Abstract
We believe that the research and development of intrusion tolerant systems will gain more momentum as more and more services are offered online. The expectation of such services is high, considering their essential roles in everyday operations of businesses and individuals as well. The impact of service unavailability and security breaches will only be more serious. In this chapter, we will survey the state of the art techniques for building intrusion tolerant systems. We will also illustrate a few most urgent open issues for future research. Finally, we point out that to build secure and dependable systems, we need a concerted effort in intrusion prevention, intrusion detection, and intrusion tolerance.
TopBackground
In this section, we introduce some basic security and dependability concepts and techniques related to intrusion tolerance. A secure information system is one that exhibits the following properties (Pfleeger & Pfleeger, 2002):
- •
Confidentiality: Only authorized users have access to the information.
- •
Integrity: The information can be modified only by authenticated users in authorized ways. Any unauthorized modification can be detected.
- •
Availability: The information is available whenever a legitimate user wants to access it.
Confidentiality is often achieved by using encryption, authentication, and access control. Encryption is a reversible process that scrambles a piece of plaintext into something uninterpretable. Encryption is often parameterized with a security key. To decrypt, the same or a different security key is needed. Authentication is the procedure to verify the identity of a user that wants to access confidential data. Access control is used to restrict what an authenticated user can access.
Integrity can be protected by using secure hash functions, message authentication code (MAC) and digital signatures. For data stored locally, including the application binary files, a checksum is often used as a way to verify data integrity. The checksum can be generated by applying an oneway secure hash transformation on the data. Before the data is accessed, one can verify its integrity by recomputing the checksum and comparing it with the original one. The integrity of a message transmitted over the network can be guarded by a MAC. A MAC is generated by hashing on both the original message and a shared secret key (and often with a sequence number as well). If it is tampered with, the message can be detected in a way similar to that for checksum. For stronger protection, a message can be signed by the sender. A digital signature is produced by first hashing the message using a secure hash function, and then encrypting the hash using the sender’s private key.
Key Terms in this Chapter
Threshold Cryptography: Security operations such as encryption, decryption, signature generation and verification can be performed by a group of processes without reconstructing the shared secret. Threshold cryptography utilizes (k, n) threshold schemes internally.
Intrusion Tolerance: It refers to the capability of maintaining the system availability and integrity despite malicious attacks.
Fragmentation Redundancy Scattering: A secret sharing scheme that involves the following three steps: fragmenting a file, replicating each fragment, and distributing the replicated fragments to different storage sites.
Byzantine Fault Tolerance: A replication-based technique used to ensure high availability of an application subject to Byzantine fault.
(k, n) Thread Scheme: A secret is divided into n shares. To reconstruct the secret, at least k shares are needed. No useful information can be obtained from k-1 shares.
Byzantine Fault: It is used to model arbitrary fault. A Byzantine faulty process might send conflicting information to other processes to prevent them from reaching an agreement.
Replica Consistency: The states of the replicas of an application should remain to be identical at the end of the processing of each request. Replica consistency is necessary to mask a fault in some replicas.
Byzantine Quorum System: The system offers read and write services to its clients on a set of replicated data items. A read operation retrieves data from a quorum of correct replicas and a write operation applies the update to a quorum of correct replicas. Any two quorums must overlap by at least one correct replica.