Applications that Participate in their Own Defense
APOD version 3.0 is now available
BBN Distributed Systems Project -- Technical Overview
This project is developing mechanisms a distributed software application can use to defend itself against malicious intruders. An intruder can gain access to and attack the computer systems on which the application runs, corrupting or disabling them, and thus causing the application to fail. Defenses built for this project allow the application to respond to such attacks, surviving their effects by adapting and reconfiguring.
Our approach is to use the QuO adaptive middleware as a basis for organizing the application's defense. QuO allows an application to use a variety of resource managers for sensing and responding to changes in environmental conditions. An application using QuO can sometimes sense malicious intrusion both by interacting with intrusion detection systems (IDSs) and by observing anomalies in its own behavior and in the environment. Responses taken by an intrusion-aware application will range from changing the application's own behavior to adjusting resource requirements. We claim that, by adapting to and trying to control its environment, an application can increase its chance of survival under attack.
Our approach to defense differs from, but complements, traditional security engineering. Traditionally, a system is protected by an uncircumventable Trusted Computing Base that enforces security for all applications. Most operating systems and networks in use today, however, offer only imperfect protection that can be circumvented by intruders. Because of increasing complexity, commercial priorities, heterogeneity, and distribution, this infrastructure is likely to remain vulnerable in the near future. On the other hand, we assume that defenses in that infrastructure -- limited access to privileged commands, IDSs, etc. -- serve to slow down attacks and offer warning of some of them. Our application-level and middleware defenses are intended to augment, not replace, these infrastructure defenses.
The defense strategies we are developing use some of the generic resource managers available with QuO:
- OODTE access control and cryptography-based security services to protect against direct corruption of the application;
- AQuA redundancy management to counter attacks that destroy application component processes;
- bandwidth management to counter network flooding attacks. We use a security-enhanced version of RSVP developed by the ARQoS research group for this purpose.
Our long-term plans include the use of other QuO resource management for real-time processing, and extension of the QuO specification languages to relate, when possible, an application's defensive goals to QoS requirements.
We have integrated other mechanisms with QuO specifically to support APOD:
- two off-the-shelf IDSs, Tripwire and Snort, to serve as complementary triggers for heightened alertness;
- Linux IPTables to filter network traffic;
- dynamic port-hopping to make some denial of service attacks more difficult;
- dynamically-enabled IPsec encryption to frustrate the intruder's reconnaissance;
- application-specific invariants to help diagnose the nature of an attack and configure the response.
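The sense-and-adapt loop sketched above (IDS and integrity-check events raise an alertness level; the level selects responses such as traffic filtering, encryption, port-hopping and replica restart; alertness decays after a quiet period) can be illustrated with a small controller. The following is an added example written for this page; it is not APOD or QuO code, and the Snort-style and Tripwire-style input lines, the host addresses, the file path and the response names are all constructed for the illustration. The `check_replica_agreement` function stands in for an application-specific invariant of the kind the last bullet describes: replicas of one component must return the same answer.

```python
"""Toy APOD-style adaptation loop: sensors raise alertness, alertness picks a response plan.
Hypothetical illustration only; not the APOD toolkit or the QuO API."""
import re
from collections import Counter
from dataclasses import dataclass, field

NORMAL, ELEVATED, HIGH = 0, 1, 2
LEVEL_NAMES = {NORMAL: "normal", ELEVATED: "elevated", HIGH: "high"}

# Constructed Snort-style "fast alert" line (sample format, not captured output):
# "03/14-10:22:01.123 [**] [1:2003:1] SCAN nmap TCP [**] 10.0.0.9:4444 -> 10.0.0.2:8080"
SNORT_RE = re.compile(
    r"\[\*\*\] \[[\d:]+\] (?P<msg>.+?) \[\*\*\] (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")
# Constructed Tripwire-style change report line: "Modified: <path> on <host>"
TRIPWIRE_RE = re.compile(r"Modified: (?P<path>\S+) on (?P<host>[\d.]+)")

# How far each sensor kind may raise a host's alertness on its own.
ESCALATION = {"ids_alert": ELEVATED, "integrity_change": HIGH, "invariant_violation": HIGH}


@dataclass
class Event:
    kind: str          # one of the keys of ESCALATION
    host: str          # the APOD host the event concerns
    source: str = ""   # remote address (network alert) or file path (integrity change)
    detail: str = ""


def parse_snort_alert(line):
    """Turn a Snort-style alert into an Event for the destination host, or None."""
    m = SNORT_RE.search(line)
    if not m:
        return None
    return Event("ids_alert", host=m.group("dst"), source=m.group("src"), detail=m.group("msg"))


def parse_tripwire_change(line):
    """Turn a Tripwire-style 'file modified' report into an Event, or None."""
    m = TRIPWIRE_RE.match(line)
    if not m:
        return None
    return Event("integrity_change", host=m.group("host"), source=m.group("path"))


def check_replica_agreement(responses):
    """Application-specific invariant: every replica must return the majority answer.
    responses maps host -> answer; returns one Event per disagreeing host."""
    majority, _ = Counter(responses.values()).most_common(1)[0]
    return [Event("invariant_violation", host=h, detail=f"{a!r} != majority {m!r}".replace("m!r", "")
                  if False else f"{a!r} disagrees with majority {majority!r}")
            for h, a in responses.items() if a != majority]


@dataclass
class DefenseController:
    service_port: int = 8080            # constructed port of the defended service
    quiet_period: int = 600             # seconds without events before de-escalating one level
    levels: dict = field(default_factory=dict)     # host -> alertness level
    blocked: dict = field(default_factory=dict)    # host -> set of sources to filter
    last_seen: dict = field(default_factory=dict)  # host -> time of last event

    def observe(self, event, now):
        """Raise the host's alertness (never lower it here) and record the event."""
        self.levels[event.host] = max(self.levels.get(event.host, NORMAL), ESCALATION[event.kind])
        self.last_seen[event.host] = now
        if event.kind == "ids_alert":
            self.blocked.setdefault(event.host, set()).add(event.source)
        return self.levels[event.host]

    def tick(self, now):
        """De-escalate one level per quiet period; drop filters once back to normal."""
        for host, seen in list(self.last_seen.items()):
            if now - seen >= self.quiet_period and self.levels[host] > NORMAL:
                self.levels[host] -= 1
                self.last_seen[host] = now
                if self.levels[host] == NORMAL:
                    self.blocked.pop(host, None)

    def plan(self, host):
        """Responses a real deployment would hand to its resource managers (names are constructed)."""
        level = self.levels.get(host, NORMAL)
        actions = [f"filter: drop traffic from {src} to {host}" for src in sorted(self.blocked.get(host, ()))]
        if level >= ELEVATED:
            actions.append(f"encrypt: enable IPsec for {host}")
        if level >= HIGH:
            actions.append(f"hop: move service on {host} off port {self.service_port}")
            actions.append(f"redundancy: restart replica on {host} from a clean host")
        return actions


if __name__ == "__main__":
    c = DefenseController()
    c.observe(parse_snort_alert(
        "03/14-10:22:01.123 [**] [1:2003:1] SCAN nmap TCP [**] 10.0.0.9:4444 -> 10.0.0.2:8080"), now=0)
    for e in check_replica_agreement({"10.0.0.2": 5, "10.0.0.3": 5, "10.0.0.4": 7}):
        c.observe(e, now=5)
    for h in sorted(c.levels):
        print(h, LEVEL_NAMES[c.levels[h]], c.plan(h))
```

The point of the structure is the separation the page argues for: sensors (IDS, integrity checker, application invariant) only raise alertness, the controller owns the escalation and decay policy, and the response plan is computed from the level rather than from any single alert, so one noisy sensor cannot by itself trigger the most disruptive responses.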
With this project, we aim to answer the following question: can defenses organized in middleware and at the application layer significantly improve the defenses available at lower system layers? On the one hand, application-layer defenses have advantages over defenses in lower layers in that both detection and response can be customized for each application and can take a bird's-eye view of attacks. On the other hand, a prepared attacker will be able to overcome the best application-layer defenses if the infrastructure defenses can be completely circumvented. It is not clear, a priori, whether attack or defense is likely to prevail.
We are using the services of a professional Red Team (Sandia) to answer this question experimentally. So far these experiments, carried out at BBN, show that the APOD defense makes an intruder with some insider privilege ("root" on a subset of the hosts) work significantly harder to corrupt an application. The experiments, however, have not shown whether this given level of privilege is typical or atypical for real-world intruders.
Software Release 2.0 of the APOD Toolkit has been available by request since September 2001. Software Release 3.0 will become available in the summer of 2002; it will be open-source. These releases include the defense mechanisms already described plus examples that use these mechanisms to defend simple applications.
Quad Charts
- As presented in the third annual report, July 2002 (PowerPoint)
- As presented in the second annual report, August 2001 (PowerPoint)
- As presented in the first annual report, July 2000 (PowerPoint)
Presentations
- Slides from ISORC 2003, April 2003 (PowerPoint, with sound) (PowerPoint, no sound)
- Slides from the Symposium on Network Computing and Applications, NCA-03, April 2003 (PowerPoint)
- Slides from the Workshop on Dependable Middleware-Based Systems, DSN June 2002 (PowerPoint)
- Slides from the Workshop on Intrusion-Tolerant Systems, DSN June 2002 (PowerPoint)
- Slides from the OPX PI Meeting in Honolulu, February 2002 (PowerPoint)
- Slides from the DARPA program review meeting at BBN, November, 2001 (PowerPoint)
- MILCOM 01 Presentation, Tysons Corner, Virginia, October, 2001 (PowerPoint)
- FTN PI Meeting Presentation, Colorado Springs, July-August, 2001 (PowerPoint)
- FTN PI Meeting Presentation, St. Petersburg, January, 2001 (PowerPoint)
- Slides from the Demo at the FTN PI meeting, St. Petersburg, January, 2001 (PowerPoint)
- IA&S Joint PI Meeting Presentation, Honolulu, July, 2000 (PowerPoint)
- Interim Technical Presentation, March 2000 (PowerPoint)
- FTN Kick Off Meeting Presentation at Rome Lab, October, 1999 (PowerPoint)
Papers
- Michael Atighetchi, Partha Pal, Chris Jones, Paul Rubel, Richard Schantz, Joseph Loyall, and John Zinky. Building Auto-Adaptive Distributed Applications: The QuO-APOD Experience. The 3rd International Workshop on Distributed Auto-adaptive and Reconfigurable Systems, in conjunction with the 23rd International Conference on Distributed Computing Systems, Providence, Rhode Island, USA. May 19-22, 2003.
- Partha Pal, Michael Atighetchi, Franklin Webber, Rick Schantz, and Chris Jones. Adaptive Use of Network-Centric Mechanisms in Cyber-Defense. The 6th IEEE International Symposium on Object-oriented Real-time Distributed Computing, Hakodate, Hokkaido, Japan. May 14-16, 2003.
- Partha Pal, Michael Atighetchi, Franklin Webber, Richard Schantz and Chris Jones. Reflections On Evaluating Survivability: The APOD Experiments. The 2nd IEEE International Symposium on Network Computing and Applications (NCA-03), Royal Sonesta Hotel, Cambridge, MA, USA, April 16-18, 2003.
- Pal P, Webber F, Schantz RE, Atighetchi M and Loyall JP. Defense-Enabling Using Advanced Middleware: An Example. In the Proceedings of MILCOM 2001, Tysons Corner, VA, October 2001.
- Webber F, Pal P, Schantz RE and Loyall JP. Defense-Enabled Applications. In the Proceedings of DISCEX II, Anaheim, CA, May 2001.
- Loyall JP, Pal PP, Schantz RE, Webber F. Building Adaptive and Agile Applications Using Intrusion Detection and Response. Proceedings of NDSS 2000, the Network and Distributed System Security Symposium, February 2-4, 2000, San Diego, CA.
- Pal PP, Loyall JP, Schantz RE, Zinky JA, Webber F. Open Implementation Toolkit for Building Survivable Applications. Proceedings of DISCEX 2000, the DARPA Information Survivability Conference and Exposition, January 25-27, 2000, Hilton Head Island, SC.
Experimentation Results
- FTN PI Meeting, July 25, 2002, Newport, RI
  - APOD-1 Experimentation Results [ppt | pdf]
  - APOD-2 Experimentation Results [ppt | pdf]
- APOD Red-team Exp. 1 Final Report (pdf)
- APOD Red-team Exp. 2 Final Report (pdf)
APOD People
BBN
Last modified July 11, 2002
This project is a DARPA/ATO-funded research effort under the Information Assurance and Survivability, Fault Tolerant Networks program