SPARTA ISSO

Finished Projects

Distributed Systems Security

CORBA Security

Intrusion Tolerant Distributed Object Systems
Intrusion prevention mechanisms and technologies cannot always prevent a well-funded and persistent adversary from penetrating information systems. Mission-critical systems require intrusion tolerance in order to provide correct system operation after an attacker has successfully breached the prevention mechanisms. Many of the new mission-critical systems being developed today are designed with distributed object architectures. These new systems require intrusion tolerance in order to provide high availability, but the commercial world has failed to deliver such systems. Our goal is to create an architecture for distributed object systems that can provide high reliability for mission-critical information systems by tolerating Byzantine (arbitrary) faults in object servers.

Intrusion tolerant systems can tolerate a broader class of faults than fault tolerant systems. Fault tolerant systems can tolerate accidental faults, such as system crashes. These faults are the result of hardware or software failures, not malicious behaviour. Intrusion tolerant systems can also tolerate Byzantine behaviour, such as that caused by an adversary. Byzantine faults can appear to be accidental faults, so intrusion tolerant systems must also be fault tolerant. Our research is focused on intrusion tolerance for distributed object systems, and particularly those based on CORBA.

Approach
CORBA is a standardized architecture for distributed object computing that is independent of any programming language, operating system, or computing platform. CORBA supports heterogeneous client and server environments and object location transparency for remote method invocations. Our research seeks to preserve these key features of CORBA while adding intrusion tolerance.

In CORBA, clients invoke methods on objects that reside on remote servers. CORBA systems provide location transparency of objects. Client applications invoke methods on remote objects as if they were local. The Object Request Broker (ORB) provides most of the machinery for location transparency. The client's ORB transmits the method invocation to the proper server. The server's ORB dispatches the method invocation to the target object and returns the result of the method to the client ORB. The General Inter-ORB Protocol (GIOP) provides an abstract interoperability protocol between ORBs from different vendors, different host platforms, and different programming languages. The Internet Inter-ORB Protocol (IIOP) is the mapping of GIOP onto TCP/IP. We plan to use actively replicated servers and secure, reliable, authenticated multicast directly from clients to the replicated servers. The figure below shows an overview of the architecture.

Our approach is to integrate intrusion tolerance technologies directly into the CORBA architecture. In a CORBA system, direct integration into the ORB provides a significant advantage over techniques that operate by intercepting communications at a lower level. CORBA applications interoperate heterogeneously, particularly with other CORBA applications written in different languages and running on different host architectures. Server heterogeneity improves system survivability by providing diversity of implementation. We want to preserve this feature of CORBA. Because of this architecture, two interoperable ORBs can send messages that are equivalent when interpreted by the ORB, but appear to be different when a byte-wise comparison is performed. If fault detection operates at the message transport level, numerous false detections would occur when the redundant servers are not homogeneous. Our intrusion tolerance and fault detection approach will recognise these equivalent messages by working at the ORB level, and so avoid false detections while preserving CORBA's inherent support for heterogeneous systems.

Another important aspect of our research is integrated application proxy firewall support. Although replicated, the servers in our Intrusion Tolerant CORBA implementations will still be individually vulnerable to attacks on their host operating systems. If the replicated servers are not adequately protected from the external network, a determined adversary could conceivably exploit vulnerabilities in the host operating platform and disable a large number of the replicated servers in a relatively short time. Firewalls increase the survivability of the replicated servers by limiting access from outsiders, thereby increasing the difficulty of penetrating the server host.

Our approach provides integrated firewall support for the secure reliable authenticated multicast used by Intrusion Tolerant CORBA. The proxy will inspect the multicast messages to ensure that they are legitimate CORBA messages. In addition, the proxy will permit end-to-end authentication among the members of the multicast group.

Research Focus

Intrusion Tolerant CORBA
Our intrusion tolerance approach follows the prior work in fault tolerant CORBA that employs actively replicated servers. The significant new features of this work will be a) support for interoperable heterogeneous CORBA server implementations, and b) integrated application proxy firewall support. Prior work has assumed a homogeneous server implementation.

Heterogeneity provides an additional level of assurance by providing diversity of implementation in the servers. A vulnerability or defect in one particular implementation or platform will not imply that all of the other replicated servers will share the same vulnerability or defect. We will support heterogeneity by implementing our voting component in the middleware, rather than in the secure transport.
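The following script is an added example, not code from the original page or from SPARTA's implementation, that shows concretely why the voting component belongs in the middleware rather than in the secure transport (the point made in the Approach section about byte-wise comparison and again here). It models CORBA's Common Data Representation in simplified form: each replica encodes its reply in its host's native byte order and flags that order, so two honest replicas on hosts of different endianness return byte-wise different but semantically identical replies. The CDR model, the 3f+1 replica count with an f+1 acceptance quorum, and the sample replies are all assumptions constructed for the example.

```python
import struct
from collections import Counter

# Added example: a simplified model of CORBA CDR encoding with a byte-order
# flag, used to show why replica voting belongs in the ORB, not the transport.
# Real GIOP/CDR has more rules (alignment relative to the message start, many
# more types); the byte-order behaviour shown here is the real one: every
# sender encodes in its native order and flags it, the receiver honours the flag.

def _align(buf, size):
    """Pad buf with zero bytes so the next value starts on a multiple of size."""
    while len(buf) % size:
        buf.append(0)

def encode_reply(value, text, little_endian):
    """Encode (value, text) as a byte-order flag followed by a CDR-style body.
    little_endian=True mimics an x86 ORB, False a big-endian host's ORB."""
    buf = bytearray([1 if little_endian else 0])
    fmt = "<" if little_endian else ">"
    _align(buf, 4)
    buf += struct.pack(fmt + "i", value)
    raw = text.encode("ascii") + b"\0"          # CDR strings carry a trailing NUL
    _align(buf, 4)
    buf += struct.pack(fmt + "I", len(raw))     # the length field counts the NUL
    buf += raw
    return bytes(buf)

def decode_reply(data):
    """Decode a body made by encode_reply, honouring its byte-order flag."""
    fmt = "<" if data[0] == 1 else ">"
    pos = 1
    pos += (-pos) % 4
    (value,) = struct.unpack_from(fmt + "i", data, pos)
    pos += 4
    pos += (-pos) % 4
    (length,) = struct.unpack_from(fmt + "I", data, pos)
    pos += 4
    text = data[pos:pos + length - 1].decode("ascii")
    return value, text

def vote(replies, key, quorum):
    """Group replies by key(reply); the winner needs at least `quorum` identical
    votes.  Returns (winner, indices of replicas that disagreed with it), or
    (None, all indices) when no quorum exists."""
    counts = Counter(key(r) for r in replies)
    winner, n = counts.most_common(1)[0]
    if n < quorum:
        return None, set(range(len(replies)))
    return winner, {i for i, r in enumerate(replies) if key(r) != winner}

# Constructed scenario: four replicas (3f+1 with f=1), three honest on hosts
# of different byte order, one compromised.  Quorum f+1 = 2 is the assumed
# acceptance rule for the example.
F = 1
QUORUM = F + 1
REPLIES = [
    encode_reply(42, "balance OK", little_endian=True),    # replica 0, honest, x86 host
    encode_reply(42, "balance OK", little_endian=False),   # replica 1, honest, big-endian host
    encode_reply(42, "balance OK", little_endian=True),    # replica 2, honest, x86 host
    encode_reply(-1, "balance OK", little_endian=True),    # replica 3, compromised, lies
]

def transport_level_vote():
    """Vote on raw bytes: the honest big-endian replica looks faulty (false detection)."""
    return vote(REPLIES, key=lambda r: r, quorum=QUORUM)

def orb_level_vote():
    """Vote on decoded values: only the compromised replica disagrees."""
    return vote(REPLIES, key=decode_reply, quorum=QUORUM)

if __name__ == "__main__":
    print("replica 0 bytes:", REPLIES[0].hex())
    print("replica 1 bytes:", REPLIES[1].hex())
    print("transport-level suspects:", transport_level_vote()[1])   # {1, 3}
    print("ORB-level suspects:     ", orb_level_vote()[1])          # {3}
```

Run stand-alone, the script prints the two honest replies side by side (different bytes, same meaning) and then the two suspect sets. A transport-level voter flags the honest big-endian replica alongside the compromised one, which is exactly the false detection the text warns about; the ORB-level voter, comparing decoded values, isolates only the replica that actually lied.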

The second key feature, application proxy firewall support, is essential to ensure the survivability of the replicated clients and servers. Our proxy will provide protocol inspection of the messages while permitting end-to-end authentication between clients and servers.
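As an added illustration, and not SPARTA's proxy code, the script below sketches the kind of protocol inspection an application proxy can perform on a multicast message before forwarding it: it validates only the 12-byte GIOP header introduced in the Approach section (magic, version, flags, message type, declared size), so it needs no access to the end-to-end authenticated payload. The 1 MiB size limit, the `build_giop` helper and the sample messages are constructed for the example; the header layout and message-type codes are those of GIOP 1.0 to 1.2.

```python
import struct

# Added example: header-only inspection of GIOP messages, as an application
# proxy in front of replicated servers might do.  Assumes each call receives
# one complete message (as with a message-oriented multicast), not a stream.

GIOP_HEADER = struct.Struct("4sBBBB")   # magic, major, minor, flags, msg_type; size follows
GIOP_HEADER_LEN = 12
MAX_MESSAGE_SIZE = 1 << 20              # constructed policy limit on the body (1 MiB)
MESSAGE_TYPES = {0: "Request", 1: "Reply", 2: "CancelRequest", 3: "LocateRequest",
                 4: "LocateReply", 5: "CloseConnection", 6: "MessageError", 7: "Fragment"}

def build_giop(msg_type, body, major=1, minor=2, little_endian=False):
    """Helper for the samples: wrap body in a GIOP header with the given fields."""
    flags = 0x01 if little_endian else 0x00
    size = struct.pack("<I" if little_endian else ">I", len(body))
    return GIOP_HEADER.pack(b"GIOP", major, minor, flags, msg_type) + size + body

def inspect_giop(data):
    """Return (accepted, reason).  Accepts only a message whose header is a
    well-formed GIOP 1.0-1.2 header consistent with the bytes actually received."""
    if len(data) < GIOP_HEADER_LEN:
        return False, "short header"
    magic, major, minor, flags, msg_type = GIOP_HEADER.unpack_from(data, 0)
    if magic != b"GIOP":
        return False, "bad magic"
    if major != 1 or minor > 2:
        return False, "unsupported version %d.%d" % (major, minor)
    if minor == 0:
        # GIOP 1.0: this byte is a boolean byte_order, so only 0 or 1 are legal
        if flags not in (0, 1):
            return False, "bad byte_order"
        little_endian = flags == 1
    else:
        # GIOP 1.1+: bit 0 = byte order, bit 1 = more fragments, rest reserved
        if flags & ~0x03:
            return False, "reserved flag bits set"
        little_endian = bool(flags & 0x01)
    if msg_type not in MESSAGE_TYPES or (msg_type == 7 and minor < 1):
        return False, "unknown message type %d" % msg_type
    (size,) = struct.unpack_from("<I" if little_endian else ">I", data, 8)
    if size > MAX_MESSAGE_SIZE:
        return False, "declared size exceeds limit"
    body_len = len(data) - GIOP_HEADER_LEN
    if size != body_len:
        return False, "declared size %d does not match %d body bytes" % (size, body_len)
    return True, MESSAGE_TYPES[msg_type]

# Constructed sample messages; the body is a placeholder, not a real request.
BODY = b"\0" * 16
SAMPLES = {
    "valid_request": build_giop(0, BODY),
    "valid_le_reply": build_giop(1, BODY, little_endian=True),
    "bad_magic": b"HTTP" + build_giop(0, BODY)[4:],
    "truncated": build_giop(0, BODY)[:20],                   # declares 16 body bytes, carries 8
    "oversized": GIOP_HEADER.pack(b"GIOP", 1, 2, 0, 0) + struct.pack(">I", 0xFFFFFFFF) + BODY,
    "unknown_type": build_giop(9, BODY),
    "reserved_flags": build_giop(0, BODY)[:6] + b"\x80" + build_giop(0, BODY)[7:],
}

def inspect_samples():
    """Run every sample through the inspector; returns {name: (accepted, reason)}."""
    return {name: inspect_giop(msg) for name, msg in SAMPLES.items()}

if __name__ == "__main__":
    for name, (ok, reason) in inspect_samples().items():
        print("%-15s %s  %s" % (name, "FORWARD" if ok else "DROP   ", reason))
```

The size consistency check matters most for the replicated-server case: a message whose declared size does not match what arrived, or that declares an absurd size, is dropped at the proxy rather than handed to every replica's ORB, so a malformed message cannot exercise the same parser defect on all servers at once. Because only the header is examined, the proxy can do this while the payload stays authenticated end to end between client and server.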

Additional Information
For additional technical information regarding Security for Object Oriented Distributed Systems, contact Gregg Tally at 443-430-8000 or visit our Web page.