[18]
Dependability, Survivability, and System Architectures
Carl E. Landwehr

"Dependability" has been defined as the trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers. Dependability attributes include availability, reliability, safety, security and others. IFIP WG 10.4 established these definitions and has initiated a series of conferences to present new results in this area that concern critical applications (those that may affect human survival, for example); these are the conferences on Dependable Computing for Critical Applications. There are clear links between the concept of system dependability and survivability as the term is presented in the President's Letter, IEEE COMPUTER, Nov. 1996, p.8, and in Howard Shrobe's presentation to ARPATech '96, May 22, 1996. Much of the work in dependability, however, has been oriented toward dealing with faults, errors, and failures in systems rather than with malicious attacks. But if dependability is to incorporate security as an attribute, then malicious attacks must be anticipated as well. Shrobe's definition of survivability calls for a system to continue to provide critical services and functions even after a "successful" attack. Clearly, as an opponent, I would not consider my attack on a system to have been fully successful if it continues to perform its critical services and functions after the attack, so there is perhaps some room to debate this definition. The real point, however, seems to be to learn how to construct systems that do not fail catastrophically in the face of an attack that breaches, in some sense, the system's outer perimeter. We want systems that can continue to operate effectively, albeit in a more limited way, in the face of such an event. Among the approaches Shrobe suggests for building systems with this property are adaptive architectures and diverse components.
Acknowledging the reality of flawed COTS components in critical systems, he suggests we develop "wrappers" for them to assure, with a high degree of confidence, that they maintain desired properties such as segregation of data at different security levels. In fact, NRL's Center for High Assurance Computer Systems has for several years pursued this kind of approach to provide MLS database capability using COTS databases. The SINTRA project provides the effect of an integrated MLS database by employing replicated COTS databases connected by a single, relatively simple, high assurance component: a reliable one-way flow device called the NRL Pump. This architecture is currently being prototyped in the context of the Joint Maritime Combat Information Systems (JMCIS) and is under consideration in other contexts as well. The COTS DBMSs used in this approach can be attacked, but even a Trojan horse shipped with the COTS DBMS cannot cause information to flow downward, because the Pump provides no path for it. Another promising new idea in this area is the Starlight Interactive Link developed by the Australian DSTO and presented at the ACSAC conference in San Diego, Dec. 1996. This device permits a COTS-based workstation to function in many respects as though it had a high assurance MLS OS, but achieves this by attaching a simple, high assurance device to the keyboard so that keystrokes can be redirected to either a High or a Low X-Window server under the user's control. In FY97, NRL plans to demonstrate Starlight and SINTRA technologies in combination as the first step toward a high assurance MLS X.500 directory capability. These ideas are the beginning, not the end. They are still, for example, focused most strongly on preventing improper disclosure of sensitive information rather than on assuring availability and integrity.
The information survivability program needs to foster similar approaches that can, at relatively low cost, permit the use of COTS components in a way that limits the effects of their vulnerabilities.
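The SINTRA arrangement sketched above, reduced to a toy model (an added illustration, not NRL or SINTRA code; the Replica, Pump, user_write, trojan_leak and demo names are my own): each level has its own untrusted COTS replica, and the only connection between them is a pump that forwards Low data upward and has no downward path at all, so a Trojan horse in the High DBMS cannot leak a High row even when it tries.

```python
# Toy model of the SINTRA pattern above: a COTS database replica per level, joined
# only by a Pump that forwards Low -> High. Constructed illustration, not NRL code;
# class and function names are assumptions.
from dataclasses import dataclass, field

LOW, HIGH = "Low", "High"

@dataclass
class Replica:
    """An untrusted COTS DBMS replica holding the data visible at one level."""
    level: str
    rows: dict = field(default_factory=dict)  # key -> (value, origin level)

    def write(self, key, value, origin):
        self.rows[key] = (value, origin)

class Pump:
    """The single high-assurance component: a reliable one-way Low -> High link."""
    def __init__(self, low, high):
        self.low, self.high = low, high
        self.blocked = []  # audit trail of refused transfers

    def forward(self, src_level, key, value):
        if src_level == LOW:
            self.high.write(key, value, LOW)  # Low data is replicated upward
            return True
        self.blocked.append((src_level, key))  # no path exists for downward flow
        return False

def user_write(pump, level, key, value):
    """A write at `level` lands in that level's replica; Low writes replicate up."""
    if level == LOW:
        pump.low.write(key, value, LOW)
        pump.forward(LOW, key, value)
    else:
        pump.high.write(key, value, HIGH)

def trojan_leak(pump, key):
    """A Trojan horse in the High DBMS tries to push a High row toward Low."""
    value, _ = pump.high.rows[key]
    return pump.forward(HIGH, key, value)

def demo():
    pump = Pump(Replica(LOW), Replica(HIGH))
    user_write(pump, LOW, "ship", "Enterprise")    # unclassified fact
    user_write(pump, HIGH, "position", "47N 12W")  # sensitive fact, High only
    leaked = trojan_leak(pump, "position")
    return pump, leaked
```

After demo() runs, the High replica holds both rows, the Low replica holds only the Low row, and the refused transfer is recorded in pump.blocked.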
As far as my personal background is concerned, I head the Computer Security Section of NRL's Center for High Assurance Computer Systems. I founded IFIP WG 11.3 on Database Security, and I acted as its liaison with IFIP WG 10.4 in organizing two joint meetings to address security as an aspect of dependability. I also served as program chair for the third conference on Dependable Computing for Critical Applications (jointly with Brian Randell of the U. of Newcastle), and I have served on the Program Committee of the subsequent editions of that conference (DCCA-4 through DCCA-6). I have chaired an international panel on Trustworthy Computing Technologies (recently renamed Secure Information Systems), and I have been appointed a consultant to NATO. I am also presently serving on a National Research Council study panel on Security and Privacy in Medical Information Applications of the National Information Infrastructure.