Tolerating Intrusions Through Secure System Reconfiguration
Quad Chart: (.pdf) (.ppt)
The objectives of this project are to
develop timely, assured, automated, and secure
reconfiguration as a viable technique for tolerating intrusions
into critical information systems.
Our hypothesis is that system reconfiguration is essential if degraded
or alternate service has to be provided because of resource corruption,
and such reconfiguration must be secure and achieved in bounded
Reconfiguration-based intrusion tolerance provides a uniform, powerful mechanism for both proactive and reactive reconfiguration. Proactive reconfiguration adds, removes, and replaces components and interconnections to cause a system to assume postures that achieve enterprise-wide intrusion tolerance goals, such as increased resilience to specific kinds of attacks, increased preparedness for recovery from specific kinds of failures, or relaxed tolerance procedures once a threat has passed.
Reactive reconfiguration adds, removes, or replaces components and interconnections to restore the integrity of compromised systems after a failure, either by restoring the system to some previously consistent state, adapting the system to some alternative non-compromised configuration, or gracefully shedding non-trustworthy data and functionality.
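The two paragraphs above describe the same primitive operations (add, remove, replace components and interconnections) driven either ahead of a threat or in response to a compromise. The following is an added illustration of that split in code; it is not Willow's code, and the page does not show any. The sample enterprise, the request format, the consistency invariants, and the use of an HMAC to authorise requests are all assumptions made for this example (the page's own mechanism for securing the infrastructure is view-based delegation of trust, which it does not detail).

```python
"""Toy model of proactive and reactive reconfiguration (added illustration, not
Willow's code; the enterprise, request format, invariants and HMAC are assumed)."""
import hashlib
import hmac
import json
from copy import deepcopy

# Constructed sample enterprise: component -> role, plus interconnections.
# app2 starts as an unlinked hot standby.
INITIAL = {
    "components": {"web1": "web", "app1": "app", "app2": "app", "db1": "db"},
    "links": [["web1", "app1"], ["app1", "db1"]],
}
REQUIRED_ROLES = ("web", "app", "db")
# Assumed controller key: a MAC stands in for whatever authorises requests
# in the real infrastructure.
CONTROLLER_KEY = b"example-controller-key"


def sign(request, key=CONTROLLER_KEY):
    """MAC over a canonical encoding of a reconfiguration request."""
    body = json.dumps(request, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class ReconfigError(Exception):
    pass


class Enterprise:
    def __init__(self, config):
        self.config = deepcopy(config)
        self.posture = "normal"

    def _apply_one(self, act):
        """Primitive edits: add, remove or replace a component; link two."""
        comps, links, op = self.config["components"], self.config["links"], act["op"]
        if op == "add":
            comps[act["name"]] = act["role"]
        elif op == "remove":
            comps.pop(act["name"])
            self.config["links"] = [l for l in links if act["name"] not in l]
        elif op == "replace":
            comps[act["new"]] = comps.pop(act["old"])
            self.config["links"] = [[act["new"] if x == act["old"] else x for x in l]
                                    for l in links]
        elif op == "link":
            if not any(set(l) == {act["a"], act["b"]} for l in links):
                links.append([act["a"], act["b"]])
        else:
            raise ReconfigError("unknown op %r" % op)

    def violations(self):
        """Consistency conditions a configuration must meet to be accepted."""
        comps, links = self.config["components"], self.config["links"]
        problems = ["no %s component" % r for r in REQUIRED_ROLES if r not in comps.values()]
        problems += ["link %s-%s references a missing component" % (a, b)
                     for a, b in links if a not in comps or b not in comps]
        return problems

    def reconfigure(self, request, mac, max_actions=8):
        """Apply an authorised request atomically: all of its actions or none."""
        if not hmac.compare_digest(sign(request), mac):
            raise ReconfigError("unauthorised reconfiguration request")
        if len(request["actions"]) > max_actions:
            raise ReconfigError("request exceeds the bounded action budget")
        before = deepcopy(self.config)
        try:
            for act in request["actions"]:
                self._apply_one(act)
            problems = self.violations()
            if problems:
                raise ReconfigError("; ".join(problems))
        except (ReconfigError, KeyError) as exc:
            self.config = before          # restore the last consistent state
            raise ReconfigError(str(exc))
        self.posture = request.get("posture", self.posture)
        return self.posture


def proactive_harden(ent):
    """Proactive: wire the standby in before a threat materialises."""
    req = {"posture": "hardened", "actions": [{"op": "link", "a": "web1", "b": "app2"},
                                               {"op": "link", "a": "app2", "b": "db1"}]}
    return ent.reconfigure(req, sign(req))


def reactive_recover(ent, compromised):
    """Reactive: hand the compromised component's links to a standby of the same
    role, then drop it; with no standby this is shedding only, and the request is
    rolled back if it would leave a role unserved."""
    comps = ent.config["components"]
    standby = next((n for n, r in comps.items()
                    if n != compromised and r == comps[compromised]), None)
    actions = []
    if standby is not None:
        for a, b in ent.config["links"]:
            if compromised in (a, b):
                actions.append({"op": "link", "a": b if a == compromised else a, "b": standby})
    actions.append({"op": "remove", "name": compromised})
    req = {"actions": actions}
    return ent.reconfigure(req, sign(req))
```

Calling `proactive_harden` on `Enterprise(INITIAL)` links the standby in and records the "hardened" posture; `reactive_recover(ent, "app1")` then moves app1's links to app2 and removes app1 as one transaction. Recovering "db1", which has no standby, is rejected and the configuration rolled back, since the invariant check runs before a new state is committed; what to do with a component that cannot be shed (quarantine, alert) is left to the caller in this toy. The MAC check and the action budget are the toy's stand-ins for the "secure" and "bounded" requirements stated in the hypothesis.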
Our approach is to design, prototype, and
evaluate a framework for tolerating intrusions in large-scale,
heterogeneous, networked computing enterprises.
The framework is
known as Willow, in reference to its ability to bend without breaking.
Our framework is
derived from a synergistic
blending of leading-edge results from the disciplines of fault
tolerance, configuration management, and secure mediation.
The Willow reconfiguration-based intrusion tolerance framework consists of two interrelated elements:
The infrastructure element of Willow will provide several common components for inclusion into implementations adhering to the architecture, as well as several development tools for generating, optimizing, and verifying distributed reconfiguration control code.
Key to the utility of our approach is the use of a novel high-level language for specifying intrusion tolerance policies that are then translated into the control code. Also used in realizing control is an advanced software configuration and deployment system designed to operate in a wide-area, large-scale, and heterogeneous enterprise environment. The infrastructure itself is secured using a new technique we refer to as view-based delegation of trust.
Our reconfiguration-based approach to the challenge of tolerating intrusions is based on a number of new and unique capabilities. These capabilities include:
Recent FY-99 Accomplishments: This project is a "New Start" as of July 2000.
Our goals for FY-00 are as follows.
The primary transferable technology that we expect to develop will be
techniques and architectures
permitting applications to be proactively postured and reactively
recovered in a secure fashion.
Along with the basic design
techniques, notations for specifying configurations of deployed and
active systems will be made available.
In previous research on infrastructure survivability we have performed extensive domain analyses of the banking and finance industries, the electric power generation and distribution industry, the air traffic control system, and the freight rail industry. As a result of these analyses, we have established strong relationships with experts in these various domains. We will pursue these relationships and seek avenues for the exploitation of the expected results in the civilian critical infrastructure area. We will also endeavor to transfer our technology into the DOD command and control systems; these systems are similar in structure and requirements to our civilian targets.
Principal Investigator: Alexander L. Wolf
University of Colorado
Department of Computer Science
ECOT 717, Campus Box 430
Boulder, CO 80309-0430