Position Paper Submitted To
Department of Computer Science
(knight | sullivan) @virginia.edu
# Survivability Architectures

## Introduction

The national computing infrastructure is relied upon increasingly to carry out a variety of critical applications with the potential to affect life and property. Applications ranging from financial transactions of all scales to telecommunications to the nationwide control of power and transport systems to wide-area medical information systems are being built. These applications are constructed in large part from existing components on commodity platforms. Significant concerns have been raised about the possible effects of failure in these applications. Failure might be caused by equipment failures, software failures, or by terrorist actions, and the effects can be very serious. Massive denial of service is possible, as is extensive damage or even loss of life. A number of failures have already been reported.

Complicating the situation is the dependence of some of these applications on others. Limited protection against loss of power is afforded in some applications, but service following a power loss is usually severely reduced. Thus, for example, transportation systems will be affected significantly if there is a widespread loss of power. Similarly, loss of communication service will disrupt many other infrastructure applications such as finance, electronic commerce, and transportation.

In terms of survivability, critical infrastructure applications raise five novel requirements: (1) to combine different facets of dependability; (2) to provide relatively new forms of dependability such as security against terrorist attacks; (3) to support extensive functionality on distributed targets; (4) to use in their implementations commercial-off-the-shelf (COTS) and legacy systems that were not necessarily designed to support dependability; and (5) to evolve yet maintain dependability properties in response to technological and domain changes.

COTS and legacy systems cannot be expected to address the necessary reliability, availability, safety, or security needs of infrastructure applications. The volume pricing and extensive functionality available with COTS software systems make them very attractive in many instances, but their unproven dependability performance deters and frequently prohibits their use. Unfortunately, it is not merely COTS systems that fail to achieve or demonstrate dependability. Irrespective of the origin of the components, the complexity of large infrastructure systems is such that achieving high levels of dependability in any area varies from extremely difficult to essentially impossible. It is quite unrealistic to expect that a multi-million-line software system, no matter how carefully built, will be able to achieve the requisite levels of dependability if the complete system has to be analyzed.

Given that current (or foreseeable) software technology offers no hope of assuring the dependability or successful evolution of the needed applications as a whole, along with colleagues at Portland State University we are engaged in a research program that is developing advanced software survivability architectures to tackle the problems. These architectures are based on two concepts: generalized shells or guard processes to constrain the behavior of the applications; and generalized mediators to permit their evolution.

## Generalized Shells

The role of a generalized shell is to protect an application element from a dangerous world (i.e., protection of an application from a security threat) and to protect a vulnerable world from a dangerous application (i.e., protection of the remainder of a system and its context from a defective application element). The shell notion has been demonstrated with security kernels and guards and, more recently, with enforcement safety kernels.
Generalized shells permit the localization of dependability enforcement so that only the shells themselves will need significant verification efforts. A unique aspect of the shell approach that we are developing is the use of direct synthesis of the shell implementation from a set of policy specifications. This technique has been demonstrated and evaluated with the enforcement safety kernel implementation and found to be highly satisfactory. The synthesis approach provides the following three benefits:
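To make the shell idea concrete, the following is an added example (not code from the paper or its authors' enforcement kernel) of a guard process synthesized from a declarative policy specification. The policy states separately what the world may ask of the application element (inbound) and what the element may do to the world (outbound); `synthesize()` turns each clause into a check function, and the resulting `Shell` object is the only component whose correctness has to be argued. The policy fields, the `toy_application` element (which misbehaves on its update path) and the sample requests are all constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

# Constructed policy specification for a hypothetical application element.
# "inbound" protects the element from the world; "outbound" protects the
# world from the element.
POLICY = {
    "inbound": {
        "required_fields": {"principal", "op"},
        "allowed_ops": {"read", "update"},
        "max_payload_bytes": 256,
    },
    "outbound": {
        "allowed_targets": {"ledger", "audit"},
        "forbidden_ops": {"shutdown"},
        "max_actions_per_window": 3,
    },
}

@dataclass
class Verdict:
    allowed: bool
    reason: str = "ok"

Check = Callable[[dict], Verdict]

def synthesize_inbound(spec: dict) -> List[Check]:
    """Turn the inbound clauses of the policy into concrete check functions."""
    checks: List[Check] = []
    required = set(spec.get("required_fields", ()))
    if required:
        def has_fields(msg, required=required):
            missing = sorted(required - msg.keys())
            return Verdict(not missing, "ok" if not missing else f"missing fields {missing}")
        checks.append(has_fields)
    allowed_ops = set(spec.get("allowed_ops", ()))
    if allowed_ops:
        def op_allowed(msg, allowed=allowed_ops):
            ok = msg.get("op") in allowed
            return Verdict(ok, "ok" if ok else f"op {msg.get('op')!r} not permitted inbound")
        checks.append(op_allowed)
    limit = spec.get("max_payload_bytes")
    if limit is not None:
        def size_ok(msg, limit=limit):
            size = len(str(msg.get("payload", "")).encode())
            return Verdict(size <= limit, "ok" if size <= limit else f"payload {size} bytes exceeds {limit}")
        checks.append(size_ok)
    return checks

def synthesize_outbound(spec: dict) -> List[Check]:
    """Turn the outbound clauses of the policy into concrete check functions."""
    checks: List[Check] = []
    targets = set(spec.get("allowed_targets", ()))
    if targets:
        def target_ok(act, targets=targets):
            ok = act.get("target") in targets
            return Verdict(ok, "ok" if ok else f"target {act.get('target')!r} not in allowed_targets")
        checks.append(target_ok)
    forbidden = set(spec.get("forbidden_ops", ()))
    if forbidden:
        def op_not_forbidden(act, forbidden=forbidden):
            ok = act.get("op") not in forbidden
            return Verdict(ok, "ok" if ok else f"op {act.get('op')!r} is forbidden outbound")
        checks.append(op_not_forbidden)
    return checks

@dataclass
class Shell:
    """The guard process: every message crosses it in one direction or the other."""
    inbound: List[Check]
    outbound: List[Check]
    action_budget: Optional[int] = None     # outbound actions allowed per window
    actions_this_window: int = 0
    violations: List[Tuple[str, dict, str]] = field(default_factory=list)

    def _run(self, direction: str, checks: List[Check], msg: dict) -> Verdict:
        for check in checks:
            verdict = check(msg)
            if not verdict.allowed:
                self.violations.append((direction, msg, verdict.reason))  # audit record
                return verdict
        return Verdict(True)

    def admit(self, request: dict) -> Verdict:
        return self._run("inbound", self.inbound, request)

    def release(self, action: dict) -> Verdict:
        if self.action_budget is not None:
            self.actions_this_window += 1
            if self.actions_this_window > self.action_budget:
                reason = f"action budget {self.action_budget} exhausted for this window"
                self.violations.append(("outbound", action, reason))
                return Verdict(False, reason)
        return self._run("outbound", self.outbound, action)

    def new_window(self) -> None:
        self.actions_this_window = 0

def synthesize(policy: dict) -> Shell:
    return Shell(inbound=synthesize_inbound(policy["inbound"]),
                 outbound=synthesize_outbound(policy["outbound"]),
                 action_budget=policy["outbound"].get("max_actions_per_window"))

def toy_application(request: dict) -> List[dict]:
    """Hypothetical application element: returns the actions it wants performed."""
    if request["op"] == "read":
        return [{"target": "ledger", "op": "fetch", "key": request.get("key")}]
    # Defective update path: also tries to act on an unrelated system.
    return [{"target": "ledger", "op": "append", "key": request.get("key")},
            {"target": "plant_controller", "op": "shutdown"}]

def run_guarded(shell: Shell, app, request: dict) -> Tuple[bool, List[dict]]:
    """Admit a request, run the element, release each resulting action."""
    if not shell.admit(request).allowed:
        return False, []
    executed = [a for a in app(request) if shell.release(a).allowed]
    return True, executed

def demo():
    shell = synthesize(POLICY)
    results = [run_guarded(shell, toy_application, r) for r in (
        {"principal": "alice", "op": "read", "key": "k1"},      # admitted, one action released
        {"principal": "mallory", "op": "delete", "key": "k1"},  # rejected: op not permitted
        {"op": "read"},                                         # rejected: principal missing
        {"principal": "bob", "op": "update", "key": "k2"},      # admitted, shutdown action blocked
    )]
    return shell, results

if __name__ == "__main__":
    shell, results = demo()
    for r in results:
        print(r)
    for direction, msg, reason in shell.violations:
        print(f"[{direction}] blocked {msg}: {reason}")
```

Because the policy is data rather than hand-written checking code, changing a clause and re-running `synthesize()` produces a new shell without touching the application element, and the `violations` list records exactly which clause rejected which message, which is what one needs when refining a policy against observed behaviour.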
The first and third of these benefits ensure the practical viability of the approach. The second benefit allows the approach to be applied by "trial and error" when, as frequently occurs, the allowable behaviors are not known a priori.

## Generalized Mediators

Achieving the requisite functionality in critical systems cost-effectively requires the extension and integration of existing components. While these changes are difficult, it is perhaps even harder to make them in ways that do not themselves compromise survivability. Indeed, software evolution, in general, is a serious threat to survivability, albeit possibly a non-malicious one. Not just imposing survivability but preserving it in the face of ongoing software evolution demands novel architectural mechanisms geared to both evolution and survivability concerns. We are developing new techniques for the extension and integration of components using mediators as the fundamental design paradigm. Existing proven mediator technology is being extended to provide two new facilities: (a) protection mediators that support both the use of protection shells at the single component level and dependability enforcement in multi-component, integrated systems; and (b) network mediators that extend mediators to distributed applications.

## Workshop Position

It appears that major threats to the survivability of critical infrastructure applications cannot be ruled out. The profound consequences of failures of these systems demand that survivability be addressed urgently. In addition to external terrorist threats, survivability is threatened by non-malicious processes of inadequate software engineering and, especially, evolution. We are anxious to get reactions from the community to our survivability concepts, and to learn more from both practitioners and researchers about the state of the art and the state of the practice.