Can Reliability and Security be Joined Reliably and Securely?
Abstract
The combined topics of reliability and security are briefly traced in relation to the past and present endeavors of the Air Force Research Laboratory's Information Directorate.

1. The Past and the Future

Prior to being integrated into the Air Force Research Laboratory, the former Rome Laboratory had for many decades a distinguished reliability research program. Because many of the electronic systems procured by the DoD are complex, first-of-a-kind systems with demanding reliability goals, there was little or no specific historical data on which to base system reliability estimates. The need for analyzing the reliability of these systems was met by a military handbook (although it is often mistakenly called a military specification or mil-spec). The basic concept behind MIL-HDBK-217, "Reliability Prediction of Electronic Equipment", was to use historical piece-part failure data to build an estimate of future system reliability [1]. To many, MIL-HDBK-217 symbolized what they perceived as distasteful about reliability: it promoted stress derating and screening, and that caused the building of systems to move at a glacial pace. It led not to leading-edge but to trailing-edge designs. Some of these critics sought to replace MIL-HDBK-217 with a "physics-of-failure" approach that would analyze each individual failure mechanism separately to estimate component life [1]. One outspoken group maintained that continual adherence to a mil-spec meant being literally stuck in a rut [2]. This comment deserves a parenthetical explanation. (The US standard railroad gauge, the distance between the rails, is 4 feet 8 1/2 inches. Why is this exceedingly odd number used? The answer is traceable to ancient times. The US railroads adopted the gauge used in England. The English had built their railroads using the same gauge as their pre-railroad tramways found in coal mines. It so happened that the tools and jigs the tramway builders used were the same as those used to build wagons, and thus the tramway rails and wagons had identical wheel spacing. The spacing of wagon wheels was set at a de facto distance determined by the uniformly separated ruts found in roads throughout England. Who built these old rutted roads? The first long-distance roads were built by Imperial Rome for its legions, and the ruts were made by Roman war chariots. Everyone who later used these roads had to match these ruts or else their wagons would break. Thus, those derisive of military specifications could state that deriving the US standard railroad gauge from the ancient Roman army chariots demonstrates that mil-specs seem to live forever!) Realistically, however, whenever it became cost-effective, railroading changed with the adoption of new technology. For instance, the caboose, once required by law to accompany every freight train, has now faded into nostalgia, having been replaced by sophisticated electronic end-of-train telemetry devices [3].

Changes also occurred for Rome Laboratory, and these too were technology driven. In the latter half of the 1990s, Rome Laboratory was reorganized under the newly formed Air Force Research Laboratory (AFRL). As the new headquarters for AFRL's Information Directorate, the former Rome Laboratory divested itself of "hard-core" reliability functions such as life testing, parts control, and reliability prediction and modeling. Information technologies for the warfighter became the focus, and this focus embodied three thrusts: global awareness, dynamic planning and execution, and global information exchange. Delivering the right information to the right person, at the right time, and in the right form is paramount if the Air Force is to achieve information dominance. Note that the repeated use of "right" carries the connotation that the information is provided reliably.
Although reliability as a major mission component seemed to disappear altogether, the need to furnish it did not; only the means of providing reliability had to be reshaped. Past reliability practices had to give way to procedures that would consider using mainstream information technology. The order of precedence when designing for military applications is first to adopt commercial technologies, second to adapt them, and third to resort to specialized, mil-spec-like components. One way to improve reliability is with fault tolerance. The effect of a fault-tolerant design strategy on system reliability can be expressed as follows [4]:

$$R_{system} = \Pr\{\text{no fault}\} + \Pr\{\text{correct operation} \mid \text{fault}\} \cdot \Pr\{\text{fault}\}$$

The first term is the probability that no fault will occur; it is usually achieved by high-reliability (possibly mil-spec) components. Fault tolerance is represented by the second term. $\Pr\{\text{correct operation} \mid \text{fault}\}$ is the conditional probability that the system will continue to operate correctly given the occurrence of a fault. In the context of the above equation, the desired reliability can be obtained in spite of imperfect components as long as the fault tolerance techniques are up to the task. Unfortunately, failures may be induced not only by natural phenomena but also by information attack, and this goes beyond the scope of reliability. Security of computers and communications has long been an active area of research for the Air Force and continues today in the Information Directorate's commitment to information assurance. Information assurance has the following attributes: availability (an attribute close to reliability [4]), confidentiality, authentication, integrity, and non-repudiation [5]. Evidence of this commitment is a large research program conducted by the Defensive Information Warfare Branch. Linking security and fault tolerance is non-trivial.
The probability of failure can be reasonably measured for natural faults, but the likelihood of failures induced by a directed attack depends on intangibles such as the skill, determination, and power of the attackers. Furthermore, redundancy is a typical prerequisite for fault tolerance, yet replicating a secret runs contrary to normal security practice. In the Information Directorate, research is underway to join fault tolerance with security in ways that eliminate the conflicts between the two. The potential is to leverage concepts from the well-researched fault tolerance domain to address information assurance problems in distributed and mobile systems. A demonstration of this leveraging is the continuing development of the Software Radio Development System (SoRDS) [6]. SoRDS will implement a secure fault-tolerant voting scheme called the Timed-Buffer Distributed Voting Algorithm (TB-DVA) [7]. Compared to previous approaches, TB-DVA consumes less bandwidth in wireless communications and increases security without sacrificing any of the fault coverage of traditional majority voting schemes. TB-DVA masks system integrity attacks at the expense of time. Removing the disruptive behavior of these attacks could be done by eliminating their sources, that is, by empowering the system to deliberately cause failure. An offensive information warfare capability of this kind would be unique and therefore highly irreplaceable within the system. It must therefore be reliable, yet devised in such a way that it cannot be turned into a weapon for the adversary. The same holds when replicating services to enable fault tolerance. Redundancy per se may not increase security but may actually diminish it: an attacker who takes over one replica will probably use it as a platform to repeat the attack on the remaining ones.
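As an added worked example (not code from the paper, and not an implementation of TB-DVA or SoRDS), the reliability decomposition quoted above can be carried through numerically for n replicas behind a majority voter, and then extended with a constructed parameter, p_spread, that models the last point: an attacker who has taken one replica uses it as a platform against the rest. The ideal majority voter, the independence of natural faults, the p_spread parameter and the sample value r = 0.9 are all assumptions of this illustration, not statements from the paper.

```python
"""Added illustration of the fault-tolerance decomposition

    R_system = Pr{no fault} + Pr{correct operation | fault} * Pr{fault}

for n replicas behind a majority voter, plus a constructed model of an attacker
who hops from one compromised replica to the others. Not code from the paper."""
from math import comb


def reliability_terms(r: float, n: int = 3) -> dict:
    """Split system reliability into the two terms of the equation.

    Assumptions (constructed): each replica works independently with
    probability r, and the system is correct whenever a strict majority of
    replicas works (an ideal majority voter).
    """
    pr_no_fault = r ** n
    pr_fault = 1.0 - pr_no_fault
    # Probability that at least one replica fails yet a majority still works.
    pr_correct_and_fault = sum(
        comb(n, k) * r ** k * (1 - r) ** (n - k)
        for k in range(n // 2 + 1, n)          # k good replicas, 1..(n-1) bad
    )
    pr_correct_given_fault = pr_correct_and_fault / pr_fault if pr_fault else 1.0
    return {
        "pr_no_fault": pr_no_fault,
        "pr_fault": pr_fault,
        "pr_correct_given_fault": pr_correct_given_fault,
        "r_system": pr_no_fault + pr_correct_given_fault * pr_fault,
    }


def reliability_with_spread(r: float, p_spread: float, n: int = 3) -> float:
    """Reliability when faults are no longer independent because of an attacker.

    Constructed model: each replica is initially compromised with probability
    1 - r, independently. If any replica is compromised, the attacker uses it
    as a platform and independently compromises each remaining good replica
    with probability p_spread. p_spread = 0 recovers independent faults;
    p_spread = 1 means a single foothold takes the whole group down.
    """
    total = 0.0
    for k in range(n + 1):                      # k replicas initially good
        p_k = comb(n, k) * r ** k * (1 - r) ** (n - k)
        if k == n:                               # no foothold, nothing spreads
            total += p_k
            continue
        for s in range(n // 2 + 1, k + 1):       # s survivors must be a majority
            p_s = comb(k, s) * (1 - p_spread) ** s * p_spread ** (k - s)
            total += p_k * p_s
    return total


if __name__ == "__main__":
    r = 0.9  # constructed per-replica reliability
    terms = reliability_terms(r)
    print(f"TMR, r={r}: " + ", ".join(f"{k}={v:.4f}" for k, v in terms.items()))
    for p in (0.0, 0.5, 1.0):
        rs = reliability_with_spread(r, p)
        verdict = "better" if rs > r else "worse"
        print(f"p_spread={p}: R_system={rs:.4f} ({verdict} than a single replica)")
```

With r = 0.9 and three replicas, independent faults lift reliability from 0.9 to 0.972; if a compromise spreads to each remaining replica half the time the figure drops to about 0.79, and if a foothold always propagates it falls to 0.729, below a single unreplicated component. That last case is the paper's warning in numbers: replication only pays off when the replicas fail independently, which an attacker can deliberately undo.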
In the realm of information assurance, system features created to tolerate benign failures and to respond to attack must be stressed and tested beforehand and their effectiveness predicted; otherwise they might inadvertently magnify the attacker's power. With the explosive growth of distributed and mobile systems and the need for information assurance to address the accompanying vulnerabilities, one history lesson comes to mind: although ancient Rome was not built in a day, it did not take very long for it to fall once the barbarians took hold.
Similar sources
Telepathic Communication Generation using Nano Fiber Ring
The communication security is set up by registration during the first belief and get in touch between two human beings. The safety codes among them are generated and the records are blocked by these protection codes if the end user is not the required one. On the other hand, the unlocked records are transmitted if the required end user is confirmed by the feedback brain signals via the comments min...
A Topology-aware Reliable Routing Protocol for Internet Security in Virtual Private Network
Most Virtual Private Networks (VPNs) suffer from security-related and overhead problems. During inter-domain routing, the conventional protocols require each gateway to resend its routing table periodically to all its neighbors, thus increasing the delay. Since VPNs carry sensitive information over an insecure network, the traffic in this network has to be transmitted reliably and secu...
ELK, A New Protocol for Efficient Large-Group Key Distribution
Secure media broadcast over the Internet poses unique security challenges. One problem is access control to a large number of subscribers in a public broadcast. A common solution is to encrypt the broadcast data and to disclose the decryption key to legitimate receivers only. However, how do we securely and efficiently establish a shared secret among the legitimate receivers? And most importantly,...
A Language for Securely Referencing Persistent Information in a Federated System
Referential integrity, which guarantees that named resources can be accessed when referenced, is an important property for reliability and security. In distributed systems, however, the attempt to provide referential integrity can itself lead to security vulnerabilities that are not currently well understood. This paper identifies three kinds of referential security vulnerabilities related to t...
A Flexible Implementation of a Web-based Election System for Educational Organizations
Web-based on-line voting and on-line election systems provide benefits of usability, manageability and security. A particular workflow in any phase of on-line election process can be modeled and implemented securely by employing basic security applications readily provided by well established cryptographic technologies. By analyzing data-flow between different phases in the workflow, secure pro...
Publication date: 2001