Qu O O & & A P P O O D

Size: px

Start display at page:

Download "Qu O O & & A P P O O D"

Regina Cameron
5 years ago
Views:

1 Defense Enabling Using QuO: Experience in uilding Survivable CORA Applications Chris Jones, Partha Pal, Franklin Webber N Technologies QuO & APOD 1 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

2 APOD Overview APOD is toolkit of mechanism wrappers and adaptation strategies that allows an application to use security mechanisms to dynamically adapt to a changing environment We believe that adaptation increases an application s resiliency to certain kinds of attacks APOD uses QuO, which provides an application with adaptation. 2 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

3 Quo Overview QuO is a middleware system that offers an application the ability to adapt to the changing environment in which it is running. Host resources (CPU and memory) usage Network resource availability Intrusion status The adaptive code is separated into a QuO qosket for reuse. A qosket is a set of specifications and implementations that define a quality of service module. It can be added into a distributed object application with minimum impact on the application 3 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

4 QuO Overview (cont.) Quality Description Languages (QDL) Contract description language, adaptive behavior description language Code generators that generate Java and C++ code for contracts, delegates, creation, and initialization System Condition Objects Provide interfaces to resources, managers, and mechanisms QuO Runtime Kernel Contract evaluator Factory object which instantiates contract and system condition objects 4 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

5 CORA DOC MODEL QUO/CORA DOC MODEL CLIENT IDL STUS CLIENT Delegate IDL STUS OJ REF QuO Architecture in args operation() out args + return value Network OJECT (SERVANT) IDL SKELETON OR IIOP IIOP OR OJ REF SysCond Contract SysCond in args operation() out args + return value MECHANISM/PROPERTY MANAGER Network SysCond Contract SysCond OJECT (SERVANT) IDL SKELETON Delegate OR IIOP IIOP OR OJECT ADAPTER OJECT ADAPTER Application Developer Mechanism Developer Application Developer QuO Developer Mechanism Developer 5 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

6 APOD Description We believe that by adapting to and trying to control its environment, an application can increase its chances of survival under attack Use QuO to integrate multiple security mechanisms into a coherent strategy for adaptation Use mechanisms where they exist to harden or protect an application, a resource, or a service Tie security information to the adaptation of an application through the QuO system condition objects QuO s contract language is used to define defensive strategies that a Example strategies include» containment, which uses snort and iptables to detect and limits the extent of attacks» outrun, uses dependability with replication to move away from attacks 6 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

7 Defense-Enabled Application Competes With Attacker for Control of Resources Attacker C r y p t o Application QoS Management OSs and Network IDSs Firewalls Raw Resources CPU, bandwidth, files... 7 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

8 APOD Mechanisms Network and Host Sensors Snort is a lightweight network intrusion detection system Tripwire for detecting file systems integrity violations Actuators Network traffic filters - Iptables File systems recovery secure backup Dependability management using replication Aqua replication system from University of Illinois, Urbana- Champaign APOD us mechanism for publishing data about application s status and for maintaining replicas of application processes andwidth Management Intserv (RSVP, SecureRSVP) and Diffserv Access Control NAI s OO-DTE at the interceptor layer 8 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

9 APOD Strategies QuO s contract language is used to define defensive strategies Example strategies include containment, which uses snort and iptables to detect and limits the extent of attacks outrun, uses dependability with replication to move away from attacks. 9 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

10 APOD Red-teaming Experimentation Sandia labs redteam attacks an APOD enabled application Test the added value of APOD to an application Also, analyzing the overhead of APOD Application has three pieces; client, image server, and broker. The broker is responsible for hooking clients requesting images to the server that can provide those images Two broker components are maintained by the APOD bus on a set hosts. Each of these hosts is running a qosket implementing a containment strategy Using snort and tripwire as sensors and iptables and the bus to react to attack detections. 10 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

11 APOD Redteam Example Client 1 Subscribe/ Unsubscribe APOD bus Publish/ Unpublish Server 1 Client 2 Server ready/ Server gone Subscribe/ Unsubscribe Server ready/ Server gone roker 1 roker 2 Publish/ Unpublish Publish/ Unpublish Server 2 Server 3 11 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

12 Experimentation Configuration Testing environment of 14 hosts on 4 subnets. client2 broker2_1 broker2_2 C broker1_1 broker1_2 server S autobot Experiment Control, external waypoint VPN/ Internet optimus (IPNET3) (IPNET2).1 router_ipnet_2 router_ipnet_ router_ipnet_1 router_ipnet_ (IPNET1) (IPNET4) C S badguy S client3 broker3_1 broker3_2 server3 broker4_1 broker4_2 server4 12 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

13 Red-teaming Attack and Preliminary Results With APOD and the configuration, the redteam was forced to combine three different attacks to cause a denial of service of the broker The three attack are: ARP cache poisoning, Spoofing, connection flooding The combined attacks took 5 minutes and we have implemented counter defenses APOD has added value and the method call latency overhead of QuO and APOD to application is very small (~.3 msec.) note: encryption at interceptor layer not included, but measured by APOD team as roughly 500 msec per method call using symmetric encryption can improve this number. Ipsec overhead compared to interceptor layer is very small 13 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

14 What APOD would like from DOC security etter elimination of software flaws in OR implementations Standardized support across CORA implementations for pluggable transports interceptors Knobs and Dials at OR and service level to adjust security Easy configuration of OR s port selection dynamically under middleware control.» Specific ports or range of ports» How to select the next port to use Configuration of timeouts and how to deal with them. 14 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

15 Conclusion The red teaming has been extremely useful for APOD Validated our work and stress test our defenses CORA support needs to as secure and uniform as possible Found lack of uniformity in implementations Trusting the OR is secure Websites: QuO: APOD: 15 APOD 12/1/2002 DOCSEC 2002 Christopher Jones

Using Quality Objects (QuO) Middleware for QoS Control of Video Streams

Using Quality Objects (QuO) Middleware for QoS Control of Streams BBN Technologies Cambridge, MA http://www.dist-systems.bbn.com/tech/quo/ Craig Rodrigues crodrigu@bbn.com OMG s Third Workshop on Real-Time