Survivability of Critical Infrastructure Systems*
John Knight
Department of Computer Science
University of Virginia
*Joint work with the University of Colorado and the University of California, Davis.
January 30, 2001 Survivability of Critical Infrastructure Systems 2
Outline
■ Domain Analysis:
– Services Provided And Core Information Systems
– Threats and Vulnerabilities
■ Survivability Architectures:
– System Architectural Concepts
– Application Reconfiguration
■ Security of Survivability Mechanisms
■ Prototyping System/Testbed
■ Comprehensive Survivability—Overview of Willow (U. Col, U. Va, UCD):
– Generalized Timeline
– Generalized Recovery
Sponsors
■ DARPA
■ U.S. Air Force
■ Microsoft
■ NASA
Domain Analysis
Critical Infrastructure
Application Interdependence
[Figure: interdependence among Power Generation And Distribution, Telecommunications, and Finance.]
Application Domains
■ Financial Systems—World-Wide Networks:
– Payment System, Fedwire
– CHIPS, SWIFT, ACH’s
– Credit Cards, Debit Cards, Smart Cards
– Equities, Treasuries, Futures, Options, Foreign Exchange
■ Electric Power—Highly Automated System:
– Regional Networks, National Networks, National Databases
– Generation And Distribution Control, Equipment Monitoring
■ Freight Rail:
– Four Companies Serve Entire Country
– Very Sophisticated Systems
– Critical Infrastructure Application
Freight Rail
■ Four Companies Serve Entire Country
■ Very Sophisticated Computer Systems:
– Real-time Move Authority
– Real-time Locomotive and Car Monitoring
– Real-time Switching
– Scheduling
– Customer Interaction
■ Critical Information System
Example - CSX Corporation
■ Large East-Coast Freight Rail System
■ 430,000 Employees In 1960 - 28,000 Employees Now
■ Difference Is Information Technology
■ “Just In Time” Is Essence Of Transport:
– Partially In Effect
– Growing And Considered Essential
■ Intermodal System Expanding
■ Network-Wide Payload Scheduling and Management
CSX Carloads (Thousands)
Agricultural Products          254
Automotive                     367
Chemicals                      408
Coal                         1,711
Food & Consumer                161
Forest Products                443
Intermodal                     980
Metals                         227
Minerals                       428
Phosphates and Fertilizers     511
CSX System Characteristics
■ Operates In 20 States, 31,365 Miles Of Track
■ 2,773 Locomotives, 97,504 Freight Cars
■ ALL Controlled From Jacksonville, FL:
– Train Assembly And Dispatch
– Real-Time Recording Of Equipment Locations
– Switching/Signaling
CSX Computer Systems
■ Operations Center:
– 150 VAX-Based Information Displays
– Real-Time Signal And Status, Voice Comm.
■ Data Center:
– Mainframe Based Database Systems
– Five Terabytes Of Data
– 10^9 Accesses/Day, 12-15% Updates
– 2,400 MIPS Of Processor Capacity
The Future
■ Positive Train Separation:
– Moving Block vs. Fixed Block
– Differential GPS & Inertial System To Track Trains
– Real-Time Sequence Of Move Authorizations
– Major Demonstration:
    • Portland (OR) -> Hinkle -> Blaine
■ Precision Train Control:
– Power Distributed Throughout Train
– Electronic Braking
– Traintalk System - “Train by Wire”
Rail Network Management
■ New Control Center Capabilities (Redundancy, Automation, Flexibility)
■ Cargo Prioritization
■ Network-Wide “Just In Time” Capability
■ Elimination Of Most Track-Side Equipment
■ Elimination Of Location-Relay Mechanism
■ Much Greater Efficiency
■ Much Faster Average Transport
System Summary
A Visible Problem
■ Presidential Commission:
– http://www.pccip.gov/
■ Defense Science Board Study
■ National Research Council Committee:
– http://www.nap.edu/catalog/6161.html
■ Various Armed Services Committees And Studies
■ See Also http://www.cs.virginia.edu/survive
Threats To Service
■ Errors by Operators
■ Errors in Operational Procedures
■ Software Faults
■ Software Design Degradation
■ Changes in Environmental Conditions
■ Hardware Degradation Faults
■ Hardware Design Faults
AND
■ Malicious Attacks
World-Wide Problem
Survivability Architectures
System-Wide Survivability
■ Serious Problems Are Rarely Local, E.G.:
– Wide-area Environmental Stress
– Common-mode Software Failure
– Coordinated, Parallel Malicious Attacks
– Cascading Equipment Failures
■ System-wide Survivability Properties:
– Coordinated Approach to Meeting Dependability Requirements
– Recovery Above the Node Level
Complex Architectural Problem
Approach—New Type Of Network
■ System Architectures to Support:
– Operational Survivability
■ Application Architectures to Support:
– Operational Reconfiguration Requirements
■ Survivability Analysis—How Good Are the Defenses?
■ Security:
– Of the Applications Themselves
– Of the System Architectural Elements That Support Survivability
Critical Information Systems
[Figure: a critical information system; labels: Function f, Function g, Function h, Local Database.]
Survivability As Control
[Figure: a control loop; “sensor” signals flow from the infrastructure into a Control Function, which issues “actuator” commands back to it (from sensors to actuators).]
Specification And Implementation
[Figure: Survivability Specification and Error Detection State above a Sensor/Actuator Implementation.]
Non-Local Error Detection
[Figure: non-local error detection tool chain; labels: Survivability Spec. (Z), Network Topology, Code Synthesis, FSM’s, Data Synthesis, Object-Oriented Database, Network Control.]
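The control loop on these slides (sensor signals in, error-detection state machine in the middle, actuator commands out) is easy to make concrete. The Python below is an added example written for this page, not code from the Willow or RAPTOR projects: the `SurvivabilitySpec` thresholds, the three signal kinds and the textual actuator commands are assumptions standing in for the Z specification and the synthesized control code the slides describe. What it demonstrates is the non-local part of error detection: a single node failure only earns a local reroute, but three failures or intrusions at two distinct nodes inside one correlation window are conditions no node can see on its own, and they move the whole system to a new posture.

```python
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class SensorSignal:
    """One observation reported by a node's sensor (constructed format)."""
    t: float      # observation time, seconds
    node: str     # reporting node
    kind: str     # "failure", "intrusion" or "recovered"


@dataclass
class SurvivabilitySpec:
    """Assumed thresholds; a stand-in for the Z specification on the slides."""
    window: float = 60.0        # seconds over which signals are correlated
    cascade_threshold: int = 3  # failures in one window => cascading failure
    attack_threshold: int = 2   # intrusions at distinct nodes => coordinated attack


# Actuator command issued on entering each posture (assumed command vocabulary).
POSTURE_COMMAND = {
    "NORMAL": "posture:normal",
    "DEGRADED": "posture:reduced_service",
    "UNDER_ATTACK": "posture:restricted",
}


class SurvivabilityController:
    """Control function: sensor signals in, actuator commands out.

    Local recovery (reroute, isolate) is issued per signal; the finite state
    machine in observe() detects system-wide conditions no single node can see.
    """

    def __init__(self, spec: SurvivabilitySpec):
        self.spec = spec
        self.state = "NORMAL"
        self.failures: deque = deque()    # failure signals inside the window
        self.intrusions: deque = deque()  # intrusion signals inside the window
        self.failed_nodes: set = set()    # nodes currently down

    def _expire(self, queue: deque, now: float) -> None:
        """Drop signals older than the correlation window."""
        while queue and now - queue[0].t > self.spec.window:
            queue.popleft()

    def observe(self, sig: SensorSignal) -> list:
        commands = []
        self._expire(self.failures, sig.t)
        self._expire(self.intrusions, sig.t)

        # Local error recovery: acts on the reporting node only.
        if sig.kind == "failure":
            self.failures.append(sig)
            self.failed_nodes.add(sig.node)
            commands.append(f"reroute:{sig.node}")
        elif sig.kind == "intrusion":
            self.intrusions.append(sig)
            commands.append(f"isolate:{sig.node}")
        elif sig.kind == "recovered":
            self.failed_nodes.discard(sig.node)
        else:
            raise ValueError(f"unknown signal kind {sig.kind!r}")

        # Non-local error detection: FSM transitions over correlated signals.
        intruded = {s.node for s in self.intrusions}
        new_state = self.state
        if len(intruded) >= self.spec.attack_threshold:
            new_state = "UNDER_ATTACK"
        elif len(self.failures) >= self.spec.cascade_threshold:
            new_state = "DEGRADED"
        elif not self.failed_nodes and not self.intrusions:
            new_state = "NORMAL"   # hysteresis: leave a posture only when all clear

        if new_state != self.state:
            self.state = new_state
            commands.append(POSTURE_COMMAND[new_state])
        return commands


# Constructed scenario: a cascade of failures, then intrusions at two nodes.
SCENARIO = [
    SensorSignal(0, "bank-A", "failure"),
    SensorSignal(10, "bank-B", "failure"),
    SensorSignal(20, "bank-C", "failure"),     # third inside 60 s: cascade
    SensorSignal(30, "bank-D", "intrusion"),
    SensorSignal(35, "bank-E", "intrusion"),   # second distinct node: attack
    SensorSignal(200, "bank-A", "recovered"),
    SensorSignal(201, "bank-B", "recovered"),
    SensorSignal(202, "bank-C", "recovered"),  # all clear, window expired
]


def run_scenario(signals, spec=None):
    """Feed signals through the controller; return (state, commands) per signal."""
    ctl = SurvivabilityController(spec or SurvivabilitySpec())
    trace = []
    for sig in signals:
        commands = ctl.observe(sig)
        trace.append((ctl.state, commands))
    return trace


if __name__ == "__main__":
    for (state, commands), sig in zip(run_scenario(SCENARIO), SCENARIO):
        print(f"t={sig.t:>5} {sig.node} {sig.kind:<9} -> {state:<12} {commands}")
```

The hysteresis in the last transition is deliberate: the controller returns to the normal posture only when every failed node has recovered and the intrusion window has emptied, so a short lull during a coordinated attack does not relax the defenses.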
Survivability Architecture
[Figure: a Control Server attached to the Infrastructure Network.]
The Malicious Host Problem
Protection of software entities from (potentially) malicious execution environments:
– Intelligent tampering
– Impersonation
Summary of Approach
■ A Framework to Handle the Malicious Host Problem in a Network Environment
■ A Theoretical Foundation and Complexity Bounds
■ An Automated Toolkit
Assertions
■ Successful Tampering/Impersonation Attacks Should Require Program/System Analysis
■ Program/System Analysis Should Be Difficult
■ The Analysis Difficulty Should Be Supported by Theory and Sound Metrics
Solution Framework
■ Diversity:
– Spatial
– Temporal
■ Program Manipulation:
– Increase the Analysis Difficulty of Individual Programs
[Figure: program P and its variants P’ and P’’ placed on different hosts (spatial diversity), and P, P’, P’’ succeeding one another over time (temporal diversity).]
Solution Architecture
[Figure: a Control Server whose Code Manipulators derive program variants P1, P2, P3 ... Pn, Pn+1 from P for hosts on the Infrastructure Network.]
Obstructing Analysis
■ Dynamic Analysis (e.g. execution simulation)
■ Static Analysis:
– Control-flow Analysis
– Data-flow Analysis
Analysis Complexity
■ Control-flow Transformations:
– Restructure Static Control Transfers
– Add Additional Control Transfers
■ Data-flow Transformations:
– Pervasive Aliasing
■ Control-flow & Data-flow
Prototyping System Goals
■ Provide Vehicle for Experimentation, Evaluation and Demonstration
■ Support:
– Arbitrary Network Topology
– Arbitrary Number of Hosts
– Arbitrary Number of Nodes Per Host
■ Based on COTS Software and Hardware, E.G., Windows 2000
■ Allow Variety of Demonstration Applications
■ Implement Architectural Ideas
■ Comprehensive Symptom Injection Mechanism, Including:
– Coordinated Parallel Attacks
– Cascading Failures
RAPTOR Modeling System
■ Arbitrary network topologies
■ Large model support
■ Demonstration:
– FedWire payment system
– 10,000 banks
– Terrorist bombs
– Coordinated attacks
■ Windows 2000 platform
■ Available for download soon
[Figure: RAPTOR structure; the model specification (Network Topology, Node Semantics, Vulnerabilities) and run-time input (Symptoms) feed the Network Model, which drives Visualization.]
Typical Example System
[Figure: 10,000 node model; a Federal Reserve node above Money Center Banks and Local Banks, driven by a Payment Request Generator.]
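To show what a run over a model like this looks like, here is an added Python model written for this page; it is not RAPTOR's code, not its model format, and far smaller than the 10,000-node demonstration. It builds a three-level FedWire-like topology (one Federal Reserve node, four money-center banks, five local banks under each), a constructed payment load of one request between every ordered pair of local banks, and "fail"/"recover" symptoms injected at run time. The backup relationship each local bank holds with the next money-center bank is an assumed reconfiguration option, and the run shows both why it helps and where it falls short: failing two non-adjacent money centers drops payment service to 90 of 380 requests on primary links and the backup links restore all of it, while failing two adjacent centers leaves mc0's local banks stranded because their backup is also down. That kind of result is what a survivability analysis ("how good are the defenses?") is after.

```python
class PaymentNetwork:
    """Hierarchical payment model: fed -> money-center banks -> local banks.

    Constructed model. Every local bank settles through its money-center bank
    and the Federal Reserve node; as an assumed reconfiguration option, each
    local bank also holds a backup relationship with the next money-center bank.
    """

    def __init__(self, n_centers: int, locals_per_center: int):
        self.up = {}                 # node -> primary upstream node
        self.backup = {}             # local bank -> alternate money center
        self.alive = {"fed": True}   # node -> currently operating?
        self.locals = []
        centers = [f"mc{i}" for i in range(n_centers)]
        for i, mc in enumerate(centers):
            self.up[mc] = "fed"
            self.alive[mc] = True
            for j in range(locals_per_center):
                lb = f"{mc}-lb{j}"
                self.up[lb] = mc
                self.backup[lb] = centers[(i + 1) % n_centers]
                self.alive[lb] = True
                self.locals.append(lb)

    def inject(self, symptom):
        """Run-time symptom input: ("fail", [nodes]) or ("recover", [nodes])."""
        kind, nodes = symptom
        if kind not in ("fail", "recover"):
            raise ValueError(f"unknown symptom {kind!r}")
        for node in nodes:
            self.alive[node] = kind == "recover"

    def _chain(self, node, use_backup):
        """Nodes from `node` up to fed, or None if the chain is broken."""
        chain = []
        while True:
            if not self.alive[node]:
                return None
            chain.append(node)
            if node == "fed":
                return chain
            parent = self.up[node]
            if use_backup and not self.alive[parent]:
                alt = self.backup.get(node)
                if alt is not None and self.alive[alt]:
                    parent = alt         # reconfigure onto the backup link
            node = parent

    def route(self, src, dst, use_backup=False):
        """Settlement path src -> ... -> fed -> ... -> dst, or None if unroutable."""
        up = self._chain(src, use_backup)
        down = self._chain(dst, use_backup)
        if up is None or down is None:
            return None
        return up + list(reversed(down))[1:]


def all_requests(net):
    """Constructed payment load: one request per ordered pair of local banks."""
    return [(s, d) for s in net.locals for d in net.locals if s != d]


def service_level(net, requests, use_backup=False):
    """Return (routable requests, total requests) under the current symptoms."""
    ok = sum(1 for s, d in requests if net.route(s, d, use_backup) is not None)
    return ok, len(requests)


def evaluate(symptoms, use_backup=False, n_centers=4, locals_per_center=5):
    """Build the model, inject the symptoms, and measure payment service."""
    net = PaymentNetwork(n_centers, locals_per_center)
    for symptom in symptoms:
        net.inject(symptom)
    return service_level(net, all_requests(net), use_backup)


if __name__ == "__main__":
    cases = {
        "baseline": [],
        "one local bank down": [("fail", ["mc3-lb0"])],
        "two non-adjacent money centers down": [("fail", ["mc0", "mc2"])],
        "two adjacent money centers down": [("fail", ["mc0", "mc1"])],
        "federal reserve node down": [("fail", ["fed"])],
    }
    for name, symptoms in cases.items():
        p_ok, total = evaluate(symptoms)
        b_ok, _ = evaluate(symptoms, use_backup=True)
        print(f"{name:<38} primary {p_ok:>3}/{total}   with backup {b_ok:>3}/{total}")
```

The adjacent-centers case is the one worth studying: a backup assignment that is a fixed function of topology is itself a common-mode dependency, and a model run is the cheapest place to discover that before the posture is deployed.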
The Willow System
Dimensions of Survivability
[Figure: Network Sensors and Actuators around a Network State & Analysis Model with External Input; the dimensions shown are Self Healing, Tolerate Anticipated Faults, Planned Posture Change, System Update and System Deployment.]
Survivability Architecture: Logical View
[Figure: a reactive side (during attack) in which Active Control issues Commands, and a proactive side (before and after attack) in which Active Management issues New Postures; Operator, Administrator, Intelligence, Analysis and Development appear alongside a trust boundary.]
Conclusion
■ Survivability Is A Complex But Essential System Property
■ A Key Element Is Non-Maskable Faults
■ Achieved Much Of The Time By Fault Tolerance
■ Willow:
– Extends Error Detection To External State
– Extends Error Recovery To Posturing And Deployed Software
– Generalizes The Time Frame Of Both