Defense Enabling Using QuO: Experience in Building Survivable CORBA Applications

Citation: Chris Jones, Partha Pal, Franklin Webber, BBN Technologies.  OMG Workshop on Distributed Objects and Components Security (DOCSEC), March 18-21, 2002, Baltimore, MD.

Formats: Powerpoint

Abstract: As applications become more inter-connected and inter-networked and rely on COTS hardware and software, they become dependent on the common infrastructure used to build such systems economically. At the same time, it is becoming increasingly clear that in the short run there is not, and in the long run there may never be, a completely trustworthy computing base (TCB) that is economical enough to use. A key challenge, therefore, is how to build applications that exhibit better security and survivability characteristics than the potentially flawed infrastructure they are built upon. We call applications that can deal with flaws in their infrastructure "defense oriented" applications, and the process of adding survivability properties to an application "defense enabling". We have been exploring defense enabling as part of our ongoing research on the security and survivability of Distributed Object Computing (DOC) applications for the last few years.

Our position is that it is possible to build survivable systems on less than completely reliable and trustworthy infrastructure, through the systematic use of adaptation supported by redundancy, heterogeneity and COTS security mechanisms such as access control, intrusion detection and packet filtering. We have developed a prototype implementation of our technology, which is currently undergoing formalized red-team experimentation.

Adaptive behavior is key to defense and survival in imperfect infrastructure environments. As a result of an attack (even a partially successful one) the operating condition of the system changes, and in order to survive the system or application must cope with that change. For instance, an attack may consume resources such as bandwidth, memory or CPU cycles, and a survivable application must be able either to continue with the degraded resources (perhaps also providing a degraded level of service) or to actively engage other mechanisms that counter the shortage or degradation. Two things are important in this regard: the adaptation strategy (i.e. what to do, in general, in response to various forms of attack or potential attack) and the mechanisms that are exercised as part of the strategy (i.e. the mechanisms that act as sensors and actuators for the strategy). We have developed a distributed object toolkit (mostly CORBA) that helps us implement a defensive strategy using a diverse set of middleware-centric defense mechanisms controlled through the QuO adaptive middleware. Such a defense strategy can then be integrated with an application with minimal changes to the application itself.
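The following is an added example, written for this page rather than taken from QuO or the authors' toolkit, of what a middleware-level adaptation strategy of the kind described above looks like when reduced to code: sensor readings (a bandwidth probe, a CPU monitor and an intrusion detector) are classified into operating regions, and actuators (reduce service fidelity, filter an attacker, spawn a replica) fire only on region transitions. The region names, thresholds, actuator names and the sample readings are all assumptions made for the illustration. The hysteresis on the resource thresholds is the practitioner's caveat: without it, a noisy sensor, or an attacker who can nudge a sensor, can make the strategy flap between modes on every sample, which is itself a denial of service.

```python
"""Adaptation strategy as a small controller: sensors feed readings, the
strategy classifies the operating condition into a region, and actuators fire
on region transitions.  Illustrative sketch written for this page, not the
QuO API; region names, thresholds and actuator names are assumed."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

NORMAL, DEGRADED, UNDER_ATTACK = "normal", "degraded", "under_attack"
ACTUATORS = ("reduce_fidelity", "restore_fidelity", "filter_attacker", "spawn_replica")


@dataclass
class Reading:
    """One sample from the sensors (bandwidth probe, CPU monitor, IDS)."""
    bandwidth_kbps: float
    cpu_util: float      # 0.0 .. 1.0
    ids_alerts: int      # alerts raised since the previous reading


@dataclass
class Strategy:
    actuators: Dict[str, Callable[[], None]]
    region: str = NORMAL
    # Hysteresis: the reading that drives the system out of NORMAL is worse
    # than the one required to return, so a noisy or attacker-influenced
    # sensor cannot flap the application between modes on every sample.
    bw_degrade: float = 200.0
    bw_recover: float = 400.0
    cpu_degrade: float = 0.90
    cpu_recover: float = 0.60

    def classify(self, r: Reading) -> str:
        """Map a reading to the region the system should be in."""
        if r.ids_alerts > 0:                       # IDS evidence dominates resource sensors
            return UNDER_ATTACK
        recovered = r.bandwidth_kbps >= self.bw_recover and r.cpu_util <= self.cpu_recover
        if self.region != NORMAL:                  # leaving a bad region needs clear recovery
            return NORMAL if recovered else DEGRADED
        starved = r.bandwidth_kbps < self.bw_degrade or r.cpu_util > self.cpu_degrade
        return DEGRADED if starved else NORMAL

    def actions_for(self, old: str, new: str) -> List[str]:
        """Actuators to fire on a region change (empty when the region is unchanged)."""
        acts: List[str] = []
        if old == NORMAL and new != NORMAL:
            acts.append("reduce_fidelity")         # keep serving, with degraded QoS
        if new == UNDER_ATTACK:
            acts += ["filter_attacker", "spawn_replica"]   # COTS packet filter + replication
        if new == NORMAL and old != NORMAL:
            acts.append("restore_fidelity")
        return acts

    def step(self, r: Reading) -> str:
        new = self.classify(r)
        if new != self.region:
            for name in self.actions_for(self.region, new):
                self.actuators[name]()
            self.region = new
        return self.region


def run(readings: List[Reading]) -> Tuple[List[str], List[str]]:
    """Drive a fresh Strategy through a sequence of readings; return the region
    after each reading and the actuator calls in the order they fired."""
    fired: List[str] = []
    strategy = Strategy(actuators={n: (lambda n=n: fired.append(n)) for n in ACTUATORS})
    regions = [strategy.step(r) for r in readings]
    return regions, fired


# Constructed sample: a bandwidth-exhaustion attack later confirmed by the IDS,
# followed by a CPU-exhaustion episode.
SAMPLE = [
    Reading(1000.0, 0.30, 0),   # healthy
    Reading(150.0, 0.40, 0),    # bandwidth starved -> degrade
    Reading(300.0, 0.40, 0),    # partial recovery, below the recover threshold -> stay degraded
    Reading(300.0, 0.40, 3),    # IDS confirms an attacker -> filter and replicate
    Reading(450.0, 0.50, 0),    # alerts stop and resources are clearly back -> normal
    Reading(450.0, 0.95, 0),    # CPU pegged -> degrade again
]

if __name__ == "__main__":
    regions, fired = run(SAMPLE)
    for r, reg in zip(SAMPLE, regions):
        print(f"{r} -> {reg}")
    print("actuators fired:", fired)
```

The application code never sees the regions or the actuators; only the `Strategy` wrapper does, which is the sense in which a strategy of this shape can be attached to an application with minimal changes. Note also that the IDS sensor is trusted unconditionally here; in a deployment the sensors are part of the same imperfect infrastructure, so a sensor that an attacker can silence or spoof should not be the sole input to a transition that spends scarce resources (such as spawning a replica).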

A typical use case for our technology begins with the defense or survivability needs of a critical application. Based on the attacks or attack effects that this application needs to survive, a defense strategy is devised. Implementing this strategy may require identifying and integrating external services or defense mechanisms ranging from packet filtering to replication management. The final step of defense enabling is the integration of the defense strategy with the application. We are attempting to develop a catalog of general defense strategies that are independent of the application context and therefore potentially reusable. Implementing the defense in the middleware is a key concept in this regard.

From our experience in conceiving, prototyping and finally validating the defense enabling technology, we identify a number of activities that this community can undertake to help build survivable CORBA systems.