Incorruptible Self-Cleansing Intrusion Tolerance and Its Application to DNS Security

Despite the increased focus on security, critical information systems remain vulnerable to cyber attacks. The trend lends importance to the concept of intrusion tolerance: there is a high probability that systems will be successfully attacked and a critical system must fend off or at least limit the damage caused by unknown and/or undetected attacks. In prior work, we developed a Self-Cleansing Intrusion Tolerance (SCIT) architecture that achieves the above goal by constantly cleansing the servers and rotating the role of individual servers. In this paper, we show that SCIT operations can be incorruptibly enforced with hardware enhancements. We then present an incorruptible SCIT design for use by one of the most critical infrastructures of the Internet, the domain name systems. We will show the advantages of our designs in the following areas: (1) incorruptible intrusion tolerance, (2) high availability, (3) scalability, the support for using high degrees of hardware/server redundancy to improve both system security and service dependability, and (4) in the case of SCIT-based DNSSEC, protection of the DNS master file and cryptographic keys. It is our belief that incorruptible intrusion tolerance as presented here constitutes a new, effective layer of system defense for critical information systems.