20 July 2000 DARPA IA&S Joint PI Meeting
Computational Resiliency
Steve J. Chapin, Susan Older
Syracuse University
Gregg Irvin
Mobium Enterprises

Computational Resiliency
  CR: the ability to sustain operation and dynamically restore the level of assurance during an attack.
  A computationally-resilient application can sense, tolerate, and react to attack.

Computational Resiliency
  Is...
    A mix of application libraries, system software, and theory
    A complementary solution
    Focused on the application (karate)
    Introspective
  Is not...
    An intrusion detection system
      although it might use one
    A front-line defense
    A system-wide defense
      focused on negative policy

Computational Cockroaches¹
  Breed -- use rapid replication to maintain numbers.
  Hide from light -- sense attacks and migrate away.
  Adapt -- reconfigure application; use camouflage and other tools to make oneself harder to hit.
  No matter how hard you try, you just can’t wipe them out.
  ¹ Thanks to Cathy McCollum for the roach analogy.

Three-Pronged Approach
  Strong theoretical basis
    reason about conformance to policy
  Computational resiliency library
    dynamic application management
  System software support
    scheduling/policy frameworks
    sensors

Theoretical Framework
  Support reasoning about application and system behavior subject to resource constraints and application configuration
  Formal notation based on π-calculus
    π-calculus covers migrating threads, communicating agents, dynamic topologies
    Extend for location and resource awareness
      cf. distributed join-calculus, π1-calculus, Dπ-calculus
  Capture notion of “sufficiently equivalent efficiency”

Computational Resiliency Library
  Dynamic multithreading
  Migration
  Replication
  Camouflage
  Functionality reconfiguration
  Policy-based management
  Build on SCPlib

Library Technology (SCPlib)
  Reconfigurable Threads may move between processors to accommodate failures or changes to resource availability.
  Processors may be microprocessors, SMP machines, or special devices.
  Reconfigurable Channels provide uniform communication mechanism in SMPs and networks.
  [Figure labels: thread, processor, channel]

Basic CRlib Mechanisms for Dynamic Reconfiguration
  [Figure: numbered thread configurations shown Before and After each of the Move, Merge, and Split operations]

Camouflage
  Simple
    rename process, respawn process
  More complex
    change functionality (via split/merge)
    process size/behavior patterns
    mimic interface of real programs
    decoy processes

Policy-based Management
  Applications/users specify CR policy:
    number of replicas
    mutation policy
    migration policy
    checkpointing
  As much as we can, draw on past and concurrent work in policy specification and management at DARPA (we really would rather not build this yet again)

System Support
  Schedulers that understand CR policies, resultant resource demands, user/process priority
  Build on our past work in scheduling (MESSIAHS, Legion)
  High potential for collaboration
  [Figure labels: Scheduler; User Requests; Thread Management; Communication Management; User Application Code; User Process (user application + library code); Intrusion Detection System]

Testbed Environment
  [Figure: testbed network diagram. Labels: Gigabit Switch (two), Wireless Hub, Routers, Intel 8-way, Intel 4-way, SGI Origin 200 SMP, SGI PowerChall SMP (14), SGI Indigo, Sensor, Radar Sensor, PC, SUN Sparc, PC/Alpha cluster, Mobium, AFRL]

IW-Hardened Applications
  Collaborate with Real-Time Sensors project at Syracuse (DARPA ITO)
  Develop IW-hardened multispectral imaging application (TBD), e.g.:
    Land mines using UAVs
    Camouflaged equipment and personnel
    Missile threats - plume signatures
    Concealed weapons
    Treaty compliance/surveillance using UAVs

Real Time Multi-spectral Camera
  Deliver up to 110 frs/sec
  Full pixel resolution at 1024x1024
  Filter wheel with 12 filters ranges from 500nm to 1050nm
  motor controlled variable frame rate, and exposure time

Spectral-Screening PCT
  [Figure captions: Entropy = 2.25; Entropy = 0.726; Delta SNR = 4.508 dB]

Risks and Concerns
  Self-DOS
    cost of response vs. the cost of attack
    cost of defense in the absence of attack
    manipulation via corrupted sensors
    avoid if possible; document if unavoidable
  Timing issues and race conditions
    can we react fast enough in the face of heavy attack?
  Attacks during reconfiguration?
  Observation reducing the effectiveness of our methods

Technology Transfer
  Mobium Enterprises
    subcontractor on this effort
    integrate this technology with DARPA applications
  CASE center at Syracuse
    NY state-sponsored incubator
    sole purpose is tech transfer of computing technology to startups in central NY

Milestones
  6-12 months
    core calculus
    extend SCPlib to create basic CRlib
    simple camouflage
    decoys
    prototype IW application using basic CRlib

Milestones II
  15-24 months
    rough equivalence in calculus
    initial use of calculus to analyze schedules and configuration changes
    functionality mutation
    policy specification frameworks

Milestones III
  36-42 months
    Advanced camouflage
    CR-aware schedulers
    Final IW-hardened application
    policy specification framework using calculus
  IW exercises to test system every 6 months starting at 1 year

Hypothetical Example
  Rocky
    highest priority
    expands out of safe zone
    replication
  Dudley
    lowest priority user
    stays inside safe zone
  Bullwinkle
    expands out of safe zone
    splits computation to obtain higher concurrency
    employs replication, checkpointing

The Attack...
  Natasha -> Rocky
    caught by IDS
  Boris -> Bullwinkle
    successfully kills some of Bullwinkle’s processes
  Snideley -> Dudley
    caught at firewall (“Curses, foiled again!”)

The Reaction
  Rocky’s application
    retreats into the safe zone
  Bullwinkle’s application
    employs camouflage
    puts out decoys
    recovers from checkpoint
  Dudley’s
    does nothing, but must release resources to Rocky’s application

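The attack and reaction in this hypothetical example, written out as a small policy-driven simulation. This is an added illustration, not CRlib or SCPlib code: the Policy fields, event names, process counts and the safe-zone slot limit are all assumptions made for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Policy:                        # hypothetical fields, named after the slides
    priority: int
    replicas: int = 1                # process count to maintain ("breed")
    migrate_on_alert: bool = False   # retreat to the safe zone on an IDS alert
    checkpoint: bool = False         # restore killed work from a checkpoint
    camouflage: bool = False         # camouflage and decoys once hit

@dataclass
class App:
    policy: Policy
    in_safe_zone: bool
    live: int                        # live processes
    actions: list = field(default_factory=list)

def rebalance(apps, safe_slots):     # safe-zone slots are granted by priority
    inside = [a for a in apps.values() if a.in_safe_zone]
    free = safe_slots
    for a in sorted(inside, key=lambda a: -a.policy.priority):
        released = a.live - min(a.live, free)
        if released:                 # lower priority gives up what does not fit
            a.actions.append(f"release:{released}")
        a.live -= released
        free -= a.live

def run(apps, events, safe_slots):
    for kind, target, n in events:   # "firewall_block" needs no reaction
        app = apps[target]
        if kind == "ids_alert" and app.policy.migrate_on_alert and not app.in_safe_zone:
            app.in_safe_zone = True
            app.actions.append("retreat")
            rebalance(apps, safe_slots)
        elif kind == "killed":
            app.live -= n
            if app.policy.camouflage:
                app.actions += ["camouflage", "decoys"]
            if app.policy.checkpoint:
                app.actions.append("restore_checkpoint")
            app.live = max(app.live, app.policy.replicas)  # respawn to policy level
    return apps

def scenario():                      # constructed numbers for the slide's story
    apps = {"Rocky": App(Policy(3, 3, migrate_on_alert=True), False, 3),
            "Bullwinkle": App(Policy(2, 4, checkpoint=True, camouflage=True), False, 4),
            "Dudley": App(Policy(1), True, 3)}
    events = [("ids_alert", "Rocky", 0), ("killed", "Bullwinkle", 2),
              ("firewall_block", "Dudley", 0)]
    return run(apps, events, safe_slots=4)
```

Calling scenario() returns the three applications with their recorded actions: Rocky retreats, Bullwinkle camouflages, puts out decoys and restores from checkpoint, and Dudley only releases safe-zone slots to the higher-priority application.
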
Jay’s Questions
  Attacks/Threats
    We don’t have a specific model at this time
    Alerts by IDS, noticing when our threads are killed/incapacitated
  Policies we’ll support
    “Positive” policies regarding the behavior and properties of our applications