1 Engineering a Distributed Intrusion Tolerant Database System Using COTS Components Peng Liu University of Maryland Baltimore County Feb 2001.

Slides:



Advertisements
Similar presentations
Steve Lewis J.D. Edwards & Company
Advertisements

Configuration Management
Performance Testing - Kanwalpreet Singh.
Trust Management of Services in Cloud Environments:
Operating System Security
Protecting Software Code By Guards - by Hoi Chang and Mikhail J. Atallah “Many software-based mechanisms for protecting program code are too weak[…] or.
Resource Management §A resource can be a logical, such as a shared file, or physical, such as a CPU (a node of the distributed system). One of the functions.
CS 443 Advanced OS Fabián E. Bustamante, Spring 2005 Resource Containers: A new Facility for Resource Management in Server Systems G. Banga, P. Druschel,
Chapter 19: Network Management Business Data Communications, 5e.
DARPA OASIS PI Meeting – Santa Fe – July 24-27, 2001Slide 1 Aegis Research Corporation Not for Public Release Survivability Validation Framework for Intrusion.
DARPA ITS PI Meeting – Honolulu – July 17-21, 2000Slide 1 Aegis Research Corporation Intrusion Tolerance Using Masking, Redundancy and Dispersion DARPA.
Randomized Failover Intrusion Tolerant Systems (RFITS) Ranga Ramanujan Noel Schmidt Architecture Technology Corporation Odyssey Research Associates DARPA.
1 A Game Theoretic Approach for Active Defense Peng Liu Lab. for Info. and Sys. Security University of Maryland, Baltimore County Baltimore, MD OASIS,
Oracle Data Guard Ensuring Disaster Recovery for Enterprise Data
1 Independent Verification and Validation Current Status, Challenges, and Research Opportunities Dan McCaugherty IV&V Program Manager Titan Systems Corporation.
Chapter 19: Network Management Business Data Communications, 4e.
Intrusion Detection and Containment in Database Systems Abhijit Bhosale M.Tech (IT) School of Information Technology, IIT Kharagpur.
Chapter 15 Transaction Management. McGraw-Hill/Irwin © 2004 The McGraw-Hill Companies, Inc. All rights reserved. Outline Transaction basics Concurrency.
SWE Introduction to Software Engineering
An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.
2/23/2009CS50901 Implementing Fault-Tolerant Services Using the State Machine Approach: A Tutorial Fred B. Schneider Presenter: Aly Farahat.
Transaction Processing IS698 Min Song. 2 What is a Transaction?  When an event in the real world changes the state of the enterprise, a transaction is.
Database Management Systems I Alex Coman, Winter 2006
Page 1 Copyright © Alexander Allister Shvartsman CSE 6510 (461) Fall 2010 Selected Notes on Fault-Tolerance (12) Alexander A. Shvartsman Computer.
Stephen S. Yau CSE , Fall Security Strategies.
Software Configuration Management (SCM)
Database System Development Lifecycle
Software Dependability CIS 376 Bruce R. Maxim UM-Dearborn.
Computer System Lifecycle Chapter 1. Introduction Computer System users, administrators, and designers are all interested in performance evaluation. Whether.
Maintaining a Microsoft SQL Server 2008 Database SQLServer-Training.com.
IMS 4212: Distributed Databases 1 Dr. Lawrence West, Management Dept., University of Central Florida Distributed Databases Business needs.
DIDAR – Database Intrusion Detection with Automated Recovery Asankhaya Sharma Govindarajan S Srivatsan V Prof. DVLN Somayajulu.
Integrity Through Mediated Interfaces PI Meeting: Feb 22-23, 2000 Bob Balzer Information Sciences Institute Legend: Changes from previous.
Lecture On Database Analysis and Design By- Jesmin Akhter Lecturer, IIT, Jahangirnagar University.
Michael Ernst, page 1 Collaborative Learning for Security and Repair in Application Communities Performers: MIT and Determina Michael Ernst MIT Computer.
1 Engineering a Distributed Intrusion Tolerant Database System Using COTS Components Peng Liu University of Maryland Baltimore County July 2000.
Computer Science Open Research Questions Adversary models –Define/Formalize adversary models Need to incorporate characteristics of new technologies and.
Computer Science and Engineering 1 Service-Oriented Architecture Security 2.
Cluster Reliability Project ISIS Vanderbilt University.
Information Assurance Research Group 1 NSA Security-Enhanced Linux (SELinux) Grant M. Wagner Information Assurance.
EMI INFSO-RI SA2 - Quality Assurance Alberto Aimar (CERN) SA2 Leader EMI First EC Review 22 June 2011, Brussels.
Resisting Denial-of-Service Attacks Using Overlay Networks Ju Wang Advisor: Andrew A. Chien Department of Computer Science and Engineering, University.
What is a Business Analyst? A Business Analyst is someone who works as a liaison among stakeholders in order to elicit, analyze, communicate and validate.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 3 Slide 1 Critical Systems 1.
1099 Why Use InterBase? Bill Todd The Database Group, Inc.
1 Engineering a Distributed Intrusion Tolerant Database System Using COTS Components Peng Liu Lab. for Info. and Sys. Security
Advanced Computer Networks Topic 2: Characterization of Distributed Systems.
Introduction to dCache Zhenping (Jane) Liu ATLAS Computing Facility, Physics Department Brookhaven National Lab 09/12 – 09/13, 2005 USATLAS Tier-1 & Tier-2.
1 Concurrency Control II: Locking and Isolation Levels.
©Ian Sommerville 2004Software Engineering, 7th edition. Chapter 20 Slide 1 Critical systems development 3.
©Silberschatz, Korth and Sudarshan15.1Database System Concepts Chapter 15: Transactions Transaction Concept Transaction State Implementation of Atomicity.
Framework for MDO Studies Amitay Isaacs Center for Aerospace System Design and Engineering IIT Bombay.
Cmpe 589 Spring 2006 Lecture 2. Software Engineering Definition –A strategy for producing high quality software.
Fault Tolerance Benchmarking. 2 Owerview What is Benchmarking? What is Dependability? What is Dependability Benchmarking? What is the relation between.
OPERATING SYSTEMS CS 3530 Summer 2014 Systems and Models Chapter 03.
INFSO-RI Enabling Grids for E-sciencE ARDA Experiment Dashboard Ricardo Rocha (ARDA – CERN) on behalf of the Dashboard Team.
Slide 1 Security Engineering. Slide 2 Objectives l To introduce issues that must be considered in the specification and design of secure software l To.
Archictecture for MultiLevel Database Systems Jeevandeep Samanta.
Chapter 8 System Management Semester 2. Objectives  Evaluating an operating system  Cooperation among components  The role of memory, processor,
Virtualized Execution Realizing Network Infrastructures Enhancing Reliability Application Communities PI Meeting Arlington, VA July 10, 2007.
Intrusion Tolerant Distributed Object Systems Joint IA&S PI Meeting Honolulu, HI July 17-21, 2000 Gregg Tally
Chapter 5 Managing Multi-user Databases 1. Multi-User Issues Database Administration Concurrency Control Database Security Database Recovery Page 307.
Tool Support for Testing Classify different types of test tools according to their purpose Explain the benefits of using test tools.
SYSTEMS IMPLEMENTATION TECHNIQUES TRANSACTION PROCESSING DATABASE RECOVERY DATABASE SECURITY CONCURRENCY CONTROL.
Chapter 19: Network Management
Using Ada-C/C++ Changer as a Converter Automatically convert to C/C++ to reuse or redeploy your Ada code Eliminate the need for a costly and.
Semantic Concurrency Control for Real-Time Diagramming
Threads Chapter 4.
Basic Dynamic Analysis VMs and Sandboxes
Transactions, Properties of Transactions
Presentation transcript:

1 Engineering a Distributed Intrusion Tolerant Database System Using COTS Components Peng Liu University of Maryland Baltimore County Feb 2001

2 The problem: Database Intrusion Tolerance Attacks can succeed -> Intrusions Intrusions can seriously impair data integrity and availability DBMS Authentication SQL Commands connect Access control Integrity control Database

3 Technical Objectives Engineering using COTS components a database system that can tolerate intrusions Practical Database Intrusion Tolerance –Our approach: using COTS DBMS as main building blocks Cost effective Database Intrusion Tolerance –Our approach: multi-layer defense, cost-effectiveness-performance analysis Comprehensive Database Intrusion Tolerance –Our approach: transaction-level intrusion detection, isolation & masking, damage confinement, assessment, and repair Adaptive Database Intrusion Tolerance –Our approach: self-stabilization by adaptation

4 Assumptions & Policies What attacks are you considered? –All and only the attacks through malicious transactions What assumptions are you making? –The proposed ITS facilities are trusted –The COTS DBMS executes transactions correctly What policies can your project enforce? –The system will continuously execute transactions even in face of attacks –Damage caused by attacks will be automatically located and repaired –Located damage will be confined to not further spread –Suspicious users will be isolated or masked transparently –The degree of data integrity will be automatically stabilized –etc.

5 Existing Practice: Database Assurance Authentication and access control cannot prevent all attacks Integrity constraints are weak at prohibiting plausible but incorrect data Concurrency control and recovery mechanisms cannot distinguish legitimate transactions from malicious ones Automatic replication facilities and active database triggers can serve to spread the damage network

6 Expected major achievements A cost-effective intrusion tolerant database system prototype A family of innovative database intrusion tolerance techniques –Transaction-level intrusion detection –Intrusion isolation and masking –Multi-phase damage confinement –On the fly damage assessment and repair (implementation) –Adaptive database intrusion tolerance –Optimized load balance among ITS facilities Identification and study of such ITS properties as adaptability, stability, and sensitivity

7 Our Approach

8 Transaction-Level vs. OS-Level Intrusion Tolerance Transaction-LevelOS-Level Good when attacks are via transactions Cannot handle OS-level attacks Good when attacks are via direct OS operations Inefficient in handling malicious transactions Although both transaction-level and OS-level intrusion tolerance are necessary, we focus on transaction-level intrusion tolerance: –Most database attacks are (by insiders) through transactions –OS-level techniques can be easily integrated into our framework

9 Scheme 1: preliminary intrusion tolerance COTS DBMS Proof collector Intrusion detector Mediator (Policy Enforcement) User SQL Commands Damage Assessor Damage Repairer Repair SQL Commands Proofs Damage Confinement

10 Transaction-Level Intrusion Detection Our goal: applying existing intrusion detection techniques to identifying malicious transactions Key issues: –semantics-based intrusion detection –proof collection –using the detector as a protection tool –coupling OS-level and transaction-level intrusion detection

11 Application-Aware Intrusion Detection Features: –application aware –portable –real time –protect the database from active bad transactions –integrate OS-level, table-level, session- level, and transaction- level semantics or statistics

12 Damage Assessment and Repair (Liu& Ammann & Jajodia 98,00) A history time B1G2G3 B1: read(x,z); write(x) G2: read(z); write(z) G3: read(x,y); write(y) y x z B1 G2 G3 A dependency graph Read-from A repair Undo B1 & G3 Our goal: implementation and evaluation The database

13 Current Status of Scheme 1 A prototype of Scheme 1 is implemented except that –damage confinement is not implemented –a simulated intrusion detector is used, the real one is under coding The prototype has around 20,000 lines of multi-threaded C++ code, running on top of a NT LAN and an Oracle server The prototype proxies every SQL command, maintains the status of every session and every transaction, collects the proofs for every transaction, raises warnings, rolls back active bad transactions, locates the damage as a bad transaction is identified, and repairs the damage, all on-the-fly Now the prototype is under testing and evaluation We plan to demo this prototype on DISCEX II in June

14 A Limitation of Scheme 1 Proof collector Intrusion detector Mediator (Policy Enforcement) User SQL Commands Damage Assessor Damage Repairer Repair SQL Commands Proofs Damage Confinement The database B1 G2 G4 The purpose of confinement is to prevent damage from spreading The delay of damage assessment can cause ineffective confinement! B1’s write sets G2’s write sets

15 Scheme 2: multi-phase confinement COTS DBMS Proof collector Intrusion detector Mediator (Policy Enforcement) User SQL Commands Damage Assessor Damage Repairer Repair SQL Commands Proofs Damage Confinement Later phases Phase 1

16 Multi-Phase Confinement: An example Proof collector Intrusion detector Mediator (Policy Enforcement) User SQL Commands Damage Assessor Damage Repairer Repair SQL Commands Proofs Damage Confinement The database B1 B1[5] G2[7] G4[15] G3’s write set is clean G3[9] B1 all data objects updated after time 5 To be confined: except the data objects updated by G3

17 Current Status of Scheme 2

18 A Limitation of Scheme 2 For accuracy, intrusions can be detected with a significant delay The delay can cause serious damage when an intrusion is detected Quicker detection can decrease the amount of damage, but could mistake many legitimate transactions for malicious, and cause denial-of-service Our goal: decreasing the amount of damage without losing detection accuracy and denial-of-service The database An user’s history Attack enforcedAttack detected t1t2

19 Scheme 3: Isolation Intrusion detector Mediator (Policy Enforcement) User SQL Commands Damage Assessor Damage Repairer Damage Confinement Main database Suspicious trans. Isolating engine 1 Isolating engine n... merge read

20 Current Status of Scheme 3 Our preparation Our current focus: design and implementation (is challenging!)

21 A Limitation of Scheme 3 To reduce cost, very few users (i.e., one) can be isolated within a single engine However, to avoid causing damage on the main database, the number of suspicious transactions can be large Hence, isolating every suspicious transaction can be too expensive! Our solution Treating very suspicious and less suspicious users differently Isolating very suspicious users Masking less suspicious users Advantage: better cost-effectiveness

22 Scheme 4: Masking Intrusion detector Mediator (Policy Enforcement) User SQL Commands Damage Assessor Damage Repairer Damage Confinement Main DB Less suspicious trans. Isolating engine 1 Isolating engine n... merge read Masking engine 1 Masking engine n Very suspicious trans....

23 Intrusion Masking: An Example Three less suspicious users: Main history If T[i1], T[j1], and T[k1] are all malicious, the main database is valid If T[i1] and T[j1] are malicious, but T[k1] is not, then masking engine 2 is valid If T[i1] and T[k1] are malicious, but T[j1] is not, then though none is valid, re- executing T[j1] on the main history can produce the valid database Masking history 1Masking history 2 T[i1] T[j1] T[k1] clean Advantages: Quicker recovery Less cost

24 A Limitation of Scheme 4 Scheme 4 is not adaptive by nature Adaptation can give better resilience and cost-effectiveness There is no automatic way for the system to adaptively adjust its defense behavior according to : the characteristics of recent and ongoing attacks its current performance against these attacks Although the SSO can dynamically reconfigure some of its components, manual reconfiguration operations are ad-hoc, not scalable, and prone to errors Our goal: adaptive database intrusion tolerance

25 Scheme 5: Self-Stabilization Mediator (Policy Enforcement) User SQL Commands Damage Assessor Damage Repairer Main database Isolation engines Masking engines The database Intrusion detector Damage Confinement The controller State variable feedback Tolerable range Self-Stabilization: the degree of data integrity should be able to be automatically stabilized within a tolerable range no matter how the system is attacked

26 Optimized Load Balance Observation: Different load configurations usually cause different cost-effectiveness A load configuration can cause very different cost-effectiveness in different situations An example of load configuration: the percentage of isolated users the percentage of masked users the percentage of malicious users the number of masking engines used the average interval of state variable feedback... Our goal: adaptive load configuration optimization Mechanism: the controller can be responsible for this job

27 Metrics to measure success (better cost-effectiveness) Cost –time, space needed for tolerating intrusions Effectiveness –how many intrusions are detected, isolated, or masked –how many mistakes are made –how effectively can the damage be confined –how quick can the damage be assessed and repaired –how well can the system be adapted –availability: how often is a legitimate request rejected –integrity: how well can data integrity be preserved under attacks Performance –system throughput –response time

28 Task Schedule

29 Technology Transfer Technical papers published in leading technical meetings and technical reports Release and dissemination of the prototype in source and binary forms Pursuing technology transition through major commercial DBMS vendors. The technologies can either be absorbed into their DBMS kernels, or be commercialized as intrusion tolerance wrappers Starting a company to commercialize the technologies and provide flexible services to arm customers' database systems with necessary intrusion tolerance facilities

30 Questions? Thank you!

31 Multi-layer representation of our approach

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2024 SlidePlayer.com Inc. All rights reserved.