Attack Tolerant Information Systems

Attack Tolerant Information Systems

“We assume that our systems will be attacked. We will protect protocols by formally generating a large number of logically equivalent variants, stored in an attack response library.”

(Van Reneese., et al 2011).

Introduction

Cybersecurity is difficult to achieve because the current environment favors offensive rather than defensive cyber operations. Because the balance favors offense it is currently very cheap to do cyber attacks while simultaneously very expensive to defend against them. Formal correctness is a part of the security paradigm of security by correctness which when done properly can increase the resource costs for a successful cyber attack.

In this article I will give an overview of some of the state of the art defensive methods of cyber security based around the security by correctness paradigm, I will introduce the concept of attack tolerant information systems, and I will also look to the future and discuss possible new methods of creating attack tolerant information systems in based on blockchains as a means of achieving these ends.

Correct by construction

Correct by construction takes an engineers approach to software development. Code is formally specified, allowing for formal verification of the intended behavior. This is my suggested approach for developing smart contracts, or for developing compilers.

Security through diversity

Synthetic diversity is a relatively new method for obscuring the attack surface through randomization of components within an information system. Typically attacks rely on the fact that there are commonalities between different components. Computers for instance may all be running the same version of the same operating system which makes it easier for the attacker to conduct one attack which compromises many systems. The result of this is that there is very little cyber defense in information systems while the offensive side maintains the momentum.

Synthetic diversity can help limit the amount of damage an attacker can cause, having a similar effect as if a different unique password were chosen for every device, only in this case the diversity is on a much more fundamental level. Synthetic code diversity is described:

“We introduce diversity at all levels of the formal code development (synthesis) process starting at a very high level of abstraction. For example, in the TwoThirds protocol, we can use different functions f , alter the means of collecting Msg i , synthesize variants of the protocol, alter the data types, etc. We are able to create multiple provably correct versions of protocols at each level of development,” (Van Reneese., et al 2011).

Intelligent software immune systems

Intelligent software immune systems represent a new paradigm of biomemetic cyber security. In living systems we see that diversity, camouflage, and immune systems all work to increase the survivability of the host. Evolution itself through the Darwinian process generates solutions to many different problems including an elegant solution to attacks which we call the immune system. This solution can be replicated in software and while this kind of software is still in it's practical infancy it is a much better theoretical solution than the solutions currently deployed.

In a secure distributed information system it may make sense to implement this approach where economically feasible. The intelligent software immune system approach be desirable could be desirable in a blockchain computer which can be defined as a blockchain with distributed storage, bandwidth, and computation functionalities. In a blockchain computer each intelligent component in the secure distributed information system could check one another, using the blockchain as a shared ledger or source of truth.

The CRASH program

The CRASH (Clean Slate Design of Resilient Adaptive Hosts) is a program for DARPA in collaboration with Cornell University's Computer Science dept. In particular part of their goal was to explore the concept of and produce software immunity. To accomplish this goal the team built and utilized correct-by-construction concurrent systems. This is based upon the security by code correctness paradigm of cyber security which makes use of formal specification and verification, fully functional programming languages, computer assisted reasoners, and proof assistants.

Tauchain

Tauchain is a project in development to create a decidable logically consistent platform capable of providing the peer to peer networking capabilities utilizing the a best of class blockchain data structure and much more. It is unique in that it will adopt some of the same paradigm shifting techniques as the CRASH program and even goes far beyond it in scope. It will utilize dependently typed fully functional programming languages based on the work of Martin-Löf, and contain a built in reasoner. It will also have the ability to allow hosts to rent computation buyers through a Tauchain “context” (a Tauchain built in feature) called Agoras which is a decentralized market. Computers that take part in the computation rental market will be paid in Agoras tokens, but this same incentive structure could be used for storage, hiring programmers, and perhaps bandwidth as well.

Attack tolerant blockchains may be coming in the near future:

“We believe that the more code variants we can produce, the more resistant systems are to attack. We have found ways to automatically produce many provably equivalent variants of components using formal synthesis.”

(Van Reneese., et al 2011).

In the near future we may see the principles and knowledge acquired from the development of attack tolerant systems exported to blockchain based architectures. This would potentially provide more security benefits, as well as practical benefits. Whether this happens or not depends on the success or failure of certain projects such as Tauchain and on the desire of developers to build it out, but it appears to be theoretically possible.

Distributed applications which run on distributed blockchain infrastructure could have code variation for diversity, be modular enough so that the multiple provably equivalent variant components can be automatically switched in and out during an incident, and include multiple implementations of the protocols. The benefits of blockchain technology are just being discovered, but some of these benefits include data preservation as highlighted by Microsoft Research (Permacoin) (Miller., et al 2014), and because data isn't stored in any one place such as in the client/server model, and because it's stored distributed in encrypted spread across many hosts, this provides improvements to confidentiality and immunity in the era of data breaches like the Ashley Madison breach.

Additionally availability and integrity are also improved on blockchain infrastructure because every piece of information can be hashed on the blockchain even if it is stored off of the blockchain, and redundancy can be assured as off-chain computers can join in to host the data.

Incident response planning could be dramatically simplified in this context. The applications themselves along with the data and business logic could be distributed in the decentralized cloud, while the front end can be maintained by the business. In the situation where there is an incident such as distributed denial of service attack, it is very unlikely there would be a data breach, and the network could have self healing properties. This provides a new secure foundation for businesses and represents a new paradigm for cybersecurity.

References

Web: http://www.darpa.mil/program/clean-slate-design-of-resilient-adaptive-secure-hosts

Asor, O. (2015). About Tau-Chain. arXiv preprint arXiv:1502.04120.

Mazurczyk, W., Drobniak, S., & Moore, S. (2015). Towards a Systematic View on Cybersecurity Ecology. arXiv preprint arXiv:1505.04207.

Miller, A., Hicks, M., Katz, J., & Shi, E. Authenticated Data Structures, Generically.

Miller, A., Juels, A., Shi, E., Parno, B., & Katz, J. (2014, May). Permacoin: Repurposing bitcoin work for data preservation. In Security and Privacy (SP), 2014 IEEE Symposium on (pp. 475-490). IEEE.

Miller, A., & LaViola Jr, J. J. (2014). Anonymous byzantine consensus from moderately-hard puzzles: A model for bitcoin. Retrieved from Anonymous Byzantine Consensus from Moderately-Hard Puzzles: A Model for Bitcoin.

Van Renesse, R., Bickford, M., & Constable, R. (2011). Investigating correct-by-construction attack-tolerant systems.