Bend, Don’t Break: Using Reconfiguration to Achieve Survivability

Our national interests are becoming increasingly dependent on the continuous, proper functioning of large-scale, heterogeneous, and decentralized computing enterprises. Examples of such systems abound, ranging from military command and control to vital national security assets such as the financial and banking system. They are formed from large numbers of components originating from multiple sources, some trusted and some not, assembled into complex and dynamically evolving structures. Protecting these interests is critical, yet their sheer scale and diversity has gone far beyond our organizational and technical abilities to protect them. Manual procedures— however well designed and tested—cannot keep pace with the dynamicity of the environment and cannot react to security breaches in a timely and coordinated fashion, especially in the context of a networked enterprise. We are designing a secure, automated framework for proactive and reactive reconfiguration of large-scale, heterogeneous, distributed systems so that critical networked computing enterprises can tolerate intrusions and continue to provide an acceptable level of service. Proactive reconfiguration adds, removes, and replaces components and interconnections to cause a system to assume postures that achieve enterprise-wide intrusion tolerance goals, such as increased resilience to specific kinds of attacks or increased preparedness for recovery from specific kinds of failures. Proactive reconfiguration can also cause a relaxation of tolerance procedures once a threat has passed, in order to reduce costs, increase system performance, or even restore previously excised data and functionality. In a complementary fashion, reactive reconfiguration adds, removes, and replaces components and interconnections to restore the integrity of a system in bounded time once an intrusion has been detected and the system is known or suspected to have been compromised. Recovery strategies made possible by reactive reconfiguration include restoring the system to some previously consistent state, adapting the system to some alternative non-compromised configuration, or gracefully shedding non-trustworthy data and functionality. In our view, proactive and reactive reconfiguration are two sides of the same coin that can be profitably unified into a coherent and comprehensive survivability mechanism.