DIVERSE: Diversity for Intrusion-Tolerant Systems

From Navigators

Revision as of 09:37, 26 July 2014 by Casim (Talk | contribs)



Intrusion tolerance is a security and dependability paradigm that has been gaining momentum over the past decade. It lets system designers address both accidental faults and attacks in a seamless manner, which can complement the reach of classical security approaches. Intrusion tolerance assumes that, in part due to their complexity, systems remain to some extent faulty and/or vulnerable; attacks on components can happen and some will be successful; but automatic mechanisms can ensure that the overall system nevertheless remains correct and operational.

In distributed systems, the usual way to deploy intrusion tolerance services is through a middleware layer that manages n server replicas. Replicas perform the operations requested by the users, and rely on distributed protocols of the middleware to carry out coordination and cooperation actions. Given the malicious intelligence behind the expected threats, the protocols have to resist a wide range of attacks, originating from the network, bad clients and corrupted replicas. The necessary number of replicas varies with system configuration, the baseline being that if one expects a number f of faults or intrusions, then the service should run a minimum of n = 3f+1 replicas.

Intrusion tolerant systems, therefore, can only remain correct if they are able to keep, at every instant, the number of corrupted replicas smaller than the f threshold. This is a difficult task because adversaries are always discovering new forms of attack, and it can be exacerbated by common-mode vulnerabilities. These vulnerabilities occur in all (or in a large subset of) replicas and, once found, allow a speedy compromise of the system with minimal effort. Additionally, adversaries learn from past intrusions, which means that even if replicas are recovered, they will be rapidly corrupted unless they are restarted with diverse software (that does not contain the same vulnerabilities).

In this project, we want to investigate ways to obtain and integrate diverse software replica versions in intrusion tolerant systems. In the past, this subject has been mainly overlooked because research in distributed protocols has considered it an orthogonal issue. However, once the actual deployment of systems is considered, it becomes a fundamental problem that is actually quite hard to solve. Firstly, in almost all cases it is infeasible to build several software versions due to cost, and even if it were possible, it is not clear that the outcome would be acceptable (e.g., programmers tend to make similar mistakes). Therefore, one would always need to devise evaluation methods to confirm the vulnerability independence of replicas. Secondly, diversity increases the difficulty of ensuring replica execution determinism, a common assumption in intrusion tolerant systems. In these systems, malicious replica behavior is usually tolerated by running the same operation in all replicas and then selecting the result that has more than f votes. This quorum might not be attainable because small changes in replicas’ executions can have an impact on the output result. Therefore, mechanisms will have to be devised to address this issue.
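
The voting problem described above, as an added example that is not code from the project: a voter accepts a result only when more than f replicas agree, and three correct but diverse replicas fail to reach that quorum until their replies are normalized. The reply format, the replica names and the `canonical_json` normalizer are assumptions made for illustration.

```python
from collections import Counter
import json

def required_replicas(f):
    """Baseline from the text: tolerate f faults/intrusions with n = 3f+1."""
    return 3 * f + 1

def vote(replies, f, canonicalize=None):
    """Return the result backed by more than f replicas, or None if no quorum.

    replies: mapping replica id -> raw reply bytes.
    canonicalize: optional function mapping a raw reply to a comparable form.
    """
    canon = canonicalize or (lambda raw: raw)
    tally = Counter()
    for raw in replies.values():
        try:
            tally[canon(raw)] += 1
        except ValueError:
            continue  # unparsable reply: it supports no result
    if not tally:
        return None
    result, votes = tally.most_common(1)[0]
    return result if votes > f else None

def canonical_json(raw):
    """Hypothetical normalizer: parse JSON and re-serialize deterministically."""
    return json.dumps(json.loads(raw), sort_keys=True, separators=(",", ":"))

# Constructed replies for f = 1 (n = 4): three correct replicas built from
# diverse software serialize the same answer differently; r3 is corrupted.
F = 1
REPLIES = {
    "r0": b'{"balance": 100, "owner": "alice"}',
    "r1": b'{"owner":"alice","balance":100}',
    "r2": b'{ "balance" : 100, "owner" : "alice" }',
    "r3": b'{"balance": 999999, "owner": "mallory"}',
}

def demo():
    raw_outcome = vote(REPLIES, F)                    # byte-for-byte comparison
    canon_outcome = vote(REPLIES, F, canonical_json)  # compare after normalizing
    return raw_outcome, canon_outcome
```

Normalizing the serialization only removes representational differences; replies that differ in content (timestamps, ordering of results, floating-point rounding) need agreement on those values before voting.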

Contributions are expected in the following important areas:

  • The project will investigate new techniques for the inclusion of diversity in intrusion tolerant services, in order to reduce the probability of common-mode vulnerabilities occurring across multiple replicas. The project will consider two fundamental approaches to achieve this objective: it will take advantage of the inherent diversity provided by software products that implement the same functionality, and it will develop ways to automatically introduce diversity in the applications, for example, by exploring disparate configurations, input data modifications, and control flow randomization.
  • The project will implement the techniques and integrate them in a middleware that supports the execution of intrusion tolerant services. This implementation poses a few research challenges because diversity undermines replica determinism, a primary assumption of the state machine replication paradigm. Non-determinism can be a problem even for a single program that runs multiple times (e.g., due to scheduling differences of the operations); therefore, it becomes much more complex to tackle when diversity is employed.
  • The project will evaluate the merits of each technique in preventing attacks or increasing their difficulty. For software products that have been on the market for a while, one would like to develop metrics to measure vulnerability independence, for example, based on evidence collected from the analysis of bug reports. For cases where this data is unavailable, one would like to employ experimental techniques that look for common vulnerabilities (e.g., static analysis or attack injection).
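
One way to turn bug-report evidence into a vulnerability-independence measure, as an added example that is not the project's own metric: count the vulnerabilities shared by each pair of products, then choose the n = 3f+1 products for which no single reported vulnerability reaches more than f replicas. The vulnerability ids, product names and report data are constructed placeholders.

```python
from itertools import combinations

# Constructed bug-report data: vulnerability id -> products it affects.
# Ids and product names are placeholders, not real advisories.
REPORTS = {
    "VULN-1": {"os_a", "os_b"},
    "VULN-2": {"os_a", "os_b", "os_c"},
    "VULN-3": {"os_d"},
    "VULN-4": {"os_e"},
    "VULN-5": {"os_a", "os_f"},
    "VULN-6": {"os_c"},
}
PRODUCTS = sorted(set().union(*REPORTS.values()))

def shared_counts(reports):
    """Number of vulnerabilities reported against both members of each pair."""
    counts = {}
    for affected in reports.values():
        for pair in combinations(sorted(affected), 2):
            counts[pair] = counts.get(pair, 0) + 1
    return counts

def blast_radius(group, reports):
    """Largest number of replicas in `group` hit by one single vulnerability."""
    return max(len(affected & set(group)) for affected in reports.values())

def pick_replicas(products, reports, f):
    """Choose n = 3f+1 products, minimizing blast radius, then shared pairs."""
    n = 3 * f + 1
    counts = shared_counts(reports)

    def score(group):
        shared = sum(counts.get(p, 0) for p in combinations(group, 2))
        return (blast_radius(group, reports), shared, group)

    return min(combinations(sorted(products), n), key=score)

def tolerates_single_vulnerability(group, reports, f):
    """True if no single reported vulnerability corrupts more than f replicas."""
    return blast_radius(group, reports) <= f
```

The measure only reflects vulnerabilities that have been reported, so a set that passes this check is independent with respect to known bugs, not proven free of common-mode ones.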


  • Miguel Garcia, Alysson Bessani, Ilir Gashi, Nuno Ferreira Neves, Rafael R. Obelheiro, “OS Diversity for Intrusion Tolerance: Myth or Reality?”, in Proceedings of the International Conference on Dependable Systems and Networks - DSN'11, Hong Kong, China, June 2011.

