Applications that Participate in their Own Defense (APOD)

OPX PI Meeting 2002 February 21 -- page 1

QuOQuO

Franklin Webber

BBN Technologies

Project

• Sponsor: DARPA/ATO• Program: Fault-Tolerant Networks• Program manager: Doug Maughan• Project monitor: Pat Hurley (AFRL)• Period of performance: July 1999 - July 2002

Technical Objective

Give any critical distributed software application an increased resistance to malicious attack:

• even though the environment in which it runs is untrustworthy;• without major modifications to its code.

Any such application is “defense-enabled”.

Existing Practice/Technical Approach

• Infrastructure (operating systems, networks) on which many military applications are run is less than trustworthy– applications are vulnerable to attacks that exploit security flaws in

infrastructure

• An application that can adapt to work around the effect of attacks will offer more dependable service– a defense-enabled application is aware of its quality-of-service (QoS)

requirements and monitors its environment for QoS changes

• Metric: length of correct computation while under attack– measured in Red Team experiments and other validation

A Distributed Military Application

A Cyber-Attack

An Abstract View

Attacker

Data Processing(Fusion,Analysis,Storage,

Forwarding,etc.)

DataUser

DataSource

Traditional Security

AttackerApplication

PrivateResources

LimitedSharing

Trusted OSs and Network

Most OSs and Networks In Common Use Are Untrustworthy

AttackerApplication

PrivateResources

LimitedSharing

OSs and Network

Cryptographic Techniques Can Block (Most) Direct Access to Application

AttackerApplication

PrivateResources

LimitedSharing

OSs and Network

Crypto

OSs and Network

Attacker

Raw ResourcesCPU, bandwidth, files...

OSs and Network IDSs Firewalls

Firewalls Block Some Attacks;Intrusion Detectors Notice Others

Application

Crypto

ApplicationAttacker

Raw ResourcesCPU, bandwidth, files...

QoS Management

Crypto

OSs and Network IDSs Firewalls

Defense-Enabled Application CompetesWith Attacker for Control of Resources

QuO Adaptive Middleware Technology

QuO is DARPA Quorum developed middleware that provides:•interfaces to property managers, each of which monitors

and controls an aspect of the Quality of Service (QoS)offered by an application;

•specifications of the application’s normal and alternateoperating conditions and how QoS should dependon these conditions.

QuO has integrated managers for several properties:•dependability (DARPA’s Quorum AQuA project)•communication bandwidth

(DARPA’s Quorum DIRM project)•real-time processing

(using TAO from UC Irvine/WUStL)•security (using OODTE access control from NAI)

QuOQuO

QuO adds specification, measurement, and adaptation into the distributed object model

ApplicationDeveloper

MechanismDeveloper

CLIENT

Network

operation()

in args

out args + return value

IDLSTUBS

IDLSKELETON

OBJECTADAPTER

ORB IIOP ORBIIOP

CLIENT OBJECT(SERVANT)OBJECT(SERVANT)

OBJREF

CLIENT

DelegateContract

SysCond

Contract

Network

MECHANISM/PROPERTYMANAGER

operation()

in args

out args + return value

IDLSTUBS

Delegate

SysCond

IDLSKELETON

OBJECTADAPTER

ORB IIOP ORBIIOP

CLIENT OBJECT(SERVANT)OBJECT(SERVANT)

OBJREF

ApplicationDeveloper

QuODeveloper

MechanismDeveloper

The QuO Toolkit Supports Building Adaptive Apps or Adding Adaptation to Existing Apps

QuO Code Generator

QoS AdaptivitySpecification

QoS Management

CORBAIDL

Implementing Defenses in Middleware

•for simplicity:•QoS concerns separated from functionality of application.•Better software engineering.

•for practicality:•Requiring secure, reliable OS and network support is not currently cost-effective. •Middleware defenses will augment, not replace, defense mechanisms available in lower system layers.

•for uniformity:•Advanced middleware such as QuO provides a systematic way to integrate defense mechanisms.•Middleware can hide peculiarities of different platforms.

•for reuseability•Middleware can support a wide variety of applications.

Security Domains Limit the Damage From A Single Intrusion

hackeddomain

router

domain

router

domain

Replication Management Can Replace Killed Processes

hackeddomain

router

domain

router

domain

application component replicas

QuO replica management

Bandwidth Management Can Counter Flooding Between Routers

hackeddomain

router

domain

router

domain

QuO bandwidth management

RSVP reservation or packet-filtered link

Other Defense Mechanisms

• Dynamically change communication ports• Dynamically change communication protocols

Defense Strategy

• Use QuO middleware to coordinate all available defense mechanisms in a coherent strategy.

• Best current strategy has two parts:– “outrun”: move application component replicas off bad

hosts and on to good ones

– “contain”: quarantine bad hosts by limiting or blocking network traffic from them and, within limits, shutting them down

Validation

• Experimentation: a defense-enabled application is attacked by professional hackers, i.e., a “Red Team”, and its performance is measured

• Modeling: properties of a defense-enabled application are measured in the lab and plugged into an abstract model of attack and defense

Experimentation

• Blue Team: the technology developers– Franklin Webber, et al., BBN/Distributed Systems

• Red Team: the attackers– Steve Kaufman, et al., Sandia

• White Team: the moderators– Ken Theriault, et al., BBN/Security

– testbed preparation; experiment planning and analysis

Experimentation Milestones

• October: begin weekly planning meetings• November: experiment plan outlined• December: ‘whiteboard’ experiment analysis

– all teams met at BBN

– plan for first experiment complete

• January: testbed preparation• February: conducted first experiment

– approximately one week long

Multiple APOD Experiments

• ‘whiteboard’ experiment: discuss likely approaches to attack and defense without actually carrying them out

• first experiment (February)– use replication management, dynamic packet filtering,

and intrusion detection for defense; flooding is off-limits

• second experiment (TBD)– add bandwidth management; allow flooding

VPN/Interne

Experiment Control,external waypoint

router

LegendC: clientS: serverB: broker factory

Experiment Testbed and Test Application

Whiteboard Analysis of APOD

• Red Team starts with ‘root’ privilege on one host• Intended Red Team attacks:

– ARP cache poisoning to partition network– spoofing to trigger APOD ‘containment’ strategy, leading to

self-denial-of-service– reverse engineering application components to cause

malicious application behavior

• Lessons learned for Blue Team:– network partitioning a bigger problem than expected– some changes to mechanisms and strategy

• Formulating an experiment to test the limits of the APOD ‘outrun’ strategy is difficult

Results from First Experiment

• A defense-enabled application forced a highly-skilled and prepared attacker to work very hard and with no stealth against a purely automated defense to deny service

• Red Team eventually defeated APOD defenses with a combination of spoofing, ARP cache poisoning, and TCP connection flood– roughly a week of trial-and-error

– final scripted attack takes 5 minutes and sets off numerous alarms (the undefended app, in comparison, could be killed immediately in the same situation)

More Results

• APOD defenses add roughly 5% to application request latency on average

• Unpredictable adaptation is good– nondeterministic placement of replicas helped

– dynamic choice of communication ports would be better

• Corrupting running application processes to cause malicious behavior was not attempted, but may be harder than it seemed at first

Plans for Second Experiment

• Improve APOD strategy– TCP connection flood can be detected and responded to

– other

• Add bandwidth management mechanism– detect and respond to (data) flooding

– may use security-enhanced RSVP from NCSU to reserve bandwidth; will use dynamic packet-filtering to block floods

– use strategically-placed Linux routers

• Consider augmenting purely automatic defense with tools for operator intervention

Technology Transition/Summary

• APOD defenses measurably “raise the bar” against cyber-attack, even against well-prepared attackers.

• APOD middleware encapsulates adaptive defense strategies for reuse in many applications.

• A distributed military application is sought– for testing the APOD technology against a real-world set of

requirements

– for testing how easily an existing application can be defense-enabled

– for further research to improve APOD defenses

Applications that Participate in their Own Defense (APOD)

Documents

Energy efficiency gains through Schneider Electric lighting control Speaker : Michael Lam, Control Systems APOD, Installation Systems and Controls, Schneider

H205 Cosmic Origins Today: The Milky Way (Ch. 19) Hand in EP3 APOD

Neutron Stars & Black Holes (Chapter 11) APOD. Student Learning Objective Indentify properties of Neutron Stars & Black Holes NASA

The Differentiation of Vertebrate Immune Cells In the immune system, two types of cells participate directly in defense against pathogens. Plasma

Annual Property Operating Data (APOD)

To participate or not to participate ? Een introductie

APoD eXplorer: Recommendation System and Interactive

What does the word eminent mean? APOD. Famous and respected within a particular sphere or profession

Limbic System. Limbic system Participate visceral and motor responses involved in defense and reproduction and processes involved in memories It includes

APOD Astronomy Picture of the Day Write in your blue book 3-2-1

Applications that Participate in their Own Defense (APOD)

Department of Defense · PDF fileDepartment of Defense . INSTRUCTION . ... 5.4. The Under Secretary of Defense for Acquisition, Technology, and Logistics ... 5.4.2. Participate in

This is the End Image from APOD Image from APOD (credit and copyright Michael Wilson) Artists conception of Xenia and the Solar System…100AU from Sun

Welcome to A105 Stars and Galaxies Instructor: Caty Pilachowski Assoc. Instructor: Tara Angle Today’s APOD APOD Read units 1, 2, 3, 4.1 Essential Facts

Http://apod.nasa.gov/apod/ap070819.html. Overview of Calculus Derivatives Indefinite integrals Definite integrals

H205 Cosmic Origins Telescopes (Ch. 6) Visit Kirkwood Obs Time for Reflection Hand in EP1 APOD

2001 July 30 -- page 1 Applications that Participate in their Own Defense (APOD) BBN Technologies FTN PI Meeting 2001 July 30 Franklin Webber QuO

AUTOMOBILE SUBROGATION: In All 50 · Participate In Settlement Negotiations Use Of Similar Injury/Jury Verdict Resources Solicit Opinion Of Defense Counsel During Litigation Engage

Suez's 2017 Supplement to the Update Report, Addressing ... · 26.06.2017 · 2. "Mini-APOD" authorization for Suez's original Marden Treatment Plant Ranney collector right. 3. "Mini-APOD"

SUMMER NIGHTS Easy observing for short summer nights Matthew Spinelli APOD 7 Feb 2003