Survivability Through Customization and Adaptability:
The Cactus Approach
Matti A. Hiltunen, Richard D. Schlichting*, Carlos A. Ugarte, and Gary T. Wong
Department of Computer Science, The University of Arizona
*Current address: AT&T Research, Florham Park, NJ
http://www.cs.arizona.edu/cactus/
Page 2
Work supported in part by DARPA under grant N66001-97-C-8518.
Work done in collaboration with Gregg Townsend and current and former graduate students.
Page 3
Introduction
Survivable systems:
• Complete missions in time despite failures and attacks.
• Build on security, fault tolerance, safety, etc.
• Require techniques to protect, detect, react, and recover.
Cactus: A framework for constructing configurable and adaptive distributed services and protocols.
Theme: Application of Cactus and its techniques to issues in survivability.
Page 4
Fundamental techniques:
• Fine-grain customization through configurability.
• Dynamic adaptation.
Advantages:
• Customizable cost versus protection.
• Customization for scale.
• Artificial diversity through configuration.
• New survivability techniques can be easily added.
• Dynamic adaptation to attacks and changes in survivability requirements.
Page 5
Presentation Outline
• The Cactus Approach.
• Cactus Survivability Mechanisms.
• Services - Current and Planned.
• Status.
• Conclusions.
Page 6
The Cactus Approach
[Figure: Cactus sits between the application and the OS and network. Services (Service X, Service Y) have QoS attributes (reliability, availability, timeliness, security, consistency, performance) that are adapted in response to changed user requirements, intrusions, failures, and changes in available resources (CPU, memory, network bandwidth).]
Page 7
Cactus Model
[Figure: a composite protocol with a customizable API on each side, built from micro-protocols (Reliability, Total Order, Privacy, ...). Event handlers are bound to events (msg from above, msg from below, msg timeout, site failure); micro-protocols share data structures (hash tables etc.) and messages. Composite or traditional protocols above and below exchange messages/method invocations and QoS requests/notifications.]
Page 8
Configurability in Cactus
Configurability through independence between micro-protocols, provided by the Cactus mechanisms:
Events:
• Dynamic binding of event handlers to events.
• Flexible: parameter passing, synchrony, ordering.
Shared session and protocol variables.
Cactus messages:
• Msg header = dynamic set of named msg attributes.
• Attribute scope: LOCAL, PEER, STACK.
• Coordination mechanism for sending msg to next protocol.
Page 9
Adaptability in Cactus
Idea: Adaptation by dynamically reconfiguring a service.
Examples:
• FT: changing multicast algorithm to accommodate a change in failure model assumption.
• Security: increasing level of encryption to counteract an intruder.
Cactus mechanisms:
• Activation/deactivation of micro-protocols through event handler binding.
• Dynamic code loading + activation of new code.
Page 10
[Figure: an adaptor drives a loop of change detection and adaptation. The new micro-protocol (labelled "New AdAw mp") is taken through PreActivate and Activate(s); the old one ("Old AdAw mp") through PreDeactivate(new) and Deactivate; each reports a fitness value back to the adaptor.]
Goal: smooth adaptation.
Approach: a multiphase transition from old to new micro-protocol.
Coordination issues:
• When to activate/deactivate a micro-protocol.
• Distributed coordination of adaptation.
Page 11
Cactus Survivability Mechanisms
Fault tolerance and security
Fundamental properties for survivable systems.
Different FT and security mechanisms can be implemented as micro-protocols.
FT: retransmission, atomicity, checksums, object/process replication, message logging.
Security: cryptographic methods for privacy, authenticity, integrity, replay prevention, non-repudiation.
Implementation options:
1. Integration with an existing configurable service (e.g., communication or file service), or
2. Separate fault-tolerance or security service.
Page 12
Artificial diversity
Harder for an intruder to apply the same attack method on different installations of a system/service.
Configurability as a mechanism for artificial diversity:
• Natural diversity through customization for user requirements and characteristics of the execution environment.
• Additional diversity by providing alternative micro-protocols with the same service property (e.g., different encryption algorithms for privacy).
Page 13
Adaptability
Survivable systems exhibit adaptive behavior:
• Automated reactions to intrusions, system state restoration.
• Service upgrades to handle new attacks.
• Dynamic change of security level when intrusion suspected.
Current work: performance and fault-tolerance adaptations.
Future work: security and real-time adaptations.
Challenges:
• Adaptation mechanisms must be intrusion tolerant (e.g., message authentication, Byzantine methods).
• Adaptation must happen in bounded time.
Page 14
Transparent survivability
Legacy and off-the-shelf applications are often not survivable enough ⇒ transparent enhancement of survivability necessary.
Replacement of underlying communication/OS services or transparent insertion of middleware services:
• Linux loadable kernel modules (Cactus comm. protocols).
• Interception of signals on Linux and Solaris (Cactus DSM service).
• Smart stubs, interceptors, and DSI on CORBA allow insertion of Cactus services between an application and the ORB.
Page 15
Current Cactus Services
A number of distributed services implemented to validate and demonstrate the Cactus approach.
Examples:
• RTD Channels (real-time, reliability, ordering).
• Group membership (ordering, consistency).
• Distributed shared memory (consistency, replacement, etc.).
• Secure communication service.
• Group RPC.
• System monitoring service.
Focus on basic attributes rather than adaptation.
Page 16
Secure Communication Service
Increasing emphasis on customizing communication security (e.g., IPSec, SSL, TLS).
SecComm: customizable secure communication service implemented using Cactus:
• Multiple basic security MPs for privacy, integrity, authenticity, non-repudiation, replay prevention, key distribution, etc.
• Meta security MPs: use basic security MPs to construct more complex protocols, e.g., alternating encryption.
• MPs simple ⇒ easy to add custom security MPs.
• Arbitrary number and combinations of the micro-protocols allowed ⇒ arbitrarily high security at arbitrarily high cost.
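An added example, not SecComm's own code, of how basic and meta security MPs compose and why their order matters. Replay prevention, privacy and integrity are applied in send order and undone in reverse, and a meta MP alternates two privacy MPs per message as the slide describes. The cipher, the attribute wire format, the function names (build_stack, send, receive, demo) and all key material are constructed for the example; an HMAC-SHA256 counter-mode keystream stands in for the DES, Blowfish and XOR micro-protocols of the measurements on the next slide.

```python
"""SecComm-style stack: three basic security micro-protocols (replay prevention,
privacy, integrity) and one meta micro-protocol (alternating encryption), applied in
a fixed order on send and in reverse on receive. Illustration only, not the SecComm
code; an HMAC-SHA256 counter-mode keystream stands in for the DES/Blowfish/XOR MPs."""
import hashlib, hmac, struct

def keystream(key, nonce, length):
    """PRF in counter mode. Assumption: fine for the demo; use a vetted AEAD in practice."""
    blocks = (hmac.new(key, nonce + struct.pack(">I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))

class Msg:
    def __init__(self, data, attrs=None):
        self.data, self.attrs = data, dict(attrs or {})   # PEER-scope attributes only
    def mac_input(self):
        """Bytes the MAC covers: every attribute except the MAC itself, then the payload."""
        parts = [k.encode() + b"=" + v for k, v in sorted(self.attrs.items()) if k != "mac"]
        return b"|".join(parts) + b"||" + self.data

class ReplayPrevention:
    """Sequence-number attribute; the receiver rejects anything not strictly newer."""
    def __init__(self):
        self.next_seq, self.last_seen = 0, -1
    def outbound(self, msg):
        msg.attrs["seq"] = struct.pack(">Q", self.next_seq)
        self.next_seq += 1
    def inbound(self, msg):
        seq = struct.unpack(">Q", msg.attrs["seq"])[0]
        if seq <= self.last_seen:
            raise ValueError("replayed or reordered message")
        self.last_seen = seq

class Privacy:
    """Encrypts the payload under one key; the sequence number is the nonce, so
    (key, nonce) never repeats while the sequence number is fresh."""
    def __init__(self, key):
        self.key = key
    def outbound(self, msg):
        msg.data = xor(msg.data, keystream(self.key, msg.attrs["seq"], len(msg.data)))
    inbound = outbound      # stream cipher: decryption is the same operation

class AlternatingPrivacy:
    """Meta MP: routes each message to one Privacy MP by sequence number, so breaking
    one cipher exposes only that cipher's share of the traffic."""
    def __init__(self, *privs):
        self.privs = privs
    def pick(self, msg):
        return self.privs[struct.unpack(">Q", msg.attrs["seq"])[0] % len(self.privs)]
    def outbound(self, msg):
        self.pick(msg).outbound(msg)
    def inbound(self, msg):
        self.pick(msg).inbound(msg)

class Integrity:
    """HMAC over the attributes and the ciphertext (encrypt-then-MAC)."""
    def __init__(self, key):
        self.key = key
    def outbound(self, msg):
        msg.attrs["mac"] = hmac.new(self.key, msg.mac_input(), hashlib.sha256).digest()
    def inbound(self, msg):
        tag = msg.attrs.pop("mac", b"")
        expected = hmac.new(self.key, msg.mac_input(), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            raise ValueError("integrity check failed")

def build_stack(enc_key_a, enc_key_b, mac_key):
    """Send order; receive walks it backwards: verify MAC, decrypt, then replay check."""
    return [ReplayPrevention(), AlternatingPrivacy(Privacy(enc_key_a), Privacy(enc_key_b)),
            Integrity(mac_key)]

def send(stack, data):
    msg = Msg(data)
    for mp in stack:
        mp.outbound(msg)
    return msg.attrs, msg.data          # what goes on the wire

def receive(stack, wire):
    msg = Msg(wire[1], wire[0])
    for mp in reversed(stack):
        mp.inbound(msg)
    return msg.data

def demo():
    """Constructed keys; both ends are built from the same configuration."""
    keys = (b"\x01" * 32, b"\x02" * 32, b"\x03" * 32)
    sender, receiver = build_stack(*keys), build_stack(*keys)
    first, second = send(sender, b"launch"), send(sender, b"abort")
    results = {"ciphertext_differs": second[1] != b"abort",
               "roundtrip": [receive(receiver, first), receive(receiver, second)]}
    tampered = (second[0], second[1][:-1] + bytes([second[1][-1] ^ 1]))
    for name, wire in (("replay", first), ("tamper", tampered)):
        try:
            receive(receiver, wire)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = str(exc)
    return results
```

Two practitioner caveats follow from the "arbitrary combinations" claim. First, the composition order is part of the security property: here the MAC is computed over the sequence number and the ciphertext, so a replayed or altered message fails before anything is decrypted or acted on; move Integrity ahead of Privacy in the send list and the MAC would cover plaintext instead, leaving the ciphertext malleable. Second, stacking adds cost but not necessarily strength: a 64-bit repeated-key XOR costs an extra 0.23 ms per roundtrip in the measurements on the next slide and gives no confidentiality against an intruder who knows any plaintext, so diversity should be built from alternatives that are each adequate on their own.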
Page 17
MP classes and event interactions
[Figure: SecComm basic security MP classes (Privacy, Authenticity, Non-Repudiation, Replay Prevention, Integrity, Security Audit, Key Distribution) and Meta Security MPs, connected by the events msgFromAbove, dataMsgFromBelow, keyMsgFromBelow, keyMiss, and securityAlert.]
Page 18
SecComm performance
Implemented on a cluster of Pentium PCs (133 MHz) running the MK 7.3 OS from Open Group/RI, connected by 10 Mbps Ethernet.

| micro-protocols    | roundtrip |
|--------------------|-----------|
| none               | 3.59 ms   |
| XOR                | 3.82 ms   |
| DES                | 6.75 ms   |
| DES, XOR           | 6.96 ms   |
| DES, XOR, Blowfish | 8.98 ms   |
| MD5                | 4.01 ms   |
| SHA                | 3.99 ms   |
| MD5, SHA           | 4.36 ms   |

Packet size: 100 bytes.
Key lengths (bits):
• DES 56
• Blowfish 448
• XOR 64
Average IP roundtrip time: 3.03 ms.
Page 19
Group RPC
Replicated RPC to a group of servers.
Novel feature: customizable failure model (crash, send/receive omission, late/early timing, value, Byzantine).
Other properties: synchronous/asynchronous, FIFO/total order, atomicity.
11 micro-protocols, dozens of configurations.

| clients | servers | failure model    | FIFO    | total    |
|---------|---------|------------------|---------|----------|
| 1       | 1       | none             | 3.3 ms  | 3.6 ms   |
| 1       | 2       | crash            | 4.2 ms  | 6.2 ms   |
| 1       | 2       | send omission    | 4.1 ms  | 6.6 ms   |
| 1       | 3       | receive omission | 5.3 ms  | 10.5 ms  |
| 1       | 3       | Byzantine        | 2181 ms | 18924 ms |
Page 20
System Monitoring Service
A dynamically configurable distributed system monitor for NT and Linux implemented using Cactus/J 2.0 (Java).
Each aspect of system monitoring implemented as a separate micro-protocol:
• Users.
• Processes: CPU/memory usage, etc.
• Processor: available memory, context switches, etc.
Micro-protocols can be loaded/unloaded at runtime.
New features could be easily added, e.g., monitoring for survivability.
Page 22
Services for Survivability
Cactus mechanisms could be used to construct services specifically geared for survivability.
Intrusion detection.
• Extensible: new data collection and analysis micro-protocols.
• Customizable coverage versus performance/resource utilization/inconvenience.
• Customization for current mode of operation.
• Short term adaptation to detected threats.
• Long term adaptation: integration of new techniques.
Page 23
Survivable data storage.
• Confidentiality: cryptography, data fragmentation.
• Integrity for intrusion detection.
• Replication for availability.
• Checkpointing, change logging for recovery.
Access control and authentication.
• Customized authentication ⇒ diversity.
• Adaptive authentication.
Page 24
Status: Prototypes and Services
[Figure: status matrix of prototypes and services. Platforms: Solaris, MK, NT, Linux. Cactus 1.0 implemented in C++ and C; Cactus 2.0 in Java and C, with an in-kernel Linux version. Layers: system level (in-kernel Linux, CTP), "middleware" (ConfDSM, SecComm, Membership, ConfCORBA, GroupRPC, RTD Channel), application (DistMonServ). Example services are listed against QoS attributes (consistency, fault tolerance, real time, security): SecComm under security, with GroupRPC, RTD Channel, CTP and ConfDSM. Colours on the slide distinguish completed/released, in progress, and planned.]
Page 25
Conclusions
Configurability and adaptability supported by the Cactus platform are important mechanisms for survivable systems.
• Customization of tradeoffs.
• Extensibility to introduce new survivability techniques.
• Adaptation to attacks.
Cactus framework and example services available through the Cactus home page: http://www.cs.arizona.edu/cactus/