
Page 1: Agile Objects: Component-based Inherent Survivability

University of California, San Diego, Computer Science and Engineering, Concurrent Systems Architecture Group

Andrew A. Chien
[email protected], UCSD
Jane Liu (UIUC) -> Riccardo Bettati (Texas A&M)
http://www-csag.ucsd.edu/projects/agileO.html

AFRL F30602-9-1-0534
DARPA ISO Intrusion Tolerant Systems PI Meeting
Year 1 Progress Report, July 19, 2000

Page 2: Outline

Andrew A. Chien – 7/20/2000

• Motivation and Goals
• Agile Objects
  » Location Elusiveness
  » Interface Elusiveness
• Status
• Plans

Page 3: Background/Existing Practice

• Static Distributed Software Architectures (nearly)
  » Fixed points of access, deployment, resource dependence
• System/Firewall/Sandbox/Domain based Security
  » Resource and containment oriented
• Security Architecture based on Anticipated Deployment Structures
• => Flexibility and reconfiguration can enhance survivability
• Our Focus: Flexible Configuration of Distributed C3I Systems (Real-time, High Performance, Mission-Critical Online systems)
  » E.g. Aegis Battle Cruiser, Theatre Command/Information system, etc.

Page 4: AO Focus: Tolerance and Response

• Resource loss due to compromise
  » Detected security breach, autonomic response, network partition
• Resources made undesirable due to changes in security status
  » Under attack, detected assaults, partially compromised, loss of other security critical information
  » Information about attack methods and systems targeted
  » Proactive reconfiguration in response to partial loss

Page 5: Traditional Static Distributed System Design and Config

• Application Design implicitly assumes distribution and security environment, as well as Specific Resources (and types)
• Difficult to reconfigure, requalify
  » Complex schedulability analysis and resource matching
• DARPA ITO/Quorum techniques improve situation, but require significant application involvement and management of environment
• => High Performance RPC enables…

Page 6: Distribution Independent Design

• Identical Application Design can be Deployed in Multiple Configurations
  » Identical design effort (same performance abstractions ensured by the middleware layer) – rate-based real-time performance at component level
  » Identical performance experienced by users of the applications
  » Configurations can be chosen based on many criteria: survivability, load balance, hardware reliability, etc.
• => Online Migration and Flexible Replication enables…

Figure: the same application design shown in four configurations, Deployment #1 through Deployment #4.

Page 7: Location Elusive Applications

• Extend distribution flexibility to runtime
  » Transparent online reconfiguration; functionality and performance invisible to distributed application and its users (Location Elusiveness)
• Respond to dynamic changes in runtime environment (failures, attack, security)
  » Without major additional design effort
  » Useful for commodity and legacy software

Page 8: Flexible Security Reconfiguration

• Integrated security mechanisms with high performance RPC/distributed objects (Elusive Interfaces)
  » Exploit computer manipulable interfaces and data reorganization
• Adaptive security management for Agile, highly decentralized applications
  » Rapidly and continuously changing environment and configurations

Figure (labels): Nasty Virus Attack; Elevated Security Barrier; Change of Protocol and Change of Interface.

Page 9: Technical Objectives

• Agile Objects enables Elusive Distributed Applications
• Location Elusiveness
  » Seamless boundary between Component and Distributed Object applications
  » Rate-based real-time framework allows distributed reconfiguration in performance transparent fashion
  » Replication supports fault tolerance, rapid reconfiguration, multi-version assurance and survivability
• Interface Elusiveness
  » Integrates security mechanisms with traditional object interface marshalling to achieve high performance
    – An adaptive security mechanism (there are many)
  » Adaptive security required with rapidly changing application configuration
    – => also rapidly changing surrounding resource and security environment
• Transparent automatic reconfiguration maintains performance and security properties
  » No major additional application programming effort
  » Can incorporate commodity software modules without major effort
• Respond to critical Assurance and Survivability events fast (<< seconds)

Page 10: Assumptions and Scope

• What threats/attacks is your project addressing?
  » Any that lead to compromise of nodes, networks, services
  » esp. object/component interface based attacks
• What assumptions does your project make?
  » Only some resources are compromised; segregation possible
  » Some warning (could be noisy) => Low impact techniques to respond
• What policies can we enforce?
  » Application configuration <-> Level of compromise of resources
    – Reflect Infocon level or resource status *fast*
  » Many that drive reconfiguration, decouple reconfiguration from complex analysis and performance

Page 11: Challenges

• Location Elusiveness: Support rapid application mobility with
  » Performance insensitivity
  » Uniform resource access
  » Continuous real-time performance
  » => make this real for significant distributed applications
• Interface Elusiveness: Adapt security mechanisms and configuration
  » Support *very* high speed networks
  » Characterize EI interface configuration spaces and develop innovative configuration mgmt and adaptation
  » Manage and enforce security requirements, adapting in real time to match rapid changes

Page 12: Work Completed

Agile Objects Project Plan (diagram), with its two tracks and their milestones:

• Location Elusiveness
  » High Performance RPC
  » Distrib. Insensitivity
  » Agile Object Migration (RT)
  » Object Replication
  » Name Service for Elusive Applications
  » Elusive Location Demonstration
• Interface Elusiveness
  » Analytical Foundations & Case Studies
  » Elusive Interface Prototype
  » Dynamic Mutation (online, reactive)
  » Elusive Interface System
  » Elusive Interface Demonstration
• Agile Objects Application Demonstrations

Page 13: Expected Major Achievements

• Location Elusiveness: Distribution insensitive distributed applications
  » High Performance RPC which enables flexible configuration
  » Online Migration and Replication
  » Real-time applications which reconfigure while maintaining performance guarantees
• Interface Elusiveness: Characterize space of interface mutation and dynamic coordination mechanisms
  » Crystallize a framework for adaptive interface mutation management (reconfiguration, cost, space)
  » Configuration independent application security specifications
• Develop a range of targeted responses based on Intrusion Detection & System status information
• Integrate techniques for a unified Agile Objects approach and demonstration

Page 14: Quantitative Metrics

• Location Elusiveness
  » Speed of remote RPC, ratio of local/remote
  » Time of application reconfiguration (physical network parameters, applications)
  » Granularity/precision of real-time guarantees
• Interface Elusiveness
  » Size of reconfiguration space, range of techniques
  » Reconfiguration Cost
  » Reconfiguration Delay
• Scale of Demonstrations

Page 15 (slide 17): Progress

• Previously reported Accomplishments
  » User-level networking performance
  » Fast Remote RPC (+ improving)
    – 40 microseconds; as fast as local
  » Basic Real-time Framework
  » Multi-DCOM Prototype
  » Elusive Interfaces Framework
• Recent Accomplishments (since 2/00)
  » Elusive Interfaces Prototype
  » Experimentation with Multi-DCOM Prototype

Page 16 (slide 18): Elusive Interfaces

• Distributed Object and Component Applications: primitive pairwise relationships
• End-to-end encryption techniques practically incompatible with high speed networks
• Ideas
  » Low-cost encryption techniques based on interface structure
  » Adapt and manage automatically in response to changes
  » Systematic analysis of opportunities, costs, and capabilities

Figure (labels): High Speed Net; Untrusted Net; Specialized Cryptography Hardware; Time-varying.

Page 17 (slide 19): Security Overhead

• SSL inline overhead (excluding initial exchange protocol)
  » 4x fixed overhead; 17x per byte costs (~2Mbits)
  » 56-bit keys, 500Mhz Pentium II’s, 100Mbit Ethernet
  » Cleartext protocol stacks barely feed high speed networks

Figure: "2 node latency", latency in ms (0 to 70) against message size in bytes (0 to 8192); two series, SSL and No SSL.

Page 18 (slide 20): Elusive Interfaces

• EI Transformations
  » Size preserving: Method offset, offset range, parameter location, parameter organization, etc.
  » Non-size preserving: parameter buffering, message buffering
  » Sequence: Dynamic variation of interface over lifetime of connection...
• Low cost due to word-level transformations, bury in (de)marshalling
• Vary transformation based on expected attack modes
  » Active attacks: NumFormats
  » Passive attacks: NumMethods

Figure: client and server, each with an EI module, connected over the network.

Page 19 (slide 21)

• February 2000 PI Meeting
  » Analytic analysis of these approaches
  » Large Elusive interfaces space for realistic interfaces
    – Simple systems, 10^6 – 10^16 configurations
  » Report available from http://www-csag.ucsd.edu/projects/AgileO.html
• July 2000 PI Meeting
  » Prototype and evaluation

Page 20 (slide 22): Elusive Interfaces Prototype

• Java RMI
• Berkeley’s secure NinjaRMI (authentication and encryption infrastructure)
• Implementation
  » RMI compiler which generates mutations in stub and skel files
  » Transport layer uses secure key-exchange, followed by mutated data stream
• Limitation: single, fixed sequence of changes

Figure: client with EI stub and server with EI skel, connected over the network.
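The EI transformation slide and the prototype slide above describe size-preserving mutations of method offset and parameter location, chosen per connection and varied over its lifetime, buried in (de)marshalling. The following is an added example, not the project's code: a toy Python model of a client/server EI module pair that derives a per-message permutation of method offsets and parameter word order from a shared secret (assumed here to stand for the key the prototype's transport layer exchanges), plus a count of the layouts this toy scheme can select.

```python
import hashlib
import math
import struct
from dataclasses import dataclass


@dataclass(frozen=True)
class Interface:
    """Static interface description shared by client stub and server skel."""
    methods: tuple[str, ...]   # method names in declared order
    nparams: int               # unsigned 32-bit parameter words per call


def _permutation(seed: bytes, n: int) -> list[int]:
    """Deterministic permutation of range(n): Fisher-Yates driven by SHA-256,
    so both EI modules derive the same table from the same seed."""
    perm = list(range(n))
    for i in range(n - 1, 0, -1):
        word = hashlib.sha256(seed + i.to_bytes(4, "big")).digest()[:4]
        j = int.from_bytes(word, "big") % (i + 1)
        perm[i], perm[j] = perm[j], perm[i]
    return perm


class EIModule:
    """One end of an Elusive Interface. `secret` is an assumed stand-in for the
    exchanged key; `seq` advances per message so the wire layout keeps changing."""

    def __init__(self, iface: Interface, secret: bytes) -> None:
        self.iface, self.secret = iface, secret

    def _tables(self, seq: int) -> tuple[list[int], list[int]]:
        seed = self.secret + seq.to_bytes(8, "big")
        return (_permutation(seed + b"method", len(self.iface.methods)),
                _permutation(seed + b"params", self.iface.nparams))

    def marshal(self, seq: int, method: str, params: list[int]) -> bytes:
        """Client stub: declared method index -> mutated offset, parameter
        words re-ordered. Output length does not depend on the mutation."""
        if len(params) != self.iface.nparams:
            raise ValueError("parameter count does not match interface")
        mperm, pperm = self._tables(seq)
        offset = mperm[self.iface.methods.index(method)]
        wire = [params[pperm[k]] for k in range(self.iface.nparams)]
        return struct.pack(f">I{len(wire)}I", offset, *wire)

    def demarshal(self, seq: int, wire: bytes) -> tuple[str, list[int]]:
        """Server skel: invert both tables for this sequence number. A word
        permutation hides layout, not values; it is not encryption or authentication."""
        mperm, pperm = self._tables(seq)
        offset, *words = struct.unpack(f">I{self.iface.nparams}I", wire)
        method = self.iface.methods[mperm.index(offset)]
        params = [0] * self.iface.nparams
        for k, w in enumerate(words):
            params[pperm[k]] = w
        return method, params


def mutation_space(iface: Interface) -> int:
    """Distinct layouts this toy scheme can pick: |methods|! * nparams!.
    Only the count for these two transformations, not the report's figure."""
    return math.factorial(len(iface.methods)) * math.factorial(iface.nparams)
```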

Page 21 (slide 23): Elusive Interfaces Latency

Elusive Interfaces is:
• within 3% of plain text
• 11 - 56x faster than Triple-DES

Explain performance anomaly

Figure: "Median RMI Time", milliseconds (0.1 to 1000, log scale) against # ints in array parameter (0 to 16384); series: Ninja RMI, Elusive Interfaces, 3DES (168 bit key).

Page 22 (slide 24): Elusive Interfaces Parameter Complexity

EI scales with complexity of interface: 0 to 64 int ratio is 1 : 1.47

RMI Latency is low

Figure: "RMI Time", milliseconds (0.1 to 1000, log scale) against # of parameters (0 to 64); series: Ninja RMI, Elusive Interfaces, 3DES (168 bit key).

Page 23 (slide 25): Multi-DCOM Transparent Multicast (Interception)

Figure (labels): Client; Proxy; Stub 1; Stub 2; MSRPC; Interceptor; Proxy 1; Proxy 2.

• Transparency
• Independent of MSRPC and COM
• Universal technique (also applies to network monitoring...)
• Interoperable with existing software
• Flexibility and Customizability

Page 24 (slide 26): Multi-DCOM Translucent Replication

• Prototype and Replication Control Tool complete
• Performance overhead minimal for interception, linear in number of replicas maintained
• Translucent replication interface enables
  » Execution of legacy COM/DCOM applications without change
  » Construction of replication aware applications
    – From source
    – As simple increments by using wrappers
• Demonstration on Microsoft Corporate Benefits Program
  » Binaries only, no source code changes to make this work
• => use for experiments in ITS based on lightweight replication
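The two Multi-DCOM slides above describe replication by interception: the legacy client keeps calling what it believes is a single proxy, while an interceptor fans each call out to several replicas at a cost linear in the replica count. As an added example (not Multi-DCOM itself), this Python model interposes on attribute lookup so unchanged client code is replicated transparently, and adds a vote over the replies so a replica that answers differently is flagged rather than trusted; the BenefitsService class and its numbers are constructed stand-ins.

```python
from collections import Counter
from typing import Any, Callable


class BenefitsService:
    """Constructed stand-in for a server-side object; `rate` lets a test
    build a replica that deliberately answers differently."""

    def __init__(self, rate: float) -> None:
        self.rate = rate

    def payout(self, salary: int) -> float:
        return round(salary * self.rate, 2)


class ReplicaDisagreement(Exception):
    """Raised when no strict majority of replicas agrees on a reply."""


class Interceptor:
    """Sits where the slide's Interceptor does, between the client's proxy and
    the replica stubs. The client holds this object and calls methods on it as
    if it were the one original server object."""

    def __init__(self, replicas: list[object]) -> None:
        self.replicas = replicas
        self.calls_forwarded = 0      # grows linearly with the replica count
        self.suspect: list[int] = []  # replicas that dissented on the last call

    def __getattr__(self, name: str) -> Callable[..., Any]:
        # Only reached for names not set in __init__, i.e. the server's methods.
        def multicast(*args: Any, **kwargs: Any) -> Any:
            replies = []
            for replica in self.replicas:
                replies.append(getattr(replica, name)(*args, **kwargs))
                self.calls_forwarded += 1
            keys = [repr(r) for r in replies]
            winner, votes = Counter(keys).most_common(1)[0]
            if votes <= len(replies) // 2:
                raise ReplicaDisagreement(f"{name}: no majority among {replies}")
            self.suspect = [i for i, k in enumerate(keys) if k != winner]
            return replies[keys.index(winner)]
        return multicast


def legacy_client(service: Any) -> float:
    """Unchanged application code: it neither knows nor cares that `service`
    is an interceptor in front of several replicas."""
    return service.payout(50_000)
```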

Page 25 (slide 27): Summary and Future Plans

• Progress on both Location and Interface Elusiveness
• Richer Elusive Interfaces System
  » Efficient algorithms to generate mutated interfaces
  » Dynamic selection of mutations; understand relation to encryption
  » High Speed Networks; IDS Driven Adaptation
• Experimentation with Replicated DCOM infrastructure
  » Agile Objects Migration System
    – Online Migration, Continuous Performance
  » Agile Objects Name Service
    – High performance, scalable, survivable location
• Exploitation of PASIS as a secure, robust back-end distributed storage service
  » Matches needs of these highly decentralized applications

Page 26 (slide 28): Technology Transfer

• Publication of Results, Talks, Demonstrations
  » Application Demonstrations: Use of commodity API’s enables use of significant applications
• Software releases
  » Code releases for Object Replication, Object Migration, Elusive Interfaces
• Research and Industrial community
  – Example Microsoft (Jim Gray, Mike Jones, Rod Gamache), Jane Liu as technology transfer targets
• Close Interaction with vendors of the COTS source bases
  » Microsoft (DCOM work)
  » Sun/Javasoft (Java work)
• Build on previous relationship and successful transfers