CERT
ISW'97 site

Self-Analysis for Survival

Dale M. Johnson
Joshua D. Guttman
John P. L. Woodward

The MITRE Corporation
{dmj,guttman,jplw}@mitre.org

I. Underlying goals. Our involvement with the issues of information survivability derives primarily from our involvement with information warfare. Thus, we view information survivability as a goal to be achieved through the techniques of defensive information warfare. These cover a wide range; indeed, one of the advantages of the "information warfare" point of view is that it encourages one to apply many of the methods one would use in other forms of warfare. Warfare rewards deception, unpredictability, and flexibility; it requires a succession of levels of defense; it imposes response under uncertainty. All of these methods must be used to ensure that critical resources ranging from command and control systems to the public telephone and power networks remain available for critical functions despite concerted attacks.

For this reason, information survivability calls for a large bag of tricks. One will want to create appealing electronic traps ("honeypots"). One will try to equip systems with redundant and deceptive information flows. One will design systems to have interchangeable implementations of certain components, so that the adversary cannot be confident that an attack on a flaw in a single implementation will succeed.

In this position paper, however, we will focus on a particular aspect of the problem. Our focus will be on techniques that can be used before attack to analyze the strengths and weaknesses of our systems. The results of analysis can be used for a number of purposes:

  • to design changes in the systems, such as adding redundant components to tolerate additional faults, or such as reorganizing components to reduce functional dependencies;

  • to determine what kinds of information can be inferred by an attacker, such as functional dependencies that would suggest critical targets for attack;

  • to develop response scenarios to maximize functionality in the face of different kinds of attacks;

  • to suggest useful ways to appraise information delivered by a system when the system may have been compromised in part by an attack.

Methods for self-analysis must consider a number of different kinds of information about our own systems. They include:

  • Functional dependencies among the modules of a system: if a particular module is "taken out," or else damaged by corrupting its data or control state, what other modules will fail?

  • Data flow and communications: which distributed components will fail if a given set of communication paths are disrupted?

  • Data quality and reliability: if data is corrupted in one component, which other components will produce misinformation? Can some components improve the quality of information, for instance, by checking whether independent sources of information are compatible?

In all of these areas it is crucial to consider the degree of redundancy available, and the tolerance to faults it offers. It is also crucial to consider the degree of unpredictability that the adversary must face. Can he be sure that an attack will have an impact? Can he detect whether it is actually having an impact? Similarly, one wants to consider the degree of diversity within one's systems, whether they will all fall to similar attacks, or whether the adversary must develop independent tactics to undermine them.

II. Modeling Framework. Many of the issues we have introduced can be analyzed in a common modeling framework. We find it frequently natural and informative to model systems under analysis as graphs. The modeling framework may be used in many ways. For instance, the nodes may represent software modules, where the directed edges represent dependency or data flow. Alternatively, the nodes may represent distributed components of a system, where the directed edges represent the mechanisms they use for communication. In different cases, one will represent these mechanisms at different levels of abstraction. They may be something concrete, such as a radio link, or something complex, such as the SIPRNET. In some cases, the nodes may represent components, while the edges represent the information they pass between themselves, regardless of its medium. For instance, this approach is appropriate if one wants to analyze the quality of information as it flows between components, some of which may be corrupted.
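As an added illustration of the graph framework (example code written for this edition, not part of the position paper), the following models modules as nodes whose dependencies are grouped into sets of alternative providers, so that redundancy is explicit, and answers the three questions from Section I: which modules fail when a given set is taken out, which single nodes are the critical targets, and how many simultaneous losses a module tolerates. The sample system is constructed.

```python
from itertools import combinations

# Constructed sample system (not from the paper): module -> list of
# requirement groups. Each group is a set of alternative providers; the
# module fails when every provider in some group has failed.
SYSTEM = {
    "dns_a": [], "dns_b": [], "db_primary": [], "db_replica": [],
    "auth": [{"dns_a", "dns_b"}, {"db_primary", "db_replica"}],
    "web": [{"auth"}, {"dns_a", "dns_b"}],
    "report": [{"db_primary"}],  # single point of dependence
}


def propagate_failures(system, initially_failed):
    """All modules that fail once the given ones are 'taken out'.
    Iterates the dependency rule to a fixed point."""
    failed = set(initially_failed)
    changed = True
    while changed:
        changed = False
        for module, groups in system.items():
            if module not in failed and any(g <= failed for g in groups):
                failed.add(module)
                changed = True
    return failed


def critical_targets(system):
    """Rank single modules by how many others their loss drags down:
    the dependency information an attacker would try to infer, and the
    list a defender works through when deciding where to add redundancy."""
    impact = {n: len(propagate_failures(system, {n}) - {n}) for n in system}
    return sorted(impact.items(), key=lambda kv: (-kv[1], kv[0]))


def fault_tolerance(system, target):
    """Smallest number of other modules whose joint loss fails `target`
    (None if no dependency reaches it). Brute force over subsets, so
    only meant for models with a few dozen nodes."""
    others = [n for n in system if n != target]
    for k in range(1, len(others) + 1):
        for combo in combinations(others, k):
            if target in propagate_failures(system, combo):
                return k
    return None
```

Edges into a module with a single provider (here `report`) are exactly the functional dependencies an adversary would look for, and `fault_tolerance` makes the benefit of the redundant `dns_a`/`dns_b` pair measurable.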

III. Example: Policy-Based Adaptation.

Routing for networks has long included "survival" techniques aimed at dealing with breaks in network topologies and heavy traffic load conditions. The Open Shortest Path First (OSPF) Protocol (RFC 1583), for example, provides fault-tolerant algorithms for detecting breaks in topologies and dynamically reconfiguring routing tables to avoid them (cf. Bertsekas and Gallager, Data Networks, Ch. 5). To achieve information survivability, it should be possible to lift these techniques from the network layer to the level of information.

We assume there is a set of nodes storing items of information (information storehouses) in a network. At times these items are transmitted through the network from one node to another. We assume two forms of redundancy: the information items are stored redundantly at more than one node, and the nodes have a high degree of connectivity in the topology. On this basis, it is possible to develop policies aimed at information survivability. We may assume various levels of trust or reliability concerning the information at nodes and concerning the transmission paths of the network. We could use modified forms of policy routing (D. Clark, RFC 1102) combined with OSPF ideas. For example, to be assured that information from node A is properly transmitted to node B, we could lay down a policy concerning more trusted routes and use several routes to transmit the information redundantly. Many policies are possible. They could be tailored to the value of the information items being considered, the need to store them at several nodes, and the desire to use several trustworthy routes to guarantee with a high probability their correct transmission.
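The policy sketched above, as an added example (not the paper's own code): a trust level is attached to each link, the policy admits only links at or above a threshold, several link-disjoint routes are chosen from A to B for redundant transmission, and a check reports whether the item still arrives after a given set of links is disrupted (the question raised under data flow in Section I). The topology and trust values are constructed.

```python
from collections import deque

# Constructed sample topology: (node, node, trust); 3 = most trusted link.
LINKS = [
    ("A", "R1", 3), ("A", "R2", 3), ("A", "R3", 1), ("R1", "B", 3),
    ("R2", "R4", 2), ("R4", "B", 3), ("R3", "B", 1), ("R2", "B", 1),
]

def trusted_graph(links, min_trust):
    """Policy step: keep only links at or above the trust threshold."""
    adj = {}
    for u, v, t in links:
        if t >= min_trust:
            adj.setdefault(u, set()).add(v)
            adj.setdefault(v, set()).add(u)
    return adj

def shortest_path(adj, src, dst):
    """Breadth-first search over the policy-filtered graph."""
    prev, queue = {src: None}, deque([src])
    while queue:
        u = queue.popleft()
        if u == dst:
            path = []
            while u is not None:
                path.append(u)
                u = prev[u]
            return path[::-1]
        for v in sorted(adj.get(u, ())):  # sorted for repeatable output
            if v not in prev:
                prev[v] = u
                queue.append(v)
    return None

def redundant_routes(links, src, dst, min_trust, want):
    """Up to `want` link-disjoint trusted routes, found greedily by taking
    the shortest route and removing its links (a lower bound on the true count)."""
    adj, routes = trusted_graph(links, min_trust), []
    while len(routes) < want:
        path = shortest_path(adj, src, dst)
        if path is None:
            break
        routes.append(path)
        for u, v in zip(path, path[1:]):
            adj[u].discard(v)
            adj[v].discard(u)
    return routes

def delivered(routes, cut_links):
    """True if at least one route avoids every cut link (frozenset pairs)."""
    return any(not {frozenset(e) for e in zip(p, p[1:])} & cut_links
               for p in routes)
```

Raising the threshold trades route count for trust: at threshold 2 the sample yields two disjoint routes, at threshold 3 only one.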

Another mode of transmission could be used: covert channels. One could pick a variety of signalling channels to send information items around the network with little chance of detecting the nature of the information. Ordinary messages could conceal valuable information in a covert manner. Such channels are fairly easy to build and can be used to transmit a significant amount of information.

In these ways standard techniques could be lifted to the level of information survivability. The class of attacks or faults which they may be expected to withstand can be studied systematically using graph-based analysis.
