
    Intrusion Tolerance: Concepts and Design Principles. A Tutorial

    In traditional dependability, fault tolerance has been the workhorse of the many solutions published over the years. Classical security-related work has on the other hand privileged, with few exceptions, intrusion prevention, or intrusion detection without systematic forms of processing the intrusion symptoms. A new approach has slowly emerged during the past decade, and gained impressive momentum recently: intrusion tolerance. The purpose of this tutorial is to explain the underlying concepts and design principles. The tutorial reviews previous results under the light of intrusion tolerance (IT), introduces the fundamental ideas behind IT, and presents recent advances of the state-of-the-art, coming from European and US research efforts devoted to IT. The program of the tutorial will address: a review of the dependability and security background; introduction of the fundamental concepts of intrusion tolerance (IT); intrusion-aware fault models; intrusion prevention; intrusion detection; IT strategies and mechanisms; design methodologies for IT systems; examples of IT systems and protocol

    Security for Service-Oriented On-Demand Grid Computing

    Grid computing has become an established standard for distributed high-performance computing. While the first generation of grid middleware systems still worked with proprietary interfaces, the introduction of service-oriented standards such as WSDL and SOAP by the Open Grid Services Architecture (OGSA) significantly increased the interoperability of grids. This has paved the way for several national and international grid projects in which a large number of academic and a growing number of industrial applications run on the grid and require on-demand provisioning and use of resources. On-demand grids are characterised by strong fluctuation of both the software and the users. Furthermore, both the software and the data it operates on are usually proprietary and of high financial value. This stands in sharp contrast to today's grid applications in academia, which are mostly open source or freely available. To meet the requirements of on-demand grid use, the grid must offer administrative components with which users can install software autonomously, even when that software requires root privileges. At the same time, the security of the grid must be raised to protect the software, data and metadata of commercial users. This would also allow the grid to serve as a base technology for the emerging field of cloud computing, where similar requirements exist. As with most complex IT systems, traditional grid middlewares also contain vulnerabilities, and the required extension of administrative capabilities potentially turns them into an even bigger problem. 
The vulnerabilities in the grid middleware open a homogeneous attack vector onto otherwise heterogeneous and mostly private cluster environments. In addition, unlike private cluster environments and small academic grid projects, the envisaged large and open grid landscapes confront administrators with entirely unknown users and behaviour patterns. This makes the detection of malicious behaviour many times harder. As a consequence, grid systems become ever more attractive targets for attackers, since standardised access paths enable attacks on a large number of machines and on data of potentially high financial value. While computing capacity, bandwidth and storage can already be attractive targets in themselves, the software contained in the grid and the stored data are far more critical resources. Model data for the latest crash-test simulations, an industrial fluid simulation, or customers' billing data have considerable value and must be protected. If a grid provider cannot ensure the security of software, data and metadata, industrial adoption of open grid technology will not happen. The need for strict security mechanisms must be reconciled with the diametrically opposed demand for simple and fast integration of new software and new customers. This thesis presents new approaches to improving the security and usability of service-oriented on-demand grid computing. They enable the autonomous and secure installation and use of complex service-oriented and traditional software on shared resources. New security mechanisms protect users' software, data and metadata from other users and from external attackers. 
The system is based on operating-system virtualisation technologies and offers dynamic creation and installation functionality for virtual images in a secure environment, in which automated mechanisms set user-specific firewall rules to create per-user network partitions. The grid environment itself is divided into several zones so that the compromise of individual components cannot easily lead to a compromise of the whole system. The grid headnode and the image-creation server are each placed in separate segments of this demilitarised zone. To enable the secure integration of existing business applications, the BPEL standard (Business Process Execution Language) and a workflow execution engine are extended with grid security concepts. The extension allows seamless integration of protected grid services with existing web services. The workflow engine provides the creation and the renewal (for long-running applications) of proxy certificates. The approach enables the secure joint execution of new, fine-grained, service-oriented grid applications alongside traditional batch and job-farming applications. This is achieved by integrating the presented grid sandboxing system into existing cluster scheduling systems. An innovative server rotation strategy provides further security for the grid headnode server by transparently renewing the virtual server image, thereby also neutralising unknown and undetected attacks. To detect the attacks that could not be prevented, a novel intrusion detection system based on data stream database systems is presented. 
As the final contribution of this thesis, an extension of the model-driven software development process is introduced that enables the automated generation of secure grid services, replacing the complex and therefore insecure manual creation of grid services. A prototype implementation of the concepts is presented on the basis of Globus Toolkit 4, the Sun Grid Engine and the ActiveBPEL engine. The model-driven development environment was realised in Eclipse for Globus Toolkit 4. Experimental results and an evaluation of the critical components of the presented new grid are given. The presented security mechanisms are intended to enable the next phase of the evolution of grid computing in a secure environment
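The per-user network partitions described in the abstract above can be made concrete with a small policy model that also emits the firewall rules enforcing it. This is an added example, not code from the thesis or from Globus Toolkit; it assumes a Linux forwarding host between the sandbox VMs (iptables FORWARD chain), a single headnode address, and the constructed addresses below. The policy it encodes is an assumption: VMs of the same user may reach each other and the headnode, every other forwarded packet between VMs is dropped.

```python
"""Per-user network partition for sandboxed grid VMs (added illustration).

Assumed policy: VMs of one user may talk to each other and to the headnode;
all other forwarded traffic between VMs is dropped.  The addresses used in
the sample below are constructed, not taken from the thesis.
"""
from ipaddress import ip_address


class UserPartition:
    def __init__(self, headnode, user_vms):
        self.headnode = ip_address(headnode)
        self.owner = {}          # VM address -> owning user
        self.user_vms = {}
        for user, vms in user_vms.items():
            self.user_vms[user] = [ip_address(v) for v in vms]
            for v in self.user_vms[user]:
                if v in self.owner:
                    # one address in two partitions would silently merge them
                    raise ValueError(f"{v} assigned to more than one user")
                self.owner[v] = user

    def allows(self, src, dst):
        """Reference model of the policy: what the generated rules must enforce."""
        s, d = ip_address(src), ip_address(dst)
        if s == self.headnode or d == self.headnode:
            return True
        return s in self.owner and d in self.owner and self.owner[s] == self.owner[d]

    def iptables_rules(self):
        """Emit iptables commands implementing allows(); default policy is DROP,
        so any VM not assigned to a user is isolated automatically."""
        rules = [
            "iptables -P FORWARD DROP",
            "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
            f"iptables -A FORWARD -s {self.headnode} -j ACCEPT",
            f"iptables -A FORWARD -d {self.headnode} -j ACCEPT",
        ]
        for user, vms in sorted(self.user_vms.items()):
            chain = f"GRID_{user.upper()}"      # one chain per user keeps the ruleset auditable
            rules.append(f"iptables -N {chain}")
            for v in vms:
                rules.append(f"iptables -A {chain} -d {v} -j ACCEPT")
            rules.append(f"iptables -A {chain} -j DROP")
            for v in vms:
                rules.append(f"iptables -A FORWARD -s {v} -j {chain}")
        return rules


# Constructed sample topology (hypothetical addresses).
HEADNODE = "10.0.0.1"
USER_VMS = {
    "alice": ["10.0.1.10", "10.0.1.11"],
    "bob": ["10.0.2.10"],
}

if __name__ == "__main__":
    p = UserPartition(HEADNODE, USER_VMS)
    print("\n".join(p.iptables_rules()))
    print("alice->alice:", p.allows("10.0.1.10", "10.0.1.11"))
    print("alice->bob:  ", p.allows("10.0.1.10", "10.0.2.10"))
```

The `allows()` model is the part worth reviewing: the rules are derived from it, so a change to the partition policy is made once, in the model, and the emitted chains follow. Rebuilding the chains whenever a user's image set changes is what the abstract's automated mechanism would do; the headnode rotation it describes is independent of this and is not shown here.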

    New insights on the fundamentals and modeling of the external sulfate attack in concrete structures

    The external sulfate attack (ESA) is a complex degradation process that typically compromises the durability of underground foundations, nuclear or industrial waste containments and tunnel linings exposed to sulfate solutions. The structures affected usually remain buried for their entire service life, which hinders detection of the phenomenon before severe material degradation has occurred. Once diagnosed, the large size and criticality of the typical structures affected greatly limit the efficiency of remedial actions. Consequently, monitoring the evolution of the structural behaviour is often the only applicable measure. This scenario makes the development of reliable tools to assist the design of sulfate-resisting concrete structures and to assess the risk of ESA in existing structures a key challenge for structural durability. The present thesis aims to advance knowledge in this field through contributions in three research lines: numerical modelling of the ESA, the role of porosity during the attack, and the relevance of reproducing field-like conditions in ESA assessments. Advances in ESA numerical modelling led to the development of a chemo-transport-mechanical model and a simplified assessment methodology. The former simulates the effects of ionic transport, chemical reactions, degradation mechanisms and the mechanical response of the structure. The validations performed indicate that the model captures the importance of the location of the ettringite formed within the pore network and provides a fair quantification of the overall expansions. The simplified assessment methodology evaluates the risk of failure during the ESA from the aggressiveness of the medium, the reactivity and mechanical properties of the material, and the geometric characteristics and service life of the element under attack, without resorting to complex iterative algorithms. 
Unlike current design guidelines, this simplified procedure allows flexible and optimised precautionary measures to be defined for each application. The second research line involved an extensive experimental programme that led to a conceptual model explaining the role of porosity during the ESA. The results indicate that high durability against the attack can be achieved either by limiting the penetration of sulfates or by increasing the capacity of the matrix to accommodate expansive products. The two approaches correspond to opposing pore characteristics of the matrix: the former is usually associated with low porosities, while the latter requires matrices with high porosities. These results question the common perception that high porosities are always negative for ESA durability and open up the possibility of designing sulfate-resisting materials by increasing the capacity of the matrix to accommodate expansive phases. The third research line evaluates the influence of early sulfate exposure and the effects of confinement on the ESA in two experimental programmes. The first study suggests that the delayed exposure to sulfates commonly adopted in accelerated laboratory tests may lead to imprecise damage estimates for structures cast in situ; in these cases it is recommended to expose the samples to sulfates shortly after casting. The second study suggests that assessing sulfate resistance on specimens in free-expanding conditions may not be representative of real structures, where the attack develops under confinement. 
Results indicate that compressive stresses generated by confinement interact with the normal development of the attack by limiting or delaying the appearance of micro-cracks and reducing the amount of ettringite crystals exerting expansive pressures.

    MAFTIA Conceptual Model and Architecture

    This document builds on the work reported in MAFTIA deliverable D1. It contains a refinement of the MAFTIA conceptual model and a discussion of the MAFTIA architecture. It also introduces the work done in WP6 on verification and assessment of security properties, which is reported on in more detail in MAFTIA deliverable D

    Security Enhanced Applications for Information Systems

    Every day, more users access services and electronically transmit information which is usually disseminated over insecure networks and processed by websites and databases, which lack proper security protection mechanisms and tools. This may have an impact on both the users’ trust as well as the reputation of the system’s stakeholders. Designing and implementing security enhanced systems is of vital importance. Therefore, this book aims to present a number of innovative security enhanced applications. It is titled “Security Enhanced Applications for Information Systems” and includes 11 chapters. This book is a quality guide for teaching purposes as well as for young researchers since it presents leading innovative contributions on security enhanced applications on various Information Systems. It involves cases based on the standalone, network and Cloud environments

    Ancient and historical systems


    Structural assessment and characterization of the unstable rock slopes at Mellomfjellet, Nordreisa

    The aim of this study has been to structurally assess and characterise the unstable rock slopes (URS) at Mellomfjellet using an interdisciplinary approach of structural geological analysis, geomorphological mapping, photogrammetry and remote sensing. The URS are located on the west-facing slopes of Mellomfjellet and display a dramatic geomorphology with deep ice-filled fractures and clearly displaced blocks in the glacially eroded Reisadalen in Northern Troms. Geological mapping of Mellomfjellet showed that the bedrock consists predominantly of amphibolite. The area was divided into two domains (MF1 and MF2). MF1 comprises a foliation (strike/dip; 169°/15°±18.9°) and three joint sets: J1 (029°/72°±16.3°), J2 (286°/83°±21.8°) and J3 (075°/67°±12.3°). MF2 comprises a foliation (183°/11°±14.3°) and three joint sets: J1 (022°/82°±14.7°), J2 (108°/88°±15.3°) and J3 (071°/52°±12.7°). In both domains, joint set J3 was found in relation to two E–W-trending morphological depressions. The mapped joint sets correlated well with joint sets determined from drone photogrammetry, and InSAR displacement showed structural trends delineated by mapped bedrock structures and morphological elements. The kinematic analysis for MF1 showed that flexural toppling along J1 was a partly feasible failure mechanism. Planar failure along the foliation was feasible for part of the foliation, and therefore a bi-planar compound slide comprising J1 and the foliation is proposed as the main failure mechanism. At MF2, flexural toppling along J1 is the main failure mechanism, and slide-topple is proposed since planar sliding along part of the foliation is feasible. The mapped bedrock structures align with regional structural geological trends and are interpreted to govern the failure mechanisms and delineation of the URS at Mellomfjellet. 
Worst-case scenarios for each domain were delineated based on geomorphological features in order to assess the consequences connected to the URS. The scenarios ranged from 1 to 3 Mm3 in volume, and the run-out modelling showed that no settlement was reached; the risk is therefore low for both scenarios

    Robust and cheating-resilient power auctioning on Resource Constrained Smart Micro-Grids

    The principle of Continuous Double Auctioning (CDA) is known to provide an efficient way of matching supply and demand among distributed selfish participants with limited information. However, the literature indicates that the classic CDA algorithms developed for grid-like applications are centralised and insensitive to processing resource capacity, which hinders their application on resource constrained smart micro-grids (RCSMG). An RCSMG loosely describes a micro-grid with distributed generators and demand controlled by selfish participants with limited information, limited power storage capacity and low literacy, who communicate over an unreliable infrastructure burdened by limited bandwidth and low computational power of devices. In this thesis, we design and evaluate a CDA algorithm for power allocation in an RCSMG. Specifically, we offer the following contributions towards power auctioning on RCSMGs. First, we extend the original CDA scheme to enable decentralised auctioning. We do this by integrating a token-based mutual-exclusion (MUTEX) distributed primitive that lets the CDA operate at a reasonably efficient time and message complexity of O(N) and O(log N) respectively, per critical section invocation (auction market execution). Our CDA algorithm scales better and avoids the single point of failure associated with centralised CDAs (which could be used adversarially to provoke a breakdown of the grid marketing mechanism). In addition, the decentralised approach in our algorithm can help eliminate privacy and security concerns associated with centralised CDAs. Second, to handle CDA performance issues due to malfunctioning devices on an unreliable (for example lossy) network, we extend our proposed CDA scheme to ensure robustness to failure. Using node redundancy, we modify the MUTEX protocol supporting our CDA algorithm to handle fail-stop and some Byzantine-type faults of sites. 
This yields a time complexity of O(N), where N is the number of cluster-head nodes, and a message complexity of O(log N + W), where W is the number of check-pointing messages. These results indicate that it is possible to add fault tolerance to a decentralised CDA, guaranteeing continued participation in the auction while retaining reasonable performance overheads. In addition, we propose a decentralised consumption scheduling scheme that complements the auctioning scheme in guaranteeing successful power allocation within the RCSMG. Third, since grid participants are self-interested, we must consider the power theft that results when participants cheat. We propose threat models centred on cheating attacks aimed at foiling the extended CDA scheme. More specifically, we focus on the Victim Strategy Downgrade, Collusion by Dynamic Strategy Change, Profiling with Market Prediction, and Strategy Manipulation cheating attacks, which are carried out by internal adversaries (auction participants). Internal adversaries are participants who want to gain more benefit but have no interest in provoking a breakdown of the grid; their behaviour is nevertheless dangerous because it could result in such a breakdown. Fourth, to mitigate these cheating attacks, we propose an exception handling (EH) scheme in which sentinel agents use allocative efficiency and message overheads to detect and mitigate forms of cheating. Sentinel agents monitor trading agents to detect cheating and reprimand the misbehaving participant. Overall, the expected message complexity under light demand is O(n log N), and the detection and resolution algorithm is expected to run in linear time, O(M). Overall, the main aim of our study is achieved by designing a resilient and cheating-free CDA algorithm that is scalable and performs well on resource constrained micro-grids. 
With the growing popularity of the CDA and its resource allocation applications, specifically in low-resourced micro-grids, this thesis highlights further avenues for future research. First, we intend to extend the decentralised CDA algorithm to allow participants' mobile phones to connect (and reconnect) at different shared smart meters; such mobility should preserve the desired CDA properties, reliability and adequate security. Second, we seek to develop a simulation of the decentralised CDA based on the formal proofs presented in this thesis, which can serve future studies of decentralised CDAs. Third, we seek an optimal and efficient way in which the decentralised CDA and the scheduling algorithm can be integrated and deployed in a low-resourced smart micro-grid; such an integration is important for system developers interested in exploiting the benefits of both schemes while maintaining system efficiency. Fourth, we aim to improve the cheating detection and mitigation mechanism by developing an intrusion tolerance protocol, which would allow continued auctioning in the presence of cheating attacks while incurring low performance overheads for applicability in an RCSMG
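The matching rule behind a continuous double auction, and the allocative-efficiency figure the sentinel agents above are said to monitor, are easier to see in code than in prose. The following is an added example and not the thesis's algorithm: it ignores the decentralised MUTEX layer entirely and runs a single order book in arrival order. Its assumptions are that every order is for one unit of power, that a submitted price equals the participant's true valuation (buyers) or cost (sellers), and that a crossing order executes at the price of the order already resting in the book. The arrival sequence is constructed.

```python
"""Minimal continuous double auction (CDA) for unit power lots.  Added
illustration, not code from the thesis.  Assumptions: one unit per order,
submitted price == true valuation/cost, trades execute at the resting
order's price.  Sample orders below are constructed."""
import heapq
from dataclasses import dataclass


@dataclass(frozen=True)
class Order:
    owner: str
    side: str      # "bid" (buyer) or "ask" (seller)
    price: float   # limit price; treated here as the true valuation or cost


@dataclass(frozen=True)
class Trade:
    buyer: str
    seller: str
    price: float
    buyer_value: float
    seller_cost: float


def run_cda(orders):
    """Process orders in arrival order; return (trades, open_bids, open_asks).
    A new bid matches the lowest resting ask if it reaches it; a new ask
    matches the highest resting bid if that bid reaches it; otherwise the
    order rests in the book.  seq makes heap keys unique so Orders are never compared."""
    bids, asks, trades = [], [], []          # bids: max-heap via negated price
    for seq, o in enumerate(orders):
        if o.side == "bid":
            if asks and asks[0][0] <= o.price:
                _, _, ask = heapq.heappop(asks)
                trades.append(Trade(o.owner, ask.owner, ask.price, o.price, ask.price))
            else:
                heapq.heappush(bids, (-o.price, seq, o))
        elif o.side == "ask":
            if bids and -bids[0][0] >= o.price:
                _, _, bid = heapq.heappop(bids)
                trades.append(Trade(bid.owner, o.owner, bid.price, bid.price, o.price))
            else:
                heapq.heappush(asks, (o.price, seq, o))
        else:
            raise ValueError(f"unknown side {o.side!r}")
    return trades, [b[2] for b in bids], [a[2] for a in asks]


def max_surplus(orders):
    """Competitive-equilibrium benchmark: pair the highest valuations with the
    lowest costs while each pair still has positive gains from trade."""
    values = sorted((o.price for o in orders if o.side == "bid"), reverse=True)
    costs = sorted(o.price for o in orders if o.side == "ask")
    total = 0.0
    for v, c in zip(values, costs):
        if v < c:
            break
        total += v - c
    return total


def allocative_efficiency(orders, trades):
    """Realised gains from trade divided by the maximum achievable (1.0 = efficient).
    A persistent drop in this ratio is the kind of signal a sentinel could act on."""
    best = max_surplus(orders)
    if best == 0:
        return 1.0
    return sum(t.buyer_value - t.seller_cost for t in trades) / best


# Constructed arrival sequence (hypothetical participants and prices).
SAMPLE_ORDERS = [
    Order("s1", "ask", 5.0),
    Order("b1", "bid", 3.0),   # below best ask, rests in the book
    Order("b2", "bid", 8.0),   # crosses s1's ask, trades at 5.0
    Order("s2", "ask", 2.0),   # crosses b1's resting bid, trades at 3.0
    Order("s3", "ask", 9.0),   # no bid reaches it
    Order("b3", "bid", 6.0),   # below the only remaining ask (9.0), rests
]

if __name__ == "__main__":
    trades, bids, asks = run_cda(SAMPLE_ORDERS)
    for t in trades:
        print(f"{t.buyer} buys from {t.seller} at {t.price}")
    print("allocative efficiency:", round(allocative_efficiency(SAMPLE_ORDERS, trades), 3))
```

On this sequence two trades execute (b2/s1 at 5.0, b1/s2 at 3.0) for a realised surplus of 4, while the equilibrium pairing (8 with 2, 6 with 5) would have yielded 7, so efficiency is 4/7. That gap arises from arrival order alone, with no cheating; a sentinel using allocative efficiency therefore needs a baseline for honest behaviour before it flags a participant, which is the calibration question the thesis's detection scheme has to answer.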