Agile Objects: Componentbased Inherent Survivability

1
Agile Objects Component-based Inherent
Survivability

• Andrew A. Chien
• achien_at_cs.ucsd.edu, UC San Diego
• Riccardo Bettati
• bettati_at_cs.tamu.edu, Texas AM
• http//www-csag.ucsd.edu/projects/agileO.html
• AFRL F30602-9-1-0534
• OASIS PI Meeting, August 19, 2002

2
Outline

• Motivation and Goals
• Agile Objects Project
• Agile Objects Recent Progress
• Naming Services
• Application for DDoS Tolerance

3
Context

• Static Distributed Software Architectures
  (nearly)
• Fixed points of access, deployment, resource
  dependence
• System/Firewall/Sandbox/Domain based Security
• Resource and containment oriented
• Security Architecture based on Anticipated
  Deployment Structures
• gt Flexibility and reconfiguration to enhance
  survivability
• Our Focus Flexible Configuration of Distributed
  C3I Systems (Real-time, High Performance,
  Mission-Critical Online systems)
• E.g. Aegis Battle Cruiser, Theatre
  Command/Information system, etc.
• High bandwidth networks, rich resource environment

4
Agile Objects

• Middleware for survivable component based
  distributed applications
• Large number of distributed components, extensive
  communication via RPC
• Ex large distributed Java or .NET application
• Survivability to distributed applications based
  on
• High performance RPC Configuration independent
  performance
• Agile configuration changes in response to
  resource loss or compromise

5
Elusive Applications, Rapid Reconfiguration

• Resource loss due to compromise, physical damage,
  or change in security status
• Rapid Change of Location and Interface,
  Elusiveness
• reconfiguration to increase survivability in
  response to attacks
• preserving real-time performance

6
Technical Objectives

• Elusive Distributed Applications
• Location Elusiveness
• Seamless boundary between Component and
  Distributed Object applications
• Real-time framework allows performance
  transparent distributed reconfiguration
• Replication supports fault tolerance, rapid
  reconfiguration, multi-version assurance and
  survivability
• Interface Elusiveness
• Integrates security mechanisms with traditional
  object interface marshalling to achieve high
  performance
• An adaptive security mechanism (there are many)
• Adaptive security required with rapidly changing
  application configuration
• gt also rapidly changing surrounding resource and
  security environment
• Transparent reconfiguration maintains performance
  and security properties
• Incorporate software components without major
  effort
• Respond to critical Assurance and Survivability
  events fast (ltlt seconds)
• Respond to noisy intrusion information without
  negative impact

7
Assumptions and Scope

• What threats/attacks is your project considering?
• Any that lead to compromise of nodes, networks,
  services
• esp. object/component interface based attacks
• What assumptions does your project make?
• Applications are component-based
• Only some resources are compromised segregation
  possible
• Some warning (could be noisy) gt Low impact
  techniques to respond
• What policies can your project enforce?
• Application configuration lt-gt Level of compromise
  of resources
• Reflect Infocon level or resource status fast
• Many that drive reconfiguration, decouple
  reconfiguration from complex analysis and
  performance

8
Challenges

• Location Elusiveness Support rapid application
  mobility with
• Performance insensitivity
• Uniform resource access
• Continuous real-time performance
• gt make this possible for distributed
  applications
• Interface Elusiveness Integrate data security
  with RPC
• Support very high speed networks
• Characterize EI interface configuration spaces
  and cost of data permutation approaches
• High performance RPC on very high speed networks
  while protecting data

9
Previous Results

• Location Elusiveness
• Low-latency RPC system (40 microseconds as fast
  as local)
• Multi-DCOM PrototypeTransparent replication
  high performance
• Realtor Real-time Allocation Framework
• Analytic Grounding
• Implements rapid allocation while enforcing
  Real-time guarantees
• Proactive resource allocation
• Interface Elusiveness
• Analysis of interface space for sample
  distributed applications
• Simple systems, 106 1016 configurations
• Elusive Interfaces prototype and evaluation
• Tolerating a DDOS attack
• Applying Agile Objects technology
• Distributed Proxy Network
• Back-end Agile Object Application

10
Recent Progress

• Completion implementation of Elusive Interfaces
• Complete implementation of Realtor RT Allocator
• Analytical Performance Requirements for Naming
  and Migration
• Modeling of Distributed Denial of Service Attack
  and Survivability
• Demonstration

11
AO Naming Performance Requirements
Traditional System
Object Migration
Name Lookup
Application Work
Naming Update
RPC Overhead
Agile Objects
?
?

• High Performance RPC and Migration enable rapid
  application reconfiguration
• Major costs state movement, naming updates
• How fast do the naming services have to be?
• Support continuous execution
• Support enable acceptable portion of time for
  real computation
• Range of analysis, synthetic benchmarks
• Derive performance requirements, tradeoffs
• Determine acceptable naming services performance
  (dramatically higher)
• gt later combine with application structure

12
How much work can a migrating application get
done?

• Vary Call Frequency
• calls/migration
• Vary name server performance
• Vary Migration cost
• gt both are critical to getting reasonable
  efficiencies
• Ex 100 null calls/migration Lookup 10 mics,
  migration cost 100 mics
• 25 efficiency
• gt Need very fast name servers and significant
  work for AO to work well

13
How does migration cost affect efficiency?

• Fast migration directly enables distribution at a
  finer object granularity

14
How does naming lookup cost affect efficiency?

• Low lookup overhead is critical for achieving
  high efficiency
• High name lookup overhead prohibits flexible
  application distribution (and more
  components/application)

15
Naming Services Summary

• Low migration and RPC cost enable flexible
  deployment and application reconfiguration
• Use of migration for Location Elusiveness imposes
  stresses on the system
• Naming lookup
• Naming update
• gt these services must be low-cost, scalable with
  10-100 microsecond overheads to support rapid
  reconfiguration
• gt we are evaluating approaches to achieve these
  performance requirements

16
AO Tolerating DDoS Attack
Location Elusive Application
Proxy
Proxy
User
User
User
User
Proxy
Proxy
User
User
User
User
User

• Location Elusiveness uses reconfiguration to
  tolerate infrastructure-level attacks
• Proxies know application location
• Users do not know application location

17
Modeling DDoS Attack Tolerance

• Detailed Approach (Location Elusiveness)
• Applications live in Proxy Network name space
• Users (including attackers) live in the IP name
  space
• Proxies secure the mapping between name spaces
• Indirection prevents direct infrastructure level
  attacks on applications
• Dynamically reconfigure (proactively or
  reactively) proxy network, migrate applications

18
Multi-level Proxy Networks
IP Name Space
Attackers
Distance to edge
Clients
proxy
proxy
App
proxy
proxy
Proxy Name Space
proxy
proxy
proxy
proxy

• Location mapping from IP to Proxy Name Spaces
  (Location Elusiveness)
• Application can change its location due to
  security threat
• Location hiding in multiple levels
• Distance to the edge corresponds to the chance of
  exposure ( of levels)
• Distance can be changed dynamically (overhead vs.
  security)
• Reconfiguration to contain the impact of attack
• Dynamic location mapping from IP to Proxy
  namespace is dynamic
• gt Model Analysis determines the key
  factors/issues

19
Modeling and Analysis

• Formalize DoS attack and delivered Application
  service
• Models for
• System
• Proxy network (topology, scale, reconfiguration)
• Application (migration)
• Sensor (accuracy, performance)
• Simple Attack model (scale, rate/prob.
  compromise, cost)
• Cost model (cost of damage, reconfiguration)
• A cost-oriented analysis for DoS tolerance
• Investment vs. attackers capabilities, likely
  attacks
• Develop a system analysis, based on a set of
  models
• Open to allow others to use different assumptions

20
Key Factors
Proxy network Complexity/Overhead
Application Agility (cost of reconfig)
Investment Expected tolerance
Application Performance
Proxy network reconfiguration cost
Damage to Applications by attackers
Attackers Capability/cost to compromise X
21
Summary

• Recent Progress
• Location Elusiveness High Performance RPC and
  Migration
• Naming Analytical performance requirements,
  initial implementations
• Interface Elusiveness framework and empirical
  evaluation, full implementation
• Real-time Resource Framework proactive, fast,
  implemented
• Exploration of capabilities Tolerating DDoS
  using AO, analytical modelling of
  attacker/defender tradeoffs
• Next Steps
• Evaluation of multiple Naming/migration
  implementations
• Continue to explore Elusive Interfaces
  tradeoffs/capabilities
• System Experiments
• Continue to explore AO capabilities to tolerate
  DDOS attacks

22
Agile Objects Demo Location Elusiveness
Agile Object Clients
Agile Object Applications Migrating

• Back-end Agile Objects application
• Migrates in AO resource pool
• Provides continuous service
• Front End Agile Objects Client, accesses Agile
  File Server

AO Resource Pool
23
(No Transcript)