Slashdot Mirror
Intrusion Tolerance - Security's Next Big Thing?
An anonymous reader writes "DARPA's OASIS program consists of more than 20 research projects in intrusion-tolerant systems. The basic idea is to concede that systems will be penetrated by malware and hackers, but to keep operating anyway. Other projects take a wide variety of technical approaches to providing intrusion tolerance. MIT's Automatic Trust Management uses models of trust to choose from a variety of ways to achieve system goals; Duke/MCNC's SITAR (Scalable Intrusion Tolerant Architecture) adapts tricks from fault-tolerant systems and distributes decision-making; BBN-Illinois-Maryland-Boeing's ITUA employs unpredictable adaptation. Shutting down the military while waging war is not an option, but the idea of continuing to operating critical defense systems even after known penetration by hostile hackers or damaging worms will take some getting used to."
I think it is great that something like this is being looked at. Every biological system on the planet works on the same principal, yes, the system will be attacked, keep functioniong, and attempt to regain controll.
I think an interesting option for powerfull machines would be to 'fall on the sword' if complete failure was immenent.
paul reinheimer
What to do when penetrated
1) Remove all sources of power
2) Incinterate the hard disk, ram, motherboard and most importantly, the sys admin who was in charge of the box.
3) Bury the ahses in a safe concrete cavern, do not touch for 1000 years.
upon hearing this, my first thought was the chatter-box prostitute from Bruce-Willis's "Last Man Standing."
Somebody drag my mind out of the gutter please!
My life in the land of the rising sun.
The obvious question is how did the hacker get there? These computers shouldn't even be connected to the internet. And if they're not, then there are more important things to worry about, such as why is there an agent from a different military operating on restricted computers.
What has to be understood is that a compromised system, if part of a larger group of compro & non-compro systems can have a lot of undesirable consequences. In a Corporation network of say 150 servers a couple broken in boxes serving as open relays, ftp/warez sites or just sniffing around do not necessarily have to bring the whole Company down for a day, pulling the plug on them is always an option.
However if your servers/farms are crunching numbers for a Satellite recon or is running a battlefield communication center then your not quite sure how it would behave. A lot of modelling and discussions will go on about this, but some of these problems (of data consistency) have already been handled previously in Computer Science... so its not that big a deal.
It will I guess be like one of those "decisions" a battlefield commander takes, of how much he trusts the intel he is getting and how he wishes to proceed and are the risks acceptable.
Similarly the network/systems ppl will be making choices whether they can live with this intrusion or not...how best to handle it without stopping the grid.
-- everyones not everybody and neither is everybody like everyone.
Shutting down the military while waging war is not an option, but the idea of continuing to operating critical defense systems even after known penetration by hostile hackers or damaging worms will take some getting used to."
What do they think the military goes home when someone gets killed or they find out there might be a spy? That's why our military security is completely segmented. The whole concept of need to know basis, is the understanding that information will fall into the wrong hands, you just want to minimize how much information can fall into the wrong hands when someone or something is compromised. That computers, especially military computers would follow this highly pragmatic principle shouldn't come as much of a surprise.
Doug Tolton
"The destruction of a value which is, will not bring value to that which isn't." -John Galt
I think the next step from intrusion-tolerance would be a system that logs intruder activity, determines how the intruder got in, and when the intruder leaves, cleans up whatever rootkits, etc. were left behind after logging everything it can about the event.
;)
Other interesting ideas would be determining "tainted" processes run or otherwise affected (library overwrites, etc) by the intruder, and automatically sandboxing these processes in a nifty little world that looks realistic, but couldn't be used for a DDoS.
Anyone up for writing a drop-in libc replacement that screens any attempts to overwrite libc? You'd also have to override the linker behavior, so that an attacker couldn't just LD_PRELOAD a normal libc for their apps. You'd still be open to statically compiled apps, so this may be a lot of work for only a little gain.
Of course, this would make it hard to upgrade libc
If I have been able to see further than others, it is because I bought a pair of binoculars.
Seriously. The implementations are new, but the concept goes back to the dawn of interconnected computers, maybe further. Back in the Iron Age, you used different passwords on different systems specifically so that, if one of the systems were penetrated and your password compromised, all the other systems you had access to would not be immediately compromised as well. That was a limited form of intrusion tolerance, forcing the intruder to start over from scratch on every system in the network.
All it's doing is moving the security barrier. You're creating a new line, and saying that it's OK for attackers to cross the old line, since that doesn't get them across the new line. But defending the new line is not fundamentally any easier than defending the original line.
" concede that systems will be penetrated by malware and hackers, but to keep operating anyway"
Hasn't this always been the strategy of Windows? Now if they could just finish implementing that second part...
Much engineering effort goes into the benefits of balancing somethings hardness against its resilience. The broad idea for security lately has been to make systems as hard as possible, but leaving them brittle. Even Diamond and Alumina Ceramics shatter relatively easily. Building systems with something more akin to the resilience of steel makes sense... ... as long as you have some damned way of translating materials science into network security.
:)
perhaps I need coffee
... sounds like somebody is reinventing Multics... again.
...this new mantra of security.
I must not fear. Fear is the mind-killer. Fear is the little death that brings total obliteration. I will face my fear. I will permit it to pass over me and through me. And when it has gone past, I will turn the inner eye to see its path. Where the fear has gone there will be nothing. Only I will remain.
-- The Bene Gesserit Litany of Fear
Dune by Frank Herbert
"A great democracy must be progressive or it will soon cease to be a great democracy." --Theodore Roosevelt
Why do we have to accept break ins? OpenBSD hasn't had a vulnerability disclosed in months now. Does that mean there are no vulnerabilities? No. Is an OpenBSD box pretty much unusable out of the box? Pretty much yes. But the thing is if you keep things simple, they should be easy to audit. Bugs should be easy to detect and fix.
You get into trouble when you start piling on feature after feature after feature. Is all of that really needed?
Denial of Service is, unfortunately, harder to deal with. But when you have your own network, it's much easier to deal with. Dependancy on the Internet still creates a problem (the majority of US government data communication is done via the Internet). It comes down to a cost benefit analysis - is it worth building a totally seperate network? For the military, I'd say yes.
espo
In general, I don't like the idea of making a concession that malware will have to be operating in a given computing environment (as stated above), and to think otherwise would simply be incorrect. OK, Windows environments may be an obvious exception ;-)
:
:
I would prefer to consider that (at least from my own philosophical viewpoint), that you can construct systems with defined patterns of behavior, even when "malware" is introduced.
From one of the links referenced above
Successive levels in the hierarchy are linked by refinement mappings that can be shown to preserve properties of interest. This project will apply this technology to intrusion tolerance properties.
This harkens back to enforcement mechanisms (Biba Integrity Model, No Read Up, No Write down policies, Models for descriptions of multi-level secure behavior, etc...). (Aside: Amoroso's book is an excellent reference)
What this alone tells me (I didn't read all the blurbs, articles, and briefings), is that we are discussing mappings (mathematical functions), and properties (which can be mathematically tested for by use of a logic or algebraic system).
At a glance, I am thinking of some of the issues in formal methods, proven-secure-O/S kernels, and other high-reliability software engineering methods for [secure] systems.
I like the idea that mathematical theorem provers can be applied to any system so defined.
Some basic issues do arise for practical application
- Theorem - proving aspects mean very precise use of functional requirements and mathematical specification for system behaviors. (Also, special talent and additional manpower is necessary. Also, mis-applications of the tools used, or introduced human error in the test process can subvert the efforts)
- This should be applied (I believe) to systems-of-systems and their behaviors. The systems that your system interacts with would have to had similiarly rigorous analysis and design.
- There is (I believe) a trend in military computing towards commercial, and less custom, software development. Long-term, where will the actual development of such systems be funded (beyond the initial R&D stage).
- The use of analysis of pre and post conditions in the executing environment (to ensure that violations of the underlying security policy are not permitted) is not a new concept. While I am not saying that this is an intrinsically ecessary mechanism for these methods, most current system lack such an approach, and there may be fundamental computer security issues present by the nature of the software development environment. If these methods are used, it is still highly desirable to design systems with security in mind regarding their handling of all data, traffic, and O/S vulnerability issues.
I only took a brief look at the material, but these are some thoughts. I also think that the effort itself is very worthwhile, and potentially of value. Also, looking at Dr. Lulu's credentials, there is no naivite in his software background; the basic tenents can't just be shrugged off.
Sam Nitzberg
sam@iamsam.com
http://www.iamsam.com
Recently I upgraded and migrated to a newer, much faster server. When I moved over all my software, everything worked OK, so I switched DNS about 2 weeks ago.
However, I got sporadic complaints about images not sizing properly, even though I initially found nothing wrong.
However, what had happened is that a critical piece of software (ImageMagick) wasn't loaded on the new server - but since all the functions that resized images had numerous fallbacks (such as using expired, cached copies, and failover to full size display which even then didn't always cause a problem since they were frequently resized with HTML tags)
In any event, this (I think) demonstrates the idea - there were several layers of failure that had to happen before images didn't show - and everything kept more-or-less rolling for 2 weeks.
I have no problem with your religion until you decide it's reason to deprive others of the truth.
All micorsoft operating systems are extremely compliant with RFC intrusion tolerance. Indeed they positively welcome intruders open arms and open legs. once in the intruder can pretty much do as they please. If that isn't intrusion tolerant I dont know what is.
Some drink at the fountain of knowledge. Others just gargle.
This is similar to research being done at MIT in the Computer Architecture Group by Martin Rinard and his graduate student Brian Demsky. They are building and researching ways to automatically detect and repair data structure errors so that if a programs data structures get corrupted their tool will repair the heap so the program can keep running.
There was related work done like this back in the day at AT&T but Rinard and Demsky have introduced automatic repair which, as you might imagine like this security idea, is scary to some people. Imagine a program that would have crashed due to some bug or malicious data mangling, now kept running by a tool... But the tool chooses the repair actions based on heuristics and specifications by the developer... takes some getting used to!
All of this stuff falls under fault tolerance... its pretty crazy to look at what the AT&T/Lucent Phone Switches do when they fail... they try a million different things to keep operating no matter what happens...
More likely, the next big jive word my boss is going to get obsessed with. I mean, sure, it's a great idea, and eventually I see it coming into heavy use, but for right now, I just see the corporate types throwing it around in their techno-babble pissing matches
Suit 1: We've got 10,000 uberhumungo servers running Microsoft 2003 Humungo Server Edition, with b2b backend, integrated transaction safe, load-balanced Humungo Edition IIS.
Suit 2: Well, we have all of that, plus Intrusion Tolerance.
Suit 1: Oh, baby. Can I merge with you?
====
Crudely Drawn Games
Oh... I thought we were going to start being Politically Correct and stop saying bad things about script kiddies.. I'm relieved to see the world hasn't quite reached that level or purgatory just yet.
My best guess is that the military (and the pseudo government international defense-corporate twins) know they are penetrated in advance, ie, they got spies inside, and no way to keep them off their nets, even if secured from the "internet". They need some way to keep functional even though they know they are compromised. When you have top level nuke secrets waltzing out of supposedly secure places like los alamos, well, no amount of software is going to save you. When you have top FBI cybercops being spies, military IT people being spies, research univerities where english is a minor second language to whatever the majority of the researchers grew up speaking, and etc, well, that's an insecure system(s) from the gitgo. You can have an airgap, steel doors, retina scans, you name it, if the PEOPLE involved are not all on the same team, means will be found to sneak off with the IT gems, either on a one time basis or ongoing. That's the part I don't think they are emphasizing. That and a lot of the top level politico bosses being blackmailed/bribed off, again, adding huge levels of insecurity.
The old saying is "who watches the watchers?", but now it can be added to "who can you trust when no one is trustworthy?"
Perhaps the aproach should be to throw so many false leads at the attacker that they play their hand before they do any real damage.
There is an old philosophy that you don't need to create a perfect lie. You only need to tell so many lies that they truth can no longer be seen.
A system of honeypots, firewalls, and harmless paths into a network would allow a hacker to be studied, traced, and combated (counter-hacked?).
The law is becoming an obstical to such an approach. There is legal speculation that honeypots constitute a form of wiretapping. Bad laws are going to make it very difficult to be a white hat in a few years.
This is nothing new, Windows has had tolerance towards intrusions for years...
One project is working on a new standard for memory in DIMM form - the HCC DIMM - Hacker Checking and Correcting memory.
When information is power, privacy is freedom.
But they (biological systems) also autonomously evolve, compete strongly, and often get wiped out. And when they do too well, they have the tendency to consume all resources, pollute, and then die out or reinvent themselves.
We (humans) are a biological animal. Let's be careful building something that will compete with us. The potential dangers of this scenario have been played out in Terminator and countless other sci-fi epics. Self-aware entities fight for their survival and the survival of their species/genes.
You might say "but we control the technology", but in fact the next generation of computers will control us. Digital Rights Management (DRM) is in effect our surrendering of our rights to machines. As more of our survival becomes dependent on machines (as has been increasing at an exponential rate recently), this means our rights of survival are out of our hands. Think of DRM as the Declaration of Independence, but in reverse -- well, we had a nice run there for a couple hundred years! But I'd rather be a heavily-taxed under-represented colonist of a foreign empire than a farm animal to machine masters any day.
I don't mean to rant tinfoil hat conspiracy nonsense, and it's important to secure our systems from collapse, but let's not be so quick to push ourselves toward slavery just yet. I think this (self-aware networks) is an area that is as important as nano/biotech to watch out for, and it's far more likely that we become totally enslaved to technology than that we all get turned into gray goo.
So the idea is, have a vulnerability, get attacked, keep on trucking with the same vulnerability, continue to get pounded through the same vulnerability relentlessly by every script kiddie's scan, vendor never patches because we've all accepted that we can just live with the vulnerabilities, keep on suckin'?
From the MIT article, it sounds like some intelligence will shut some non-critical services down so that the core still runs, but isn't that what Intrusion Prevention is supposed to do? When you're talking military use, I expect the important areas to be surrounded by honeypots as part of the Intrusion Detection and Prevention.
"Beware of he who would deny you access to information, for in his heart, he dreams himself your master."
No, that's great.
This and this are complete surprises. Who would think to create a momoculture of poor security systems like that? Especially after right headed thinking like:
Friends don't help friends install M$ junk.
Remember that from the Vietnam War? Intrusion tolerant computer systems... the more things change, the more the seem the same.
Wogs "Freedom's just another word for having nothing left to lose."
bout time the question was change from "how are you going to keep them out" to "what are you going to do when they get in"
*** I suffer from a colorful array of psychological problems
When you look at the whole idea of a screened subnet where you have your more exposed public servers in a spot where intrusions cannot easily spread to your internal private network, this is indicative of some level of intrusion tolerance to the network as a whole (not the individual computers though).
When I started writing Hermes (see my sig), one of the major issues I dealt with was security and intrusion tolerance. The question is-- given that this would be used to access comfidential customer information, how can we make it as secure as possible. The answer was that since I didn't want to trust anythign (even the web server) I opted for a strategy of "even if the web server is compromised, the user accounts will not be." Again, this is a sort of intrusion tolerance.
However, I must agree that leaving a known compromised system *in production* is always foolish. For example, if (with Hermes) someone were to break into the web server and modify the scripts to log usernames and passwords, than all my security would not be worth anything if you leave the server in production, but if you act fast this tolerance limits the damage and gives the administrators a better chance to contain the damage before something important is taken.
Anyway, I see this as building on ideas that have ben here for a while.
LedgerSMB: Open source Accounting/ERP
I guess everyone would agree that there is some merit to the concept of defense in depth. That said, recognise that the typical user (i.e. those most likely to be hacked) will generally not do anything about an intrusion as long as they can continue to work. I think a result of better intrusion tolerance would be a significant increase in the number of long term compromised systems.
respectfully disagree. yes, tolerant to the fact that there is always someone better than you i agree with. but these kinds of systems are not the ones that can take care of themselves while you finish your vacation in Hawaii so you can deal with it while you get back. These are the systems that can keep going while you are racing from dinner with your family back to the office to solve the problem.
In 90% of the cases, pulling the plug is the best thing to do. but take EBay for example, 1.2 billion in revenue relying entirely on their systems. That means they earned $2,289.38 every minute. So in that perspective, could you really tell someone to just simply shut off the site while you drive back to the office to fix it?
*** I suffer from a colorful array of psychological problems
maybe its because noone bothered trying =-)
this coming from someone that has been begging his boss for a mac laptop for 2 months. mini-me sold it, i want one.
*** I suffer from a colorful array of psychological problems
If you have a multi-level and/or granular security architecture, penetration or a hack at one security level doesn't mean automatic access to other levels or privileges. So they hack the webserver process. If the webserver is running as a non-root process in a chrooted jail -- perhaps even on a 'virtual machine', does that automatically mean we should shut down the whole system?
It's the same with well designed programs -- there was a slashdot article recently on QNX -- that is designed to be fault tolerant -- and it works. Only when you design huge monolithic code monsters where a fault anywhere in the monster means kill the whole beast do you have such frail computer systems.
Imagine human skin hacked by a scrape on some sharp object. If the first decision was to instantly kill the whole host, there wouldn't be too many humans -- can you say *stoopid* design?
Sure, there are some things that can't be healed, but the majority of us have had scrapes and bruises growing up and are still quite healthy -- and even where the car body may have permanent damage, then engine/CPU (the person's brain) is often quite capable.
Next time you think fault tolerant or intrusion tolerant systems are foolish and impossible, think "Stephen Hawking", or "Einstein" (not able to complete High School). I had a *stoopid* manager who thought that making system-audit so efficient, it could be left on by default in all but the most demanding of compute environments was a waste of time -- that it was *impossible* to build real-time intrusion detection systems.
Of course people thought it was impossible to circumnavigate the globe (you'd fall off the edge), impossible to fly, impossible to go faster than the speed of sound, etc.
Every time someone talks about how "impossible", you have to realize they are consciously or unconsciously thinking inside a box. To do the impossible requires something that *isn't* engineering. It isn't manageable. It can't be driven by a schedule. You have to *think outside the box*. You have to be creative. By definition, engineering, isn't creative. Engineering is taking known principles, applying them in some set of known circumstances, and coming out with another "widget", that looks similar to a previous widget.
Most large companies breed conformity and uniformity. While this type of engineering is great for reproducing Honda's on an assembly line, it greatly hinders thinking 'out of the box' (the box of conformity and uniformity that the company asserts is "necessary" for their business). Then they wonder why what was once a 'wonder company' is now a 'dinosaur company'.
Creative people are often *not* group players -- if they had a group mentality, then how can they be expected to come up with any idea that is radically different from the rest of the group?
Creative people tend more toward not having exceptional social graces (think of the novel ideas of unix, or Multics). These were not done by suit-and-tie, management "yes"-men. Even Linux was started by 1 person -- who has not always been known to be the social charmer, even tempered type -- and I certainly don't get the impression that everything is done by group consensus.
But already in linux, there is a fair amount of doing things the 'linux' way, certain people to please, various people who get say-so or veto powers (or are believed to have such) beyond Linus.
People familiar with Microsoft can remember when even the simplest application crash would bring down the entire system. Unix people would generally laugh at this. But now we see those who think a single penetration should cause the whole system to be brought down. Maybe it will require a next-generation OS (dunno enough about QNX to know if it might qualify), but there are other OS's that have better security records than linux (BSD, OS/X (I've heard)).
Linux, laughably, doesn't even have CAPP certification. Sure, there are alot more Microsoft vulnerabilities every
Dintcha just know that was coming? :o)
You can't avoid the inevitable.
Our biological forms are too fragile to survive anywhere long term except here on Earth. Even if we found a way to terraform other worlds, we would still need intelligent machines to do it for us and then to get us there.
And as many futurologists have pointed out, if we do pursue such technology, there *will* come a point in the next few decades when our creations' intelligence finally surpasses our own.
So what are you going to do? Crawl back to your cave, maybe even give up using fire because of the risk of where it might lead? We need to meet this challenge head on; prepare for it, make room for it in our plans.
I think what it boils down to is this: will our creations tolerate us, can we co-exist? I think the answer lies here: if we ourselves are moral then so will be our children and we will live in peace. If we are not, though, and we create children without any moral spirit, well yes, then as a biogical species we're doomed.
Hrm. I think it's an opportunity. It is our destiny that our machines replace us; once we have machines that are better at doing the general purpose things we are, why not just become our machines? It's the next logical step in our evolution.
...and many more other things.
Just imagine what it would be like if we could abandon our fragile, biological bodies for a self-repairing machine body:
- Space travel: life support greatly simplified. Just need an energy source and sufficient radiation shielding for the components which will already be a lot more tolerant of radiation than our bodies.
- Repairs - break your back, just get a new one. No more being crippled for the rest of your life.
- Hostile environments may no longer be hostile. We can live on Mars without the need to terraform.
- Interstellar travel possible - just shut down for the duration of the journey, and restart at the destination.
- Ability to back up data in the brain, so if the body gets totally trashed, a restore is possible.
- Ability to complement the intelligent parts with simple procedurally programmed parts - mental arithmetic suddenly becomes instantaneous. You may have had a problem calculating 3 * 47 / 2 -3 + 4096 / 7 in your head, but now you can comfortably work out the square root of pi without worrying about where the calculator went.
Oolite: Elite-like game. For Mac, Linux and Windows
Shameless plug: Askemos is a GPL'ed incorruptible and intrustion resistant operating system (or application server for that matter).
Byzantine fault tolerance (BFT) is a "traditional" distributed systems technique that enables intrusion resilience. BFT replicates a service such that the service continues to work correctly as long as less than one third of the replicas are comprimised. Combined with proactive recovery (periodically shutting down replicas and restarting them from a read-only disk), this can enable the system to survive an arbitrary number of compromises over its lifetime.
For another point of view, read The Emperor's New Mind by Roger Penrose.
Whether strong AI is possible is still an open question. It has been "coming soon" now for at least four decades.
"Rub her feet." -- L.L.
Well that's how things are today, all right.
But the technology we have today was unforeseen by previous generations. Just think about the internet for example. Asimov came closest I think, with his "Multivac" - but even he thought it was much farther off.
So the technology may yet appear in our own lifetimes. Once the right component density is available (only a matter of time, now) it could take just one breakthrough in AI systems design to change everything.
But if you have a principled objection to the possibility of truly strong AI then there is probably nothing I can say to convince you. You may still be denying it when it comes knocking at your door.
As far as fragility is concerned, it is much easier *even in theory* let alone in practice, to make electronic devices that can withstand extremely harsh conditions such as exist in space, than it is to harden humans. It's not even certain, without a prohibitively massive amount of shielding, how long humans could survive the solar and cosmic radiation out beyond the van Allen belt without contracting terminal cancer.
I'm not going to give you an essay here, but it is well understood and widely agreed that we will send intelligent autonomous probes to the nearby stars long before we send humans, because they can be made small (and therefore cheap to power and propel) and we can't; because they can withstand the long journey and extreme conditions and we can't; because they can do without tonnes of food water and air and expensive organic recycling systems, and we can't.
So who's fragile?
It may still turn out that the human body relies, for its continued health and existence, upon the presence of as yet undetected substances and/or symbiotic microorganisms in our own biosphere. Substances and organisms that we therefore don't bring with us when we leave Earth. You have surely noticed that those who return from long stays even in Low Earth Orbit generally don't look too healthy afterwards? It might all be due to the absence of gravity, but then again it might not.