Creating a Cyber Moving Target for Critical Infrastructure Applications

Despite the significant amount of effort that often goes into securing critical infrastructure assets, many systems remain vulnerable to advanced, targeted cyber attacks. This paper describes the design and implementation of the Trusted Dynamic Logical Heterogeneity System (TALENT), a framework for live-migrating critical infrastructure applications across heterogeneous platforms. TALENT permits a running critical application to change its hardware platform and operating system, thus providing cyber survivability through platform diversity. TALENT uses containers (operating-system-level virtualization) and a portable checkpoint compiler to create a virtual execution environment and to migrate a running application across different platforms while preserving the state of the application (execution state, open files and network connections). TALENT is designed to support general applications written in the C programming language. By changing the platform on-the-fly, TALENT creates a cyber moving target and significantly raises the bar for a successful attack against a critical application. Experiments demonstrate that a complete migration can be completed within about one second.

[1]  Daniel Marques,et al.  Automated application-level checkpointing of MPI programs , 2003, PPoPP '03.

[2]  Yih Huang,et al.  Automating Intrusion Response via Virtualization for Realizing Uninterruptible Web Services , 2009, 2009 Eighth IEEE International Symposium on Network Computing and Applications.

[3]  Rudolf Eigenmann,et al.  Cetus - An Extensible Compiler Infrastructure for Source-to-Source Transformation , 2003, LCPC.

[4]  Julian Smart,et al.  Cross-Platform GUI Programming with wxWidgets (Bruce Perens Open Source) , 2005 .

[5]  Evan Sarmiento Securing freeBSD using jail , 2001 .

[6]  Tim Burke,et al.  A high-availability clustering architecture with data integrity guarantees , 2001, Proceedings 42nd IEEE Symposium on Foundations of Computer Science.

[7]  Patricia J. Teller,et al.  Proceedings of the 2008 ACM/IEEE conference on Supercomputing , 2008, HiPC 2008.

[8]  Julian Smart,et al.  Cross-Platform GUI Programming with wxWidgets , 2005 .

[9]  Georg Stellner,et al.  CoCheck: checkpointing and process migration for MPI , 1996, Proceedings of International Conference on Parallel Processing.

[10]  Richard Lippmann,et al.  Modeling Modern Network Attacks and Countermeasures Using Attack Graphs , 2009, 2009 Annual Computer Security Applications Conference.

[11]  Kai Li,et al.  CLIP: A Checkpointing Tool for Message Passing Parallel Programs , 1997, ACM/IEEE SC 1997 Conference (SC'97).

[12]  Kirill Kolyshkin,et al.  VIRTUALIZATION IN LINUX , 2006 .

[13]  John Nguyen,et al.  Storage: high-availability file server with heartbeat , 2001 .

[14]  Yih Huang,et al.  A security evaluation of a novel resilient web serving architecture: Lessons learned through industry/academia collaboration , 2010, 2010 International Conference on Dependable Systems and Networks Workshops (DSN-W).

[15]  Arun K. Sood,et al.  Closing cluster attack windows through server redundancy and rotations , 2006 .

[16]  Gabriel Rodríguez,et al.  CPPC: a compiler-assisted tool for portable checkpointing of message-passing applications , 2010 .

[17]  George Kesidis,et al.  Denial-of-service attack-detection techniques , 2006, IEEE Internet Computing.

[18]  Irfan Habib,et al.  Virtualization with KVM , 2008 .

[19]  Arun K. Sood,et al.  Securing Web Servers Using Self Cleansing Intrusion Tolerance (SCIT) , 2009, 2009 Second International Conference on Dependability.

[20]  Andrew Warfield,et al.  Live migration of virtual machines , 2005, NSDI.

[21]  Arun K. Sood,et al.  Incorruptible Self-Cleansing Intrusion Tolerance and Its Application to DNS Security , 2006, J. Networks.

[22]  Gabriel Rodríguez,et al.  CPPC: a compiler‐assisted tool for portable checkpointing of message‐passing applications , 2010, Concurr. Comput. Pract. Exp..

[23]  Arun Sood Intrusion Tolerance to Mitigate Attacks that Persist , 2010 .