
Artificial Intelligence Events


Intrusion Tolerance by Proactive Fortification of Fault-Tolerant Services - Paul Ezhilchelvan (University of Newcastle upon Tyne)

Location: CS1.01
Abstract: 

An intrusive attack involves exploiting vulnerabilities present in systems. An intrusion is a possible outcome of such attacks wherein the attacker controls the behaviour of the targeted system. It can be regarded as a malicious, externally-induced “fault” in the system. Building e-Services that can tolerate intrusions has been an active area of research. All known intrusion-tolerant schemes extend a well-known fault-tolerant technique, namely state machine replication, which fundamentally requires that a service be built as a deterministic state machine. However, it is difficult, often practically impossible, to build a large class of applications as deterministic state machines. Consequently, service replication in practice tends to take the primary-backup approach and aims at tolerating only node crashes, not intrusions. An interesting question then arises: Is intrusion tolerance at all possible without having to build the service as a deterministic state machine? Or, more generically, can any fault-tolerant system be extended into an intrusion-tolerant one? The talk answers these in the affirmative.

We will describe an approach for incorporating intrusion resilience into a fault-tolerant replicated service, irrespective of the replication used. The approach combines (i) fortifying a fault-tolerant service using proxies that block clients from accessing the servers directly, and (ii) proactive refreshing of proxies and servers with diverse executables generated using code randomization. We will analytically establish that if state machine replication is 1-intrusion resilient against a set of adversaries, then merely fortifying even a primary-backup replicated service is at least equally resilient, provided those adversaries cannot compromise a server without having compromised a proxy first. We will also argue that each proactive refresh can be achieved with a processing overhead that is no more than the overhead for replication management.
