Securing Critical Software with Replication and Virtualization


Critical Software Security Through Replication and Virtualization
A Research Proposal
Dennis Edwards, Sharon Simmons, Arangamanikkannan Manickam

Original Work
• Multi-Level Security Model Architecture
• Secure national power distribution grid
• Designed for “System after next”, “Beyond SCADA”
• Supported by the Department of Energy and FSU – Center for Advanced Power Systems Research
July 9, 2009
NCA09 - BIOCOMS
Background
• Combine ideas into a new architecture
– Software mutation – agent diversity
– Computation replication – fault tolerance
– Software voting – fault detection
• Focus on strengthening the security triad
– Prevention: anticipate and thwart attacks
– Detection: recognize penetrations
– Correction: recover while limiting consequences
• Evolve security to prevent / deter recurrence
Security Model
[Diagram: hardware-protected SCADA network. Components shown: Source; Communication Agent; Computational Agent; Mutation Agent; Distribution/Voting Agent; three Replicated Computational Agents; Monitor/Resurrection Agent; Sensors & Actuators (serial link); Normal I/O; Control Signals.]
Fall 2009 Showcase
UWF - Simmons
Previous Results
• Computational agents
– Mutated and replicated
– Different random mutation for each replica
– Prevents the same Byzantine failure from occurring in multiple replicas
– Faults result in crash failures
• Distribution/Voting agent
– Replicates input to the computational agents
– Combines outputs into a majority decision
– Identifies faulty/failed computational agents
Previous Results
• Communication agent
– Implements encryption, validation
– Only entrance into the system
• Monitor/Resurrection agent
– Monitors health of other agents
– Rebuilds faulty/failed agents
– Implemented in hardware
Model Limitations
• Specialized prevention, limited to
– Buffer overflow attacks
– Software failures
• Designed for agent-based systems
– Dynamic port binding not supported
– Server processes not supported
• Operating system remains vulnerable
• Requires hardware protection
• Monitor/Resurrection (M/R) agent is a single point of failure
Proposed System
• Multi-layered security model
• Builds on previous success
• Provides for replication and voting
• Replicated processes
– Computationally equivalent
– Executed on different virtual platforms
– Platform-targeted attack ineffective
– Implementation-targeted attack ineffective
• Platform weaknesses mitigated
• Failures isolated and identified
• Failed system recovered
Proposed System
• Guest OS
– Assigned a private IP address
– Monitors health of server processes
• Server processes
– Perform duties as if in isolation
– Results used as votes
• Host OS
– Assigned the public IP address
– Uses NAT to map the public IP to the private IPs
– Monitors health of guest OSes
– Limits consequences of an attack to the guest OS
Proposed Model
[Diagram: network → Host OS (Communication Interface, NAT) → Virtual Machine hosting Guest OS 1, Guest OS 2 and Guest OS 3, each running a Server.]
Prototype
• Host OS
– Macintosh OS X
• Virtual Machine
– Sun’s VirtualBox
• Guest OSes
– Windows XP
– Linux Fedora 10
– Solaris
• Server
– Apache web server (httpd)
– Each server on port 80 of its private IP
Prototype
• External communication
– Via the communication interface
– Port 80 on a well-known IP
– Specialized NAT replicates the input to every guest (the NAT is now the client of each server)
• Responses from Apache
– Sent to the NAT (the client)
– NAT tallies the votes and returns the decision to the real client
• Prototype status
– In experimentation/design phase
– Communication with dual servers
– Voting not yet implemented
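The return path of the specialized NAT, as an added example (this is not code from the UWF prototype, whose voting was not yet implemented). It models what the Distribution/Voting agent of the earlier slides and the NAT of this slide share: collect one answer per replica, vote, return the majority answer to the real client and name the replicas that disagreed or never answered. Two points the slides leave implicit are handled here. First, heterogeneous Apache builds on Windows XP, Fedora 10 and Solaris legitimately differ in volatile headers (Server, Date, ETag), so the vote is taken over a canonical digest of status, stable headers and body; the set of volatile headers is an assumption for this example. Second, a replica that crashed or timed out is counted as faulty rather than as an abstention, and the decision requires a strict majority of all configured replicas, failing closed (no answer to the client) when there is none. The replica names and responses are constructed sample data; nothing touches the network.

```python
"""Majority-voting return path for replicated, heterogeneous HTTP servers.

Added example for the "specialized NAT" / distribution-voting agent; not
code from the UWF project.  All responses are constructed sample data.
"""
from __future__ import annotations

import hashlib
from collections import Counter
from dataclasses import dataclass, field

# Header fields that differ between Apache builds on different guest OSes
# or change per request and must not count as disagreement (assumed set).
VOLATILE_HEADERS = {"date", "server", "etag", "last-modified",
                    "connection", "keep-alive"}


@dataclass
class ReplicaResponse:
    replica: str                     # guest name, e.g. "fedora10"
    status: int | None               # None: replica crashed or timed out
    headers: dict[str, str] = field(default_factory=dict)
    body: bytes = b""


@dataclass
class Decision:
    winner: ReplicaResponse | None   # what the real client receives
    agreeing: list[str]
    faulty: list[str]                # disagreed with majority or gave no answer
    quorum: bool                     # False: fail closed, answer nothing


def canonical(resp: ReplicaResponse) -> str | None:
    """Digest of the parts of a response all correct replicas must agree on."""
    if resp.status is None:
        return None
    h = hashlib.sha256()
    h.update(str(resp.status).encode())
    for name, value in sorted((k.lower(), v.strip()) for k, v in resp.headers.items()):
        if name not in VOLATILE_HEADERS:
            h.update(f"\n{name}:{value}".encode())
    h.update(b"\n\n" + resp.body)
    return h.hexdigest()


def vote(responses: list[ReplicaResponse], replicas: list[str]) -> Decision:
    """Choose the answer held by a strict majority of `replicas` (all configured
    guests, not just those that answered); silent replicas are faulty."""
    by_name = {r.replica: r for r in responses}
    digests = {n: canonical(by_name[n]) if n in by_name else None for n in replicas}
    tally = Counter(d for d in digests.values() if d is not None)
    silent = [n for n in replicas if digests[n] is None]
    if not tally:
        return Decision(None, [], silent, False)
    best, count = tally.most_common(1)[0]
    if count * 2 <= len(replicas):
        # Tie or no majority: nobody can be trusted, only the silent are known bad.
        return Decision(None, [], silent, False)
    agreeing = [n for n in replicas if digests[n] == best]
    faulty = [n for n in replicas if digests[n] != best]
    return Decision(by_name[agreeing[0]], agreeing, faulty, True)


REPLICAS = ["winxp", "fedora10", "solaris"]


def sample_responses() -> list[ReplicaResponse]:
    """Constructed sample: three Apache replicas, the Solaris body tampered."""
    page = b"<html><body>Load: 42 MW</body></html>"
    common = {"Content-Type": "text/html"}
    return [
        ReplicaResponse("winxp", 200, {**common, "Server": "Apache (Win32)",
                                       "Date": "Mon, 13 Jul 2009 10:00:01 GMT"}, page),
        ReplicaResponse("fedora10", 200, {**common, "Server": "Apache (Fedora)",
                                          "Date": "Mon, 13 Jul 2009 10:00:02 GMT"}, page),
        ReplicaResponse("solaris", 200, {**common, "Server": "Apache (Unix)",
                                         "Date": "Mon, 13 Jul 2009 10:00:01 GMT"},
                        b"<html><body>Load: 0 MW</body></html>"),
    ]


if __name__ == "__main__":
    d = vote(sample_responses(), REPLICAS)
    print("quorum:", d.quorum, "serve from:", d.winner and d.winner.replica,
          "rebuild:", d.faulty)
```

With three guests a strict majority tolerates exactly one compromised or crashed replica per request; an exploit that works on two of the three guests, or on the OS X host or VirtualBox itself, is outside what the vote can mask, which is why the proposal keeps the guests on distinct platforms and relies on the host to contain a guest compromise.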
Demonstration Prototype
[Diagram: network → OS X host (Communication Interface providing Distribution & Voting, NAT) → VirtualBox hosting Windows XP, Linux F10 and Solaris guests, each running Apache.]
Summary
• Previous success with power distribution grid
• Known limitations of system
• Proposed system will
– Take advantage of multiple execution cores
– Use virtualization for system replication
– Provide distinct execution bases for each replicate
– Use voting to identify faulty components
– Recover from faults with no externally visible effects
– Contain consequences to virtual host
Contact Information
Dennis Edwards
[email protected]
Sharon Simmons
[email protected]