Diverse Intrusion-tolerant Systems

Over the past 20 years, there have been indisputable advances on the development of Byzantine Fault-Tolerant (BFT) replicated systems. These systems keep operational safety as long as at most f out of n replicas fail simultaneously. Therefore, in order to maintain correctness it is assumed that replicas do not suffer from common mode failures, or in other words that replicas fail independently. In an adversarial setting, this requires that replicas do not include similar vulnerabilities, or otherwise a single exploit could be employed to compromise a significant part of the system. The thesis investigates how this assumption can be substantiated in practice by exploring diversity when managing the configurations of replicas. The thesis begins with an analysis of a large dataset of vulnerability information to get evidence that diversity can contribute to failure independence. In particular, we used the data from a vulnerability database to devise strategies for building groups of n replicas with different Operating Systems (OS). Our results demonstrate that it is possible to create dependable configurations of OSes, which do not share vulnerabilities over reasonable periods of time (i.e., a few years). Then, the thesis proposes a new design for a firewall-like service that protects and regulates the access to critical systems, and that could benefit from our diversity management approach. The solution provides fault and intrusion tolerance by implementing an architecture based on two filtering layers, enabling efficient removal of invalid messages at early stages in order to decrease the costs associated with BFT replication in the later stages. The thesis also presents a novel solution for managing diverse replicas. It collects and processes data from several data sources to continuously compute a risk metric. Once the risk increases, the solution replaces a potentially vulnerable replica by another one, trying to maximize the failure independence of the replicated service. Then, the replaced replica is put on quarantine and updated with the available patches, to be prepared for later re-use. We devised various experiments that show the dependability gains and performance impact of our prototype, including key benchmarks and three BFT applications (a key-value store, our firewall-like service, and a blockchain).Unidade de investigação LASIGE (UID/CEC/00408/2019) e o projeto PTDC/EEI-SCR/1741/2041 (Abyss

Analysis of operating system diversity for intrusion tolerance

One of the key benefits of using intrusion-tolerant systems is the possibility of ensuring correct behavior in the presence of attacks and intrusions. These security gains are directly dependent on the components exhibiting failure diversity. To what extent failure diversity is observed in practical deployment depends on how diverse are the components that constitute the system. In this paper, we present a study with operating system's (OS's) vulnerability data from the NIST National Vulnerability Database (NVD). We have analyzed the vulnerabilities of 11 different OSs over a period of 18 years, to check how many of these vulnerabilities occur in more than one OS. We found this number to be low for several combinations of OSs. Hence, although there are a few caveats on the use of NVD data to support definitive conclusions, our analysis shows that by selecting appropriate OSs, one can preclude (or reduce substantially) common vulnerabilities from occurring in the replicas of the intrusion-tolerant system

Enhancing Fault / Intrusion Tolerance through Design and Configuration Diversity

Fault/intrusion tolerance is usually the only viable way of improving the system dependability and security in the presence of continuously evolving threats. Many of the solutions in the literature concern a specific snapshot in the production or deployment of a fault-tolerant system and no immediate considerations are made about how the system should evolve to deal with novel threats. In this paper we outline and evaluate a set of operating systems’ and applications’ reconfiguration rules which can be used to modify the state of a system replica prior to deployment or in between recoveries, and hence increase the replicas chance of a longer intrusion-free operation

OS diversity for intrusion tolerance: Myth or reality?

One of the key benefits of using intrusion-tolerant systems is the possibility of ensuring correct behavior in the presence of attacks and intrusions. These security gains are directly dependent on the components exhibiting failure diversity. To what extent failure diversity is observed in practical deployment depends on how diverse are the components that constitute the system. In this paper we present a study with operating systems (OS) vulnerability data from the NIST National Vulnerability Database. We have analyzed the vulnerabilities of 11 different OSes over a period of roughly 15 years, to check how many of these vulnerabilities occur in more than one OS. We found this number to be low for several combinations of OSes. Hence, our analysis provides a strong indication that building a system with diverse OSes may be a useful technique to improve its intrusion tolerance capabilities

A fuzzy-based technique for describing security requirements of intrusion tolerant systems

To care for security in early stages of software development has always been a major engineering trend. However, due to the existence of unpreventable and accidental security faults within the system, it is not always possible to entirely identify and mitigate the security threats. This may eventually lead to security failure of the target system. To avoid security failure, it is required to incorporate fault tolerance (i.e. intrusion tolerant) into the security requirements of the system. In this paper, we propose a new technique toward description of security requirements of Intrusion Tolerant Systems (ITS) using fuzzy logic. We care for intrusion tolerance in security requirements of the system through considering partial satisfaction of security goals. This partiality is accepted and formally described through establishment of a Goal-Based Fuzzy Grammar (GFG) and its respective Goal -Based Fuzzy Language (GFL) for describing Security Requirement Model (SRM) of the target ITS

S-Scrum: a secure methodology for agile development of web services

To care for security in early stages of software development has always been a major engineering trend. However, due to the existence of unpreventable and accidental security faults within the system, it is not always possible to entirely identify and mitigate the security threats. This may eventually lead to security failure of the target system. To avoid security failure, it is required to incorporate fault tolerance (i.e. intrusion tolerant) into the security requirements of the system. In this paper, we propose a new technique toward description of security requirements of Intrusion Tolerant Systems (ITS) using fuzzy logic. We care for intrusion tolerance in security requirements of the system through considering partial satisfaction of security goals. This partiality is accepted and formally described through establishment of a Goal-Based Fuzzy Grammar (GFG) and its respective Goal-Based Fuzzy Language (GFL) for describing Security Requirement Model (SRM) of the target ITS

How to Tolerate Half Less One Byzantine Nodes in Practical Distributed System

The application of dependability concepts and approaches to the design of secure distributed systems is raising a considerable amount of interest in both communities under the designation of intrusion tolerance. However, practical intrusion-tolerant replicated systems based on the state machine approach can handle at most f Byzantine components out of a total of n=3f+1, which is the maximum resilience in asynchronous systems. This paper extends the normal asynchronous system with a special distributed oracle called TTCB. Using this extended system we manage to implement an intrusion-tolerant service, based on the state machine approach (SMA), with 2f+1 replicas only. Albeit a few other papers in the literature present intrusion-tolerant services based on the SMA, this is the first time the number of replicas is reduced from 3f+1 to 2f+1. Another interesting characteristic of the described service is a low time complexit

FOREVER: Fault/intrusiOn REmoVal through Evolution & Recovery

The goal of the FOREVER project is to develop a service for Fault/intrusiOn REmoVal through Evolution & Recovery. In order to achieve this goal, our work addresses three main tasks: the definition of the FOREVER service architecture; the analysis of how diversity techniques can improve resilience; and the evaluation of the FOREVER service. The FOREVER service is an important contribution to intrustion-tolerant replication middleware and significantly enhances the resilience