Conceptual Model and Architecture

The objective of this work package was to define a consistent framework for ensuring the dependability of distributed applications in the face of a wide class of threats.

In particular, the aim was to develop a coherent set of concepts for an architecture that can tolerate deliberately malicious faults, such as attacks and intrusions, in applications distributed over the Internet. Attacks include not only those perpetrated by external penetrators, but also those carried out by corrupt insiders. Although attacks and intrusions were the primary class of targeted faults, the architecture was also intended to be adequately robust towards accidental physical faults and accidental design faults.

Since we are most interested in the tolerance paradigm for dealing with malicious faults, our framework is based on the results of existing work on fault tolerance and in particular the implication chain fault ® error ® failure that has been used as the foundation for structuring concepts in fault-tolerant computing. In fact, there are two underlying causes of any intrusion: a malicious act or attack that attempts to exploit a weakness in the system, and at least one weakness, flaw or vulnerability that enables the attack to succeed. Thus, we regard an intrusion as a composite fault that results from an attack that successfully exploits a vulnerability. However, since our overall goal is to prevent errors from leading to security failures, we need to be able to tolerate errors resulting from both accidental and malicious faults.

In accidental-fault tolerance, error detection is a necessary preliminary to achieving backward or forward recovery, or compensation by switchover, but is not strictly necessary if compensation is carried out systematically (i.e., fault masking). However, irrespectively of the error recovery method employed (if any), error detection is necessary if subsequent fault treatment or curative maintenance actions are to be undertaken.

In an intrusion-tolerant framework, it is similarly possible to distinguish two roles for error detection (i.e., intrusion detection):

1. If a (sub-)system is to be made intrusion-tolerant by means of an automatic recovery mechanism, then intrusion detection may be viewed as a necessary preliminary (unless attack-masking is used).

2. If a (sub-)system is to provide a means (a service) to diagnose and isolate the source of intrusions, together with a possible system reconfiguration to prevent the intruder from perpetrating new attacks, then intrusion detection may be viewed as the necessary preliminary to fault treatment.

A particularly interesting aspect of our model is that it has to cover both accidental faults and intentional attacks. This leads naturally to systems that, simultaneously, ensure services of different qualities under different fault assumptions.

An important aspect of this work was to bring together existing reference models and terminology used by the different dependability communities, e.g. fault tolerance, intrusion detection, security, cryptography, and distributed systems. We believe that in general the existing concepts for the tolerance of accidental faults can be applied to the tolerance of attacks and intrusions, and can be combined with work on frameworks for secure distributed systems coming from the security and cryptography communities. For example, a comprehensive framework should include concepts from cryptography (e.g., simulatability of a trusted host model of a system) and privacy (non-interference, information flow-control).

However, one area certainly requires us to go beyond the existing dependability models: a loss of integrity or availability of a service results in a deviation from the intended behaviour, and therefore corresponds to a "failure" in the dependability terminology. But a loss of confidentiality cannot necessarily be identified with a (detectable) failure.

The MAFTIA conceptual model and architecture delivered by this workpackage was informed by and influenced the work of the rest of the project. In particular, the MAFTIA conceptual model identified the essential components of an intrusion-tolerant system, the degree to which these components need to be themselves intrusion-tolerant and the relationships between the components in terms of security-exception handling and security administration. Also, the basic concepts and terminology formulated here were formalised and used as a basis for the validation activities. During the course of the project, the conceptual model and architecture was refined as a result of feedback from the other workpackages.