Middleware Policies for Intrusion Tolerance: A Position Statement for WDMS '02
Citation: Webber F, Pal P, Jones C, Atighetchi M, Rubel P. Middleware Policies for Intrusion Tolerance: A Position Statement for WDMS '02. Workshop on Dependable Middleware-Based Systems, Part of Dependable Systems and Networks Conference (DSN 2002), June 26, 2002, Bethesda, Maryland.
Abstract
For many years, researchers have argued that redundancy can be used to recover from computer system failures, not only those failures that arise from random “acts of God” but those caused by malicious and orchestrated acts of Man as well [2]. Some middleware has been built to coordinate groups of component replicas in a way that tolerates arbitrary failures of a subset of the replicas; then if an attacker corrupts only one of these subsets, the system will continue functioning correctly. Ongoing research seeks to refine this approach to intrusion tolerance, including building the next generation of dependable middleware to support it. Our position is that successful intrusion tolerance will depend on a policy that links replica coordination with other intrusion countermeasures and that this policy should be implemented in middleware. Replica coordination by itself is not sufficient because:
Attackers will try, and often succeed, in corrupting or killing more replicas than can be tolerated. A policy for replacing corrupt or dead replicas automatically is therefore needed to increase the system’s useful life.
Attackers will try to kill many replicas at once, or corrupt replicas so that each behaves normally at first, then many fail simultaneously. A policy that uses other mechanisms, intrusion detectors and firewalls in particular, to quarantine the attacker is therefore needed to make this and other attacks harder.
The intrusion tolerance policy belongs in middleware because it is likely to be reusable for many different distributed applications, and it involves adaptation and reconfiguration that needs to be coordinated across multiple hosts.
Intrusion tolerance policies involve a trade-off: a system that is quick to replace replicas and to quarantine hosts where suspicious events have happened is a system that may make itself especially vulnerable to denial-of-service attacks. An attacker who learns to trigger quarantining, for example, may be able to quarantine so many hosts that the system fails to provide enough resources even for authorized applications. On the other hand, a system that is slow to react may be too slow to counter many attacks.
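The trade-off above, as an added illustration that is not code from the paper or from the QuO toolkit: a toy Python policy that re-creates replicas lost to quarantine on the least-loaded usable host, but refuses to quarantine once a floor of usable hosts is reached, so an attacker who learns to trigger alarms cannot quarantine the system into denial of service. The six hosts, the four-replica group with f = 1, the least-loaded placement rule and the floor of four hosts are constructed assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class TolerancePolicy:
    hosts: set                      # every host the middleware may place replicas on
    replicas: dict                  # replica id -> host it currently runs on
    tolerate: int                   # f: replica faults the group can mask
    min_usable: int                 # never quarantine below this many usable hosts
    quarantined: set = field(default_factory=set)
    decisions: list = field(default_factory=list)

    def usable_hosts(self):
        return self.hosts - self.quarantined

    def replace(self, rid):
        """Re-create a replica on the least-loaded usable host (assumed placement rule)."""
        candidates = [h for h in self.usable_hosts() if h != self.replicas[rid]]
        if not candidates:
            self.decisions.append(f"cannot replace {rid}: no usable host left")
            return None
        load = {h: list(self.replicas.values()).count(h) for h in candidates}
        target = min(candidates, key=lambda h: (load[h], h))  # ties broken by name
        self.replicas[rid] = target
        self.decisions.append(f"replaced {rid} on {target}")
        return target

    def quarantine(self, host):
        """Isolate a suspect host unless doing so would breach the host floor."""
        if host not in self.hosts or host in self.quarantined:
            return False
        if len(self.usable_hosts()) - 1 < self.min_usable:
            self.decisions.append(f"refused quarantine of {host}: floor {self.min_usable}")
            return False
        self.quarantined.add(host)
        self.decisions.append(f"quarantined {host}")
        for rid, h in list(self.replicas.items()):
            if h == host:               # replicas on that host are lost; replace them
                self.replace(rid)
        return True

    def within_tolerance(self):
        """True while no more than f replicas still sit on quarantined hosts."""
        return sum(h in self.quarantined for h in self.replicas.values()) <= self.tolerate

def demo():
    """Constructed scenario: 6 hosts, 4 replicas (f = 1), floor of 4; alarms on h1, h2, h3."""
    p = TolerancePolicy(hosts={f"h{i}" for i in range(1, 7)},
                        replicas={"r1": "h1", "r2": "h2", "r3": "h3", "r4": "h4"},
                        tolerate=1, min_usable=4)
    return p, [p.quarantine(h) for h in ("h1", "h2", "h3")]
```

In the scenario the third alarm is refused, leaving four usable hosts with all four replicas placed on them, whereas an unbounded policy would have kept quarantining until the group itself failed.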
We have defined several intrusion tolerance policies and implemented them using the QuO adaptive middleware toolkit. One of these policies is currently being evaluated in an adversarial “Red Team” experiment. This paper describes that policy, summarizes the result of a Red Team experiment involving middleware implementing that policy, and provides some topics for discussion.