Jean-Charles Fabre

Intrusion tolerance in distributed computing systems

An intrusion-tolerant distributed system is a system which is designed so that any intrusion into a part of the system will not endanger confidentiality, integrity and availability. This approach is suitable for distributed systems, because distribution enables isolation of elements so that an intrusion gives physical access to only a part of the system. In particular, the intrusion-tolerant authentication and authorization servers enable a consistent security policy to be implemented on a set of heterogeneous, untrusted sites, administered by untrusted (but nonconspiring) people. The authors describe how some functions of distributed systems can be designed to tolerate intrusions. A prototype of the persistent file server presented has been successfully developed and implemented as part of the Delta-4 project of the European ESPRIT program.<<ETX>>

Designing Secure and Reliable Applications using Fragmentation-Redundancy-Scattering: An Object-Oriented Approach

Security and reliability issues in distributed systems have been investigated for several years at LAAS using a technique called Fragmentation-Redundancy-Scattering (FRS). The aim of FRS is to tolerate both accidental and intentional faults: the core idea consists in fragmenting confidential information in order to produce insignificant fragments and then in scattering the fragments so obtained in a redundant fashion across a distributed system, such as a large network of workstations and servers. Of these workstations, in principle just the user’s own workstation needs to be regarded as trusted, whereas from this user’s viewpoint the other workstations and servers, which in all probability are under someone else’s control, can be untrusted devices.

SATURNE: a distributed computing system which tolerates faults and intrusions

SATURNE, a research project aimed at increasing distributed system reliability by means of fault-tolerance and security by means intrusion tolerance, is discussed. The saturation and fragmentation-and-scattering techniques proposed by the SATURNE project show that it is possible to exploit more distribution than has been done up to now, in order to increase computing system dependability, and more precisely reliability with respect to accidental, physical faults, and security with respect to intrusions, i.e. deliberate, human-made, interaction faults.<<ETX>>

Saturation: reduced idleness for improved fault-tolerance

The authors present a technique for maximizing the redundancy level of tasks and tolerating hardware faults by majority voting in the context of a network of workstations. The idea is to compute dynamically the number of copies allocated to each task, according to the number of sites and the tasks criticality parameters. This technique leads to maximum utilization of the available resources in the distributed system, i.e. it reduces the idleness of resources and increases the redundancy of tasks. A reduction in fault dormancy and error latency is thus provided. This technique, called the saturation technique, is compared with similar approaches. A detailed description and the results obtained by simulation showing the advantages and the cost of implementing the saturation technique are given. The authors underline the structure of a convenient distributed operating system, including the execution model and task designation, to support the execution of multiple copies of tasks. The fault assumptions are discussed, and the different phases of a distributed scheduler are detailed.<<ETX>>

Friends - A Flexible Architecture for Implementing Fault Tolerant and Secure Distributed Applications

FRIENDS is a software-based architecture for implementing fault-tolerant and, to some extent, secure applications. This architecture is composed of sub-systems and libraries of metaobjects. Transparency and separation of concerns is provided not only to the application programmer but also to the programmers implementing metaobjects for fault tolerance, secure communication and distribution. Common services required for implementing metaobjects are provided by the sub-systems. Metaobjects are implemented using object-oriented techniques and can be reused and customised according to the application needs, the operational environment and its related fault assumptions. Flexibility is increased by a recursive use of metaobjects. Examples and experiments are also described.

Processing of confidential information in distributed systems by fragmentation1This work has been partially supported by the ESPRIT Basic Research Action no.6362, PDCS2 (Predictably Dependable Computing Systems). 1

This paper discusses how object orientation in application design enables confidentiality aspects to be handled more easily than in conventional approaches. The approach is based on the Fragmentation-Redundancy-Scattering technique developed at LAAS-CNRS for several years. This technique and previous developments are briefly summarized. The idea developed in this paper is based on object fragmentation at design time for reducing data processing in confidential objects; the more non confidential objects can be produced at design-time, the more application objects can be processed on untrusted shared computers. Still confidential objects must be processed on non shared trusted workstations. Rules and limits of object fragmentation are discussed together with some criteria evaluating tradeoffs between fragmentation and performance. Finally, a distributed object-oriented support especially fitted for fragmented applications is briefly described.

An Object-Oriented View of Fragmented Data Processing for Fault and Intrusion Tolerance in Distributed Systems

This paper describes a technique, called Object-Oriented Fragmented Data Processing, for jointly improving the reliability and security with which distributed computing systems process sensitive information. The technique protects the information contained in, and the processing performed by, a given object by first fragmenting the object into the subsidiary objects of which it is composed. It then relies on the (i) the correct execution of a majority of a set of copies of these subsidiary objects, and (ii) the reliable storage of a majority of a set of copies of each of these subsidiary objects, having distributed the subsidiary objects widely across a number of computers in a distributed computing system. The intent is to impede intruders and to tolerate faults, and involves ensuring that an isolated subsidiary object is not significant, due to the lack of information it would provide to a potential intruder. This technique can be applied to application objects and/or to the objects used in the implementation of the basic object-oriented system. The paper illustrates the technique using a detailed example, of an “electronic diary”, that has been designed using Eiffel, and experimented with using the DELTA-4 Support Environment.

Fault and intrusion tolerance in object-oriented systems

Provides a brief overview of a unified technique, called fragmented data processing (FDP), for jointly improving the reliability and security with which distributed computing systems process sensitive information. This technique has already been used to implement various system services in the DELTA-4 distributed system. The paper discusses how FDP can take advantage of an object-oriented design and how it can be applied in object-oriented systems in order to provide fault and intrusion tolerance to ordinary application programs as well as system services.<<ETX>>

Design and implementation of the Friends system

The paper describes a metaobject architecture for distributed fault tolerant systems. Basically metaobject protocols enables functional objects to be independent from meta-functional properties implemented by metaobjects. Metaobjects can thus be specialised for fault tolerance, security, distribution and used on a case-by-case basic within application. The runtime support for metaobjects must include basic common services required in distributed fault tolerant computing (i.e. atomic multicast protocols and group management facilities, detection mechanisms). Off-the-shelf microkernels correspond to the very basic layer of the system. Architectural issues, application issues, development issues, experimental and performance issues are presented. Some implementation details and properties (ease of use, reusability, configurability, etc., namely flexibility) of our system are also discussed. Two prototypes have been developed today, the last one being based on the Chorus microkemel.

Fragmentation of confidential objects for data processing security in distributed systems

This paper discusses how object orientation in application design enables confidentiality aspects to be handled more easily than in conventional approaches. The idea, based on object fragmentation at design time, is to reduce processing in confidential objects; the more non confidential objects can be produced at design-time, the more application objects can be processed on untrusted shared computers. Still confidential objects must be processed on non shared trusted workstations. Rules and limits of object fragmentation are discussed together with some criteria evaluating trade-offs between fragmentation and performance.