An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh. (ISCA 2006) Lecture: Juan Carlos Martinez Santos

Outline Introduction Remote Attack Insulation and Service Revivability INDRA Architecture Evaluation Related Work Conclusion Personal Comments

Introduction Taxonomy of Network Service Loss

Introduction INDRA – Integrated framework for Dependable and Revivable Architectures  Self-healing network  New programming model  Exploits the characteristics of a multicore processor

Introduction Main advantages:  Consolidated security and revivability.  High efficiency monitoring, backup, and recovery.

Outline Introduction Remote Attack Insulation and Service Revivability INDRA Architecture Evaluation Related Work Conclusion Personal Comments

Remote Attack Insulation and Service Revivability Features in INDRA:  The ability to implement a component which is insulated from remote exploits.  The ability to detect erroneous and corrupted states during software execution.  The ability to automatically recover compromised services with minimal performance impact.

Remote Attack Insulation and Service Revivability Thread and Fault Model  Buffer overflow  Privilege escalation  Corruption of the application’s memory space  Denied of Service - DoS

Remote Attack Insulation and Service Revivability Intrusion Revivable and Instant Recoverable Multi-core System  INDRA tries to repair damages caused by malicious request in real time.  INDRA tries to process every received service request.

Remote Attack Insulation and Service Revivability

Why Multi-core Processors?  Multi-level Insulation  Fine-grained Internal State Logging  Tight Processor Core Coupling and Control  Reconfigurability

Outline Introduction Remote Attack Insulation and Service Revivability INDRA Architecture Evaluation Related Work Conclusion Personal Comments

INDRA Architecture

Asymmetric Multi-core and Insulation  Remote exploit insulation Dual or multiple-systems Memory space isolation Network isolation  Boot sequence

INDRA Architecture Monitoring and Introspection

INDRA Architecture Monitoring and Introspection  Function Call/Return  Code Origin Inspection  Control Transfer Inspection  False Positive vs. False Negative  Synchronization

INDRA Architecture State Backup and Recovery  Memory State Backup and Recovery  Hybrid Recovery Scheme  System Resource Recovery  Connection State Recovery

INDRA Architecture State Backup and Recovery

INDRA Architecture

Processing of Memory Write

INDRA Architecture Processing of Memory Read

INDRA Architecture Processing of Service Request

INDRA Architecture

Hybrid Recovery Scheme

INDRA Architecture Limitation  INDRA does not promise to handle all conceivable attacks and recover from all possible corrupted machine states.  INDRA’s architectural design does not attempt any file system recovery assuming that all disk writes are issued by verified program execution and properly checked.  INDRA is also not a replacement for the conventional means of patching software vulnerabilities.  Last, INDRA does not handle attacks that jam a network channel, e.g. router flooding.

Outline Introduction Remote Attack Insulation and Service Revivability INDRA Architecture Evaluation Related Work Conclusion Personal Comments

Evaluation Security Evaluation Performance  Monitor  State Backup and Recovery

Evaluation Processor model parameters

Evaluation Impact of Shared Queue SizeMonitoring Overhead

Evaluation Slowdown by backup and rollback Slowdown using traditional memory virtual checkpoint

Outline Introduction Remote Attack Insulation and Service Revivability INDRA Architecture Evaluation Related Work Conclusion Personal Comments

Related Work Exploit Detection Recovery  Traditional Recovery  Reactive Immune System and DIRA  Reliability and Security Engine  Memory State Recovery

Outline Introduction Remote Attack Insulation and Service Revivability INDRA Architecture Evaluation Related Work Conclusion Personal Comments

Conclusion INDRA creates a remote attack immune hardware sandbox based on asymmetric configuration among different cores to create a solid insulation against malicious exploits. INDRA proposes a novel delta backup scheme for resurrectees to enable high speed recovery when an attack or a fault is detected by their resurrector. INDRA provides better dependability and availability for high performance production servers hosting high volume networked services. INDRA facilitates a fast backup and recovery mechanism that shows a substantial improvement against the conventional checkpointing schemes.

Outline Introduction Remote Attack Insulation and Service Revivability INDRA Architecture Evaluation Related Work Conclusion Personal Comments

Ever the focus of this paper is in the recovery of network services caused by malicious remote exploit attacks, some aspects are important, for example, synchronization and hardware insulation. Buffer overflow (vulnerable)  No prevention  Detection  Avoid Denied of Service This approach presents performance degradation due to synchronization process. A solution could be sampling the process of checking, for example, only in IL1 missing.

Questions? Thank you.