DARPA ISO Sponsored Research

Tolerating Intrusions Through Secure System Reconfiguration
ITS
(Universities of Colorado, Virginia, and California)
Project Website:  http://www.cs.colorado.edu/serl/its/
Quad Chart:  Quad Chart   (.pdf)   (.ppt)
Objective: The objectives of this project are to develop timely, assured, automated, and secure reconfiguration as a viable technique for tolerating intrusions into critical information systems. Our hypothesis is that system reconfiguration is essential if degraded or alternate service has to be provided because of resource corruption, and such reconfiguration must be secure and achieved in bounded time.

Reconfiguration-based intrusion tolerance provides a uniform, powerful mechanism for both proactive and reactive reconfiguration. Proactive reconfiguration adds, removes, and replaces components and interconnections to cause a system to assume postures that achieve enterprise-wide intrusion tolerance goals, such as increased resilience to specific kinds of attacks, increased preparedness for recovery from specific kinds of failures, or relaxed tolerance procedures once a threat has passed.

Reactive reconfiguration adds, removes, or replaces components and interconnections to restore the integrity of compromised systems after a failure, either by restoring the system to some previously consistent state, adapting the system to some alternative non-compromised configuration, or gracefully shedding non-trustworthy data and functionality.

Approach: Our approach is to design, prototype, and evaluate a framework for tolerating intrusions in large-scale, heterogeneous, networked computing enterprises. The framework is known as Willow, in reference to its ability to bend without breaking. Our framework is derived from a synergistic blending of leading-edge results from the disciplines of fault tolerance, configuration management, and secure mediation.

The Willow reconfiguration-based intrusion tolerance framework, consists of two interrelated elements:

  1. A common infrastructure for building and securely operating intrusion tolerant systems and
  2. An application architecture for designing large-scale, dynamically reconfigurable systems.
A coordinated set of models, a standard component reconfiguration interface, and an agent-based policy mechanism together form the innovative core of the architecture.

The infrastructure element of Willow will provide several common components for inclusion into implementations adhering to the architecture, as well as several development tools for generating, optimizing, and verifying distributed reconfiguration control code.

Key to the utility of our approach is the use of a novel high-level language for specifying intrusion tolerance policies that are then translated into the control code. Also used in realizing control is an advanced software configuration and deployment system designed to operate in a wide-area, large-scale, and heterogeneous enterprise environment. The infrastructure itself is secured using a new technique we refer to as view-based delegation of trust.

Our reconfiguration-based approach to the challenge of tolerating intrusions is based on a number of new and unique capabilities. These capabilities include:

  1. Proactive reconfiguration, which supports the automated reconfiguration of systems into new postures that are more resilient in the face of intrusions;
  2. Reactive reconfiguration, which automatically converts an intrusion trigger into an appropriate reconfiguration that either repairs the intrusion or discards compromised components to enable continued operation in a functionally degraded mode;
  3. Full life cycle reconfiguration, which supports the reconfiguration of systems both in their deployed state and in their activated (i.e., executing) state;
  4. Enterprise-wide reconfiguration, which generalizes reconfiguration of a single system on a single computing site to include coordinated reconfiguration of multiple systems distributed across multiple computing sites;
  5. Assured reconfiguration, which uses Willow-enabled consistency analyses and automated procedures to provide guarantees that planned reconfigurations are attainable when triggered;
  6. Dynamic tolerance evolution, which makes new postures and tolerance strategies available dynamically and in a structured manner;
  7. Secure mediation, which provides secure and optionally anonymous access to trusted authorities and their resources.
Recent FY-99 Accomplishments: This project is a "New Start" as of July 2000.
FY-00 Plans: Our goals for FY-00 are as follows.
  • Specify requirements and define an initial set of configuration models, including the Reconfigurable-System Description (RSD), the Configured-System Description (CSD), and the Active-System Description (ASD), necessary for comprehensive reconfiguration of systems.
  • Specify requirements and define an initial tolerance specification for mapping intrusion and posturing triggers to specific reconfigurations.
  • Specify requirements for secure, mediated policies for access to depots.
Technology Transition: The primary transferable technology that we expect to develop will be techniques and architectures permitting applications to be proactively postured and reactively recovered in a secure fashion. Along with the basic design techniques, notations for specifying configurations of deployed and active systems will be made available.

In previous research on infrastructure survivability we have performed extensive domain analyses of the banking and finance industries, the electric power generation and distribution industry, the air traffic control system, and the freight rail industry. As a result of these analyses, we have established strong relationships with experts in these various domains. We will pursue these relationships and seek avenues for the exploitation of the expected results in the civilian critical infrastructure area. We will also endeavor to transfer our technology into the DOD command and control systems; these systems are similar in structure and requirements to our civilian targets.  
Principal Investigator: Alexander L. Wolf
University of Colorado
Department of Computer Science
ECOT 717, Campus Box 430
Boulder, CO 80309-0430
303-492-5263 (voice)
303-492-2844 (fax)
Alexander.Wolf@Colorado.EDU

Administrative Contact:
Laurence D. Nelson
Office of Contracts and Grants
University of Colorado
3100 Marine Street
Campus Box 572
Boulder, CO 80309-0572
303-492-6221 (voice)
303-492-6421 (fax)
Larry.Nelson@Colorado.EDU