MAFTIA's Interpretation of the IFIP 10.4 Terminology
David Powell, Yves Deswarte
LAAS-CNRS, Toulouse, France
deswarte@laas.fr

Dependability
Trustworthiness of a computer system such that reliance can justifiably be placed on the service it delivers.
J.-C. Laprie (Ed.), Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag, 1992.

The Dependability Tree
- Attributes: Availability, Reliability, Safety, Confidentiality, Integrity, Maintainability
  (Security groups availability, confidentiality and integrity, w.r.t. authorized actions)
- Impairments: Fault, Error, Failure
- Methods: Fault Prevention, Fault Tolerance, Fault Removal, Fault Forecasting

Are these attributes sufficient?

Security Properties (the many terms in use)
Availability, Integrity, Confidentiality, Anonymity, Auditability, Traceability, Authenticity, Accountability, Imputability, Privacy, Secrecy, Non-repudiability, Irrefutability, Opposability

Security Properties (reduced to the three basic ones: Confidentiality, Integrity, Availability)
  Property          Basic property   Applied to information   Applied to meta-information
  Accountability    A + I                                     existence of operation
  Anonymity         C                                         identity of person
  Privacy           C                personal data
  Authenticity      I                message content          message origin
  Non-repudiation   A + I                                     sender, receiver identity

Fault, Error & Failure
- Fault: adjudged or hypothesized cause of an error (examples: H/W fault, bug, intrusion; an attack is what produces an intrusion)
- Error: that part of system state which may lead to a failure
- Failure: occurs when delivered service deviates from implementing the system function

Example: Single Event Latchup (SEL) in a satellite on-board computer
- SELs (reversible stuck-at faults) may occur because of radiation (e.g., cosmic rays, high-energy ions)
- Cosmic ray: external fault
- Lack of shielding: vulnerability (internal, dormant fault)
- SEL: active fault (internal, externally-induced fault)

Intrusions
Intrusions result from (at least partially) successful attacks. Example: an account with a default password.
- Attack: external fault
- Vulnerability (the default password): internal, dormant fault
- Intrusion: active fault (internal, externally-induced fault) in the computing system

Who are the intruders?
Three classes, placed relative to the system's authentication and authorization barriers:
1: Outsider
2: User
3: Privileged user

Outsiders vs Insiders
- Outsider: not authorized to perform any of the specified object-operations
- Insider: authorized to perform some of the specified object-operations
- Diagram: A = privilege of user a, B = privilege of user b, D = an object-operation domain
- Outsider intrusion: unauthorized increase in privilege
- Insider intrusion: abuse of privilege

Fault Tolerance (Fault -> Error -> Failure)
- Error Processing: detection & recovery, damage assessment
- Fault Treatment: diagnosis, isolation, reconfiguration

Error Processing
[Figure: timelines for backward recovery, forward recovery and compensation-based recovery (fault masking)]

Error Processing (wrt intrusions)
- Error detection: detection of a security policy violation
  + Backward recovery (availability, integrity)
  + Forward recovery (availability, confidentiality)
- Intrusion masking
  + Fragmentation (confidentiality)
  + Redundancy (availability, integrity)
  + Scattering

Fault Treatment
- Diagnosis: determine the cause of the error, i.e., the fault(s): localization, nature
- Isolation: prevent new activation
- Reconfiguration: so that fault-free components can provide an adequate, although degraded, service

Fault Treatment (wrt intrusions)
- Diagnosis: non-malicious or malicious (intrusion); attack (to allow retaliation); vulnerability (to allow removal)
- Isolation: intrusion (to prevent further penetration); vulnerability (to prevent further intrusion)
- Reconfiguration: contingency plan to degrade/restore service, including attack retaliation and vulnerability removal

http://www.research.ec.org/maftia/

References
Avizienis, A., Laprie, J.-C., Randell, B. (2001). Fundamental Concepts of Dependability, LAAS Report N°01145, April 2001, 19 p.
Deswarte, Y., Blain, L. and Fabre, J.-C. (1991). Intrusion Tolerance in Distributed Systems, in IEEE Symp. on Research in Security and Privacy, Oakland, CA, USA, pp. 110-121.
Dobson, J. E. and Randell, B. (1986). Building Reliable Secure Systems out of Unreliable Insecure Components, in IEEE Symp. on Security and Privacy, Oakland, CA, USA, pp. 187-193.
Laprie, J.-C. (1985). Dependable Computing and Fault Tolerance: Concepts and Terminology, in 15th Int. Symp. on Fault Tolerant Computing (FTCS-15), Ann Arbor, MI, USA, IEEE, pp. 2-11.
Laprie, J.-C. (Ed.) (1992). Dependability: Basic Concepts and Terminology in English, French, German, Italian and Japanese, 265 p., ISBN 3-211-82296-8, Springer-Verlag.
Powell, D., Adelsbach, A., Cachin, C., Creese, S., Dacier, M., Deswarte, Y., McCutcheon, T., Neves, N., Pfitzmann, B., Randell, B., Stroud, R., Veríssimo, P., Waidner, M. (2001). MAFTIA (Malicious- and Accidental-Fault Tolerance for Internet Applications), Supplement of the 2001 International Conference on Dependable Systems and Networks (DSN2001), Göteborg, Sweden, 1-4 July 2001, IEEE, pp. D-32-D-35.
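As an added illustration of the intrusion-masking slide (fragmentation, redundancy, scattering), not taken from the MAFTIA project's own code: the hypothetical helpers below XOR-split an object into fragments, store a replica of each fragment on more than one site, and scatter them so that an intruder on any single site obtains a fragment that is useless on its own, while the loss of any single site still leaves every fragment reachable.

```python
import os
from typing import Dict, List, Optional, Set

# Hypothetical helpers constructed for this example (not MAFTIA code).
def fragment(secret: bytes, k: int) -> List[bytes]:
    """Fragmentation (confidentiality): k-1 random pads plus secret XOR pads,
    so any k-1 fragments are uniformly random and reveal nothing."""
    pads = [os.urandom(len(secret)) for _ in range(k - 1)]
    last = bytes(secret)
    for pad in pads:
        last = bytes(a ^ b for a, b in zip(last, pad))
    return pads + [last]

def defragment(frags: List[bytes]) -> bytes:
    """Inverse of fragment(): XOR all k fragments back together."""
    out = bytes(len(frags[0]))
    for f in frags:
        out = bytes(a ^ b for a, b in zip(out, f))
    return out

def scatter(frags: List[bytes], sites: List[str]) -> Dict[str, Dict[int, bytes]]:
    """Redundancy + scattering: site i stores fragment i mod k, so with at least
    2k sites every fragment has two replicas and no site holds two fragments."""
    k = len(frags)
    if len(sites) < 2 * k:
        raise ValueError("need at least 2k sites for two replicas per fragment")
    return {site: {i % k: frags[i % k]} for i, site in enumerate(sites)}

def reconstruct(storage: Dict[str, Dict[int, bytes]], k: int,
                available: Set[str]) -> Optional[bytes]:
    """Availability: collect one live replica of every fragment from the sites
    still reachable; None means some fragment has no surviving replica."""
    found: Dict[int, bytes] = {}
    for site in available:
        for idx, data in storage.get(site, {}).items():
            found.setdefault(idx, data)
    if len(found) < k:
        return None
    return defragment([found[i] for i in range(k)])

def max_fragments_per_site(storage: Dict[str, Dict[int, bytes]]) -> int:
    """Confidentiality check: most fragments of the object any one site exposes."""
    return max(len(held) for held in storage.values())

if __name__ == "__main__":
    secret = b"message origin: sender identity"   # constructed sample object
    sites = [f"site{i}" for i in range(6)]
    storage = scatter(fragment(secret, 3), sites)
    print(reconstruct(storage, 3, set(sites) - {"site0"}) == secret)  # True
```

With six sites and three fragments, losing both replicas of one fragment (for example site0 and site3) is the case the scheme does not survive, which is why the number of replicas per fragment is the availability parameter to tune.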