Intrusion Tolerant Architectures
Average software engineering practice and average system complexity produce systems that typically have numerous vulnerabilities. Designing a system with maximal security assurance requires avoiding the introduction of vulnerabilities in the first place, removing known vulnerabilities, and preventing attackers from exploiting known vulnerabilities whose removal is not practical. Intrusion tolerance is the ultimate defense: it assumes that unknown or unmitigated vulnerabilities remain in the system. The objective of intrusion tolerance is to maintain acceptable (but possibly degraded) system services when intrusions occur.
We intend to define abstract intrusion-tolerance properties at the architectural level and to study mechanisms that can be used to ensure these properties. This will allow us to decompose emergent intrusion-tolerance properties into much simpler, directly verifiable architectural properties. We will investigate definitions of levels of intrusion tolerance based on acceptable risk and balanced protection. We will define architectural refinement patterns and architectural styles that are relevant for building intrusion-tolerant architectures. We will examine how our ideas can be applied in the development of real systems.