Malicious-and Accidental-Fault Tolerance for Internet Applications
IST Research Project IST-1999-11583
1 January 2000 - 28 February 2003

Check out a summary of the project, or browse through the original project proposal.

MAFTIA involved experts from 5 countries and 6 organisations. The Industrial Advisory Board provided valuable feedback on the work of the project.

Research was organised into six workpackages.

Find out more about the key scientific results and achievements, and the benefits of this research collaboration.


 

[ Conceptual Model ] [ Architecture ] [ Mechanisms and Protocols ] [ Verification and Assessment ]

Conceptual Model

MAFTIA uses fault tolerance techniques to build dependable systems that are intrusion tolerant, that is, able to continue providing a secure service, despite the presence of malicious faults, i.e. deliberate attacks on the security of the system. Such faults are perpetrated by attackers who make unauthorised attempts to access, modify, or destroy information in a system, and/or to render the system unreliable or unusable. Attacks are facilitated by vulnerabilities, which are faults created during the development of the system or during its operation. A successful attacker is said to be an intruder, and a successful attack results in an intrusion upon the system.

Thus, MAFTIA distinguishes between attacks, vulnerabilities, and intrusions as three types of interrelated faults:

  • attack: a malicious interaction fault, through which an attacker aims to deliberately violate one or more security properties; an intrusion attempt.
  • vulnerability: a fault created during development of the system, or during operation, that could be exploited to create an intrusion.
  • intrusion: a malicious, externally-induced fault resulting from an attack that has been successful in exploiting a vulnerability.

Figure 1 - Intrusion as a composite fault

Attacks may be viewed either at the level of the human activity of the attacker, or at the level of the resulting technical activity observable within the considered computer system:

  • attack (human): a malicious human interaction fault whereby an attacker aims to deliberately violate one or more security properties;
  • attack (technical): a malicious technical interaction fault aiming to exploit a vulnerability as a step to achieving the final aim of the attack.
In general, an intrusion can result whenever an attacker is successful in exploiting a vulnerability with respect to any mechanism of a system. If that intrusion is not tolerated, then this can lead to a failure of the mechanism, which could in turn introduce a vulnerability in other parts of the system that depend on the mechanism, allowing the original attack that caused the intrusion to propagate further into the system.

The development of a dependable computing system calls for the combined utilization of a set of four techniques:

  • fault prevention: how to prevent the occurrence or introduction of faults,
  • fault tolerance: how to deliver correct service in the presence of faults,
  • fault removal: how to reduce the number or severity of faults,
  • fault forecasting: how to estimate the present number, the future incidence, and the likely consequences of faults.

Equating attack (in both the human and technical senses), vulnerability and intrusion with fault, we can obtain a priori sixteen methods for ensuring or assessing security, of which ten are distinguishable (Table 1):

Table 1 — Classification of security methods

 

Attack
(human sense)

Attack
(technical sense)

Vulnerability

Intrusion

Prevention (how to prevent occurrence or introduction of…)

deterrence, laws, social pressure, secret service…

firewalls, authentication, authorisation…

semi-formal and formal specification, rigorous design and management…

= attack & vulnerability prevention & removal

Tolerance (how to deliver correct service in the presence of…)

= vulnerability prevention & removal,
intrusion tolerance

= attack prevention & removal,
intrusion tolerance

error detection & recovery, fault masking, intrusion detection, fault handling

Removal (how to reduce number or severity of…)

physical countermeasures, capture of attacker

preventive & corrective maintenance aimed at removal of attack agents (i.e., some forms of malicious logic)

1. formal proof, model-checking, inspection, test…
2. preventive & corrective maintenance, including security patches

Í attack & vulnerability removal

Forecasting (how to estimate present number, future incidence, likely consequences of…)

intelligence gathering, threat assessment…

assessment of presence of latent attack agents, potential consequences of their activation

assessment of: presence of vulnerabilities, exploitation difficulty, potential consequences…

= vulnerability & attack forecasting

The main focus of MAFTIA was on intrusion tolerance and vulnerability removal. An intrusion tolerant system must continue to deliver correct service despite the presence of active faults, both malicious and accidental. By exploring the relationship between intrusion detection and intrusion tolerance, MAFTIA has shown how ideas derived from the dependability community and the intrusion-detection community might fit together in a single integrated framework.

Figure 2 — Integrated intrusion-tolerance framework

From the viewpoint of intrusion-detection, the Intrusion Detection System (IDS) within this integrated framework consists of the set of external and internal sensors, the error-detection mechanisms of any intrusion-tolerant components, and the event analysis and fault diagnosis mechanisms that signal intruder reports to a system security officer. These are shown in dark grey in the diagram.

[ Conceptual Model ] [ Architecture ] [ Mechanisms and Protocols ] [ Verification and Assessment ]