Title: Agile Objects: Component-based Inherent Survivability
1. Agile Objects: Component-based Inherent Survivability
- Andrew A. Chien, achien_at_cs.ucsd.edu, UC San Diego
- Riccardo Bettati, bettati_at_cs.tamu.edu, Texas A&M
- http://www-csag.ucsd.edu/projects/agileO.html
- AFRL F30602-9-1-0534
- OASIS PI Meeting, August 19, 2002
2. Outline
- Motivation and Goals
- Agile Objects Project
- Agile Objects Recent Progress
- Naming Services
- Application for DDoS Tolerance
3. Context
- Static Distributed Software Architectures (nearly)
  - Fixed points of access, deployment, resource dependence
- System/Firewall/Sandbox/Domain based Security
  - Resource and containment oriented
- Security Architecture based on Anticipated Deployment Structures
  - > Flexibility and reconfiguration to enhance survivability
- Our Focus: Flexible Configuration of Distributed C3I Systems (Real-time, High Performance, Mission-Critical Online systems)
  - E.g. Aegis Battle Cruiser, Theatre Command/Information system, etc.
  - High bandwidth networks, rich resource environment
4. Agile Objects
- Middleware for survivable component-based distributed applications
  - Large number of distributed components, extensive communication via RPC
  - Ex: large distributed Java or .NET application
- Survivability for distributed applications based on:
  - High performance RPC: configuration-independent performance
  - Agile configuration changes in response to resource loss or compromise
5. Elusive Applications, Rapid Reconfiguration
- Resource loss due to compromise, physical damage, or change in security status
- Rapid change of Location and Interface: Elusiveness
  - Reconfiguration to increase survivability in response to attacks
  - Preserving real-time performance
6. Technical Objectives
- Elusive Distributed Applications
- Location Elusiveness
  - Seamless boundary between Component and Distributed Object applications
  - Real-time framework allows performance-transparent distributed reconfiguration
  - Replication supports fault tolerance, rapid reconfiguration, multi-version assurance and survivability
- Interface Elusiveness
  - Integrates security mechanisms with traditional object interface marshalling to achieve high performance
  - An adaptive security mechanism (there are many)
- Adaptive security required with rapidly changing application configuration
  - > also rapidly changing surrounding resource and security environment
  - Transparent reconfiguration maintains performance and security properties
- Incorporate software components without major effort
- Respond to critical Assurance and Survivability events fast (<< seconds)
- Respond to noisy intrusion information without negative impact
7. Assumptions and Scope
- What threats/attacks is your project considering?
  - Any that lead to compromise of nodes, networks, services
  - esp. object/component interface based attacks
- What assumptions does your project make?
  - Applications are component-based
  - Only some resources are compromised: segregation possible
  - Some warning (could be noisy) > low-impact techniques to respond
- What policies can your project enforce?
  - Application configuration <-> level of compromise of resources
  - Reflect Infocon level or resource status fast
  - Many that drive reconfiguration; decouple reconfiguration from complex analysis and performance
8. Challenges
- Location Elusiveness: support rapid application mobility with
  - Performance insensitivity
  - Uniform resource access
  - Continuous real-time performance
  - > make this possible for distributed applications
- Interface Elusiveness: integrate data security with RPC
  - Support very high speed networks
  - Characterize EI interface configuration spaces and cost of data permutation approaches
  - High performance RPC on very high speed networks while protecting data
9. Previous Results
- Location Elusiveness
  - Low-latency RPC system (40 microseconds, as fast as local)
  - Multi-DCOM Prototype: transparent replication, high performance
  - Realtor: Real-time Allocation Framework
    - Analytic grounding
    - Implements rapid allocation while enforcing real-time guarantees
    - Proactive resource allocation
- Interface Elusiveness
  - Analysis of interface space for sample distributed applications
  - Simple systems: 10^6 to 10^16 configurations
  - Elusive Interfaces prototype and evaluation
- Tolerating a DDoS attack
  - Applying Agile Objects technology
  - Distributed Proxy Network
  - Back-end Agile Object Application
10. Recent Progress
- Complete implementation of Elusive Interfaces
- Complete implementation of Realtor RT Allocator
- Analytical performance requirements for Naming and Migration
- Modeling of Distributed Denial of Service attack and survivability
- Demonstration
11. AO Naming Performance Requirements
[Diagram: time budget of a Traditional System vs. Agile Objects, broken into Object Migration, Name Lookup, Application Work, Naming Update and RPC Overhead]
- High performance RPC and migration enable rapid application reconfiguration
- Major costs: state movement, naming updates
- How fast do the naming services have to be?
  - Support continuous execution
  - Support/enable an acceptable portion of time for real computation
- Range of analysis, synthetic benchmarks
  - Derive performance requirements, tradeoffs
  - Determine acceptable naming services performance (dramatically higher)
  - > later combine with application structure
12. How much work can a migrating application get done?
- Vary call frequency: calls/migration
- Vary name server performance
- Vary migration cost
- > both are critical to getting reasonable efficiencies
- Ex: 100 null calls/migration, lookup 10 microseconds, migration cost 100 microseconds: 25% efficiency
- > Need very fast name servers and significant work for AO to work well
13. How does migration cost affect efficiency?
- Fast migration directly enables distribution at a finer object granularity
14. How does naming lookup cost affect efficiency?
- Low lookup overhead is critical for achieving high efficiency
- High name lookup overhead prohibits flexible application distribution (and more components/application)
15. Naming Services Summary
- Low migration and RPC cost enable flexible deployment and application reconfiguration
- Use of migration for Location Elusiveness imposes stresses on the system
  - Naming lookup
  - Naming update
- > these services must be low-cost, scalable, with 10-100 microsecond overheads to support rapid reconfiguration
- > we are evaluating approaches to achieve these performance requirements
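The efficiency question posed on slides 12 through 15 can be made concrete with a small parametric model. The following is an added example, not the Agile Objects project's own analysis or benchmark: it assumes that between two migrations the application issues N RPCs each carrying U microseconds of useful work, that every call pays one name lookup of L microseconds because the callee may have moved, and that each migration costs M microseconds, giving efficiency N*U / (N*U + N*L + M). The slides do not state the per-call work behind their 25% figure, so the constants used here are constructed for illustration rather than a reproduction of that number.

```python
"""Efficiency model for a migrating, RPC-based application.

Added example, not the Agile Objects project's code. The model itself is an
assumption: per migration interval the application issues N calls carrying U
microseconds of useful work each; every call pays a name lookup of L
microseconds; each migration costs M microseconds. Efficiency is the share of
wall time spent on useful work:  eff = N*U / (N*U + N*L + M).
The per-call useful work U is not given on the slides, so all constants
below are constructed for illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class MigrationModel:
    calls_per_migration: int    # N: RPCs issued between two migrations
    useful_us_per_call: float   # U: real application work per call
    lookup_us: float            # L: name service lookup latency
    migration_us: float         # M: moving object state + naming update

    def useful_us(self) -> float:
        return self.calls_per_migration * self.useful_us_per_call

    def overhead_us(self) -> float:
        return self.calls_per_migration * self.lookup_us + self.migration_us

    def efficiency(self) -> float:
        useful = self.useful_us()
        return useful / (useful + self.overhead_us())


def max_lookup_us(target_eff: float, calls: int, useful_us_per_call: float,
                  migration_us: float) -> float:
    """Largest lookup latency L that still meets target_eff.

    Solves eff = N*U / (N*U + N*L + M) >= target for L. Returns 0.0 when the
    migration cost alone already blows the budget: no lookup is fast enough.
    """
    useful = calls * useful_us_per_call
    allowed_total = useful / target_eff
    budget_for_lookups = allowed_total - useful - migration_us
    return max(budget_for_lookups / calls, 0.0)


def sweep_lookup(lookup_values_us, calls=100, useful_us_per_call=40.0,
                 migration_us=100.0):
    """Efficiency for each lookup latency (slide 14's question)."""
    return {
        lookup: MigrationModel(calls, useful_us_per_call, lookup,
                               migration_us).efficiency()
        for lookup in lookup_values_us
    }


def sweep_granularity(calls_values, useful_us_per_call=40.0, lookup_us=10.0,
                      migration_us=100.0):
    """Efficiency as calls-per-migration varies: fewer calls per migration
    means finer-grained, more frequent migration (slide 13's question)."""
    return {
        n: MigrationModel(n, useful_us_per_call, lookup_us,
                          migration_us).efficiency()
        for n in calls_values
    }


if __name__ == "__main__":
    for lookup, eff in sweep_lookup([1, 10, 100, 1000]).items():
        print(f"lookup {lookup:>5} us -> efficiency {eff:6.1%}")
    for n, eff in sweep_granularity([10, 100, 1000]).items():
        print(f"{n:>5} calls/migration -> efficiency {eff:6.1%}")
    print("lookup budget for 90% efficiency:",
          f"{max_lookup_us(0.9, 100, 40.0, 100.0):.2f} us")
```

The `max_lookup_us` function turns the slide's question around: given a target efficiency and a migration cost, it returns the name-service latency budget, which is the kind of requirement slide 15 states as "10-100 microsecond overheads". Both sweeps are monotone in the expected direction: efficiency falls as lookup latency grows and as migration becomes more frequent.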
16. AO Tolerating DDoS Attack
[Diagram: a Location Elusive Application behind a layer of Proxies; Users connect only to the Proxies]
- Location Elusiveness uses reconfiguration to tolerate infrastructure-level attacks
- Proxies know application location
- Users do not know application location
17. Modeling DDoS Attack Tolerance
- Detailed approach (Location Elusiveness)
  - Applications live in the Proxy Network name space
  - Users (including attackers) live in the IP name space
  - Proxies secure the mapping between name spaces
  - Indirection prevents direct infrastructure-level attacks on applications
  - Dynamically reconfigure (proactively or reactively) proxy network, migrate applications
18. Multi-level Proxy Networks
[Diagram: Attackers and Clients in the IP Name Space; several levels of proxies forming the Proxy Name Space, with the App at the innermost level; "Distance to edge" measured in proxy levels]
- Location mapping from IP to Proxy Name Spaces (Location Elusiveness)
- Application can change its location due to security threat
- Location hiding in multiple levels
  - Distance to the edge corresponds to the chance of exposure (# of levels)
  - Distance can be changed dynamically (overhead vs. security)
- Reconfiguration to contain the impact of attack
  - Location mapping from IP to Proxy namespace is dynamic
- > Model analysis determines the key factors/issues
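The two-namespace indirection of slides 16 through 18 can be sketched as a small model. This is an added example, not the Agile Objects project's proxy implementation; it assumes that clients and attackers address the application only by a name in the proxy namespace, that each proxy level forwards one level inward, that only the innermost level holds the mapping to the application's current IP host, and, as one simple reading of "distance to the edge corresponds to the chance of exposure", that each level independently leaks its inward neighbour with probability p, so an application at depth d is exposed with probability p**d. All names, hosts and probabilities below are constructed.

```python
"""Two-namespace indirection model for a multi-level proxy network.

Added example, not the Agile Objects project's code. Assumptions (not on
the slides): proxy levels forward one hop inward; only the innermost level
maps a proxy-namespace app name to its current IP host; each level leaks
its inward neighbour independently with probability p, so exposure at
depth d is p**d. All names, addresses and probabilities are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


def _pick(level: List[str], app_name: str) -> str:
    # Deterministic choice of one proxy per level (stand-in for load balancing).
    return level[sum(map(ord, app_name)) % len(level)]


@dataclass
class ProxyNetwork:
    # levels[0] is the IP-reachable edge; levels[-1] is the innermost level.
    levels: List[List[str]]
    # Innermost-level mapping: proxy-namespace app name -> current IP host.
    app_hosts: Dict[str, str] = field(default_factory=dict)
    # Audit trail of migrations: (app_name, old_host, new_host).
    migrations: List[Tuple[str, str, str]] = field(default_factory=list)

    @property
    def depth(self) -> int:
        return len(self.levels)

    def client_view(self, app_name: str) -> str:
        """All an IP-space client ever learns: an edge proxy, never the host."""
        if app_name not in self.app_hosts:
            raise KeyError(app_name)
        return _pick(self.levels[0], app_name)

    def route(self, app_name: str) -> List[str]:
        """Path a request takes: one proxy per level, then the app host."""
        path = [_pick(level, app_name) for level in self.levels]
        path.append(self.app_hosts[app_name])
        return path

    def migrate(self, app_name: str, new_host: str) -> None:
        """Location Elusiveness: only the innermost mapping changes; the
        client-visible name and edge proxy stay the same."""
        old = self.app_hosts[app_name]
        self.app_hosts[app_name] = new_host
        self.migrations.append((app_name, old, new_host))

    def add_level(self, proxies: List[str]) -> None:
        """Increase distance to the edge: more hiding, one more hop of cost."""
        self.levels.append(proxies)


def exposure_probability(p_leak_per_level: float, depth: int) -> float:
    """Chance an edge attacker learns the app host through `depth` levels."""
    return p_leak_per_level ** depth


def levels_for_exposure(p_leak_per_level: float, max_exposure: float) -> int:
    """Smallest depth whose exposure is at most max_exposure."""
    if not 0.0 <= p_leak_per_level < 1.0 or max_exposure <= 0.0:
        raise ValueError("need 0 <= p < 1 and max_exposure > 0")
    depth = 1
    while exposure_probability(p_leak_per_level, depth) > max_exposure:
        depth += 1
    return depth


def demo() -> dict:
    """Migrate an app behind a two-level network; clients see no change."""
    app = "ao://c3i/track-db"                       # constructed app name
    net = ProxyNetwork(levels=[["edge-a", "edge-b"], ["mid-a", "mid-b"]],
                       app_hosts={app: "10.0.0.5"})  # constructed host
    view_before, route_before = net.client_view(app), net.route(app)
    net.migrate(app, "10.0.7.9")                    # constructed new host
    view_after, route_after = net.client_view(app), net.route(app)
    return {"view_before": view_before, "view_after": view_after,
            "host_before": route_before[-1], "host_after": route_after[-1],
            "depth": net.depth, "migrations": len(net.migrations)}


if __name__ == "__main__":
    print(demo())
    for d in (1, 2, 3):
        print(f"depth {d}: exposure {exposure_probability(0.2, d):.3f}")
    print("levels for <=1% exposure at p=0.5:", levels_for_exposure(0.5, 0.01))
```

The point the model makes is the one on slide 16: a migration changes the route's last hop but not what users see, so reconfiguration can proceed while clients keep using the same name. `levels_for_exposure` gives the "overhead vs. security" tradeoff from slide 18 a concrete shape: each added level buys a factor of p in exposure at the price of one more forwarding hop.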
19. Modeling and Analysis
- Formalize DoS attack and delivered application service
- Models for
  - System
    - Proxy network (topology, scale, reconfiguration)
    - Application (migration)
    - Sensor (accuracy, performance)
  - Simple attack model (scale, rate/prob. compromise, cost)
  - Cost model (cost of damage, reconfiguration)
- A cost-oriented analysis for DoS tolerance
  - Investment vs. attackers' capabilities, likely attacks
- Develop a system analysis, based on a set of models
  - Open to allow others to use different assumptions
20. Key Factors
[Diagram relating the following factors:]
- Proxy network complexity/overhead
- Application agility (cost of reconfig)
- Investment vs. expected tolerance
- Application performance
- Proxy network reconfiguration cost
- Damage to applications by attackers
- Attackers' capability/cost to compromise X
21. Summary
- Recent Progress
  - Location Elusiveness: high performance RPC and migration
  - Naming: analytical performance requirements, initial implementations
  - Interface Elusiveness: framework and empirical evaluation, full implementation
  - Real-time Resource Framework: proactive, fast, implemented
  - Exploration of capabilities: tolerating DDoS using AO, analytical modelling of attacker/defender tradeoffs
- Next Steps
  - Evaluation of multiple naming/migration implementations
  - Continue to explore Elusive Interfaces tradeoffs/capabilities
  - System experiments
  - Continue to explore AO capabilities to tolerate DDoS attacks
22. Agile Objects Demo: Location Elusiveness
[Diagram: Agile Object Clients accessing Agile Object Applications that migrate within the AO Resource Pool]
- Back-end Agile Objects application
  - Migrates in AO resource pool
  - Provides continuous service
- Front end: Agile Objects Client, accesses Agile File Server