily, it should be ensured that the components involved in that process are given the necessary trustworthiness. This involves the design and verification of components, or the validation/certification of existing ones (e.g., test equipment). The two notions establish a separation of failure modes: the higher-level algorithms or assertions (e.g., authentication/authorization logic) on one side, and the infrastructure they rely on (e.g., the entry point, server and communication infrastructure) on the other.

Intrusion tolerance strategies should rely on these notions. Asking whether "a trusted component is trustworthy" suggests the following guidelines for the constructor of complex, component-based systems: components are trusted only to the extent of their trustworthiness; there is a separation between the process of building trust on the components (e.g., by constructing fault-tolerant algorithms on top of them) and the process of achieving or demonstrating their trustworthiness (e.g., by building the components themselves). The practical application of these guidelines will be exemplified in later sections.

Let us revisit, in the light of these concepts, the notion of a tamper-proof device. Tamper-proofness is a property of a protected system/component whose attack model is that it can only be attacked through its regular interfaces. The component may not be perfect, but we measure its trustworthiness in terms of the coverage of the tamper-proofness assumption and trust it accordingly, rather than resorting to "tamper-resistance".

As an example, suppose the implementation of an authentication service uses JavaCards to store keys. We assume the JavaCards to be tamper-proof, so we declare them trusted not to reveal those keys to unauthorized parties. We therefore build the authentication service on the trust placed in the JavaCards, but only within the limits of their trustworthiness, i.e., the coverage of the JavaCards' tamper-proofness assumption. For example, a general estimate should be made of the resilience of the JavaCards in a given environment (attack model), in terms of, e.g., time and computing power.

3.3 Coverage and separation of concerns

Let us analyse how correct trust is established under the AVI model. Suppose component C has an assertion P with coverage Pr, which defines C's trustworthiness. Another component B should then trust C to the extent Pr. Failures of C consistent with its stated trustworthiness (for example, Pr < 1) are "normal"; B, if it depends on C, should be aware of them and expect them (and, perhaps from the perspective of a larger system, take precautions to tolerate them).

It is also possible, however, that B trusts C more than it should: the degree of trust placed on C is higher than C's trustworthiness, perhaps through an error or negligence of B's designer. Any failure of C beyond what B assumed may then lead to unexpected failures of B.

Figure 3: Establishing trust

Finally, the statement about C's trustworthiness may itself be wrong (regarding the assertion P, or its coverage Pr, or both). The component then fails in worse, earlier or more frequent ways than declared, that is, beyond its real resilience. In this case, even if B trusts C only to the declared degree, unexpected failures may still occur. This time, however, they are due to incorrect work by the builder of the component.

This separation of concerns is very important when building dependable systems out of components, in the "OEM" or "COTS" manner: if one "buys" a component with a given specification, the "manufacturer", even if it is just another design team within the same project, is ultimately responsible for the component meeting that specification.

Finally, what does it mean for component B to trust component C? It means that B makes certain assumptions about C. Concretely, suppose B is a set of elements (B1 ... Bn) running a specific algorithm that produces a set of properties A, in a runtime environment consisting of a set C of elements (C1 ... Cn). This modular view suits distributed systems, but is not limited to them. We envisage the environment shown in Figure 3a.

As shown there, C is built to provide a set of properties, called H. It is drawn as the support environment in which B operates, the shaded part of Figure 3b.

"B trusts C to provide H" means that B depends on the environment H to run an algorithm that guarantees the properties A. Likewise, the user trusts B to provide A. Without further qualification, the chain of trust would be: if C is trusted to provide H, then B is trusted to provide A.

Now let us look at the trustworthiness side. H holds with a probability Pre, the environmental assumption coverage:

Pre = Pr(H | f), f an arbitrary fault

Pre measures the confidence in C providing the properties H. Given H, A holds with a given probability (it can be 1 if the algorithm is deterministic and correct, and less than 1 if the algorithm is probabilistic or has design faults), the coverage Pro, or operational assumption coverage:

Pro = Pr(A | H)

Pro measures the confidence in B providing the properties A (given H as its environment). Thus the trustworthiness of component B alone (providing A, given H) is Pro.

As we recommended, these equations should set limits on the extent of the trust relationships. B should trust C to provide H with confidence Pre < 1. But since the user's trust in B is conditioned by B's trust in C, it is constrained by C's trustworthiness: the user should not trust B in isolation, but trust B to provide A with confidence

PrA = Pro × Pre = Pr(A | H) × Pr(H | f) = Pr(A | f), f an arbitrary fault

The last equality assumes that B provides A only through H, so that A cannot hold when H fails, and that, given H, the algorithm's behaviour does not otherwise depend on f. The chain of reasoning can be carried further. PrA is the trustworthiness of the system composed of B and C in providing the properties A to the user; in other words, it measures how far the user may trust that system.

4 IT frameworks and mechanisms

Having introduced the concepts of intrusion tolerance, in this section we briefly analyse the main frameworks that a system architect can use to build intrusion-tolerant systems: secure and fault-tolerant communication; software-based intrusion tolerance; hardware-based intrusion tolerance; auditing and intrusion detection. We also review some well-known security frameworks from the intrusion tolerance perspective. Finally, we review the error processing mechanisms used to recover from intrusions.

4.1 Secure and fault-tolerant communication

This framework concerns the body of protocols that ensure intrusion-tolerant communication. Essential to it are secure channels and secure envelopes, and classical fault-tolerant communication. Secure channels are typically used for the regular communication between principals, or for exchanges with a notion of session or connection, that is, long-lived exchanges such as file transfers or remote sessions. They sit at a particular point in the resilience/speed trade-off. Because they operate on line, they can use physical or virtual encryption of the connection. Secure channels take their security guarantees per session, and usually rely on symmetric cryptography with channel authentication by message authentication codes (MACs), signatures or encryption. Secure envelopes are mainly used for sporadic transmissions, such as e-mail. They provide security guarantees per message, and may combine symmetric and asymmetric cryptography (hybrid encryption) to improve performance, especially for large messages.

Several techniques help in the design of fault-tolerant communication protocols. The choice among them depends mainly on the following question: what is the failure class assumed for the components of the communication network?

For the architect, this establishes a basic link between security and fault tolerance. In classical fault tolerance, omissive failure models (crash, omission, etc.) are common. In IT, the failure model must be oriented to the AVI fault model; special properties of some components may restrict the initial hypothesis, which is the most general one: arbitrary failures (any combination of omissive and assertive behaviour). This is in fact the most adequate baseline model for malicious intelligence.

4.2 Software-based intrusion tolerance

The main purpose of software-based fault tolerance is to tolerate hardware faults using software. Another important aspect is the tolerance of software design faults through design diversity. Finally, replication-based software fault tolerance is known to be very effective in handling transient and intermittent software faults.

Software-based fault tolerance is the basic building block of distributed fault tolerance, of which it is the main example. The main participants are replicated software modules; the number and location of the replicas across the sites of the system depend on the dependability goals.

From the IT perspective, we can analyse what can be done. In the presence of design or configuration faults, simple replication of identical components has no significant effect: the faults appear systematically in all replicas. From the attack perspective this is also true: a vulnerability is present in all copies. However, under the AVI model the common-mode symptom that matters, the intrusion, results from an attack-vulnerability pair rather than from a vulnerability alone. This gives the architect some opportunities. Consider both common-mode vulnerabilities and common-mode attacks, for example cloned attacks that can target all (identical) replicas automatically and simultaneously. Design diversity, for instance using different operating systems, reduces not only the probability of common-mode vulnerabilities (the classical motivation) but also the probability of common-mode attacks, by forcing the attacker to master attacks against more than one architecture. Consequently, as desired, the probability of common-mode intrusions is reduced.

This can be taken further: use different system architectures, and vote on the results of execution rather than on asserted expected results. For example, each replica of a given component can be designed and developed by a different team of programmers. Software design diversity is, however, quite expensive (even with a single team, the development cost of most software products is already high), so unless the budget is ample, design diversity is seldom used.

Yet even simple replication of identical components can be made fruitful. When the components have sufficiently high trustworthiness, successfully attacking one of them (for example, "breaking" it) is difficult. In that case we may apply the classical dependability principle that the reliability of a replica set is much higher than that of a single replica. For example, simple replication becomes fruitful if it is made hard for the attacker to launch synchronized attacks on all replicas.

A warning is in order before applying the exact formulas. The formulas behind this principle assume independent failure modes. In IT, our view is that we sit between the two extremes: replica failures are neither independent nor purely common mode. Where exactly is still a research topic. Whatever the approach, we must not forget the need to consider fault models that follow malicious behaviour, as discussed in the previous section: the replica management criteria (for example, voting) should account for both deterministic (value-domain) behaviour and Byzantine behaviour (for example, inconsistent answers to different participants).

Finally, since identical components can be placed on different hardware or different operating system architectures, this inherent "diversity" is sufficient to tolerate faults that lead to intermittent behaviour. Consequently, transient faults and even malicious faults such as low-intensity sporadic attacks can be handled in this way.

The introduction of vulnerabilities, as a first step of an intrusion campaign (to be exploited by subsequent attacks), can also be discussed from the viewpoint of attacker capability. Vulnerabilities can be introduced covertly, unlike attacks that need to be synchronized, and this makes the resulting attacks harder to estimate and potentially more dangerous than the vulnerabilities analysed above.
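As an added example (not code from the paper), the following Python block illustrates the replication and voting discussion above: a majority voter over n = 2f+1 replicas, a Byzantine replica that gives different answers to two different voters, and the gap between the independence formula behind "a replica set is more reliable than a single replica" and the common-mode case. All replica values and probabilities are constructed for the example.

```python
"""Replication and voting under the AVI fault model.

Added example, not code from the paper. It shows (1) that majority voting
over n = 2f+1 replicas masks up to f arbitrarily (Byzantine) faulty
replicas, including replicas that answer different voters differently,
(2) that the classical replica-set formula needs the independence
assumption and can even make things worse when per-replica trustworthiness
is low, and (3) that common-mode intrusion of identical clones defeats
replication entirely.
"""
from collections import Counter
from math import comb


def majority_vote(replies, f):
    """Decide on the value supported by at least f+1 of the 2f+1 replies.

    Returns None if no value reaches the quorum, which cannot happen while
    the fault assumption (at most f faulty replicas) holds, because the
    f+1 correct replicas always agree with each other.
    """
    if len(replies) != 2 * f + 1:
        raise ValueError("voter expects exactly 2f+1 replies")
    value, support = Counter(replies).most_common(1)[0]
    return value if support >= f + 1 else None


def simulate_vote(correct_value, faulty_replies_per_voter, f):
    """Run independent voters against 2f+1 replicas.

    faulty_replies_per_voter[i] lists what the faulty replicas told voter
    i; a Byzantine replica may tell each voter something different.
    Correct replicas return correct_value to everyone.
    """
    n = 2 * f + 1
    decisions = []
    for faulty in faulty_replies_per_voter:
        if len(faulty) > f:
            raise ValueError("fault assumption violated: more than f faulty")
        replies = [correct_value] * (n - len(faulty)) + list(faulty)
        decisions.append(majority_vote(replies, f))
    return decisions


def set_compromise_probability(n, f, p):
    """Probability that more than f of n replicas are intruded, assuming an
    independent intrusion probability p per replica (binomial tail).

    Only meaningful under independence, which design diversity is meant
    to approximate. For p > 0.5 the set is weaker than a single replica.
    """
    return sum(comb(n, k) * p ** k * (1 - p) ** (n - k)
               for k in range(f + 1, n + 1))


def common_mode_compromise_probability(p):
    """Identical clones sharing one vulnerability fall to one cloned
    attack: the whole replica set is exactly as weak as a single replica."""
    return p


if __name__ == "__main__":
    # Constructed scenario: f = 1, hence n = 3; the one faulty replica
    # tells voter 0 "B" and voter 1 "C" (Byzantine inconsistency).
    print(simulate_vote("A", [["B"], ["C"]], f=1))           # ['A', 'A']
    print(majority_vote(["A", "B", "B"], f=1))               # B: assumption exceeded
    print(round(set_compromise_probability(3, 1, 0.10), 4))  # 0.028
    print(round(set_compromise_probability(3, 1, 0.90), 4))  # 0.972
    print(common_mode_compromise_probability(0.10))          # 0.1
```

The second line of output is the point of the warning in the text: two colluding faulty replicas out of three exceed f = 1 and the vote returns the wrong value, so the replication factor must be chosen for the failure class actually assumed.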

4.3 Hardware-based intrusion tolerance

Software-based and hardware-based fault tolerance are not incompatible design approaches. In a modular and distributed system environment, today's fault-tolerant hardware should be seen as a means of constructing fail-controlled components, that is, components that are prevented from failing in certain ways. This helps to establish improved levels of trustworthiness, and the improved trust that can then be placed on such components allows more efficient fault-tolerant systems to be built.

Distributed algorithms that tolerate arbitrary faults are expensive in resources and time. For the sake of efficiency, it is often desirable to use hardware components with enhanced, controlled failure modes as the infrastructure over which the protocols run. This does not imply that the system's ability to recover from malicious faults is degraded in any way.

4.4 Auditing and intrusion detection

Logging system activity and events is good management practice, and logs are available in many operating systems. By analysing the logs, problems and their causes can be diagnosed after the fact. Audit trails are a vital framework in the security field.

Not only for technical reasons but also for accountability, it is important to track events and actions within a given time period, by subject, object, service or resource. Moreover, it is crucial that all actions can be audited, not just those on a few resources. The granularity of the audit should match the granularity of the attacks the system may suffer. Since intruders may try to erase their traces, the logs should be tamper-proof, which most operating systems do not provide.

Intrusion detection (ID) is a classical framework in the security field, comprising various methods for detecting the occurrence or the likelihood of intrusions. ID can be performed at runtime or off line. An intrusion detection system (IDS) is thus a supervision system that follows and logs system activity in order to detect and counter (preferably in real time) any or all of: attacks (for example, port scan detection), vulnerabilities (for example, vulnerability scanning) and intrusions (for example, correlation engines).

The NSA (1998) defines ID as: pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data; detection of break-ins or attempts, either manually or via software expert systems that operate on logs or other information available on the network.

In IT terms, two facets need to be mentioned, error detection and fault diagnosis, which are usually blurred together in current ID systems. Why does this happen, and why does it matter? It happens because the primary purpose of an IDS has been to improve prevention and to trigger manual recovery. It matters because, if automatic recovery (fault tolerance) is the goal, the two must be distinguished: what is a fault, according to the security policy, and what is an error, according to the system's fault model. Faults (for example, attacks, vulnerabilities, intrusions) are diagnosed so that measures can be taken against them (for example, passivation, removal). Errors are detected so that they can be processed automatically in real time (recovery, masking).

To understand the problem better, consider the following cases. An organization has an intranet connected to the public Internet through an extranet, and runs an IDS: (a) the IDS detects a port scan against an extranet host; (b) the IDS detects a port scan from the Internet against an internal host; (c) the IDS detects a port scan from the intranet against an internal host. What is the difference between (a), (b) and (c)? In fact, (a) must nowadays be considered "normal" Internet behaviour: at most an attack, not an intrusion, unless an error model is defined for external behaviour, for example a threshold or a pattern. On the other hand, if the security policy (as expected) does not allow scans from the Internet against internal ports, then (b) indicates an error (the protection mechanisms have been bypassed). Finally, (c) also indicates an error, since the security policy is expected to forbid port scans from the inside as well. ID as error detection is detailed later. It amounts to detecting erroneous states in the system's computation that derive from malicious action, for example modified files or messages, or a system penetrated through a buffer overflow. ID as fault diagnosis has other objectives, and the two should not be mixed. Aside from the error processing mechanisms (recovery or masking), the management subsystem has a very important role with respect to fault diagnosis. As a facet of classical ID, it complements error processing: it can be used to issue warnings about events that may occur (vulnerability diagnosis, attack forecasting), and to assess the success of intruders against parts or subsystems of the system (intrusion diagnosis).

Diagnosis can also take place before errors occur. For example, we can obtain a measure of resilience (affected by the coverage of the method) by activating faults (for example, vulnerability scanning) and post-processing the results (predicting their impact). Likewise, by analysing external behaviour we can try to forecast attacks (for example, by analysing external port scans).
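The three port-scan cases above, as an added example that is not part of the original paper: a small detector over constructed firewall-style log lines (format, addresses and zone boundaries are assumptions made for the example), followed by the fault/error classification the text describes. The threshold on distinct ports stands for the "error model for external behaviour" the text mentions; the zone policy stands for the security policy.

```python
"""Intrusion detection: error detection versus fault diagnosis.

Added example, not code from the paper. It detects port scans in
constructed log lines and then applies the classification used in the
text: a scan of an extranet host from the Internet is at most an attack
(no error under the policy); a scan that reaches an intranet host from the
Internet is an error because the protection mechanism was bypassed; a
scan originating inside the intranet is an error because the policy
forbids internal scanning. Zones, addresses and log format are assumed.
"""
import ipaddress
import re
from collections import defaultdict

# Assumed network zones (constructed for the example).
EXTRANET = ipaddress.ip_network("192.0.2.0/24")
INTRANET = ipaddress.ip_network("10.0.0.0/8")

# Assumed log line: "<timestamp> src=<ip> dst=<ip> dport=<port>"
LINE_RE = re.compile(r"^(\S+) src=(\S+) dst=(\S+) dport=(\d+)$")


def zone(ip):
    """Classify an address as extranet, intranet or (anything else) internet."""
    addr = ipaddress.ip_address(ip)
    if addr in EXTRANET:
        return "extranet"
    if addr in INTRANET:
        return "intranet"
    return "internet"


def parse(lines):
    """Yield (timestamp, src, dst, dport) tuples; malformed lines are
    skipped so that a corrupt record cannot take the detector down."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3), int(m.group(4))


def detect_scans(lines, threshold):
    """A (src, dst) pair touching more than `threshold` distinct ports is
    reported as a scan. Returns {(src, dst): distinct_port_count}."""
    ports = defaultdict(set)
    for _, src, dst, dport in parse(lines):
        ports[(src, dst)].add(dport)
    return {pair: len(p) for pair, p in ports.items() if len(p) > threshold}


def classify(src, dst):
    """Map a detected scan onto the fault/error distinction of the text."""
    s, d = zone(src), zone(dst)
    if s == "intranet":
        return "error: policy forbids port scans from the inside (case c)"
    if d == "intranet":
        return "error: scan from Internet reached an internal host, protection bypassed (case b)"
    if d == "extranet":
        return "attack, no error: external scan of an exposed host (case a)"
    return "ignored: traffic outside the monitored zones"


def analyse(lines, threshold=5):
    """Run detection then classification; returns {(src, dst): verdict}."""
    return {pair: classify(*pair) for pair in detect_scans(lines, threshold)}


# Constructed sample log (not real traffic): cases (a), (b), (c), one
# single connection that is not a scan, and one unparseable line.
SAMPLE_LOG = (
    [f"2003-04-01T10:00:{i:02d} src=203.0.113.5 dst=192.0.2.10 dport={20 + i}" for i in range(8)]
    + [f"2003-04-01T10:01:{i:02d} src=198.51.100.7 dst=10.1.1.20 dport={100 + i}" for i in range(6)]
    + [f"2003-04-01T10:02:{i:02d} src=10.2.2.2 dst=10.1.1.30 dport={1000 + i}" for i in range(7)]
    + ["2003-04-01T10:03:00 src=203.0.113.9 dst=192.0.2.10 dport=80",
       "garbage line that does not parse"]
)

if __name__ == "__main__":
    for pair, verdict in analyse(SAMPLE_LOG).items():
        print(pair, "->", verdict)
```

Only the two "error" verdicts are candidates for automatic error processing (recovery or masking); the case (a) verdict is input for fault diagnosis and attack forecasting, which is exactly the distinction the text asks an IDS to make explicit.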

4.5 Some security frameworks from the IT perspective

Some mechanisms belonging to the security field (secure channels and envelopes, authentication, protection, cryptographic communication) can be reviewed from the IT perspective, forming a useful conceptual toolbox for building IT systems.

Figure 4: Tunnels, secure channels and envelopes

Secure tunnels, for example secure IP-over-IP channels across the Internet, are intrusion prevention devices (Figure 4): despite intrusion attempts, they enforce confidentiality and integrity (and sometimes authenticity) between the access points. A given coverage is provided by: the tunnelling method, and the resilience of the access-point gateways.

Figure 5: Firewalls

Firewalls are intrusion prevention devices (Figure 5): they prevent attacks on the inner machines that could exploit vulnerabilities and lead to intrusions. Their coverage is given by: the semantics of the firewall's functions, and the resilience of the bastion hosts.

Authentication mechanisms and protocols between two or more entities (signatures, message authentication codes (MACs)) are also intrusion prevention devices (Figure 6a): they enforce authenticity, preventing participants or data sources from being impersonated or forged. Their coverage is given by: the signature and verification method.

Finally, some cryptographic protocols are important recurrent building blocks of intrusion-tolerant architectures. Self-enforcing protocols such as Byzantine agreement or atomic multicast (Figure 6b) are intrusion tolerance devices: they perform error processing or masking (over 3f+1, 2f+1 or f+1 participants, depending on the fault model) and guarantee message delivery despite actual intrusions. Their coverage is determined by: the semantics of the protocol, and the intrinsic assumptions of its model. Trusted third party (TTP) protocols are also intrusion tolerance devices that perform error processing or masking, but they rely on the TTP for correct operation (Figure 7a). Their coverage is determined by: the semantics of the protocol's functions, the intrinsic assumptions of its model, and the resilience of the TTP. Finally, threshold cryptography protocols are also intrusion tolerance devices (Figure 7b): they perform error processing or masking as long as the number of intruded participants stays below the assumed threshold of f+1 out of n. Their coverage is given by: the semantics of the cryptographic function, its resilience to brute-force attack, and the intrinsic assumptions of its model.

Figure 6: (a) Authentication; (b) Communication and agreement protocols

Figure 7: (a) Trusted third party protocols; (b) Threshold cryptography

4.6 Processing the errors deriving from intrusions

Let us review the classes of mechanisms for processing the errors that derive from intrusions. In essence, we discuss the typical error processing mechanisms used in fault tolerance, seen from the IT perspective: error detection; error recovery; and error masking.

Error detection is concerned with detecting the error after an intrusion is activated. Its purposes are: to confine the error and avoid its propagation; to trigger error recovery mechanisms; and to trigger fault treatment mechanisms. Typical examples of errors are: Byzantine messages; modified files or memory variables; phoney operating system accounts; sniffers, worms or viruses in operation.

Error recovery is concerned with recovering from the error once it is detected. Its purposes are: to provide correct service despite the error; and to recover from the effects of the intrusion. Examples of backward recovery are: the system rolls back to a previous state known to be correct and resumes execution; a system suffering a denial of service (DoS) attack re-executes the affected operations; a system detects tampered files, suspends, reinstalls those files, and rolls back to the last correct point. Forward recovery is also used: the system proceeds forward to a state that guarantees correct service; a system detects an intrusion, considers the corrupted operations lost, and raises its security level (increasing thresholds or quorums, renewing keys); a system detects an intrusion and moves into a degraded but secure mode of operation.

Error masking is the preferred mechanism when, as often happens, error detection is not reliable or its latency is too high. Redundancy is used systematically to provide correct service without the fault being noticeable. Examples are: voting on the operations of the system; Byzantine agreement and interactive consistency; fragmentation-redundancy-scattering; sensor correlation (agreement on imprecise values).

4.7 Intrusion detection mechanisms

Depending on the methodology, classical ID systems belong to one of two classes (or a mixture of them): behaviour-based (or anomaly) detection systems, and knowledge-based (or misuse) detection systems. Behaviour-based (anomaly) detection systems are characterized by needing no knowledge of specific attacks. They are provided with knowledge of the normal behaviour of the monitored system, acquired for example through extensive training on the system in correct operation. Their advantage is that they do not need a database that must be kept up to date. Their disadvantages are a high probability of false alarms, and that they provide no information (diagnosis) about the kind of intrusion, only that an anomaly has occurred.

Knowledge-based (misuse) systems rely on a library of known attack signatures. When an activity matches a signature, an alarm is generated. The advantage is that the alarm is diagnostic of the cause. The main disadvantage is the possibility of missed alarms, for example for unknown attacks (incomplete database) or new attacks (on old or new vulnerabilities).

From the IT perspective, both classes can be used as error detection mechanisms. Combining ID with automatic recovery mechanisms is a topic of current research.

The detection methodology is used systematically as shown in Figure 8. Patterns of system activity are compared with two kinds of reference patterns: normal and abnormal. Once an abnormal pattern is matched, an error is reported (this corresponds to the misuse class). Likewise, once system behaviour deviates from the normal patterns, an error is reported (this corresponds to the anomaly class). Note that both approaches are combined seamlessly.

Figure 8: Intrusion detection methodology

Modern intrusion detection should be indifferent as to whether errors derive from malicious action. In fact, a detector for errors caused by malicious faults should also detect errors caused by non-malicious faults. The focus is thus on the result, an observable failure of some part of the system to provide correct service, rather than on the cause. When the fault model (AVI: attack, vulnerability, intrusion) was designed, the possible causes were already defined. For example, a Byzantine failure detector in a distributed system detects anomalous behaviour of a component, such as sending inconsistent data to different participants; whether or not this was caused by a malicious entity is irrelevant. The quality of such a detector should be characterized by parameters such as: false alarm rate; missed alarm rate; and detection latency.

5 Intrusion tolerance strategies

Intrusion tolerance strategies complement the classical fault tolerance and security strategies. A strategy is conditioned by several factors, such as: the type of operation; the fault class (for example, the power of the intruder); the cost of failure (for example, the limit of acceptable risk); performance; cost; and the available technology. Technically, beyond a few basic trade-offs, such trade-offs have to be made in any design. For the design of an intrusion-tolerant system, settling a few main lines of strategy is a major policy decision, and it is the one we discuss here. We describe, in the form of a list, the main strategic lines we believe an IT system architect can follow. Once the strategy is defined, the design should proceed with the approach recommended by the intrusion tolerance frameworks just introduced.

5.1 Fault avoidance vs. fault tolerance

Given the dependability goals and the intended type of operation, the first question to consider is the system structure. This involves a balance between fault avoidance (prevention or removal) and fault tolerance.

On the one hand, this balance involves the "zero-vulnerability" gold target of many classical security designs, which assumes the existence of a computing nucleus impervious to hackers: the trusted computing base rests on this assumption. After several years, such a strategy is now regarded as impossible for general system design: systems have become too complex for the entire design and construction to be mastered. On the other hand, the balance also involves attack prevention: reducing the threat level by reducing the risk of intrusion, that is, hardening the system. This too is a limited solution, for obvious reasons. For example, a firewall blocks attacks on the internal network, but it inevitably closes many channels (to external connectivity). However, we should also avoid the opposite extreme of the spectrum, namely worst-case assumptions about the system components and the severity of attacks: the "minimal assumptions" view is correct only if the operational threat is indeed severe, because arbitrary-failure protocols are usually very costly in performance and complexity.

Strategic options such as the use of trusted components, for instance for the critical parts of the system and its operation, allow protocols with better performance. Higher levels of dependability are reached if the option is tolerance (rather than prevention). The condition, however, is that these components are trustworthy (to the extent of the trust placed on them, as discussed earlier), that is, their failure behaviour is indeed confined to a subset of the possible failures. This is achieved by preventing or removing vulnerabilities, attacks, intrusions, or other faults (for example, omission or timing faults).

Architecting a system so that fault tolerance and fault prevention/removal are combined across abstraction levels and in a modular (component-based) way is a basic strategic approach, and a very effective one in IT systems. This approach has been taken in previous architectural work; given the nature of the faults involved, it plays a very important role in IT.

5.2 Confidential operation

When the strategic goal is confidentiality, the system should preferably use error masking schemes in which an unauthorized read of a fragment of the data does not expose any useful information. Alternatively, threshold schemes can be used, in which a quorum is required to access a given piece of information. Error detection and recovery can also be relied upon. However, given the characteristics of confidentiality (once read, permanently read), recovery usually takes the form of forward rather than backward recovery, for example by rendering future improper reads useless. The detection latency should also be very small, to reduce the risk of error propagation and of system failure (which here means the exposure of information).

5.3 Perfect non-stop operation

When not even a minor failure is acceptable, the system must be built for error masking, as in classical fault tolerance. The redundancy needed to achieve this goal must be provided for the given fault assumptions. Appropriate protocols must also be used to achieve systematic error masking under the desired fault model (for example, Byzantine-resilient protocols, TTPs, and so on). However, non-stop availability against denial of service attacks remains an elusive goal in open systems.

5.4 Reconfigurable operation

Non-stop operation is expensive, so many services adopt relatively cheap redundancy management schemes based on error recovery rather than error masking. These alternatives are characterized by the noticeable presence of minor failures. This is the essence of the strategy discussed here, proposed for services with availability or integrity goals, such as transactional databases, web servers and so on. The strategy relies on intrusion detection. In the event of an attack (a higher threat level), the error symptoms trigger a reconfiguration process that automatically replaces the faulty component with a correct one, or moves the system to an appropriate correct configuration. For example, if a database replica is attacked and disabled, another backup replica takes its place. During reconfiguration the service may be temporarily interrupted or degraded; the duration depends on the recovery mechanism. If the AVI sequence can be repeated (for example, when the attack is continuous), the service may run with a degraded quality of service until recovery, depending on the policy adopted (for example, temporarily shutting down a service containing a vulnerability that cannot be removed, or switching to more resilient but slower protocols).

5.5 Recoverable operation

Interruption avoidance is not always mandatory, which allows cheaper and simpler systems. Moreover, in open systems (the Internet) most denial of service attacks make interruption avoidance very hard to achieve.

Suppose a component crashes under attack. If a set of preconditions holds for the component, an intrusion-tolerant design is still possible: (a) crashing takes a minimum time Tc; (b) recovery takes a maximum time Tr; (c) the resulting duration of the interruption is short enough for the application.

Unlike classical fault-tolerant recoverable operation, where (c) depends only on (b), here the availability of the system is defined in a finer way, according to the severity and duration of the attack, that is, in proportion to the threat level. First, for a given attack severity, (a) determines the reliability of the system under attack: if the attack duration is shorter than Tc, the system does not even crash. Second, (a) and (b) determine the service recovery time: for a given attack duration Ta, the system either recovers after Tc + Tr, or, for longer attacks, cycles through interruptions with period Tc + Tr.

Furthermore, crashes caused by malicious faults may be accompanied by incorrect computations. Recoverable operation in intrusion tolerance can be implemented through several techniques, among which we point out secure checkpointing and logging. In distributed settings these mechanisms may require secure protocols. This strategy applies a minimal amount of redundancy at the cost of noticeable temporary service interruptions. It is also useful for long-running programs, such as data mining or scientific computing, where availability is not as critical as for interactive programs but integrity is the main concern.
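Section 4.4 requires logs that an intruder cannot silently alter, and the paragraph above names secure logging and checkpointing as techniques for recoverable operation. As an added example serving both passages (not code from the paper), the following Python block implements a hash-chained, forward-secure authenticated log with a checkpoint for truncation detection. Key distribution (the initial key is assumed to be kept by a verifier off the logging host) and the record format are assumptions made for the example.

```python
"""Tamper-evident audit log: hash chain plus forward-secure HMAC keys.

Added example, not code from the paper. Each entry carries an HMAC over
its own content and the previous entry's tag; after every entry the key
is replaced by its hash and the old key discarded. An intruder who later
takes over the logging host can only append: modifying, deleting or
reordering earlier entries is detected by a verifier holding the initial
key off-host, and deleting the newest entries is detected if the verifier
also received a checkpoint. Key handling and record format are assumed.
"""
import hashlib
import hmac
import json

GENESIS = "genesis"  # assumed tag of the (non-existent) entry before the first


def _next_key(key):
    """Forward-secure key evolution k_{i+1} = SHA-256(k_i): k_i cannot be
    recovered from k_{i+1}, so a compromised host cannot re-sign history."""
    return hashlib.sha256(key).digest()


def _tag(key, prev_tag, index, message):
    body = json.dumps({"i": index, "prev": prev_tag, "msg": message}, sort_keys=True)
    return hmac.new(key, body.encode(), hashlib.sha256).hexdigest()


class SecureLog:
    """Logger side: holds only the current key and the last tag."""

    def __init__(self, initial_key):
        self._key = initial_key
        self._prev_tag = GENESIS
        self.entries = []  # each entry: {"i": index, "msg": text, "tag": hex}

    def append(self, message):
        index = len(self.entries)
        tag = _tag(self._key, self._prev_tag, index, message)
        self.entries.append({"i": index, "msg": message, "tag": tag})
        self._prev_tag = tag
        self._key = _next_key(self._key)  # the previous key is overwritten
        return tag

    def checkpoint(self):
        """Commitment (entry count, last tag) to ship to a remote or
        write-once store so that truncation of the log is detectable."""
        return len(self.entries), self._prev_tag


def verify(entries, initial_key, checkpoint=None):
    """Verifier side: replays the key chain from the initial key.

    Returns (True, None) if the log is intact, otherwise (False, index)
    where index is the first failing entry, or the length of a log that
    is shorter than the checkpoint says it should be.
    """
    key, prev_tag = initial_key, GENESIS
    for n, e in enumerate(entries):
        expected = _tag(key, prev_tag, n, e["msg"])
        if e.get("i") != n or not hmac.compare_digest(expected, e["tag"]):
            return False, n
        key, prev_tag = _next_key(key), e["tag"]
    if checkpoint is not None:
        count, last_tag = checkpoint
        if len(entries) < count:
            return False, len(entries)  # newest entries were deleted
        if count and not hmac.compare_digest(entries[count - 1]["tag"], last_tag):
            return False, count - 1
    return True, None


if __name__ == "__main__":
    key = b"constructed-initial-key-kept-off-host"
    log = SecureLog(key)
    for msg in ["login alice", "sudo bob", "rm -rf /var/log/auth.log"]:
        log.append(msg)
    cp = log.checkpoint()
    print(verify(log.entries, key, cp))        # (True, None)
    forged = [dict(e) for e in log.entries]
    forged[2]["msg"] = "logout bob"           # intruder rewrites a trace
    print(verify(forged, key, cp))             # (False, 2)
    print(verify(log.entries[:2], key))        # (True, None): prefix is valid
    print(verify(log.entries[:2], key, cp))    # (False, 2): truncation caught
```

The third printed result is the caveat: a hash chain alone cannot tell a short log from a truncated one, which is why the checkpoint has to leave the host, for instance with the periodic state checkpoints of a recoverable-operation scheme.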

5.6 Fail-safe

In particular situations, emergency actions must be prepared for execution when the system can no longer tolerate the faults occurring, for example because it cannot withstand the current threat level. This strategy is adopted to prevent the system from evolving into a potentially incorrect situation, or from suffering severe or unexpected damage. In such a case, it is best to shut the system down immediately: this is so-called fail-safe behaviour. This strategy is usual in safety-critical and mission-critical systems, and it is equally important in intrusion tolerance. It complements the other strategies described above.

6. Malicious error modeling

One aspect of all error tolerance architecture is an error model. The system architecture is based on the error model, and the component interaction is also defined on my model. Regardless of the value domain or the time domain, the wrong my model is prerequisitable by correctness, and dominate the system configuration, such as layout, component selection, redundancy level, algorithm type, and so on. The error model of a system is based on the assumptions of the failed method of system components.

What is malicious? The answer to this question is in the main points of the debate on "sufficient" intrusion error model. The term "malicious" itself has a strong hint, meaningful to causing a special attempt to damage. But how do we model attackers' thinking and ability? In fact, many jobs are concentrated on the "intention", but from IT's point of view, we should focus on "Results". That is to say, to draw what should be taken from "malicious" concept is a definition of its goal: try to use any possible way to a given service within the range of invaders. The destruction of all properties.

Traditionally, fault assumptions fall into two kinds: controlled (constrained) fault assumptions and arbitrary fault assumptions.

A controlled fault assumption gives quantitative and qualitative bounds on component failures. For example, such an assumption may state that components only fail by being late, and that no more than f components fail in a reference interval. Alternatively, it may allow value failures but not allow components to generate or forge messages, to impersonate other components, or to send inconsistent (conflicting) messages. Because this is how most systems fail most of the time, the approach is realistic in the face of accidental faults. However, under the definition of maliciousness given above, it hardly captures a malicious fault.

Arbitrary fault assumptions ideally specify no qualitative or quantitative bounds on component failures. In this context, an arbitrary failure means the possibility of generating an interaction at any time, with any syntax and semantics (form and meaning), anywhere in the system. Arbitrary fault assumptions fit the notion of maliciousness ideally, but they are extremely expensive in performance and complexity, and so are not suited to the online applications that users demand today.

Obviously, this must be understood in the context of the modes of operation of the components concerned. For example, the possible failure modes in the interaction between distributed system components are likely to be limited to combinations of the timeliness, form, meaning and target of those interactions (which we call messages). On the other hand, practical systems based on arbitrary fault assumptions must specify quantitative bounds on the number of failed components, or at least a trade-off between resilience and the number of unexpected faults.

Note that the issue is how representative these assumptions are of what actually happens in reality; that is the coverage problem of our assumptions. So, how should we proceed?

6.1 Arbitrary fault assumptions

Consider high-value or critical operations, such as financial transactions, contract signing, the provision of long-term certificates, or state secrets. The risk of the assumptions failing should not be taken. Although performance is likely to suffer, an arbitrary failure assumption should be considered, and the system built from arbitrary-failure-resilient building blocks (for example, Byzantine agreement protocols) whose correctness has been proved.

Consequently, no assumption is made about the existence of trusted components such as secure kernels or other fault-control components. Likewise, a time-free or asynchronous approach must be followed, for example with respect to timeliness, because timing assumptions are susceptible to attack. This limits the class of applications that can be addressed under these assumptions: asynchronous models cannot solve timed problems. In practice, many of the emerging applications, especially those on the Internet, have interactive or mission-critical requirements. Timeliness is part of the desired attributes, both for user-dominated services (such as network transaction servers, multimedia rendering, synchronised groupware, stock exchange transaction servers) and for safety-critical systems (for example, air traffic control). So we should look for an alternative fault model framework that meets the needs of malicious faults.

6.2 Considering the usefulness of hybrid fault assumptions

Hybrid assumptions combining several failure modes are what we want. Research on hybrid fault models began some time ago. Such models assume different distributions of fault types for different nodes: for example, some nodes are assumed to fail arbitrarily, while others are assumed to fail only by crashing. The probabilistic foundation of such distributions is hard to sustain in the presence of malicious intelligence, unless the behaviour of the components is constrained in some way. Consider a component or subsystem for which a controlled failure assumption is made. Given the unpredictability of attacks and the weaknesses of the component, how can we raise our confidence in that assumed behaviour, that is, the coverage of the assumption?

The AVI composite fault model with hybrid failure assumptions is an example of this, in which the presence of vulnerabilities and the severity of attacks and intrusions vary from component to component. Some parts of the system are assumed not to fail in unexpected ways, whereas other parts may still exhibit arbitrary behaviour. In some works this is best described as architectural hybridisation, in which the system components are architected and constructed so that the fault assumptions are enforced, and therefore instantiated. That is (see Chapter 3), the components are made sufficiently trustworthy for the controlled failure assumptions implied by them to be justified.

Since malicious faults are relative, and since some components are constrained by a controlled fault model that defines the system faults those components can produce, the architect's task becomes simpler. In fact, a form of fault prevention is performed at system level: some types of system fault simply do not occur. Intrusion-tolerance mechanisms can then be designed using a mixture of arbitrary-failure (or non-trusted) and controlled-failure (or trusted) components.

Hybrid failure assumptions are also the key to secure timed operation. With respect to timeliness and timing failures, the hybrid structure yields a form of partial synchrony: (i) some subsystems exhibit controlled failure modes and so provide timing services in a secure way; (ii) the latter assist the remaining subsystems in meeting their timeliness requirements; (iii) failures to meet these requirements may be unconstrained, but timing failure detection can be implemented with the assistance of the trusted components.

7 Building intrusion-tolerant systems

In this chapter we discuss some concepts concerning the construction of intrusion-tolerant systems.

7.1 (Almost) no assumptions

The unconstrained-fault or arbitrary-failure approach to implementing an IT architecture is based on assuming almost unrestricted behaviour (failures, synchrony), which maximises coverage. It provides a conceptually simple architecture that guarantees liveness, developing its arguments in probabilistic form under certain conditions.

Randomised Byzantine agreement protocols are typical protocol examples of this approach. They may fail to terminate with non-zero probability, but that probability can be made negligible. In fact, protocols that use cryptography usually also have a residual probability of failure, determined by the length of the keys. Of course, at least some components must be correct for the system as a whole to provide a useful service. This approach is essentially parametric: for an assumed number f of arbitrary failures, the system remains correct if there are enough correct participants. Alternatively, a quite resilient protocol may still be achievable under the premise of almost no assumptions. There are favourable conditions here for secure distributed systems, which is why research on this approach continues. In fact, sacrificing performance or timeliness is worthwhile for very critical operations (key distribution, contract signing, and so on).

Figure 9 illustrates this principle in simple terms, with a metaphor we use from now on: grey represents hostile, malicious; white represents benign, correct. Figure 9a shows participants immersed in a hostile asynchronous environment. Neither the hosts nor the communication environment is trusted. Participants may be malicious, and usually the only assumption is on the number of participants that misbehave. Figure 9b illustrates how such a protocol copes with faults in the environment to ensure that participants jointly provide a correct service (the white shadow).

A protocol that provides a correct service must cope with any component and environment failures. For example, component Ck may be malicious, either because the component itself or its host C has been tampered with, or because an intruder in the communication system imitates that behaviour.

Figure 9: The arbitrary failure approach

7.2 Unjustified assumptions, or the power of faith

Alternatively, an IT architecture may follow a fault-controlled approach. Sometimes, where this can be confirmed, assuming a benign environment is a good approach. This is usually done for accidental faults, when the environment is reasonably well known, for example from statistical measurements. Is this a reasonable approach for malicious faults?

Figure 10: Unjustified assumptions

Figure 10a depicts participants in a moderately benign assumed environment (following our metaphor, areas of the figure are mostly white, with a few dark parts). For example, individual hosts (the local environment) are usually considered trusted, whereas the communication environment is untrusted, with an assumed attack model. Some participants may be malicious.

Execution must work most of the time. However, where the assumed behaviour (or worse, trust...) rests on nothing more than statistical evidence, we should not be surprised when an intruder's attack forces the runtime environment into behaviour that is worse than assumed (for example, hosts turn out to be less trusted than assumed, or the communication support is more aggressive than the assumed model). This is shown in Figure 10b, where, under attack, the environment is actually more aggressive than it was originally thought to be in Figure 10a.

As a result, assumptions that are not strictly justified may in many cases lead to a lack of trustworthiness (coverage) in the properties of components or subsystems (in our example, the participants and protocols covered by the dark shadow). This is problematic, because the assumptions may be violated; in other words, the protocol is not prepared for that, or the situation may be exploited by malicious intelligence. The results will be unpredictable. Let us discuss a correct way of doing this.

7.3 Architectural hybridisation

For building fault-controlled IT systems, architectural hybridisation is a sound guideline. We wish to avoid the risk of coverage lapses without paying the extreme cost of arbitrary assumptions. Assuming some components to be trusted is, as seen above, the approach that architectural hybridisation makes possible, by making the trusted components trustworthy enough. Essentially, the architect tries to build black boxes with benign behaviour, of the omissive or weak fault-silent classes. These may have different capabilities (e.g. synchronous or asynchronous, local or distributed) and may exist at different abstraction levels. Rather than leaving them in the non-trusted environment, a good approach is to present them as runtime environment components that the system can invoke and that provide trustworthy results. Of course, fault-controlled designs can yield fault-tolerant protocols that are more efficient than those built on truly arbitrary assumptions, and more robust than non-enforced controlled-fault protocols.

When designing a hybrid IT system, the tolerance attitude is characterised by a few aspects:

- assume as little as possible about the environment and other components;

- make assumptions about well-behaved (trusted) components or parts of the environment only where strictly necessary;

- enforce the assumptions on trusted components by construction;

- unlike traditional prevention approaches, the trusted components do not take part in all operations; they only assist the crucial steps of the execution;

- the protocols run in a non-trusted environment, where single components can be corrupted and faults (intrusions) can happen;

- correct service is built on distributed fault-tolerance mechanisms, for example agreement and replication of participants over several hosts.

7.4 Prevention, tolerance, and a bit of fun

When implementing trustworthy components, architects should keep in mind something we discussed earlier: the balance between prevention and tolerance. Let us analyse the operating principle of a trusted third party (TTP) protocol, as shown in Figure 11a. Participants Alice, Paul and Bob run an IT protocol among themselves and trust a TTP component, Trent, which provides some service that assists the protocol in tolerating intrusions. There is a question that is seldom asked about this figure: is the TTP trustworthy?

Figure 11: (a) TTP protocol; (b) making the TTP trustworthy

In fact, the TTP is a very good example of how the trust placed in a trusted component (usually?) exceeds its trustworthiness.

In Figure 11b we lift the "cover" of the TTP and show how prevention and tolerance can be combined to make it trustworthy. First, certificate-based authentication is needed to prevent some faults (for example, impersonation and forgery) in the point-to-point interaction between the participants and the TTP. Then, if the TTP is replicated, the redundancy makes it resilient to accidental faults and to a certain degree of attack on the TTP server replicas. In addition, if malicious faults can occur in the subnet of the server replicas, the replicas should communicate through self-enforcing protocols with Byzantine resilience.

Users need not be aware of the additional complexity and of the distribution of the TTP. In fact, we should "put the cover back" so that participants see only the logical entity they trust (as shown in Figure 11a). However, through the work at the lower level (the TTP) we have achieved trustworthy behaviour at the higher level (the system). Note that we have in fact prevented some system faults. This kind of prevention/tolerance nesting can be applied recursively. There has recently been a wide range of research on making TTPs trustworthy, for example through the recursive use of intrusion-tolerance mechanisms.

7.5 Using trusted components

As we saw in the previous section, the trust/trustworthiness relation is widely used when building IT systems. However, it is worth mentioning here the example of special trusted components.

IT protocols can combine very high efficiency with high resilience if they are supported by locally accessible trusted components. For example, the notion of a security kernel in IT corresponds to a trusted, fault-controlled local subsystem that performs some security-related functions within an otherwise non-trusted environment.

Figure 12: Using trusted components: (a) local; (b) distributed

This can be extended to a number of functions, such as time keeping or failure detection. In that sense, a local trustworthy component encapsulates and provides a set of functions in a trustworthy manner, to be relied upon in a hostile environment. Trustworthy hardware (e.g. smart cards, appliance boards) can be used to enhance the trustworthiness of these special components. In Figure 12a we see an example of an architecture with an LTC (local trustworthy component). Inter-component communication should ensure that correct components can rely on the properties of the LTC even when malicious faults occur. On the other hand, the implementation of the LTC should ensure that a malicious component, such as the one on the right-hand side of Figure 12a, cannot disrupt the operation of the LTC and make it fail.

Figure 12b shows a distributed trustworthy component (DTC). Because it assumes not only local trustworthiness but also trusted channels between the LTCs, it enhances the power of the LTC. This makes distributed trust possible for low-level operations (e.g. the distribution of message authentication codes, MACs). It can be built with a private control channel, such as a second network attachment on each host.

DTCs can assist protocols in many ways, which we discuss in later chapters of this article, but the basic principles are as follows:

- protocol participants must exchange messages through a hostile environment (the normal network), where some of them may even be malicious and deceitful;

- there is a channel that the correct participants trust, and that they can use to contact each other, even if only sporadically and for short moments;

- they can use this channel to synchronise, disseminate, and agree on crucial facts of the protocol execution, limiting the Byzantine power of malicious participants.

8 Example systems

The term "intrusion tolerance" first appeared in the paper by Fraga and Powell. Subsequently, the Delta-4 project developed an intrusion-tolerant distributed server composed of a set of insecure sites, using fragmentation, redundancy and scattering.

In the following years, several independent IT protocols and systems gradually emerged. BFT is an efficient state-machine replication algorithm; it has been used to implement an intrusion-tolerant NFS server. Rampart provides tools for building IT distributed services: reliable multicast, atomic multicast and membership protocols. SecureRing is a view-synchronous group communication system based on a token ring protocol. State-machine replication can be implemented with both Rampart and SecureRing. Fleet uses Byzantine quorum systems to build IT data stores for data abstractions such as variables and locks, and for Java objects. The CLIQUES protocols provide agreement for dynamic process groups. More recently, two projects, OASIS and MAFTIA, have been studying intrusion tolerance, and some of their results are described in detail later.

8.1 OASIS

Organically Assured and Survivable Information Systems (OASIS) is a US DARPA research programme whose purpose is to provide "defence capabilities that sustain continuous service for mission-critical functions in the face of known or future attacks on information systems". The programme is much concerned with intrusion tolerance. Its goals are:

- to build intrusion-tolerant systems from potentially vulnerable components;

- to characterise the cost-effectiveness of tolerance mechanisms;

- to develop assessment and validation methods for intrusion-tolerance mechanisms.

OASIS has funded about 30 projects. It is unrealistic to describe all of them here, so we review several representative projects that we found interesting.

Intrusion Tolerance by Unpredictable Adaptation (ITUA) aims to develop middleware that helps in designing applications that tolerate certain classes of attack. The ITUA architecture consists of security domains, which abstract the notion of the boundaries that an attacker has to cross (for example, a local area network protected by a firewall). Intrusion-tolerant applications usually adapt when an attack occurs. ITUA proposes unpredictable adaptation as a way of tolerating attacks that try to predict and exploit that adaptation. Adaptation in ITUA is managed by the QuO middleware, and intrusion-tolerant group communication is implemented as part of the overall toolkit.

The Intrusion Tolerant Architectures project aims to develop a system architecture concept for building intrusion-tolerant systems. To support secure group applications on insecure networks (such as the Internet), the project developed the middleware IT-Enclaves. IT-Enclaves has several leaders, n >= 3f + 1, of which at most f are allowed to be corrupted. The leaders provide all group management services: user authentication, member join and leave, and group key generation, distribution and refreshment. Each member of the group is in contact with 2f + 1 leaders.

COCA is an online certification authority for local or wide area networks. COCA uses replicated servers to achieve availability and intrusion tolerance. The certificates it produces are signed with a threshold algorithm. COCA assumes that an attacker takes a certain amount of time to compromise a number of servers, so it periodically refreshes the servers' secrets (proactive security). Replication is based on Byzantine quorum systems.

The purpose of the Integrity Through Mediated Interfaces project is to provide data integrity. The approach uses an integrity manager to monitor the programs that manipulate data and to record all data transformations. This has several applications, including the reconstruction of damaged data. The project designed a protective wrapper for COTS applications, which can be used for the purpose just mentioned or to protect the environment from malicious code (mail attachments, macros, etc.).

The ITDBMS project designs an experimental intrusion-tolerant database system that uses COTS components to provide a comprehensive, integrated and efficient IT database management system solution. The approach follows a multi-layer defence strategy that combines several mechanisms: transaction-level intrusion detection, intrusion isolation, intrusion masking, fault localisation and confinement, and self-stabilisation. Agile Objects is an architecture for building intrusion-tolerant applications based on the concepts of location, interface and dynamic elusiveness. Location elusiveness is the ability of application components to evade attacks and compromised nodes by moving across different hosts. Interface elusiveness allows the middleware to change component interfaces automatically. Dynamic elusiveness is the ability to manage the location and interface elusiveness dimensions.

8.2 MAFTIA

Malicious- and Accidental-Fault Tolerance for Internet Applications (MAFTIA) is a recently completed EU IST project that systematically investigated the "tolerance paradigm" for building large-scale distributed applications. The project took a comprehensive approach covering both accidental and malicious faults. MAFTIA followed three main lines of action:

- definition of an architectural framework and a conceptual model;

- design of mechanisms and protocols;

- formal validation and assessment.

The purpose of the first line is to develop a coherent set of concepts for an architecture that can tolerate malicious faults. A core set of intrusion-tolerance concepts has been defined, extending the concepts of traditional dependability. The AVI composite fault model mentioned above was also defined here. Other related work includes the definition of synchrony and topology, the establishment of intrusion detection as a service, and the definition of the MAFTIA node architecture. This architecture includes components such as trusted and untrusted hardware, local and distributed trusted components, operating systems and runtime environments, software, and so on.

Most of the MAFTIA research work was on the second line, the design of IT mechanisms and protocols. Part of this work concerned the MAFTIA middleware: architecture and protocol definitions. An asynchronous protocol suite, including reliable, atomic and causal multicast, was defined using a probabilistic Byzantine-resilient solution. Research on protocols based on a timed model relied on an innovative concept, that of wormholes: enhanced subsystems that give components a means of obtaining a few simple privileged functions or channels to other components, with "good" properties that the "normal" weak environment otherwise cannot guarantee. For example, the Trusted Timely Computing Base (TTCB) developed in MAFTIA (see the next two sections) is based on the wormhole concept and provides timely and secure functions in an environment that is asynchronous and subject to Byzantine failures. The architectural hybridisation discussed earlier is used to implement the TTCB. An IT transaction processing service supporting multi-party transactions was also designed in the context of the MAFTIA middleware.

Intrusion detection is regarded both as a mechanism for intrusion tolerance and as a service that must itself be intrusion-tolerant. Problems such as high false-alarm rates and the combination of several IDSs were studied.

Trusted third parties (TTPs), such as certification authorities, are important building blocks in today's Internet. MAFTIA designed a generic distributed certification authority which, to achieve intrusion tolerance, uses threshold cryptography and IT protocols. Another TTP, a distributed optimistic fair exchange service, was also developed.

MAFTIA defined an authorisation service based on fine-grained protection, that is, on protection at the level of object methods. The authorisation service is a distributed TTP that can be used to grant or deny authorisation for combinations of several method calls. The service relies on a local security kernel.

The third line of work concerns the formalisation of the core MAFTIA concepts and the verification and assessment of the dependable middleware. New rigorous models for the security of the relevant systems were developed, and protocols were verified using CSP and FDR. In the next sections we explain our own research work in more detail: the construction of an architecture that applies the hybridisation principle, and a protocol that uses the TTCB wormhole.

8.2.1 Architectural hybridisation in practice

The Trusted Timely Computing Base (TTCB) is a real-time, secure wormhole. The TTCB is a simple component that provides a limited set of services. Its architecture is shown in Figure 13. Its goal is to support the execution of IT protocols and the architectural hybridisation approach described above.

Figure 13: System architecture with the TTCB

The experimental TTCB is implemented from COTS components. The hosts are ordinary Pentium PCs running a real-time kernel, RT-Linux or RTAI. The hosts are interconnected by two Fast Ethernet LANs: one is the payload network, corresponding to Figure 13, and the other is the TTCB control channel. This is therefore a configuration for local environments, such as sites or campuses. WAN configurations are also possible, as discussed in [39].

The design has two facets: functionality and the enforcement of (non-functional) properties. Next we describe the functionality of the TTCB, its services, and then discuss how security and timeliness (real-time behaviour) are enforced in the COTS-based TTCB. The TTCB offers a limited set of services. From a programming perspective they are a set of library functions that processes can call in the usual way. We use the term "process" to denote any entity that uses the TTCB services: an ordinary process, a thread, or another software component.

The TTCB provides three security-related services. The Local Authentication Service allows a process and the TTCB to communicate securely. The service authenticates the local TTCB to the process and runs a simple authenticated key establishment protocol to create a shared symmetric key between the two. The symmetric key is used to secure all their further communication. Each local TTCB has a pair of asymmetric keys, and we assume that a process is able to obtain a correct copy of the local TTCB public key. The Trusted Block Agreement Service is the main building block for IT protocols. The service delivers a value obtained from a set of values proposed by a set of processes. The service is not intended to replace heavyweight agreement protocols in the payload system: it works with "small" data blocks (currently 160 bits), and the TTCB has limited resources for executing it. The service provides a set of functions that can be used to calculate the result; for example, it can select the value proposed by the largest number of processes. One parameter of the service is a timestamp indicating the last instant at which the service may start executing. This prevents malicious processes from delaying the execution indefinitely. The last security-related service is the Random Number Generation Service, which provides uniformly distributed random numbers. These numbers can be used as keys, or as nonces in cryptographic primitives such as authentication protocols.

The TTCB also provides four time services. The Trusted Absolute Timestamping Service provides globally meaningful timestamps; obtaining such timestamps is possible because the local TTCB clocks are synchronised. The Trusted Duration Measurement Service measures the execution time of an operation. The Trusted Timing Failure Detection Service checks whether a local or distributed operation is executed within a given time interval. The Trusted Timely Execution Service executes special operations securely and within a time bound inside the TTCB.

The agreement service and the Trusted Timing Failure Detection Service are distributed, so they are implemented using communication protocols that run over the TTCB control channel. We do not describe those protocols here.

RT-Linux and RTAI are two similar real-time extensions of Linux. Linux is modified so that a real-time executive takes control of the hardware, in order to enforce the real-time behaviour of a set of real-time tasks. RT tasks are defined as special Linux loadable kernel modules, so they run inside the kernel. The scheduler is changed to a preemptive, priority-based scheme, and it can be configured to accommodate different scheduling disciplines. Linux runs as a low-priority task, and its interrupt scheme is changed so that it can be preempted by RT-Linux/RTAI. The local part of the COTS-based TTCB consists mainly of a (non-real-time) local kernel module, which handles service requests, and a set of two or more RT tasks, which perform all time-constrained operations.

The local TTCB is protected by protecting the kernel. From a security point of view, RT-Linux/RTAI and Linux are very similar. Their main weakness is that a sufficiently privileged process can control any resource in the system. This weakness is usually easy to exploit, for example through race conditions. Linux capabilities are privileges, or access control lists, associated with processes, which allow fine-grained control over how they use certain objects. However, the way this mechanism is actually used is usually quite basic. There is a system-wide capability bounding set that limits the capabilities that any process in the system may hold. Removing a capability from that set means that its use is forbidden until the next reboot. Essentially, this mechanism can protect the local TTCB. Removing CAP_SYS_MODULE from the capability bounding set prevents any process from inserting code into the kernel. Removing CAP_SYS_RAWIO prevents any process from reading and modifying kernel memory.
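To make the bounding-set rule above checkable, here is an added example (not TTCB or MAFTIA code) that decodes a capability bounding-set mask as shown in the CapBnd line of /proc/<pid>/status and reports whether CAP_SYS_MODULE and CAP_SYS_RAWIO have been removed; the status text is a constructed sample, and the capability numbers are the ones defined by the Linux kernel.

```python
"""Check whether a Linux capability bounding set drops the two
capabilities the TTCB hardening removes (added example; the
/proc/<pid>/status text below is a constructed sample)."""

# Capability bit numbers from the Linux kernel's capability.h.
CAP_SYS_MODULE = 16   # load/unload kernel modules, i.e. insert code into the kernel
CAP_SYS_RAWIO = 17    # raw I/O, e.g. reading and writing kernel memory via /dev/mem

# The capabilities the text requires to be absent from the bounding set.
TTCB_REQUIRED_DROPS = {CAP_SYS_MODULE: "CAP_SYS_MODULE", CAP_SYS_RAWIO: "CAP_SYS_RAWIO"}


def parse_capbnd(status_text: str) -> int:
    """Return the bounding-set mask from the CapBnd line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapBnd:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapBnd line in status text")


def is_dropped(mask: int, cap: int) -> bool:
    """True if capability number `cap` is absent from the mask."""
    return not (mask >> cap) & 1


def drop(mask: int, *caps: int) -> int:
    """Return a copy of `mask` with the given capability bits cleared."""
    for cap in caps:
        mask &= ~(1 << cap)
    return mask


def ttcb_kernel_protected(status_text: str) -> dict:
    """Map each required capability name to whether the bounding set drops it."""
    mask = parse_capbnd(status_text)
    return {name: is_dropped(mask, cap) for cap, name in TTCB_REQUIRED_DROPS.items()}


def check_live_process() -> dict:
    """Same check against the running interpreter's own /proc/self/status
    (only meaningful on Linux; returns {} elsewhere)."""
    try:
        with open("/proc/self/status") as f:
            return ttcb_kernel_protected(f.read())
    except (OSError, ValueError):
        return {}


# Constructed sample: a bounding set with the first 41 capabilities all present.
FULL_MASK = 0x1FFFFFFFFFF
FULL_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapBnd:\t%016x\n" % FULL_MASK
# The same dump after removing the two capabilities named in the text.
HARDENED_STATUS = FULL_STATUS.replace(
    "%016x" % FULL_MASK, "%016x" % drop(FULL_MASK, CAP_SYS_MODULE, CAP_SYS_RAWIO))

if __name__ == "__main__":
    print("unhardened:", ttcb_kernel_protected(FULL_STATUS))
    print("hardened:  ", ttcb_kernel_protected(HARDENED_STATUS))
    print("this host: ", check_live_process())
```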

For the COTS-based TTCB we assume that the control channel cannot be physically accessed. Security must therefore be guaranteed at its access points. More precisely, we must prevent intruders from reading or modifying the control channel at its access points. This is achieved by removing the control network device from the kernel, so that it can be accessed only by code inside the kernel, for example the local TTCB.

In the COTS-based TTCB the control channel is a switched Fast Ethernet LAN. The timeliness of network packets is guaranteed by preventing packet collisions, which could cause unpredictable delays. This requires: (1) only one host connected to each switch port (hubs cannot be used); (2) control of the communication load. The first requirement is obvious. The second is handled by an access control mechanism that accepts or rejects the execution of a service, taking into account the available resources (buffers and bandwidth).

This is a brief account of the design of the COTS-based TTCB. Further details, including the enforcement of the TTCB properties and a discussion of implementations on other networks or local architectures, can be found in [13].

8.2.2 A wormhole-aware protocol

This section presents an IT protocol based on the TTCB wormhole. The protocol illustrates the approach based on hybrid fault assumptions: most of the system is assumed to fail arbitrarily, while the wormhole is assumed to fail only in a controlled way, for example by crashing. The system is also assumed to be asynchronous, except for the TTCB, which is synchronous.

The protocol is a reliable multicast, a classic problem in distributed systems. Each execution of the multicast has one sender process and several recipient processes. In the remainder of this section we make the classic distinction between receiving a message from the network and delivering a message, which is the result of the protocol execution.

A reliable multicast protocol enforces two properties: (1) all correct processes deliver the same messages; (2) if a correct sender multicasts a message, all correct processes deliver it. These rules do not imply that delivery can be guaranteed for messages from malicious senders. What they do guarantee is that one of two things happens: either the correct processes never finish the protocol execution and deliver no message, or, if they do finish, they all deliver the same message. No assumption is made about the behaviour of malicious (recipient) processes: they may deliver the correct message, a different message, or no message at all.

The protocol, BRM (Byzantine Reliable Multicast), is executed by a set of distributed processes. These processes can fail arbitrarily: they can crash, delay or omit some messages, generate messages that are inconsistent with the protocol, or collude with other processes with malicious intent. Their communication can also be arbitrarily attacked: messages can be corrupted, dropped, injected, or replayed.

Let us look at the process failure modes in more detail. A process is correct, essentially, if it follows the protocol until the protocol terminates. A process is therefore faulty if it crashes or deviates from the protocol. There are additional situations in which we also consider a process to have failed. Each process has, in the TTCB, an identifier associated with a shared key. If that (id, key) pair is captured by an attacker, the process can be impersonated before the TTCB, so this fault condition must be taken into account.

The other case in which we consider a process failed is when an attacker disrupts the communication between that process and the other processes. Protocols for asynchronous systems usually assume that messages are retransmitted until they are eventually received (reliable channels). In practice, a service that is delayed too long is usually worthless. BRM therefore retransmits each message a bounded number of times, and we consider an "isolated" process to be faulty. Accidental faults in the channel are usually assumed to be bounded: in a given time interval, no more than Od messages are corrupted or lost. Od is the omission degree, which can be determined for a specific network by testing, with the desired probability. For malicious faults, if a process still has not received a message after the sender has transmitted it Od+1 times, there is reason to assume that the process either crashed or is under attack. In either case we consider the recipient process failed, but the reader should note that Od is simply a parameter of the protocol: if Od is set to a higher value, BRM starts to behave like a protocol that assumes reliable channels.

Figure 14: BRM protocol

Formally, a reliable multicast protocol has the following properties. The predicate sender(M) gives the sender field of message M, and group(M) gives the "group" of processes involved, i.e., the sender and the recipients (note that the sender also delivers).

Validity: If a correct process multicasts a message M, then some correct process in group(M) eventually delivers M.

Agreement: If a correct process delivers a message M, then all correct processes in group(M) eventually deliver M.

Integrity: For any message M, every correct process p delivers M at most once, and only if p is in group(M); moreover, if sender(M) is correct, then M was previously multicast by sender(M).

The implementation of BRM is shown in Figure 14. The sender securely transmits a hash of the message to the recipients through the TTCB agreement service, and then multicasts the message Od+1 times over the payload network. The recipients use the hash to check the integrity and authenticity of the message. When a recipient obtains a correct copy of the message, it in turn multicasts it Od+1 times. The pseudo-code is quite straightforward, so we do not detail it here; the reader is referred to [12].

Figure 15 illustrates the behaviour of the protocol. The horizontal lines represent the execution of the processes over time. The thick line represents the TTCB as a whole, even though each process actually calls a separate local TTCB on its own host (this representation is simpler). The sender calls the TTCB agreement and then multicasts the message twice (Od = 1). The messages are received as follows: P2 receives both copies; P3 receives a corrupted first copy and a good second one; P4 does not receive the first copy but receives the second. The example assumes that the first message sent to P3 is corrupted only in its data part, so P3 can still determine which protocol instance it belongs to. When a message arrives, the recipient calls the TTCB agreement to obtain the reliable value H(M). Processes P2 and P3 obtain this value almost immediately after the agreement finishes. They use the hash to select the correct copy among those they received, and then multicast it to all other recipients. When P4 receives the first message of this protocol instance, it calls the agreement, obtains the result afterwards, and then multicasts the message.

Figure 15: Execution of the protocol

Bracha and Toueg [6] showed that, under arbitrary faults, reliable multicast is impossible in a system of n processes if more than (n-1)/3 of them are faulty, i.e., if n ≤ 3f. Like protocols for accidental fault tolerance, BRM bounds the number of process failures, but for f failures BRM requires only n ≥ f+2 processes, not n ≥ 3f+1. In fact, BRM imposes no minimum number of correct processes: the bound n ≥ f+2 only reflects that reliable multicast is meaningless with fewer than two correct processes. n ≥ f+2 is also the bound for reliable multicast with arbitrary faults in synchronous systems.
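The following simulation, added for this page and not the authors' code, walks through the BRM exchange described above: the sender pushes H(M) through the (trusted) TTCB agreement, sends M Od+1 times over the untrusted payload network, and every recipient that obtains a copy matching the agreed hash relays it Od+1 times. The TTCB is modelled as an in-process table that no simulated fault can reach, the network as a FIFO with a constructed fault policy (drop, corrupt the data part, or substitute a forged payload, which also models a two-faced sender), and all process and message names are this example's own. Beyond the Figure 15 run it also covers two cases the text only argues about: a sender that shows M to one recipient and M' to the rest, and a sender whose agreed hash matches nothing it sends.

```python
import hashlib
from collections import deque

OD = 1  # omission degree, as in Figure 15: every message is sent OD + 1 times


def h(msg: bytes) -> str:
    """Hash that travels through the TTCB agreement; recipients compare against it."""
    return hashlib.sha256(msg).hexdigest()


class TTCB:
    """Stand-in for the wormhole agreement service. Assumption of this example:
    the real TTCB runs a synchronous agreement among local TTCBs; here it is an
    in-process table that only the first writer of an instance can fill and that
    no simulated fault can touch (it is the single trusted component)."""

    def __init__(self):
        self._agreed = {}

    def agree(self, instance: int, value: str) -> str:
        return self._agreed.setdefault(instance, value)

    def result(self, instance: int):
        return self._agreed.get(instance)


class Network:
    """Asynchronous payload channel. `faults` is a constructed policy keyed by
    (src, dst, copy_no): "drop", "corrupt", or a bytes payload to substitute."""

    def __init__(self, faults: dict):
        self.faults = faults
        self.queue = deque()

    def multicast(self, src, instance, payload, procs):
        for copy_no in range(OD + 1):
            for dst in procs:
                if dst.pid != src:
                    self.queue.append((src, dst, instance, copy_no, payload))

    def run(self):
        while self.queue:
            src, dst, instance, copy_no, payload = self.queue.popleft()
            fault = self.faults.get((src, dst.pid, copy_no))
            if fault == "drop":
                continue
            if fault == "corrupt":
                payload = payload[:-1] + b"?"   # data part damaged, instance id intact
            elif isinstance(fault, bytes):
                payload = fault                  # forged copy (attacker or lying sender)
            dst.receive(instance, payload)


class Process:
    def __init__(self, pid, ttcb, net, procs):
        self.pid, self.ttcb, self.net, self.procs = pid, ttcb, net, procs
        self.delivered = {}   # instance -> message; at most one per instance (Integrity)

    def brm_multicast(self, instance: int, msg: bytes):
        self.ttcb.agree(instance, h(msg))                        # hash through the wormhole
        self.delivered[instance] = msg                           # the sender delivers too
        self.net.multicast(self.pid, instance, msg, self.procs)  # OD + 1 copies on the payload net

    def receive(self, instance: int, payload: bytes):
        if instance in self.delivered:
            return                                               # deliver at most once
        agreed = self.ttcb.result(instance)
        if agreed is None or h(payload) != agreed:
            return                                               # corrupt or forged copy: discard
        self.delivered[instance] = payload
        self.net.multicast(self.pid, instance, payload, self.procs)  # relay OD + 1 times


M = b"M: instance-7 payload"            # constructed sample message
M_FORGED = b"M': a different payload"   # what a two-faced sender shows some recipients


def run_scenario(faults: dict, instance: int = 7) -> dict:
    """Sender P1 multicasts M to P2..P4 under a fault policy; returns what each
    process delivered for the instance (None = nothing)."""
    ttcb, net, procs = TTCB(), Network(faults), []
    for pid in ("P1", "P2", "P3", "P4"):
        procs.append(Process(pid, ttcb, net, procs))
    procs[0].brm_multicast(instance, M)
    net.run()
    return {p.pid: p.delivered.get(instance) for p in procs}


def agreement_holds(outcome: dict, correct) -> bool:
    """Agreement property: every correct process delivered the same thing (possibly nothing)."""
    return len({outcome[p] for p in correct}) == 1


# Figure 15: P2 gets both copies, P3's first copy is corrupted, P4 misses the first.
FIG15 = {("P1", "P3", 0): "corrupt", ("P1", "P4", 0): "drop"}
# Two-faced sender: P2 sees M, P3 sees M' twice, P4 sees nothing from P1 at all.
TWO_FACED = {("P1", "P3", 0): M_FORGED, ("P1", "P3", 1): M_FORGED,
             ("P1", "P4", 0): "drop", ("P1", "P4", 1): "drop"}
# Sender lies to everyone: the hash it agreed on never matches what it sends.
ALL_FORGED = {("P1", p, c): M_FORGED for p in ("P2", "P3", "P4") for c in range(OD + 1)}

if __name__ == "__main__":
    for name, faults in (("fig15", FIG15), ("two-faced", TWO_FACED), ("all-forged", ALL_FORGED)):
        print(name, run_scenario(faults))
```

In the two-faced run, P3 and P4 end up with M only because P2 relays it; the agreed hash is what lets them reject M' without any signature, which is the whole reason the protocol needs no asymmetric cryptography. In the all-forged run no correct process delivers anything, which is the "terminate without delivering" outcome the text allows for a malicious sender, and Agreement still holds. Note that the simulation never models the TTCB itself failing other than by crash, which is exactly the hybrid assumption.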

Because BRM uses the TTCB wormhole, it avoids asymmetric cryptography, which is a well-known bottleneck of IT protocols. BRM was tested with the COTS-based TTCB. The latency for five processes (one per host) ranged from 8 to 10 milliseconds, several times lower than the latencies reported for asynchronous protocols in the literature. Currently, in the initial implementation of the TTCB, the agreement service is the main overhead of the protocol, and a faster design is in progress. When the number of participating processes grows, protocols that use asymmetric cryptography degrade significantly, while the TTCB-based protocol degrades only slightly.

9 Conclusions

We have presented an overview of the main concepts and design principles relevant to intrusion-tolerant architectures. Our view is that intrusion tolerance, as a body of knowledge, is and will for some time remain the main driving force in the evolution of dependability. The challenges of looking at faults from the perspective of "malicious intelligence" have put hard issues on the agenda, such as uncertainty, adaptivity, incomplete knowledge, and interference. Under this pressure, researchers have been looking for answers, sometimes under new names or slight variations of dependability, such as trustworthiness or survivability. We believe that fault tolerance will witness an extraordinary evolution and will see its domain of applicability broadened. We will know that we have succeeded when we stop talking about accidental faults, attacks or intrusions, and simply talk (once again) about ... faults.

References

[1] Adelsbach, A., Alessandri, D., Cachin, C., Creese, S., Deswarte, Y., Kursawe, K., Laprie, J.C., Powell, D., Randell, B., Riordan, J., Ryan, P., Simmonds, W., Stroud, R., Veríssimo, P., Waidner, M., Wespi, A.: Conceptual Model and Architecture of MAFTIA. Project MAFTIA IST-1999-11583 Deliverable D21 (2002). http://www.research.ec.org/maftia/deliverables/d21.pdf

[2] Alvisi, L., Malkhi, D., Pierce, E., Reiter, M.K., Wright, R.N.: Dynamic Byzantine Quorum Systems. In: Proceedings of the IEEE International Conference on Dependable Systems and Networks (2000) 283-292

[3] Amir, Y., Kim, Y., Nita-Rotaru, C., Schultz, J., Stanton, J., Tsudik, G.: Exploring Robustness in Group Key Agreement. In: Proceedings of the 21st IEEE International Conference on Distributed Computing Systems (2001) 399-408

[4] Ateniese, G., Steiner, M., Tsudik, G.: New Multi-Party Authentication Services and Key Agreement Protocols. IEEE Journal on Selected Areas in Communications 18 (2000)

[5] Avizienis, A., Laprie, J.C., Randell, B.: Fundamental Concepts of Dependability. Technical Report 01145, LAAS-CNRS, Toulouse, France (2001)

[6] Bracha, G., Toueg, S.: Asynchronous Consensus and Broadcast Protocols. Journal of the ACM 32 (1985) 824-840

[7] Cachin, C., Correia, M., McCutcheon, T., Neves, N., Pfitzmann, B., Randell, B., Schunter, M., Simmonds, W., Stroud, R., Veríssimo, P., Waidner, M., Welch, I.: Service and Protocol Architecture for the MAFTIA Middleware. Project MAFTIA IST-1999-11583 Deliverable D23 (2001). http://www.research.ec.org/maftia/deliverables/d23final.pdf

[8] Cachin, C., Poritz, J.A.: Hydra: Secure Replication on the Internet. In: Proceedings of the International Conference on Dependable Systems and Networks (2002)

[9] Canetti, R., Gennaro, R., Herzberg, A., Naor, D.: Proactive Security: Long-term Protection Against Break-ins. RSA CryptoBytes 3 (1997) 1-8

[10] Castro, M., Liskov, B.: Practical Byzantine Fault Tolerance. In: Proceedings of the Third Symposium on Operating Systems Design and Implementation (1999)

[11] Connelly, K., Chien, A.A.: Breaking the Barriers: High Performance Security for High Performance Computing. In: Proceedings of the New Security Paradigms Workshop (2002)

[12] Correia, M., Lung, L.C., Neves, N.F., Veríssimo, P.: Efficient Byzantine-Resilient Reliable Multicast on a Hybrid Failure Model. In: Proceedings of the 21st IEEE Symposium on Reliable Distributed Systems (2002) 2-11

[13] Correia, M., Veríssimo, P., Neves, N.F.: The Design of a COTS Real-Time Distributed Security Kernel. In: Proceedings of the Fourth European Dependable Computing Conference (2002) 234-252

[14] Cukier, M., Lyons, J., Pandey, P., Ramasamy, H.V., Sanders, W.H., Pal, P., Webber, F., Schantz, R., Loyall, J., Watro, R., Atighetchi, M., Gossett, J.: Intrusion Tolerance Approaches in ITUA (Fast Abstract). In: Supplement of the 2001 International Conference on Dependable Systems and Networks (2001) 64-65

[15] Debar, H., Wespi, A.: Aggregation and Correlation of Intrusion Detection Alerts. In: 4th Workshop on Recent Advances in Intrusion Detection. Volume 2212 of Lecture Notes in Computer Science. Springer-Verlag (2001) 85-103

[16] Deswarte, Y., Blain, L., Fabre, J.C.: Intrusion Tolerance in Distributed Computing Systems. In: Proceedings of the 1991 IEEE Symposium on Research in Security and Privacy (1991) 110-121

[17] Dobson, J., Randell, B.: Building Reliable Secure Computing Systems out of Unreliable Insecure Components. In: Proceedings of the IEEE Symposium on Security and Privacy (1986) 187-193

[18] Dutertre, B., Crettaz, V., Stavridou, V.: Intrusion-Tolerant Enclaves. In: Proceedings of the IEEE International Symposium on Security and Privacy (2002)

[19] Fraga, J.S., Powell, D.: A Fault- and Intrusion-Tolerant File System. In: Proceedings of the 3rd International Conference on Computer Security (1985) 203-218

[20] Gray, J.: Why Do Computers Stop and What Can Be Done About It? In: Proceedings of the 5th IEEE Symposium on Reliability in Distributed Software and Database Systems (1986) 3-12

[21] Hadzilacos, V., Toueg, S.: A Modular Approach to Fault-Tolerant Broadcasts and Related Problems. Technical Report TR94-1425, Cornell University, Department of Computer Science (1994)

[22] Hiltunen, M., Schlichting, R., Ugarte, C.A.: Enhancing Survivability of Security Services Using Redundancy. In: Proceedings of the IEEE International Conference on Dependable Systems and Networks (2001) 173-182

[23] Kihlstrom, K.P., Moser, L.E., Melliar-Smith, P.M.: The SecureRing Group Communication System. ACM Transactions on Information and System Security 4 (2001) 371-406

[24] Knight, J., Heimbigner, D., Wolf, A., Carzaniga, A., Hill, J., Devanbu, P.: The Willow Survivability Architecture. In: Proceedings of the 4th Information Survivability Workshop (2001)

[25] Lamport, L., Shostak, R., Pease, M.: The Byzantine Generals Problem. ACM Transactions on Programming Languages and Systems 4 (1982) 382-401

[26] Liu, P.: General Design of ITDBMS. Technical Report, UMBC (2000)

[27] Malkhi, D., Reiter, M.K., Tulone, D., Ziskind, E.: Persistent Objects in the Fleet System. In: Proceedings of the 2nd DARPA Information Survivability Conference and Exposition (DISCEX II) (2001)

[28] Meyer, F., Pradhan, D.: Consensus with Dual Failure Modes. In: Proceedings of the 17th IEEE International Symposium on Fault-Tolerant Computing (1987) 214-222

[29] Nicomette, V., Deswarte, Y.: An Authorization Scheme for Distributed Object Systems. In: IEEE Symposium on Research in Privacy and Security (1996) 31-40

[30] Pfitzmann, B., Waidner, M.: A Model for Asynchronous Reactive Systems and its Application to Secure Message Transmission. In: Proceedings of the IEEE Symposium on Research in Security and Privacy (2001) 184-200

[31] Powell, D., Seaton, D., Bonn, G., Veríssimo, P., Waeselynck, F.: The Delta-4 Approach to Dependability in Open Distributed Computing Systems. In: Proceedings of the 18th IEEE International Symposium on Fault-Tolerant Computing (1988)

[32] Powell, D., ed.: Delta-4: A Generic Architecture for Dependable Distributed Processing. Research Reports ESPRIT. Springer-Verlag (1991)

[33] Powell, D.: Fault Assumptions and Assumption Coverage. In: Proceedings of the 22nd IEEE International Symposium on Fault-Tolerant Computing (1992)

[34] Reiter, M.K.: The Rampart Toolkit for Building High-Integrity Services. In: Theory and Practice in Distributed Systems. Volume 938 of Lecture Notes in Computer Science. Springer-Verlag (1995) 99-110

[35] Schneider, F.B.: The State Machine Approach: A Tutorial. Technical Report TR86-800, Cornell University, Computer Science Department (1986)

[36] Tallis, M., Balzer, R.: Document Integrity through Mediated Interfaces. In: Proceedings of the 2nd DARPA Information Survivability Conference and Exposition (DISCEX II) (2001)

[37] Veríssimo, P., Rodrigues, L.: Distributed Systems for System Architects. Kluwer Academic Publishers (2001)

[38] Veríssimo, P., Rodrigues, L., Casimiro, A.: CesiumSpray: a Precise and Accurate Global Clock Service for Large-Scale Systems. Journal of Real-Time Systems 12 (1997) 243-294

[39] Veríssimo, P.: Uncertainty and Predictability: Can They Be Reconciled? In: Future Directions in Distributed Computing. Springer-Verlag LNCS 2584 (2003)

[40] Veríssimo, P., Casimiro, A., Fetzer, C.: The Timely Computing Base: Timely Actions in the Presence of Uncertain Timeliness. In: Proceedings of the International Conference on Dependable Systems and Networks (2000) 533-542

[41] Xu, J., Randell, B., Romanovsky, A., Rubira, C., Stroud, R.J., Wu, Z.: Fault Tolerance in Concurrent Object-Oriented Software through Coordinated Error Recovery. In: Proceedings of the 25th IEEE International Symposium on Fault-Tolerant Computing (1995) 499-508

[42] Zhou, L., Schneider, F., van Renesse, R.: COCA: A Secure Distributed On-line Certification Authority. ACM Transactions on Computer Systems 20 (2002) 329-368
