Joshua Levy

An Architecture for an Adaptive Intrusion-Tolerant Server

We describe a general architecture for intrusion-tolerant enterprise systems and the implementation of an intrusion-tolerant Web server as a specific instance. The architecture comprises functionally redundant COTS servers running on diverse operating systems and platforms, hardened intrusion-tolerance proxies that mediate client requests and verify the behavior of servers and other proxies, and monitoring and alert management components based on the EMERALD intrusion-detection framework. Integrity and availability are maintained by dynamically adapting the system configuration in response to intrusions or other faults. The dynamic configuration specifies the servers assigned to each client request, the agreement protocol used to validate server replies, and the resources spent on monitoring and detection. Alerts trigger increasingly strict regimes to ensure continued service, with graceful degradation of performance, even if some servers or proxies are compromised or faulty. The system returns to less stringent regimes as threats diminish. Servers and proxies can be isolated, repaired, and reinserted without interrupting service.

Self-regenerative software components

Self-regenerative capabilities are a new trend in survivable system design. Self-regeneration ensures the property that a systems vulnerabilities cannot be exploited to the extent that the mission objective is compromised, but instead that the vulnerabilities are eventually removed, and system functionality is restored. To establish the usefulness of self-regenerative capabilities in the design of survivable systems, it is important to ensure that a system satisfying the self-regenerative requirement is survivable, and software engineering practices and tool support are available for building self-regenerative systems. This paper emphasizes the need for formal definition of the concept of self-regenerative systems in general and self-regenerative software components in particular. We propose a simple formal definition of a self-regenerative software component and we propose to adapt well-established formal software validation techniques to build tool support to implement self-regenerative capabilities at the component level.

Combining Monitors for Runtime System Verification

Abstract Runtime verification permits checking system properties that cannot be fully verified off-line. This is particularly true when the system includes complex third-party components, such as general-purpose operating systems and software libraries, and when the properties of interest include security and performance. The challenge is to find reliable ways to monitor these properties in realistic systems. In particular, it is important to have assurance that violations will be reported when they actually occur. For instance, a monitor may not detect a security violation if the violation results from a series of system events that are not in its model. We describe how combining runtime monitors for diverse features such as memory management, security-related events, performance data, and higher-level temporal properties can result in more effective runtime verification. After discussing some basic notions for combining and relating monitors, we illustrate their application in an intrusion-tolerant Web server architecture under development at SRI.

Dependable Intrusion Tolerance: technology demo

The Dependable Intrusion Tolerance (DIT) architecture is a flexible, adaptive, and intrusion-tolerant server design. We briefly discuss its prototype implementation and validation, and demonstrate how it resists sample attacks.