SCSC2003 Abstract S436
A Simulation/Prototype Co-Design Approach for Assuring the Effectiveness of Securing a Distributed System
Submitting Author: Dr. Kevin Kwiat
Abstract:
The Air Force Research Laboratory’s Information Directorate (AFRL/IF) fulfilled a need for protecting distributed systems in a hostile environment by developing a voting algorithm called the Timed-Buffer Distributed Voting Algorithm (TBDVA). It replaces the ‘prepare’ and ‘commit’ phases of the standard 2-phase commit protocol with distinct ‘commit’ and ‘dissent’ phases executed in that sequence. TBDVA is built upon primitive tools that are easily realizable in a single local area network (LAN), such as atomic broadcast and bounded message delivery. This paper, in addition to giving background on TBDVA, will describe the architectural approach taken in co-design of simulation and prototyping. This paper will dwell upon the important issue of specifically prototyping that portion of the design that is subject to real-time attacks. That is, what the attacker targets: vulnerabilities.
Simulation models of distributed systems abstract out details in order to make the simulation tractable, but unknown vulnerabilities, as a general rule, tend to lie within the details of the implementation of an algorithm that executes upon the system. TBDVA is intended to withstand cyber attacks, and some form of testing beyond the capability of our current simulations was warranted. We had to go beyond a simulation model. We wanted an implementation that allowed for experimenting with attacks directed at the algorithm, yet did not require that we accrue the cost of completely designing TBDVA upon an actual distributed system. Furthermore, AFRL/IF had to be able to demonstrate TBDVA to potential users, and relocating a complete distributed system to the users’ locations was not reasonable. Thus we took the following hybrid approach: simulate multiple voters executing TBDVA upon a single hardware platform, where each of the simulated voters uses the actual underlying hardware resources, such that each can undergo the effects of a cyber attack in real time. This paper will describe how an actual person acting as an attacker becomes an integral part of the overall simulation, with an unpredictable outcome: either TBDVA withstands the attack or it does not. In fact, TBDVA has been formally verified, so the algorithm itself is not likely to be overcome by an attacker of reasonable ability; the implementation details that the simulation abstracts away are what remain exposed. However, the power of having a real person acting as an attacker is a convincing attribute of using the co-design for demonstrating TBDVA. This co-design approach is the subject of the paper.
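The abstract gives only the shape of TBDVA (a commit phase followed by a dissent phase, over atomic broadcast with bounded message delivery) and the shape of the co-design (several voters in one process, with an attacker acting on the live run). The following is an added example written for this page, not code from the paper or from AFRL/IF: it is a toy commit/dissent vote that keeps that structure and lets an attacker hook stand in for the human attacker. The message semantics, the delivery bound of 5 time units, the majority rule for rejecting a dissented commit, and the voter values are all assumptions of the example and are not the published algorithm.

```python
"""Toy commit-then-dissent vote over a simulated atomic broadcast.

Illustrative example, not TBDVA as published: the commit/dissent phase
order, atomic broadcast and bounded delivery follow the abstract; the
message semantics, timing constants and majority rule are assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

DELIVERY_BOUND = 5  # assumed bound on message delivery delay (time units)


@dataclass
class Msg:
    phase: str         # "commit" or "dissent"
    sender: int        # voter id
    payload: int       # commit: proposed value; dissent: id of voter dissented against
    delivered_at: int  # simulated arrival time


class AtomicBroadcast:
    """One shared, totally ordered log that every voter reads (atomic
    broadcast). An optional attacker hook may alter a message before it is
    appended, delay it, or return None to drop it entirely."""

    def __init__(self, attacker: Optional[Callable[[Msg], Optional[Msg]]] = None):
        self.log: List[Msg] = []
        self.attacker = attacker

    def broadcast(self, msg: Msg) -> None:
        if self.attacker is not None:
            msg = self.attacker(msg)
        if msg is not None:
            self.log.append(msg)

    def deliver(self, phase: str, deadline: int) -> List[Msg]:
        # Bounded delivery: a message arriving after the phase deadline is
        # treated as lost for that phase rather than waited for.
        return [m for m in self.log if m.phase == phase and m.delivered_at <= deadline]


def run_vote(values: Dict[int, int], attacker=None) -> Optional[int]:
    """Commit phase, then dissent phase, then tally. `values` maps each voter
    id to the value it computed (a compromised voter simply holds a wrong
    value). Returns the agreed value, or None when no value reaches a majority."""
    n = len(values)
    majority = n // 2 + 1
    bus = AtomicBroadcast(attacker)

    # Phase 1 (commit): every voter commits its own value at time 0.
    for vid, v in values.items():
        bus.broadcast(Msg("commit", vid, v, delivered_at=0))
    commits = bus.deliver("commit", deadline=DELIVERY_BOUND)

    # Phase 2 (dissent): after the commit deadline, each voter dissents
    # against every delivered commit that differs from its own value.
    for vid, v in values.items():
        for c in commits:
            if c.sender != vid and c.payload != v:
                bus.broadcast(Msg("dissent", vid, c.sender, delivered_at=DELIVERY_BOUND + 1))
    dissents = bus.deliver("dissent", deadline=2 * DELIVERY_BOUND + 1)

    # Tally: a commit dissented against by a majority of voters is discarded;
    # the result is the value carried by a majority of the surviving commits.
    rejected = {c.sender for c in commits
                if sum(1 for d in dissents if d.payload == c.sender) >= majority}
    counts: Dict[int, int] = {}
    for c in commits:
        if c.sender not in rejected:
            counts[c.payload] = counts.get(c.payload, 0) + 1
    for value, cnt in counts.items():
        if cnt >= majority:
            return value
    return None


def delay_commit_of(vid: int, by: int) -> Callable[[Msg], Optional[Msg]]:
    """Attacker hook (assumed attack): hold voter `vid`'s commit on the wire
    for `by` time units, so it may miss the bounded delivery deadline."""
    def hook(m: Msg) -> Optional[Msg]:
        if m.phase == "commit" and m.sender == vid:
            return Msg(m.phase, m.sender, m.payload, m.delivered_at + by)
        return m
    return hook


if __name__ == "__main__":
    honest = {0: 42, 1: 42, 2: 42}                       # constructed voter values
    print("no attack:          ", run_vote(honest))
    print("one voter corrupted:", run_vote({0: 42, 1: 99, 2: 42}))
    print("one commit delayed: ", run_vote(honest, delay_commit_of(1, DELIVERY_BOUND + 1)))
    print("majority corrupted: ", run_vote({0: 42, 1: 99, 2: 99}))
```

Running the four scenarios shows the two outcomes the abstract describes: with one voter corrupted or one commit held past the delivery bound the honest value 42 survives, while corrupting a majority of voters yields 99, i.e. the attack succeeds. Because all voters share one process and one log, an attacker can be pointed at a single voter's input or a single message without standing up a real network, which is the point of prototyping only the attack-exposed part of the design.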