Slashdot Mirror


Intrusion Tolerance - Security's Next Big Thing?

An anonymous reader writes "DARPA's OASIS program consists of more than 20 research projects in intrusion-tolerant systems. The basic idea is to concede that systems will be penetrated by malware and hackers, but to keep operating anyway. Other projects take a wide variety of technical approaches to providing intrusion tolerance. MIT's Automatic Trust Management uses models of trust to choose from a variety of ways to achieve system goals; Duke/MCNC's SITAR (Scalable Intrusion Tolerant Architecture) adapts tricks from fault-tolerant systems and distributes decision-making; BBN-Illinois-Maryland-Boeing's ITUA employs unpredictable adaptation. Shutting down the military while waging war is not an option, but the idea of continuing to operate critical defense systems even after known penetration by hostile hackers or damaging worms will take some getting used to."
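
The "tricks from fault-tolerant systems" and "distributed decision-making" the story mentions come down, in their simplest form, to redundancy plus voting. The following is an added example written for this mirror; it is not code from DARPA OASIS, SITAR or any other project named above. It serves one request through 2f+1 independent replicas and trusts the answer that f+1 of them agree on, so up to f replicas can be under attacker control and the service still answers correctly while naming the dissenters for an operator. The replica names, the request, the service function (a sum) and the "tamper" offset used to simulate a compromised replica are all constructed for the illustration.

```python
"""
Added example, not code from DARPA OASIS, SITAR or any other project named in
the story: the simplest 'distributed decision-making' trick borrowed from
fault tolerance. A request is served by 2f+1 replicas and the answer with
f+1 matching votes is trusted; up to f replicas can be compromised and the
service still answers correctly. Replica names, the request and the
"tamper" offset are constructed for this illustration.
"""
from collections import Counter


class Replica:
    """One independent copy of the service. tamper != 0 simulates a
    replica under attacker control that returns a corrupted result."""

    def __init__(self, name, tamper=0):
        self.name = name
        self.tamper = tamper

    def handle(self, request):
        # The actual service function: deterministic over the request so
        # honest replicas agree bit for bit. Here it is simply a sum.
        honest = sum(request)
        return honest + self.tamper


def decide(replies, f):
    """replies: {replica_name: result}. Returns (value, suspects).

    With at most f faulty replicas out of 2f+1, the honest value has at
    least f+1 votes and any forged value at most f, so a value with f+1
    votes is safe to act on. If no value reaches f+1 the quorum is broken
    and we return None rather than guess."""
    counts = Counter(replies.values())
    value, votes = counts.most_common(1)[0]
    if votes < f + 1:
        return None, sorted(replies)  # cannot tell who is honest
    suspects = sorted(name for name, v in replies.items() if v != value)
    return value, suspects


def serve(replicas, request, f):
    """Fan the request out to all replicas and vote on the replies."""
    if len(replicas) < 2 * f + 1:
        raise ValueError("need at least 2f+1 replicas to tolerate f faults")
    replies = {r.name: r.handle(request) for r in replicas}
    return decide(replies, f)


if __name__ == "__main__":
    request = [1, 2, 3]
    group = [Replica("A"), Replica("B"), Replica("C", tamper=1000)]
    print(serve(group, request, f=1))   # (6, ['C'])
```

The bound is the whole point: with f=1 and three replicas, one compromised replica is outvoted and reported, but two compromised replicas that collude on the same forged value win the vote. Tolerance buys time to notice and replace the suspects; it does not remove the need to do so.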

21 of 170 comments

  1. Biological Systems by PktLoss · · Score: 5, Insightful

    I think it is great that something like this is being looked at. Every biological system on the planet works on the same principle: yes, the system will be attacked; keep functioning, and attempt to regain control.

    I think an interesting option for powerful machines would be to 'fall on the sword' if complete failure was imminent.

    1. Re:Biological Systems by that_evil_gleek · · Score: 2, Insightful

      "You are still a big monoculture, so once whatever foreign matter is in, it ..."
      No, I'm not. I have lots of various kinds of cells, arranged in tissues and organs, not a single culture. And if they need a culture, it can matter where they get it; it's not all the same. A few supporting reasons beyond textbooks, school, etc.: 1) Some diseases only affect certain tissues. 2) Organ transplants work. One of the failings of the biological model is extending it too far, to the point where it no longer applies. And one should realize the model may only map one way. Like:
      "once whatever foreign matter is in, it won't encounter anything radically new." Ahh, how about antibodies? Or sickle-cell? Might seem pretty radical if you're the germ.

      Or how about this? We are nowhere near the level of a real organic system.
      Cells to tissues to organs to organisms. Consider that the cells themselves can have "organs": mitochondria, nucleus, etc. I think we're kidding ourselves.
      Personally I think if one wants to move toward something like that, you'd need to break out of the compile model. Maybe make a hybrid of compiled and interpreted code, something that can be changed while the system is up, and therefore can be fixed, after an attack, while the system is running.

  2. What's so unusual about this? by Todd Knarr · · Score: 4, Insightful

    Seriously. The implementations are new, but the concept goes back to the dawn of interconnected computers, maybe further. Back in the Iron Age, you used different passwords on different systems specifically so that, if one of the systems were penetrated and your password compromised, all the other systems you had access to would not be immediately compromised as well. That was a limited form of intrusion tolerance, forcing the intruder to start over from scratch on every system in the network.

    1. Re:What's so unusual about this? by PaulK · · Score: 2, Insightful

      Actually, I don't see it the same way. That was basically the same type of wall, on different systems.

      That was not so much tolerance, as it was the only protection, and it still applies, except for idiot admins who use the same password over and over.

      This is more of an internal "protect the data stream" kind of thing.

  3. Same as in many materials uses by Anonymous Coward · · Score: 2, Insightful

    Much engineering effort goes into the benefits of balancing something's hardness against its resilience. The broad idea for security lately has been to make systems as hard as possible, but leaving them brittle. Even diamond and alumina ceramics shatter relatively easily. Building systems with something more akin to the resilience of steel makes sense... as long as you have some damned way of translating materials science into network security.

    perhaps I need coffee :)

  4. Why does it have to be like this? by espo812 · · Score: 3, Insightful

    Why do we have to accept break ins? OpenBSD hasn't had a vulnerability disclosed in months now. Does that mean there are no vulnerabilities? No. Is an OpenBSD box pretty much unusable out of the box? Pretty much yes. But the thing is if you keep things simple, they should be easy to audit. Bugs should be easy to detect and fix.

    You get into trouble when you start piling on feature after feature after feature. Is all of that really needed?

    Denial of Service is, unfortunately, harder to deal with. But when you have your own network, it's much easier to deal with. Dependency on the Internet still creates a problem (the majority of US government data communication is done via the Internet). It comes down to a cost-benefit analysis: is it worth building a totally separate network? For the military, I'd say yes.

    --

    espo
  5. Just My .02 USD by Sam Nitzberg · · Score: 5, Insightful

    In general, I don't like the idea of making a concession that malware will have to be operating in a given computing environment (as stated above), and to think otherwise would simply be incorrect. OK, Windows environments may be an obvious exception ;-)

    I would prefer to consider (at least from my own philosophical viewpoint) that you can construct systems with defined patterns of behavior, even when "malware" is introduced.

    From one of the links referenced above :

    Successive levels in the hierarchy are linked by refinement mappings that can be shown to preserve properties of interest. This project will apply this technology to intrusion tolerance properties.

    This harkens back to enforcement mechanisms (Biba Integrity Model, No Read Up, No Write down policies, Models for descriptions of multi-level secure behavior, etc...). (Aside: Amoroso's book is an excellent reference)

    What this alone tells me (I didn't read all the blurbs, articles, and briefings), is that we are discussing mappings (mathematical functions), and properties (which can be mathematically tested for by use of a logic or algebraic system).

    At a glance, I am thinking of some of the issues in formal methods, proven-secure-O/S kernels, and other high-reliability software engineering methods for [secure] systems.

    I like the idea that mathematical theorem provers can be applied to any system so defined.

    Some basic issues do arise for practical application :

    - Theorem - proving aspects mean very precise use of functional requirements and mathematical specification for system behaviors. (Also, special talent and additional manpower is necessary. Also, mis-applications of the tools used, or introduced human error in the test process can subvert the efforts)

    - This should be applied (I believe) to systems-of-systems and their behaviors. The systems that your system interacts with would have to have had similarly rigorous analysis and design.

    - There is (I believe) a trend in military computing towards commercial, and less custom, software development. Long-term, where will the actual development of such systems be funded (beyond the initial R&D stage)?

    - The use of analysis of pre- and post-conditions in the executing environment (to ensure that violations of the underlying security policy are not permitted) is not a new concept. While I am not saying that this is an intrinsically necessary mechanism for these methods, most current systems lack such an approach, and there may be fundamental computer security issues present by the nature of the software development environment. If these methods are used, it is still highly desirable to design systems with security in mind regarding their handling of all data, traffic, and O/S vulnerability issues.

    I only took a brief look at the material, but these are some thoughts. I also think that the effort itself is very worthwhile, and potentially of value. Also, looking at Dr. Lulu's credentials, there is no naivete in his software background; the basic tenets can't just be shrugged off.

    Sam Nitzberg
    sam@iamsam.com
    http://www.iamsam.com

  6. Re:interesting, but not really a new concept by PaulK · · Score: 2, Insightful

    I concur.

    There is a parallel here; most large corporations have given up on the virus war, and have implemented "Virus Management" strategies.
    They have basically said, "OK, we can't keep them out, so we'll just let them in a little bit."

    So now we're doing the same thing on the security front. I must admit, I'm not all that surprised.

    The cynic in me says, "That's what you get for outsourcing all those tech jobs."

  7. Re:interesting, but not really a new concept by Gorobei · · Score: 3, Insightful

    Huh? The military has had *thousands of years* of experience in information security! They created/funded/supported research in almost every major communications system/crypto system of the past two millennia.

    They know no system is totally secure - especially when your adversary has spies, troops, and bombs. You expect enemy signals intelligence, broken codes, code-books captured in combat, spies in your data centers, secure comm channels destroyed.

    There is no one line/security barrier: the only rational approach is a defense in depth, with monitoring of problems, and the ability to route around compromised and destroyed systems.

  8. Re:Biological Systems - Scares me! by Anonymous Coward · · Score: 1, Insightful

    BWHAHAHA! Who says 'self-aware networks' are even possible? I've seen no evidence to show that they are. Read "What Computers Can't Do." An intelligent machine is most likely impossible using a digital computer. I just think it's funny people still worry about this when the smartest machine we've ever built is a robot vacuum. Take it easy.

  9. Re:Biological Systems - Scares me! by dekashizl · · Score: 3, Insightful
    Who says 'self-aware networks' are even possible? I've seen no evidence to show that they are.
    A network that knows its own configuration, is able to introspect on the status of its nodes, and has the power to make changes to its routing and component members is "self aware" and "self mutable". It is also well within our technological capacity to build one. The abilities to introspect and self-modify are the core of intelligence. Read Gödel, Escher, Bach: An Eternal Golden Braid.
    An intelligent machine is most likely impossible using a digital computer.
    If anything requires evidence to prove, it's that silly statement right there. It's not even clear what you mean by an "intelligent machine". But even taking it to a deep level of complexity (human-level intelligence), it's likely that we'll be there soon as the ability to simulate the right number of neurons is made possible by faster processors. Read The Age of Spiritual Machines.
    I just think it's funny people still worry about this when the smartest machine we've ever built is a robot vacuum.
    Apparently The Sharper Image catalog and your local Brookstone dictate your knowledge of technology and human achievement. That being the case, I must inform you that some of the newest meat thermometers are quite sophisticated and even have an "ultra-sensitive 'fish' option".

  10. Makes it hard to test by Anonymous Coward · · Score: 1, Insightful

    If silent failure is the normal mode, detecting failure is going to be really fun :-(

  11. Re:That's what war is all about! by sn00ker · · Score: 4, Insightful
    That's why our military security is completely segmented. The whole concept of need to know basis
    And, as with the military, if you compromise high enough up the chain you can do a WHOLE lot of damage. Senior military officials don't just have military drivers because of their rank - The drivers also have guns.
    There's a reason former US presidents get USSS protection for quite some time (now 10 years, formerly life) after leaving office - What they know remains highly prejudicial to national security after they go.

    The problem with computers is that you can force them to reveal everything they know without leaving them catatonic with drugs or physically destroyed - In theory, nobody would ever know.
    This biological concept of security needs to use the full biological model of sacrificial guards. The body repels invaders by sacrificing cells to attack the invader. A computer that merrily allows an intruder to work its way back through the network until they can read everything is no use.
    Maybe create switches that have fusible links on the network ports that can be destroyed with a command from within the network? Make the links cheap and easy to replace, so that it's not a major imposition to fix if someone does it maliciously or accidentally. A physically "down" network port is absolute security against a remote attacker, particularly when a computer only has a single NIC.

    --
    "God, root, what is difference?" - Pitr, userfriendly

  12. Re:That's what war is all about! by Daetrin · · Score: 4, Insightful
    This biological concept of security needs to use the full biological model of sacrificial guards. The body repels invaders by sacrificing cells to attack the invader. A computer that merrily allows an intruder to work its way back through the network until they can read everything is no use.

    I don't think the idea is that the computers will just ignore intrusions. At the very least, they'll notify a human operator that an intrusion has taken place while trying to continue normal functioning. If possible it will probably try to eliminate the intrusion.

    However, the first priority is to continue its primary functions. The military can't afford to have its communication grid or its air flight control or other items of such a crucial nature shut down in the middle of combat, not unless there's a backup ready to take over. (And do you trust a compromised machine to decide whether or not a backup system is available?)

    So the system continues to do its best to carry out its tasks while a human operator decides when and if the machine can be shut down and another swapped in to take its place, and coordinates any possible counter-hacking operations.

    If you want to fall back to a cold war/MAD mentality, here's a worst-case scenario for you. Say that twenty years from now China launches an unexpected nuclear ICBM assault against the US. At the same time Chinese hackers attempt to infiltrate every known computer in NORAD and any SDI systems. Would you want the computers to automatically destroy themselves, thereby eliminating any chance of a timely defense or counterattack, or assume that the hackers haven't got full access and keep the computers going as long as possible since the other alternative is death?

    And if you're going for a MAD strategy, which of those two systems would you want your adversaries to know that you have?

    --
    This Space Intentionally Left Blank

  13. Yeah! by twitter · · Score: 2, Insightful
    The whole concept of need to know basis, is the understanding that information will fall into the wrong hands, you just want to minimize how much information can fall into the wrong hands when someone or something is compromised. That computers, especially military computers would follow this highly pragmatic principle shouldn't come as much of a surprise.

    No, that's great.

    This and this are complete surprises. Who would think to create a monoculture of poor security systems like that? Especially after right-headed thinking like:

    --

    Friends don't help friends install M$ junk.

  14. Re:Perhaps systems which undo intrusions? by Qzukk · · Score: 2, Insightful

    Question: If you know how the intruder got in using this on-the-fly automated system, why not just patch the vulnerability in advance?

    You don't need to know in advance the vulnerability to figure out how someone got in. If Apache suddenly spawns a shell, well, that is a pretty good hint right there (or that some nutter is using a shellscript as a CGI, but they deserve getting false negatives in that case).

    Plus, if you combine this with packet data logging (probably with a protocol level filtering tool, so you only have to deal with interesting parts of the conversation), it can be quite useful (although slow...), say you log apache starting a shell, and at the same time you logged an "interesting" request consisting of the same byte repeated 5000 times followed by a known shellcode pattern, you'd have an even better idea of what happened.

    --
    If I have been able to see further than others, it is because I bought a pair of binoculars.

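The correlation Qzukk describes (a web server spawning a shell, lined up against the request logged at the same moment) is what a host sensor plus request logging would actually do. The following is an added example written for this mirror, not code from the thread or from any OASIS project. It reads a constructed process-audit log and a constructed request log, flags every shell spawned by the web server, and checks the requests in the preceding few seconds for a long run of one repeated byte (a sled) and for an assumed shellcode signature. The log formats, field names, the 5-second window, the list of shell paths and the signature bytes are all assumptions made for the illustration, not anything the thread specifies.

```python
"""
Added example, not from the thread or any OASIS project: the correlation
Qzukk describes, run over constructed log lines. A process-audit log shows
what the web server spawned; a request log shows what was asked of it.
A shell spawned by httpd is flagged, and requests in the preceding few
seconds are checked for a long run of one repeated byte (a sled) and for
an assumed shellcode signature. Log formats, field names, the 5-second
window and the signature bytes are all assumptions for this illustration.
"""
import re
from datetime import datetime, timedelta
from urllib.parse import unquote_to_bytes

WEB_SERVERS = {"httpd", "apache", "apache2"}
SHELLS = {"/bin/sh", "/bin/bash", "/bin/ksh", "/bin/csh"}
WINDOW = timedelta(seconds=5)
# Assumed signature: the leading bytes of one widely published Linux x86
# shellcode. A real sensor carries a signature set, not one string.
SHELLCODE_MARKER = bytes.fromhex("eb1f5e897608")
# 1000 or more copies of the same byte, after URL-decoding.
REPEATED_RUN = re.compile(rb"(.)\1{999,}", re.DOTALL)


def parse_proc(text):
    """'<ts> parent=<name> child=<path>' lines -> list of dicts."""
    events = []
    for line in text.splitlines():
        ts, parent, child = line.split(None, 2)
        events.append({"ts": datetime.fromisoformat(ts),
                       "parent": parent.split("=", 1)[1],
                       "child": child.split("=", 1)[1]})
    return events


def parse_req(text):
    """'<ts> src=<ip> path=<url-encoded path>' lines -> list of dicts."""
    reqs = []
    for line in text.splitlines():
        ts, src, path = line.split(None, 2)
        reqs.append({"ts": datetime.fromisoformat(ts),
                     "src": src.split("=", 1)[1],
                     "path": path.split("=", 1)[1]})
    return reqs


def suspicious_request(raw_path):
    """Reasons a request looks like an overflow attempt; empty if none."""
    data = unquote_to_bytes(raw_path)
    reasons = []
    if REPEATED_RUN.search(data):
        reasons.append("repeated-byte run")
    if SHELLCODE_MARKER in data:
        reasons.append("known shellcode pattern")
    return reasons


def correlate(proc_text, req_text):
    """Every shell spawned by the web server, with the suspicious requests
    seen in the WINDOW before it. An empty request list means the spawn
    itself is the only evidence (e.g. a shell script used as a CGI)."""
    findings = []
    reqs = parse_req(req_text)
    for ev in parse_proc(proc_text):
        if ev["parent"] not in WEB_SERVERS or ev["child"] not in SHELLS:
            continue
        hits = [(r["src"], suspicious_request(r["path"]))
                for r in reqs if ev["ts"] - WINDOW <= r["ts"] <= ev["ts"]]
        findings.append({"when": ev["ts"].isoformat(), "child": ev["child"],
                         "requests": [h for h in hits if h[1]]})
    return findings


# Constructed sample logs. The second request carries a 1200-byte NOP sled
# (%90 repeated) followed by the assumed signature, URL-encoded as a log
# would record it. The third spawn is a shell script used as a CGI.
PROC_LOG = """\
2003-05-20T10:14:01 parent=httpd child=/bin/sh
2003-05-20T10:20:30 parent=httpd child=/usr/lib/cgi-bin/report.cgi
2003-05-20T10:31:05 parent=httpd child=/bin/sh
"""
SLED = "%90" * 1200
SIGNATURE = "".join("%%%02x" % b for b in SHELLCODE_MARKER)
REQ_LOG = (
    "2003-05-20T10:13:59 src=10.0.0.7 path=/index.html\n"
    "2003-05-20T10:14:00 src=10.0.0.9 path=/cgi-bin/" + SLED + SIGNATURE + "\n"
    "2003-05-20T10:20:29 src=10.0.0.7 path=/cgi-bin/report.cgi?q=ok\n"
    "2003-05-20T10:31:04 src=10.0.0.7 path=/cgi-bin/status.sh\n"
)

if __name__ == "__main__":
    for finding in correlate(PROC_LOG, REQ_LOG):
        print(finding)
```

The first spawn comes back with the 10.0.0.9 request and both reasons attached; the third comes back with an empty request list, which is the shell-script-as-CGI case Qzukk mentions and is where an operator has to look rather than a rule. Decoding the path before matching matters: a sled in a real access log is percent-encoded, so a regex over the raw line would miss it.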
  15. About damn time. by scphantm · · Score: 2, Insightful
    I personally have gotten sick of arguing with people, asking them what they are going to do WHEN they get attacked. I lost count of how many admins I have dealt with that thought just because they have a firewall and a BSD distribution, no one is going to get in.

    About time the question was changed from "how are you going to keep them out" to "what are you going to do when they get in".

    --
    *** I suffer from a colorful array of psychological problems
  16. There are dangers here by Mostly+a+lurker · · Score: 3, Insightful

    I guess everyone would agree that there is some merit to the concept of defense in depth. That said, recognise that the typical user (i.e. those most likely to be hacked) will generally not do anything about an intrusion as long as they can continue to work. I think a result of better intrusion tolerance would be a significant increase in the number of long term compromised systems.

  17. Re:Sad to get old by scphantm · · Score: 4, Insightful

    Respectfully disagree. Yes, tolerant to the fact that there is always someone better than you, I agree with. But these kinds of systems are not the ones that can take care of themselves while you finish your vacation in Hawaii so you can deal with it when you get back. These are the systems that can keep going while you are racing from dinner with your family back to the office to solve the problem.

    In 90% of the cases, pulling the plug is the best thing to do. But take eBay for example: 1.2 billion in revenue relying entirely on their systems. That means they earned $2,289.38 every minute. So in that perspective, could you really tell someone to just simply shut off the site while you drive back to the office to fix it?

    --
    *** I suffer from a colorful array of psychological problems

  18. Re:Biological Systems - Scares me! by clary · · Score: 2, Insightful

    For another point of view, read The Emperor's New Mind by Roger Penrose.

    Whether strong AI is possible is still an open question. It has been "coming soon" now for at least four decades.

    --

    "Rub her feet." -- L.L.

  19. Re:Biological Systems - Scares me! by ralphclark · · Score: 2, Insightful

    Well that's how things are today, all right.

    But the technology we have today was unforeseen by previous generations. Just think about the internet for example. Asimov came closest I think, with his "Multivac" - but even he thought it was much farther off.

    So the technology may yet appear in our own lifetimes. Once the right component density is available (only a matter of time, now) it could take just one breakthrough in AI systems design to change everything.

    But if you have a principled objection to the possibility of truly strong AI then there is probably nothing I can say to convince you. You may still be denying it when it comes knocking at your door.

    As far as fragility is concerned, it is much easier *even in theory*, let alone in practice, to make electronic devices that can withstand extremely harsh conditions such as exist in space than it is to harden humans. It's not even certain, without a prohibitively massive amount of shielding, how long humans could survive the solar and cosmic radiation out beyond the Van Allen belt without contracting terminal cancer.

    I'm not going to give you an essay here, but it is well understood and widely agreed that we will send intelligent autonomous probes to the nearby stars long before we send humans, because they can be made small (and therefore cheap to power and propel) and we can't; because they can withstand the long journey and extreme conditions and we can't; because they can do without tonnes of food, water and air and expensive organic recycling systems, and we can't.

    So who's fragile?

    It may still turn out that the human body relies, for its continued health and existence, upon the presence of as yet undetected substances and/or symbiotic microorganisms in our own biosphere. Substances and organisms that we therefore don't bring with us when we leave Earth. You have surely noticed that those who return from long stays even in Low Earth Orbit generally don't look too healthy afterwards? It might all be due to the absence of gravity, but then again it might not.