Publications (9)

  • Article: SDL Technical Report SRI-SDL-04-02
    ABSTRACT: We present a novel approach for key management in wireless sensor networks. Using initial trust built from a small set of shared keys, low-cost protocols enable neighboring sensors to authenticate and establish secure local links. As the risk of sensor compromise increases with time, the keys are used only for a limited period right after deployment. Once secure local links are established, other security services such as group-key refresh can be provided. The protocols we present require little memory and processing power, and require a small number of shared keys independent of the network size. Moreover, these protocols do not depend on a trusted server or base station. To validate the applicability of our approach to ad hoc wireless sensor networks, we have implemented our protocols on the TinyOS-based Mica platform and applied them to secure a perimeter monitoring application.
    05/2004;
  • Article: An Architecture for an Adaptive Intrusion-Tolerant Server
    ABSTRACT: We describe a general architecture for intrusion-tolerant enterprise systems and the implementation of an intrusion-tolerant Web server as a specific instance. The architecture comprises functionally redundant COTS servers running on diverse operating systems and platforms, hardened intrusion-tolerance proxies that mediate client requests and verify the behavior of servers and other proxies, and monitoring and alert management components based on the EMERALD intrusion-detection framework. Integrity and availability are maintained by dynamically adapting the system configuration in response to intrusions or other faults. The dynamic configuration specifies the servers assigned to each client request, the agreement protocol used to validate server replies, and the resources spent on monitoring and detection. Alerts trigger increasingly strict regimes to ensure continued service, with graceful degradation of performance, even if some servers or proxies are compromised or faulty. The system returns to less stringent regimes as threats diminish. Servers and proxies can be isolated, repaired, and reinserted without interrupting service.
    06/2003;
  • Conference Proceeding: Dependable Intrusion Tolerance: Technology Demo.
    3rd DARPA Information Survivability Conference and Exposition (DISCEX-III 2003), 22-24 April 2003, Washington, DC, USA; 01/2003
  • Article: RV'02 Preliminary Version
    Joshua Levy, Hassen Saïdi, Tomas E. Uribe
    ABSTRACT: Runtime verification permits checking system properties that cannot be fully verified off-line. This is particularly true when the system includes complex third-party components, such as general-purpose operating systems and software libraries, and when the properties of interest include security and performance. The challenge is to find reliable ways to monitor these properties in realistic systems. In particular, it is important to have assurance that violations will be reported when they actually occur. For instance, a monitor may not detect a security violation if the violation results from a series of system events that are not in its model.
    08/2002;
  • Conference Proceeding: An Architecture for an Adaptive Intrusion-Tolerant Server.
    Security Protocols, 10th International Workshop, Cambridge, UK, April 17-19, 2002, Revised Papers; 01/2002
  • Article: Design Assurance Arguments for Intrusion Tolerance
    ABSTRACT: We introduce the notion of a design assurance argument as a diverse assembly of design choices, evidence, and reasoning that makes a convincing case that the design of the system, from abstract architecture to the most concrete details of implementation and operation, meets appropriate operational and security requirements. We sketch an approach to forming design assurance arguments and discuss its advantages and applicability to intrusion tolerant systems, using an intrusion tolerant Web server as an illustration.
  • Article: Intrusion tolerance and worm spread
    ABSTRACT: We show how the Dependable Intrusion Tolerance (DIT) server architecture prevents the effects and propagation of some common Internet viruses and worms. This results from complementary detection and prevention mechanisms that provide defensive depth, and the application of the principle of least privilege at the network level, including the use of signature-based IDS to enforce higher-level specifications.
  • Article: Self-regenerative software components
    ABSTRACT: Self-regenerative capabilities are a new trend in survivable system design. Self-regeneration ensures the property that a system's vulnerabilities cannot be exploited to the extent that the mission objective is compromised, but instead that the vulnerabilities are eventually removed, and system functionality is restored. To establish the usefulness of self-regenerative capabilities in the design of survivable systems, it is important to ensure that a system satisfying the self-regenerative requirement is survivable, and software engineering practices and tool support are available for building self-regenerative systems. This paper emphasizes the need for formal definition of the concept of self-regenerative systems in general and self-regenerative software components in particular. We propose a simple formal definition of a self-regenerative software component and we propose to adapt well-established formal software validation techniques to build tool support to implement self-regenerative capabilities at the component level.
  • Article: Combining Monitors for Runtime System Verification
    ABSTRACT: Runtime verification permits checking system properties that cannot be fully verified off-line. This is particularly true when the system includes complex third-party components, such as general-purpose operating systems and software libraries, and when the properties of interest include security and performance. The challenge is to find reliable ways to monitor these properties in realistic systems. In particular, it is important to have assurance that violations will be reported when they actually occur. For instance, a monitor may not detect a security violation if the violation results from a series of system events that are not in its model. We describe how combining runtime monitors for diverse features such as memory management, security-related events, performance data, and higher-level temporal properties can result in more effective runtime verification. After discussing some basic notions for combining and relating monitors, we illustrate their application in an intrusion-tolerant Web server architecture under development at SRI.
    Electronic Notes in Theoretical Computer Science.