Malicious- and Accidental-Fault Tolerance for Internet Applications (MAFTIA). IST Research Project IST- , 1 January 2000 - 28 February 2003.
Work packages:

- WP1 concentrated on the conceptual model and architecture of attack tolerance.
- WP2 developed a modular and scalable cryptographic group-oriented middleware suite.
- WP3 investigated ways of reducing the high rate of false positives and false negatives of existing Intrusion Detection Systems (IDSs), whilst making the IDS itself intrusion-tolerant.
- WP4 designed a generic architecture for dependable Trusted Third Party (TTP) services based on results from WP2.
- WP5 defined a framework for access control and authorisation.
- WP6 worked towards formalisation of the MAFTIA conceptual model.
Dependable Middleware

The applications that MAFTIA is targeted at have a multi-party, interactive, and in a broad sense transactional nature. The basic applications to be supported by the MAFTIA middleware platform, namely authorisation, intrusion detection, and trusted third parties, share this same nature. Our approach to dependability with respect to both accidental and malicious faults is based on modular fault tolerance and requires techniques that enable the construction of provable mechanisms aimed at tolerating attacks:
Most complex interactive distributed activities, such as the types of application that motivate this project, require a few baseline attributes from the communication support: multi-site (multicast) addressing and membership; error (including intrusion) detection; the ability to provide well-defined semantics (order, agreement); and a notion of timeliness.

The advantage of asynchronous operation for large-scale systems seems obvious at first sight: no timing assumptions have to be made, since it is a time-free model, and it handles well the inherent asynchrony of the communication support (e.g. the Internet). However, it offers poor quality when the service is expected to be timely, as with interactive applications. Partial synchrony models, such as timed-asynchronous or quasi-synchronous ones, have recently emerged as particularly suited to large-scale settings, where synchrony assumptions are hard to enforce but timeliness is required by the interactivity of applications. The protocols developed by MAFTIA were based on both kinds of model.

The group-oriented paradigm fulfils the requirements expressed for the MAFTIA middleware and adds to them, providing powerful primitives for fault-tolerant and timely communication and supporting group-oriented algorithms that assist distributed activities. In architectural terms, our middleware was structured along the lines of modern group-oriented platforms. In addition, cryptography is a fundamental paradigm for security-related systems, and cryptographic communication was essential for the building blocks we developed during the project. Specifically, we used intrusion-tolerant group communication protocols to achieve the necessary intrusion tolerance for the replication and dissemination mechanisms underpinning our architecture.
The dependable middleware we designed was based on paradigms with the following important characteristics: well-defined semantics; containment of both functional and non-functional behaviour; and the ability to represent activities of a multi-party, interactive and transactional nature. Our overall objective was to produce a scalable architecture, based on both asynchronous and partial synchrony models, whose mechanisms support intrusion-tolerant error detection, cryptographic group communication and membership, and intrusion-tolerant transactions.
The conceptual model and architectural guidelines produced by WP1 influenced the design of the MAFTIA middleware and the trade-offs we made between vulnerability prevention and intrusion tolerance at different levels of the infrastructure. In particular, we explored the use of architectural hybridization to build trustworthy protocols that were designed to execute for the most part in insecure environments, but depended on trusted components for crucial parts of their operation.
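To make the two ideas above concrete, the following is an added illustration, not code from the MAFTIA project, of how replication over an intrusion-tolerant group tolerates a compromised replica, and of why the partial-synchrony view treats a late answer as a failure rather than waiting indefinitely. A client votes over the replies it receives: with at most f compromised replicas, f + 1 identical replies must include at least one correct one, so tampered values alone can never form a quorum. Replies arriving after a deadline are not counted, and a quorum that forms only after the deadline is reported as a timing failure. The replica names, payloads, arrival times and the deadline are constructed sample data.

```python
"""Added illustration (not MAFTIA project code) of reply voting over an
intrusion-tolerant replica group under a timeliness bound.

Assumptions, all constructed for this example: replica names, reply payloads,
arrival times in milliseconds, and the deadline are invented sample data.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Reply:
    replica: str      # constructed replica identifier
    value: bytes      # payload returned for the request
    arrival_ms: int   # constructed arrival time, measured from request send


def vote(replies: Iterable[Reply], f: int, deadline_ms: int) -> Tuple[str, Optional[bytes]]:
    """Decide on a value once f + 1 identical replies have arrived in time.

    With at most f compromised replicas, f + 1 matching replies must include at
    least one correct replica, so a matching set of that size cannot consist of
    tampered values alone. Replies arriving after deadline_ms do not count: in a
    partial-synchrony model the service is expected to answer within a bound,
    so a quorum that only forms late is reported as a timing failure.

    Returns one of:
      ("decided", value)          quorum of timely, identical replies
      ("timing-failure", None)    quorum exists but only after the deadline
      ("no-quorum", None)         no value ever reaches f + 1 replies
    """
    replies = list(replies)
    timely: Counter = Counter()
    for r in sorted(replies, key=lambda x: x.arrival_ms):
        if r.arrival_ms > deadline_ms:
            break  # everything after this point is too late to count
        timely[r.value] += 1
        if timely[r.value] >= f + 1:
            return ("decided", r.value)
    overall = Counter(r.value for r in replies)
    if any(count >= f + 1 for count in overall.values()):
        return ("timing-failure", None)
    return ("no-quorum", None)


GOOD = b"balance=100"          # constructed correct reply
TAMPERED = b"balance=999999"   # constructed reply from a compromised replica


def constructed_replies() -> list:
    """Four replicas (n = 3f + 1 with f = 1): one compromised, one slow."""
    return [
        Reply("r1", GOOD, 10),
        Reply("r2", TAMPERED, 12),   # compromised replica returns a false value
        Reply("r3", GOOD, 15),
        Reply("r4", GOOD, 400),      # correct but slow, e.g. a congested link
    ]


if __name__ == "__main__":
    # A generous deadline decides on the correct value despite r2;
    # a tight one turns the same reply set into a timing failure.
    for deadline in (100, 12):
        print(deadline, vote(constructed_replies(), f=1, deadline_ms=deadline))
```

The voting rule is the same under either synchrony model; only the deadline changes. Dropping the deadline (a time-free model) would let the client wait for r4 and still decide correctly, but an interactive application would have no bound on how long that wait could be, which is the trade-off the section describes.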