Seminar Report On Intrusion Tolerance
CONTENTS
Introduction
Methods involved
Fault Model
Classical Methodology
Error Processing
Fault Treatment
Paradigms
Example IT systems
Conclusion
Intrusion Tolerance
INTRODUCTION
Traditionally, security has involved either:
- Trusting that certain attacks will not occur
- Removing vulnerabilities from initially fragile software
- Preventing attacks from leading to intrusions

In contrast, the tolerance paradigm in security:
- Assumes that systems remain to a certain extent vulnerable
- Assumes that attacks on components or sub-systems can happen and some will be successful
- Ensures that the overall system nevertheless remains secure and operational
In other words:
- Faults, malicious and other, occur.
- They generate errors, i.e. component-level security compromises.
- Error processing mechanisms make sure that security failure is prevented.

Obviously, a complete approach combines tolerance with prevention, removal and forecasting: after all, the classic dependability fields of action!
What measures the risk of intrusion? RISK is a combined measure of the level of threat to which a computing or communication system is exposed, and the degree of vulnerability it possesses:

RISK = VULNERABILITY x THREAT

The correct measure of how potentially insecure a system can be (in other words, of how hard it will be to make it secure) depends:
- on the number and severity of the flaws of the system (vulnerabilities)
- on the potential of the attacks it may be subjected to (threats)
METHODS INVOLVED
In the process of intrusion tolerance we come across many stages that directly or indirectly help make the process efficient and effective:
1. Fault Models.
2. Classical Methodology.
3. Error Processing.
4. Fault Treatment.
FAULT MODELS
Attacks, Vulnerabilities, Intrusions
Intrusion: an externally induced, intentionally malicious, operational fault, causing an erroneous state in the system. An intrusion has two underlying causes:

Vulnerability: a malicious or non-malicious weakness in a computing or communication system that can be exploited with malicious intention.

Attack: a malicious intentional fault introduced in a computing or communication system, with the intent of exploiting a vulnerability in that system.

Without attacks, vulnerabilities are harmless. Without vulnerabilities, there cannot be successful attacks.

Hence: attack + vulnerability → intrusion → error → failure, a specialization of the generic fault → error → failure sequence.
Faults in Cascade:
- b is an outsider with respect to D: not authorized to perform any object-operations on D.
- a is an insider with respect to D: his privilege (A) intersects D, so he is authorized to perform some specified object-operations.
- b performs an outsider intrusion on D: privilege theft.
- a performs an insider intrusion on D: privilege abuse, maybe combined with privilege theft.
- b usurps the identity of a: privilege usurpation.
CLASSICAL METHODOLOGY
ERROR PROCESSING
Processing the errors deriving from intrusions
Error detection: detecting the error after it occurs. It aims at:
- confining it to avoid propagation;
- triggering error recovery mechanisms;
- triggering fault treatment mechanisms.
Examples: modified files or messages; phony OS account; sniffer in operation; host flaky or crashing on logic bomb.

Error recovery: recovering from the error. It aims at:
- providing correct service despite the error;
- recovering from the effects of intrusions.

Backward recovery: the system goes back to a previous state known as correct and resumes.
Examples: the system suffers a DoS (denial of service) attack and re-executes the corrupted operation; the system detects corrupted files, pauses and reinstalls them.

Forward recovery: the system proceeds forward to a state that ensures correct provision of service.
Examples: the system detects an intrusion, considers the corrupted operations lost and increases the level of security (threshold/quorum increase, key renewal); the system detects an intrusion and moves to a degraded but safer operating mode.

Error masking: redundancy allows providing correct service without any noticeable glitch.
Examples: systematic voting of operations; fragmentation-redundancy-scattering; sensor correlation (agreement on imprecise values).
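Error masking by voting, detection of the deviating replica, and forward recovery by raising the quorum, shown together as an added Python example that is not part of the original report. The class VotingService, the replica names and the sample replies are constructed for illustration, and replies are assumed to be comparable for equality.

```python
from collections import Counter

class VotingService:
    """Error masking by systematic voting over replicated components."""

    def __init__(self, replicas, f):
        if len(replicas) < 2 * f + 1:
            raise ValueError("masking f intrusions needs at least 2f+1 replicas")
        self.replicas = dict(replicas)          # name -> callable(request)
        self.quorum = len(replicas) // 2 + 1    # strict majority of replies
        self.isolated = set()                   # removed by fault treatment

    def execute(self, request):
        replies = {name: fn(request) for name, fn in self.replicas.items()
                   if name not in self.isolated}
        value, votes = Counter(replies.values()).most_common(1)[0]
        if votes < self.quorum:
            # Too many divergent replies to mask: fail safe, do not guess.
            raise RuntimeError("no quorum, refusing to answer")
        # Error detection: any replica that disagrees with the voted value.
        suspects = sorted(n for n, r in replies.items() if r != value)
        if suspects:
            self.isolated.update(suspects)      # isolation of faulty replicas
            live = len(self.replicas) - len(self.isolated)
            # Forward recovery: demand more agreement from what is left.
            self.quorum = min(self.quorum + 1, live)
        return value, suspects

# Constructed sample replicas: two honest, one returning a tampered reply.
def honest(request):
    return f"balance({request})=100"

def tampered(request):
    return f"balance({request})=999999"

def demo():
    svc = VotingService({"r1": honest, "r2": tampered, "r3": honest}, f=1)
    first = svc.execute("alice")    # intrusion on r2 is masked and detected
    second = svc.execute("alice")   # r2 isolated, r1 and r3 must now agree
    return first, second, svc.quorum

if __name__ == "__main__":
    print(demo())
```

With more divergent replicas than the voter can mask, `execute` raises instead of returning a guessed value, which corresponds to moving to a degraded but safer mode.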
FAULT TREATMENT
Diagnosis
Determine the cause of the error, i.e., the fault(s): location and nature.
- Non-malicious or malicious syndrome (intrusion)?
- Attack? To allow removal/retaliation.
- Vulnerability? To allow removal.
Isolation
Prevent new activation:
- Intrusion: prevent further penetration.
- Attack: disable further attacks of this kind (block the origin).
- Vulnerability: passivate the cause of the successful attack (e.g. patch).
Reconfiguration
- So that fault-free components provide adequate/degraded service.
- Contingency plans to degrade/restore service.
- Intrusion prevention device: enforces authenticity, integrity.
- Coverage: signature/authentication method.
- End-to-end problem: who am I authenticating? Me or my PC?

- Intrusion prevention device: enforces confidentiality, integrity (authenticity).
- Coverage: tunnelling method, resilience of gateway.
- End-to-end problem: are all intranet guys good?
Firewalling
- Intrusion prevention device: prevents attacks on inside machines.
- Coverage: semantics of firewall functions, resilience of bastions.
- End-to-end problem: are all internal network guys good?
1. MAFTIA - Malicious and Accidental Fault Tolerance for Internet Applications. MAFTIA is investigating ways of making computer systems more dependable in the presence of both accidental and malicious faults.

2. OASIS - Organically Assured & Survivable Information Systems.
- Construct intrusion-tolerant architectures from potentially vulnerable components.
- Characterize cost-benefits of intrusion tolerance mechanisms.
- Develop assessment and validation methodologies to evaluate intrusion tolerance mechanisms.
CONCLUSION
Therefore I conclude that, security being an issue that cannot be taken lightly, in any circumstance wherein immediate action has to be taken to keep up security, the tolerance approach is the effective one. Intrusion tolerance is one of the effective approaches to handle the intrusion and punish the intruder under the law. Using intrusion-tolerant measures and protocols, though intrusion takes place, it can certainly be tolerated.