3 Intrusion Tolerance concepts

Academic year: 2023

That is, the idea of handling—responding, countering, repairing, masking—a broad set of errors that include intentional and malicious errors (which we can collectively call intrusions), and which can lead to failure of the system's security features if nothing is done to counteract their effect on the system state. This is classic prevention/removal, applied to the number, power and severity of the vulnerabilities and of the attacks to which the system can be subjected. The crucial questions posed in this section will be addressed in the rest of the paper.

The AVI model is a specialization of the generic fault→error→failure sequence, which has several virtues. However, in order for the relationship implied by the definition of trust to be established, trust must be placed on the measure of component reliability. Pra is the probability that a user of the system composed of B and C enjoys properties A; in other words, it measures the system's reliability.

For efficiency reasons, the use of hardware components with enforced controlled failure modes is often advisable, as a means of providing an infrastructure where more benign fault-tolerant protocols can be used without the degradation in system resilience against malicious errors that this would otherwise imply. They are provided with knowledge about the normal behavior of the monitored system, for example through extensive training of the system in correct operation. The strategic option of using some trusted components - for example in critical parts of the system and its operation - can yield more workable protocols.

Unlike what happens with classical FT recoverable operation [33], where (c) depends only on (b), here the availability of the system is defined in a more extensive way, proportional to the level of threat, in terms of attack severity and duration. In the answer to this question lies the core of the argument regarding "adequate" intrusion error models. In the presence of random errors, this approach is realistic, as it represents very well how common systems work, which fail benignly most of the time.

In practice, many of the new applications we see today, especially on the Internet, have interactivity or mission-critical requirements. Some parts of the system would legitimately exhibit error-controlled behavior, while the rest of the system would still be allowed to behave arbitrarily. This can best be described as architectural hybridization, in the line of works where the failure assumptions are actually enforced by the architecture and construction of the system components, and are thus substantiated.

The task of the architect is made easier, since the controlled failure modes of some components with respect to malicious errors limit the system errors that the component can produce. Of course, for the system as a whole to provide useful service, it is necessary that at least some of the components are correct. Furthermore, the replicas must communicate by means of self-enforcing protocols of the Byzantine-resilient type, if malicious errors may be attempted against subsets of the server replicas.

The user does not need to be aware of the added complexity and spread of the TTP, a common principle in fault tolerance.

Fig. 1. Fault–> Error–> Failure sequence

OASIS

Both Rampart and SecureRing can be used to build servers using the state machine replication approach. COCA assumes that an adversary takes a certain amount of time to corrupt some servers, therefore keys are changed from time to time (proactive protection).

MAFTIA

MAFTIA defined an authorization service based on fine-grained protection, i.e. on protection at the level of the object method call [26]. We then describe the functionality of the TTCB – its services – and later discuss how security and timeliness (real-time) are enforced in the COTS-based TTCB. Every local TTCB has an asymmetric key pair and we assume that the process manages to get a correct copy of the local TTCB public key.

A parameter of the service is a timestamp indicating the last time the service started running. Linux was modified so that a real-time executive takes control of the hardware, to enforce real-time behavior of some real-time tasks. This protocol illustrates the approach based on hybrid failure assumptions: most of the system is assumed to fail randomly, while the wormhole is assumed to be safe, i.e., to fail only by crashing.

In the rest of the section, we will make the classic division between receiving a message from the network and delivering a message – the result of the protocol's execution. The predicate sender(M) gives the message field containing the sender, and group(M) gives the "group" of processes involved, i.e. the sender and the recipients (note that we assume that the sender also delivers). The sender securely sends a hash of the message (H(M)) to the recipients via the TTCB Agreement Service and then multicasts the message Od+1 times.

This hash code is used by recipients to ensure the integrity and authenticity of the message. These messages are received in the following way: P2 receives both copies of the message, P3 receives the first copy corrupted and the second good, and P4 does not receive the first copy and the second is delayed. They use the hash to choose which of the messages they have received is correct, and then distribute the message to all other recipients.

P4 asks for the result of the agreement later when it receives the first message from the protocol. We have presented an overview of the most important concepts and design principles relevant to intrusion-tolerant (IT) architectures. In our opinion, intrusion tolerance as a knowledge base is, and will continue to be for a while, the most important catalyst for the development of the field of reliability.
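As an added illustration (not code from the paper or from MAFTIA), the following Python simulation plays out the TTCB-based multicast just described with the constructed P2/P3/P4 scenario: the TTCB Agreement Service is modelled as a trusted in-process store of H(M) that the payload channel cannot alter, and the channel's losses, corruption and delay are scripted. The payload, the group names and the omission degree Od = 1 are assumptions for the simulation.

```python
import hashlib

M = b"transfer 100 to account 42"   # constructed payload for the simulation
GROUP = ("P1", "P2", "P3", "P4")     # group(M): sender P1 plus recipients P2..P4

def H(m: bytes) -> str:
    return hashlib.sha256(m).hexdigest()

class Process:
    """One protocol participant; `ttcb` models the TTCB Agreement Service as a trusted,
    crash-only store of H(M) that the (untrusted) payload channel cannot alter."""
    def __init__(self, ttcb):
        self.ttcb, self.received, self.delivered, self.rejected = ttcb, [], None, 0
    def receive(self, copy):
        self.received.append(copy)             # payload channel may corrupt, lose or delay copies
    def choose(self, sender, group):
        """Deliver the first copy matching the agreed hash; count the rest as corrupted."""
        digest = self.ttcb[(sender, group)]    # ask the wormhole for the agreement result
        for copy in self.received:
            if H(copy) != digest:
                self.rejected += 1
            elif self.delivered is None:
                self.delivered = copy
        self.received.clear()
        return self.delivered

def run_scenario():
    ttcb = {}
    procs = {n: Process(ttcb) for n in GROUP}
    ttcb[("P1", GROUP)] = H(M)                 # sender sends H(M) through the TTCB
    procs["P1"].delivered = M                  # the sender also delivers
    corrupted = M[:-1] + b"X"
    # Constructed channel behaviour for the Od+1 = 2 multicasts (Od = 1) described in the text:
    rounds = [{"P2": M, "P3": corrupted},      # P4 loses the first copy
              {"P2": M, "P3": M}]              # P4's second copy is delayed
    for rnd in rounds:
        for name, copy in rnd.items():
            procs[name].receive(copy)
    for p in procs.values():
        if p.received:
            p.choose("P1", GROUP)
    for p in [q for q in procs.values() if q.delivered is not None]:
        for q in procs.values():               # deliverers distribute to recipients still waiting
            if q.delivered is None:
                q.receive(p.delivered)
                q.choose("P1", GROUP)          # P4 asks for the agreement result only now
    procs["P4"].receive(M)                     # the delayed copy arrives: merely a duplicate
    procs["P4"].choose("P1", GROUP)
    return {n: (p.delivered == M, p.rejected) for n, p in procs.items()}
```

`run_scenario()` returns, per process, whether it delivered the correct M and how many copies it rejected; only P3 rejects one (its corrupted first copy), and P4 delivers through the redistribution step before its delayed copy ever arrives.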

Many of the concepts and design principles presented here derive from previous experiences with fault-tolerant and secure system architectures as well as from more recent work and challenging discussions within the European IST MAFTIA project. We would like to say a big thank you to all members of the team, several of whom contributed to the IT concepts presented here, representing a phenomenal think tank.

Fig. 8. System architecture with a TTCB

Fig. 2. (a) AVI composite fault model; (b) Preventing security failure
Fig. 3. Building trust
Fig. 4. Arbitrary failure approach
