Reference Model and Use Cases

This document constitutes the first deliverable of MAFTIA work package 1. The objective of this work package is to define a consistent framework for ensuring the dependability of distributed applications in the face of a wide class of threats. In particular, the aim is to develop a coherent set of concepts for an architecture that can tolerate deliberately malicious faults, such as intrusions, in applications distributed over the Internet. The intrusions of concern include not only those perpetrated by external penetrators, but also those carried out by corrupt insiders, i.e., users who are authorized to access the system but not authorized for the data, program or resource they access, and administrators who misuse their rights. Although intrusions are the primary class of targeted faults, the architecture should also be adequately robust against accidental physical faults and accidental design faults.
