Analyzing the Feasibility of the Practical Implementation of Intrusion-Tolerant Systems
Abstract
Building secure and tamper-proof systems using traditional mechanisms has become an increasingly difficult goal to achieve. Recognition of this fact has raised interest in alternative approaches to security, such as intrusion tolerance, which applies fault-tolerance concepts and techniques to security problems. One of the main issues surrounding intrusion-tolerant systems is that many of the algorithms they use assume that system components fail or are compromised independently, an assumption that has repeatedly been questioned. In this paper we show that diversity makes it possible to build real intrusion-tolerant systems. We examine several forms of diversity and discuss how each can help in this task. In addition, we present a practical example of how an intrusion-tolerant system can be built using diversity.