assured cloud computing - dtic · –model the trustworthiness of a workflow –model configuration...
TRANSCRIPT
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Assured Cloud Computing: The Odessa Monitoring System
Roy Campbell
Assuring the Cloud -Summer Workshop
Griffiss Institute, July 11th 2011 Rome, NY
“Fly, fight, and win in air, space, and cyberspace”
1
Report Documentation Page Form ApprovedOMB No. 0704-0188
Public reporting burden for the collection of information is estimated to average 1 hour per response, including the time for reviewing instructions, searching existing data sources, gathering andmaintaining the data needed, and completing and reviewing the collection of information. Send comments regarding this burden estimate or any other aspect of this collection of information,including suggestions for reducing this burden, to Washington Headquarters Services, Directorate for Information Operations and Reports, 1215 Jefferson Davis Highway, Suite 1204, ArlingtonVA 22202-4302. Respondents should be aware that notwithstanding any other provision of law, no person shall be subject to a penalty for failing to comply with a collection of information if itdoes not display a currently valid OMB control number.
1. REPORT DATE 11 JUL 2011 2. REPORT TYPE
3. DATES COVERED 00-00-2011 to 00-00-2011
4. TITLE AND SUBTITLE Assured Cloud Computing: The Odessa Monitoring System
5a. CONTRACT NUMBER
5b. GRANT NUMBER
5c. PROGRAM ELEMENT NUMBER
6. AUTHOR(S) 5d. PROJECT NUMBER
5e. TASK NUMBER
5f. WORK UNIT NUMBER
7. PERFORMING ORGANIZATION NAME(S) AND ADDRESS(ES) University of Illinois at Urbana?Champaign ,Information Trust Institute,Urbana,IL,61801
8. PERFORMING ORGANIZATIONREPORT NUMBER
9. SPONSORING/MONITORING AGENCY NAME(S) AND ADDRESS(ES) 10. SPONSOR/MONITOR’S ACRONYM(S)
11. SPONSOR/MONITOR’S REPORT NUMBER(S)
12. DISTRIBUTION/AVAILABILITY STATEMENT Approved for public release; distribution unlimited
13. SUPPLEMENTARY NOTES
14. ABSTRACT
15. SUBJECT TERMS
16. SECURITY CLASSIFICATION OF: 17. LIMITATION OF ABSTRACT Same as
Report (SAR)
18. NUMBEROF PAGES
74
19a. NAME OFRESPONSIBLE PERSON
a. REPORT unclassified
b. ABSTRACT unclassified
c. THIS PAGE unclassified
Standard Form 298 (Rev. 8-98) Prescribed by ANSI Std Z39-18
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• United States Air Force Vision
– Global vigilance, reach and power
• Net centric military superiority
– Rapid technological advance
– Computer-based weapons systems
• Problems
– Overseas commitments and operations
– Global networking requirements
– Government and commercial off-the-shelf technology
– Secure computing over blue and gray networks
– Agility and mobility
2
United States Air Force and Cloud Computing
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Background
• Federal Cloud Computing Strategy. Vivek Kundra, US Chief
Information Officer, Feb 8th 2011, The White House:
The cloud computing model can significantly help agencies
grappling with the need to provide highly reliable, innovative
services quickly despite resource constraints
http://www.cio.gov/documents/Federal-Cloud-Computing-
Strategy.pdf
• Appendix 1: Potential Federal Spending on Cloud. DOD 2
billion plus.
• Appendix 2: Agency Resources for Cloud Computing
3
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Recent Problems in the Cloud
4
April 21st 2011 Amazon Elastic Block Store (EBS) went offline,
leaving the many Web and database servers depending on that
storage broken. Not until Easter Sunday (April 24) was service
restored to all users.
June 19th 2011 Dropbox, one of the most popular ways to share
and sync files online, says the accounts became unlocked at 1:54pm
Pacific time Sunday when a programming change introduced a bug.
The company closed the hole a little less than 4 hours later.
June 22nd 2011 Microsoft's BPOS (Business Productivity Online
Suite) cloud-hosted communication and collaboration suite suffered
an outage on Wednesday for more than three hours and involved a
networking hardware problem that affected customers in North
America.
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
NIST Cloud Computing Standards Roadmap
5
July 5, 2011:
http://collaborate.nist.gov/twiki-cloud-
computing/pub/CloudComputing/StandardsRoadmap/NIST_CCSR
WG_092_NIST_SP_500-291_Jul5.pdf
The NIST Definition of Cloud Computing identified cloud computing as:
a model for enabling ubiquitous, convenient, on-
demand network access to a shared pool of
configurable computing resources (e.g., networks,
servers, storage, applications, and services) that can
be rapidly provisioned and released with minimal
management effort or service provider interaction.
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Interactions between Actors in Cloud Computing
6
Cloud Consumer
Cloud Provider Cloud Broker
Cloud Auditor
The communication path between a cloud provider & a cloud consumer
The communication paths for a cloud auditor to collect auditing information
The communication paths for a cloud broker to provide service to a cloud
consumer
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Deployment Generic Scenario Perspective
7
Enterprise Systems
1.
Deploy to
a Cloud
2.
Manage
a Single
Cloud
8.
Operate
across
Clouds
Clouds Clouds
7.
Work with
a Selected
Cloud
6. Interface Clouds
5. Migrate Between Clouds
4. Migrate to a Cloud
3.
Interface to a Cloud
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
The Combined Conceptual Reference Diagram
8 Cloud Carrier
Cloud
Consumer
Cloud
Auditor
Cloud
Broker
Security
Audit
Privacy
Impact Audit
Performance
Audit
Cloud
Service
Management
Service Layer
Business
Support
Pri
va
cy
Service
Arbitrage
Service
Aggregation
Service
Intermediation
Secu
rity
Provisioning/
Configuration
Portability/ Interoperability
Physical
Resource Layer
IaaS
SaaS
PaaS
Resource
Abstraction and
Control Layer
Hardware
Facility
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Cloud Provider: Service Orchestration
9
Service Layer
Physical
Resource Layer
IaaS
SaaS
PaaS
Resource
Abstraction and
Control Layer
Hardware
Facility
Cloud
Provider
Biz Process/
Operations
App/Svc
Usage
Scenarios
Software as a Service
Application
Development
Develop,
Test, Deploy
and Manage
Usage
Scenarios
Platform as a Service
Infrastructure as a Service
IT Infrastructure
& Operation
Develop,
Test, Deploy
and Manage
Usage
Scenarios
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• A very new topic
• Multiple bodies are trying to standardize – Cloud Security Alliance
• Security Guidance for Critical Areas of Focus in Cloud Computing
• Top Threats to Cloud Computing
• Cloud Audit (A6Automated Audit,Assertion,Assessment,and Assurance API)
– NIST Cloud Security Initiative • Guidelines on Security and Privacy in Public Cloud Computing
– Military IASE standards from DISA-CSD
– Federal Government • FedRAMP(2011)
• Evolved from NIST 800-053, from 2009
• Assessment procedures
– OASIS Identity in the cloud • Open standards for identity deployment, provisioning and management
10
Cloud Security Standards
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Mission Oriented
• Interoperability (across blue and gray networks)
• A plethora of evolving standards
• End-to-end, Cross-layered
– Security
– Dependability
– Timeliness
11
Assured Cloud Computing Center:
Requirements and Challenges
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Use of formal methods to:
– Analyze, reason, prototype and evaluate architectures
– Design and optimize the performance of secure, timely,
fault-tolerant, mission-oriented cloud computing.
• Evaluation of a wide range of necessary Assured Cloud
Computing components
• Along with engaging AFRL in technological exchange, we plan
to integrate AFRL personnel into our research agenda, as well
as provide focused education delivery 12
Architecture + Design + Testing + Formal Verification
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Configuration and management of:
– Dynamic systems-of-systems
– Trusted and partially trusted resources and,
– Services sourced from multiple organizations
• Assured mission-critical computations and workflows with
configurations that do not violate any security or reliability
requirements
• Models of the trustworthiness of a workflow or computation’s completion for a given configuration in order to specify the
right configuration for high assurances 13
A Survivable and Distributed
Cloud-Computing-based Infrastructure
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
1) Flexible and dynamic distributed cloud-computing-based
architectures that are survivable
2) Novel security primitives, protocols, and mechanisms to
secure and support assured computations
3) Algorithms and techniques to enhance end-to-end timeliness
of computations
4) Algorithms that detect security policy or reliability
requirement violations in a given configuration
5) Algorithms that dynamically configure resources for a given
workflow based on security policy and reliability
requirements and
6) Algorithms, models, and tools to estimate the probability of
completion of a workflow for a given configuration 14
Research Agenda
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
a) Groundbreaking research in new algorithms and techniques
b) Development and experimental evaluation of prototypes
c) Education and technical exchange
15
Deliverables
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Since 2004 ITI has supported a multidisciplinary “Research
Network” of 100+ research faculty to complete a cumulative
of almost $60M in sponsored research into trustworthy systems
• College of Engineering, of which ITI is a part, is ranked sixth
in the nation
• Both Departments of Electrical and Computer Engineering and
Computer Science ranked in the top five of the nation
16
ITI Capabilities
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Assurance is the key factor:
– Model the trustworthiness of a workflow
– Model configuration of dynamic systems-of-systems
– Check Configurations do not violate security or reliability
requirements
• Requires algorithms, models and tools that:
1.Model a cloud configuration
2.Detect security or reliability violations
3.Dynamically configure resources for a given workflow
4.Estimate the probability of completion of a workflow for a
given configuration 17
Approach to Assurance
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Undertake core research and development to address these
challenges for new and modified architectures, algorithms,
and techniques:
– Design, formally analyze, run-time configuration,
experimental evaluation
• Will deliver:
– Research: new algorithms and techniques
– Engineering: development and experimental evaluation of
prototypes
– A focused workforce development that includes
education, and technology exchange
18
ACC-UCoE@UIUC
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
19
Air Force Mission: Disaster Relief in Hostile Territory
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
20
• Available resources
• Blue/Gray networks
• GIS & Cloud Computing
• Communication
• Imaging
• Search
• Confidentiality
• Authorization
Locate and identify
stranded civilians and damaged infrastructures
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
21
Use relay stations to remote monitor remote sensors
• Wireless Networks
• Real-time
• Sensor fusion
• Security & Authentication
• Reliability and Availability
• Search & Analysis
• Satellite Coverage
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Rescue stranded civilians and military personnel
22
• Enable secure and reliable services/computations with available resources from
multiple organizations in real-time
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Risk Analysis
• Research may not yield desired results and we
could discover technological limitations
• Granularity of localization that can be achieved
for a given amount of computing /communication
overhead
• Leverage mature technologies and proven tools
and technologies
• Architectural strategies (e.g. leveraging multiple
paths, complement integrity protection)
23
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Principal Investigator
Roy Campbell
Design
Indranil Gupta
Distributed Architectures
Security Protocols
Real-time Assuredness
Formal Methods
Gul Agha
Safety Properties
Real-time Properties
Performance Properties
Run-time
Campbell
Policy Detection
Dynamic Mapping
Trustworthiness Estimation
Security State Monitoring
Test-bed
Kalbarczyk
Incident Replay Engine (IRE)
Test-bed
Education
Bashir
Technical Exchange &
Speakers
Workshops
Visiting Scholars
(summers)
STEM Internship Programs
Advisory
Committee
24
Organizational structure
Indy Gupta Gul Agha Roy Campbell
Zbigniew
Kalbarczyk Masood Bashir
David Nicol
Bill Sanders Ravi Iyer
Jose Meseguer
Rakesh Bobba
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
25
Design
Principal Investigator
Roy Campbell
Design
Indranil Gupta
Distributed Architectures
Security Protocols
Real-time Assuredness
Formal Methods
Gul Agha
Safety Properties
Real-time Properties
Performance Properties
Run-time
Campbell
Policy Detection
Dynamic Mapping
Trustworthiness Estimation
Security State Monitoring
Test-bed
Kalbarczyk
Incident Replay Engine (IRE)
Test-bed
Education
Bashir
Technical Exchange &
Speakers
Workshops
Visiting Scholars
(summers)
STEM Internship Programs
Advisory
Committee
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Design of Algorithms and Techniques for Real-time
Assuredness in Cloud Computing
Indranil Gupta (and student Brian Cho)
• Design of Novel Security Primitives, Protocols, and
Mechanisms
Rakesh Bobba
• Formal Design of Distributed Cloud-Computing-Based
Architecture
Gul Agha + Jose Meseguer
Design Challenges for Assured Mission-Critical
Computations in Cloud-Based Infrastructure
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Principal Investigator
Roy Campbell
Design
Indranil Gupta
Distributed Architectures
Security Protocols
Real-time Assuredness
Formal Methods
Gul Agha
Safety Properties
Real-time Properties
Performance Properties
Run-time
Campbell
Policy Detection
Dynamic Mapping
Trustworthiness Estimation
Security State Monitoring
Test-bed
Kalbarczyk
Incident Replay Engine (IRE)
Test-bed
Education
Bashir
Technical Exchange &
Speakers
Workshops
Visiting Scholars
(summers)
STEM Internship Programs
Advisory
Committee
27
Formal Methods
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Rewriting Rules as Executable specifications
• Maude provides methods for proving
properties of programs
Safety (security), liveness
• Examples:
– actors using term rewriting
– Two level actor semantics for middleware
– pMaude: Probabilities on tactics of rule application
Statistical metrics.
Quantify robustness stability, timeliness
Jose Meseguer
Formal Methods Team
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
29
Thread State
Procedure
Thread State
Procedure
Interface Interface
Interface
Message
Create
•New actors have their own address
•Addresses may be communicated in messages
Gul Agha
Formal Methods Team
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Principal Investigator
Roy Campbell
Design
Indranil Gupta
Distributed Architectures
Security Protocols
Real-time Assuredness
Formal Methods
Gul Agha
Safety Properties
Real-time Properties
Performance Properties
Run-time
Campbell
Policy Detection
Dynamic Mapping
Trustworthiness Estimation
Security State Monitoring
Test-bed
Kalbarczyk
Incident Replay Engine (IRE)
Test-bed
Education
Bashir
Technical Exchange &
Speakers
Workshops
Visiting Scholars
(summers)
STEM Internship Programs
Advisory
Committee
30
Run-time
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Fast and Scalable Detection of Policy Violations in
Dynamic Assured Cloud Computing
Policy-based Dynamic Mapping of Services and
Workflows
Trustworthiness Estimation for Workflow Completion
Security State Monitoring and Attack Response
Security in cloud requires situational awareness and
dynamic response to events Roy Campbell
David Nicol
Bill Sanders
Rakesh Bobba
Run-Time Configuration, Workflow Scheduling,
and Security Monitoring Consideration
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Principal Investigator
Roy Campbell
Design
Indranil Gupta
Distributed Architectures
Security Protocols
Real-time Assuredness
Formal Methods
Gul Agha
Safety Properties
Real-time Properties
Performance Properties
Run-time
Campbell
Policy Detection
Dynamic Mapping
Trustworthiness Estimation
Security State Monitoring
Test-bed
Kalbarczyk
Incident Replay Engine (IRE)
Test-bed
Education
Bashir
Technical Exchange &
Speakers
Workshops
Visiting Scholars
(summers)
STEM Internship Programs
Advisory
Committee
32
Test-bed
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Objectives for creating the test-bed
• Capabilities of the test-bed for experimental evaluation
• Validation tools
– Example: characterization of error resiliency of virtualization
environment in Cloud Infrastructure
• Reliability/security protection techniques
– Example: application checkpointing through OS/Hypervisor-level
techniques
• Analysis of security incidents
– Example: incidents at NCSA
• Current facilities
33
Outline
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Create a distributed networked test-bed to:
– provide an open platform to prototype and test new
system configurations and applications
– experimentally verify the effectiveness of algorithms
and techniques for security and reliability monitoring
– demonstrate the effectiveness of the developed
architectures, algorithms, and protocols in presence
of accidental failures and malicious attacks
• Complement formal analysis and verification
of safety, real-time-, and performance-related
properties of developed architectures,
protocols, and algorithms
34
Ravishankar
Iyer
Zbigniew
Kalbarczyk
Goals and People
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Validation tools
– Validation of Virtualization Environment
in Cloud Infrastructure using fault/error injection
• Rapid prototyping of designs
– Application check pointing through OS/Hypervisor-level
techniques, e.g., Xen, KVM
• Data-driven modeling of security incidents
– Use knowledge on attack patterns learnt from the analysis of
real security incidents to create security test-bed
35
Example Capabilities of the Test-bed
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Principal Investigator
Roy Campbell
Design
Indranil Gupta
Distributed Architectures
Security Protocols
Real-time Assuredness
Formal Methods
Gul Agha
Safety Properties
Real-time Properties
Performance Properties
Run-time
Campbell
Policy Detection
Dynamic Mapping
Trustworthiness Estimation
Security State Monitoring
Test-bed
Kalbarczyk
Incident Replay Engine (IRE)
Test-bed
Education
Bashir
Technical Exchange &
Speakers
Workshops
Visiting Scholars
(summers)
STEM Internship Programs
Advisory
Committee
36
Education
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
37
PROGRAMS
• NSA Center for Information Assurance Education and Research
• National Center of Academic Excellence in Information Assurance
Education (CAEIAE)
• Graduate Degrees (MS, PhD)
• NSF-SFS scholarship
• Information Trust and Security Summer Internship
• Trust Curricular Roadmaps
• Trust related Short Courses
• Courses meet National Security Systems (CNSS) Training Standards
• Trust & Security Seminar Series
• Distinguished Lecture Series
ITI Educational Initiatives
Masooda
Bashir
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• U.S. forces depend
– C4ISR
– precision navigation/targeting
– Communications (Above Figure)
• The barriers to entry even for high-end cyber warfare
capabilities are low 38
From “Challenges to Military Operations in Support of U.S. Interests”
Cloud Security - Summary
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
The Odessa Monitoring System
Mirko Montanari, Ellick Chan, Kevin Larson,
Wucherl Yoo, Roy H. Campbell {mmontan2, emchan, klarson5, wyoo5, rhc}@illinois.edu
Department of Computer Science
University of Illinois at Urbana-Champaign
June 8th, 2011
Distributed Security Policy Conformance
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Policy Compliance in Large Distributed Systems
• Infrastructure security policies used by organization to
manage their systems and provide a basic level of security
• Challenges:
– How do we make compliance monitoring scale to
large systems?
• Large enterprise networks, Power grid, data centers
– How do we make the monitoring system secure?
40
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Distributed security assessment, delegation, detection and
response leveraging shared configuration information and
global policies
41
Goal -- Scalable and resilient system of systems that do not depend on
static or hierarchical infrastructure
Proposed Approach
References
• Mirko Montanari and Roy Campbell, Attack-resilient Compliance
Monitoring for Large Distributed Infrastructure Systems, 5th International
Conference on Network and System Security (NSS 2011).
• Mirko Montanari, Ellick Chan, Kevin Larson, Wucherl Yoo, Roy H.
Campbell, Distributed Security Policy Conformance, IFIP SEC 2011.
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Approach
• State of system represented as logic statements using ontologies
– Security and reliability requirements expressed as policies
– Interactions between elements as workflows
• Distributed compliance monitoring avoids central bottlenecks and targets
for attacks; disperses information and improves reactivity
– Distributed reasoning algorithms for detection of states that violate policies
• Detection of violation of policies allows auditing, enforcement, and
enables dynamic mapping of workflow operations.
0
20
40
60
80
100
120
140
160
0 5 10 15 20 25
# s
tate
me
nts
# compromised hosts
dora-1dora-3dora-5
centralized-1
0
2
4
6
8
10
0 5 10 15 20 25
# v
iola
tio
ns d
ete
cte
d
# compromised hosts
dora-1dora-3dora-5
centralized
Initial Monitoring Integrity Results Initial Monitoring Confidentiality Results
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Policy Compliance
• Rules that specify the desirable configuration
and state of the infrastructure
Infrastructure Policies (Airports, Power grid …)
• Aircrafts are required to connect to the airport
infrastructure when they touch ground
• Airline applications can be accessed only when the
aircraft is parked at the gate
Security Policies
• All computer systems connected to the internal
network must run an authorized anti-virus software
• Critical systems should be protected from multi-
step attacks exploiting known vulnerabilities
43
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Information Integration – General Architecture
Airport
network
Airline
server
Monitoring
Server
Access information
Type of application
Weight-
on-wheel
state
Server for integrating
information
Software
running on
each device
that monitors
the state of the
system
We need to monitor for changes and evaluate their impact on the overall
system 44
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Security - Byzantine Replication
Verifiers: information is
integrated redundantly in
multiple servers.
Verifiers can be managed
by different departments
in the organization
Violations are detected by
using byzantine
agreement
Agents: devices run
software to monitor the
state (e.g., forensic
analysis, VM
introspection)
Problem: each verifier
needs to verify liveness
and receive updates from
all machines in the
system
45
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Odessa Architecture
We use delegation for
making the solution scale
1) Policy validation
(partially) pushed to agents
2) Detection of liveness is
distributed across multiple
machines
3) Scalable pub/sub
architecture for managing
failures of verifiers
Policy
Aggregation
Tree
Policy
Aggregation
Tree
46
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Configuration Management - Policies
Enterprise Networks
Airport Network Infrastructure
• State and configurations are represented using RDF (Datalog)
• Policies are specified using Datalog rules
aircrafts must connect with
the airport wireless network
after landing for updating
software
(A type Aircraft), (A weight-on-wheels TRUE),
NOT (A connectedTo N), (N partof P), (P type
Airport) FAIL
Malicious users must not be
able to compromise critical
systems using sequences
of known vulnerabilities
(H type CriticalHost), (U type MaliciousUser),
(U canCompromise H) FAIL
(U canCompromise H1), (H1 canCommunicate
S), (S type Service), (S providedBy H2),
(S hasVulnerability V) (A canCompromise
H2)
47
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Scalability Mechanisms
1. Distribution of policy validation
– Policies are split into a portion of
the rule that can be validated
locally on each machine
2. DHT-based mechanisms for
introducing new verifiers upon
failures and for detecting
failures
– Pub/Sub for disseminating
information about new verifiers
and for detecting failures
48
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
1) Distribution of policy validation
• Rule analysis algorithm matches parts of rules with sources of information
• Partial validation of policies can be performed by agents
• Reduce the information to share globally for efficiency and privacy
Rule graph
generation
Determination of
local statements
Rule execution
Each rule is transformed in a graph and
meta-information from the annotation
are integrated in the representation
Each agent determines the statements
that can be found only locally
Statements are exchanged between
agents to complete the evaluation
49
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
A) Rule Graph Generation
(A w-on-wheels true),
NOT (A a_connected N) fail
(A connectedTo N), (N partof P)
(A a_connected N)
a_connected
partof
connectedTo
NOT a_connected
w-on-wheels
true
50
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Information Sources
Aircraft1 A
aircraft1 name ID
aircraft1 w-on-wheels V
aircraft1 a_connected N
Airport P:
O operatingAt P
A w-on-wheels
V
• Each agent provides specific information about the system
• The statements that are generated only locally are represented in a “local graph”
• Given this information we know that certain predicate can be generated only by a specific device
given a specific airplane A, its ID is provided only by A
given a specific airplane A, the list of networks is generated only by A
given a specific airport P, the list of operating airlines is provided by P
51
name
a_connected
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
B) Source Propagation
(A w-on-wheels true),
NOT (A a_connected N) fail
(A connectedTo N), (N partof P)
(A a_connected N)
a_connected
partof
connectedTo
NOT a_connected
w-on-wheels
true
52
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
C) Execution
a_connected
partof
connectedTo
a_connected
w-on-wheels
true
Rule processed locally:
A connectedTo N AND N partof P
A a_connected N Rule processed at the verifier
A a_connectedTo N AND A w-on-
wheels true FAIL
w-on-wheels 53
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Partial validation of complex rules
• Complex rules can be partitioned in multiple parts.
• Some parts can be validated locally, others are validated in the verifiers
54
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
2) Pub Sub mechanism
• Each verifier needs to acquire information about all hosts that
provide specific types of statements
– A a_connectedTo N, A w-on-wheels true FAIL
– All agents generating statements about “a_connectedTo” and
“w-on-wheels” need to send information to verifiers
• We generate a DHT SCRIBE topic H(P) for each predicate P
1. All agents subscribe to the topics of the predicates they
potentially provide
2. New verifier notify agents by publishing a message in all topics
relevant to the rules
3. Agents maintain information about verifiers and send
information directly to them
55
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Experimental Results
• Odessa implemented in Java and C
– Communication built on top of Freepastry
– To increase the trustworthiness of agents, we run them in Dom0
when possible.
56
Mechanism Configuration obtained
Dom0 (XenAccess, file system) Running processes, network
connections, configuration files
Host VM (Linux kernel module) Fast detection of new network
communications
• Using such information, we Implemented policies for
validating:
– Presence of specific programs
– NFS authorizations across networks
– Attack graph generation
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Delegation Experiments: Reduced Load
57
When large portions of the rules are processed locally, the amount of
information transmitted to verifiers because of configuration changes is
reduced
0
10
20
30
40
50
60
70
80
90
0 5 10 15 20 25 30
Avg
de
lay [
s]
# Msgs / min
p=3p=5
F ig. 3. Delay in the detect ion of agent
failures.
0
20
40
60
80
100
0 2 4 6 8 10
% C
ha
ng
es tra
nsm
itte
d
Rule size
k=1k=3
F ig. 4. Agents’ statements t ransferred as
consequences of configurat ion changes.
each host is registered to several t rees, even the failures of all hosts in a branch
of the tree are detected by the parent hosts in other t rees.
6 I mplement at ion and Evaluat ion
We implemented the components of the Odessa system using a combinat ion
of C and Java. The communicat ion between monitoring agents and ver ifiers is
implemented on the FreePast ry system. Inference is performed by using the rule-
based inference system Jena [3]. The monitoring agents run in the Dom0 virtual
machine of a Xen installat ion. They monitor guest VMs by accessing the host
state using an extension of XenAccess [14]. A Linux kernel module is installed
on guest VMs to provide addit ional informat ion about the state of the system
which are not easily accessible using XenAccess.
We ran the system on a real network and we validated a set of test rules
which include (i) checking the presence of specific programs, (ii) checking NFS
authorizat ion for access cont rol misconfigurat ions that give unprivileged users
access to rest ricted files, (iii) and validat ing that crit ical machines are protected
from external at tacks. Our system was able to delegate the validat ion of rules
(i) and (ii) to each host , and it was able to decompose rule (iii) into a local
port ion and a global port ion. The local port ion shares statements about the
host address and about vulnerable programs running on the system, which are
ident ified using the Nat ional Vulnerability Database(NVD)4. The global port ion
integrates this informat ion across the network and computes if a specific host
can be compromised by an external at tacker using logic at tack graphs. We use
our prototype to measure the possible delay in the verificat ion that an at tacker
can int roduce by performing DoS on predicate group roots before a new ver ifier
is registered. We found that the FreePastry implementat ion already provides a
delay limited to an average in the order of tens of seconds. The tradeoff between
message frequency and delay in the detect ion of failures is shown in Figure 3.
The parameter p represents the number of communicat ion at tempts made before
declaring an agent dead. The results are an average of 20 execut ions.
To measure the scalability characterist ics of Odessa, we performed several
simulat ions using random models of large-scale systems. The first experiments
4 NVD: Nat ional Vulnerability Database V2.2 ht tp:/ / nvd.nist .gov/ .
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Scalability Experiments: Maximum Load
58
Maximum number of messages sent by nodes (log-scale)
Odessa reduces of orders of magnitude the load on any central monitoring
host.
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Scalability Experiments: Average Load
Average number of messages sent and received by each node for
monitoring
Odessa does not significantly increase monitoring overhead compared to a
centralized solution 59
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Summary of Security Characteristics
• Policies are validated
redundantly on several verifiers
• Byzantine agreement between
verifiers
• Multiple agents acquires
independently the same
information about the state
• Agents are separated from the device they monitor
• Forensic information
• Virtual machine introspection
Compromised
verifiers
Compromised
agents
Hardening of the
agents
60
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Related Work
• SNMP, WBEM
– Good protocols for communicating with agents and
acquiring information. Their implementations often rely on
a centralized architecture
• TVA [Jajodia „03], MulVal [Ou „06]
– Scanning is slow in detecting policy violations. Multiple
scannings for redundancy increase network load.
• Top Down management architecture [Narain „08]
– Completely rely on centralized control. If the central point
is compromised, the architecture is insecure
61
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
• Dynamic mapping of services require by workflows to systems
that implement them
• Guiding organizational policies that support change in
response to dynamic changes
• Choice of services for workflow respects security policies
• Detection of policy violations
• Optimized algorithms to perform dynamic and distributed
mapping between workflows and services 62
Policy-based Dynamic
Mapping of Services and Workflows
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
63
Workflow
Action 1
Action 2
Action 3Byzantine Monitoring
Workflow Mapping
100
200
300
400
500
600
700
800
40 60 80 100 120 140 160 180 200
dela
y [m
s]
# hosts
min-1min-3min-5
max-1max-3max-5
0
2000
4000
6000
8000
10000
12000
14000
40 60 80 100 120 140 160 180 200
# m
sgs
# hosts
dora-1dora-3dora-5
centralized-5centralized-1
Liveness
Monitoring Load Compliance
Monitoring Load
Delay
Mapping and Monitoring
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Network Policy Management Extension
Manual Policy Enforcement
• Network administrators
configure hosts, switches and
middleware manually.
• This process is slow and
error-prone.
• Cloud networks are far too
dynamic to be managed with
manual configuration.
64
Host X is compromised
IDS notifies network admin
Admin determines what needs changed
Admin manually reconfigures each relevant network resource.
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Current Static Network Policy Management
Static Policy (e.g. FSL)
• Policy-based network
configuration consolidates
configuration data.
• Administrators write policies
to define network operation.
• However, policies apply to
individual hosts.
• Changing policies requires
recompiling.
65
Host X is compromised
IDS notifies network admin
Admin changes policy
Policy recompiled
FSL
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
State-based Static Policy Management
State-based Policy (e.g. Resonance) • Resonance provides
limited dynamic policy enforcement with finite-state machine
• Not all systems can be modeled with a reasonable number of states
• Forces policies into a rigid paradigm
Registration Quarantined
Authenticated Operation
Infection removed or
manually fixed
Failed Authentication
Infected after
an update
Successful
Authentication
Clean after update
Vulnerability discovered
Resonance
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Proposed Solution: Dynamic Policy
Using inference, dynamic policy system checks network events (Observed Data) against a set of given conditions (Base Policy). When a given condition is satisfied, the inference engine produces: • Actions – Changes to the network necessitated to enforce policy • Refined Policy – New conditions amended to Base Policy
Base
Policy Inference
Engine
Observed
Data
System
State
Policy
Refinement
Actions
Refined Policy
Base Policy:
Anonymous
hosts can’t use
SSH
Event:
Anonymous host
A joins the
network
Refined Policy:
Anonymous host
A can’t use SSH
+
=
Refined Policy:
Anonymous host
A can’t use SSH
Event:
Anonymous host
A tries to use
SSH
Action
SSH flow
blocked
+
=
Example Dynamic Policy Information Flow
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Proposed Solution: Dynamic Policy
Static Policy Dynamic Policy
Administrators define policies for
individual hosts.
Administrators define general base
policies for classes of hosts.
Violations must corrected manually. Violations can be automatically
corrected upon detection.
Every rule must be manually defined
by the administrator.
Refined policies can be logically
inferred from existing policies and
data.
Incurs little computational overhead. Can be resource intensive.
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Dynamic Policy in the Network
Dynamic Policy is implemented in the network architecture using programmable switches. This enables policy to be context aware, adapting itself to the state of the network at runtime. This design offers additional advantages: • Cannot be directly altered by end hosts, malicious
code, etc. • Policy can be automatically enforced • Required for some policies, e.g. path
specification • Can improve network efficiency, not just security
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Our Design: NetODESSA
Inferenc
e Engine
ODESSA
Agents
Inferred Policy
Base Policy
OpenFlow Switches
Violation
NetODESSA in conjunction with ODESSA
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Experiment: Inference Benchmarking
In this experiment, we simulated monitoring between two networks connected with an OpenFlow switch, using a NOX controller. Our goal was to implement basic policy monitoring and to measure the resource utilization for performing policy inference.
NOX Jen
a
OpenFlow Switch
Controller
VM1 VM2 VM3
VM7
VM4 VM5 VM6
VM8 VM9 VM8
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Experiment: Inference Benchmarking
Experiment: Inference Benchmarking
From our results, we conclude that dynamic policy monitoring will be bound by
the limitations of physical resources. However, our current inference engine uses
the OWL reasoner, which is not suited as well for our purposes as others.
Previous work has indicated that a more sophisticated implementation with a
specialized reasoner will be more scalable.
0
50
100
150
200
250
300
350
400
450
0
20
40
60
80
100
120
0 20 40 60 80 100
M
e
m
o
r
y
C
P
U
flows per second
CPU Utilization (%)
Resident Memory (MB)
Log. (CPU Utilization (%))
Log. (Resident Memory (MB))
This graph shows resource utilization relative to the amount of
network traffic being observed.
0
50
100
150
200
250
300
350
400
0
20
40
60
80
100
120
0 2 4 6 8
M
e
m
o
r
y
C
P
U
Number of Rules
CPU Utilization (%)
Resident Memory (MB)
Linear (CPU Utilization (%))
Linear (Resident Memory (MB))
Here we see how resource utilization trends with respect to
the number of rules being checked.
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Conclusions
• Policy compliance is an important component of the security
posture of large organizations
• Policy compliance monitoring system need to be scalable and secure
– Our architecture increases the security by introducing replication
of monitoring
– Delegation is used decrease the load and make our solution scale
to large networks
• Future Work
– Automatic reconfiguration of the agents to recover from
violations
– Consistency for detecting correctly short-lived violations
73
UNIVERSITY OF ILLINOIS AT URBANA-CHAMPAIGN | ENGINEERING AT ILLINOIS INFORMATION TRUST INSTITUTE
Acknowledgements
74
D Information Trust I N S T I T U T E
IIOEING lV IJ TCIPG
I Assured Cloud Computing University Center of Excellence
ILLINOIS