Malicious-and Accidental-Fault Tolerance for Internet Applications
IST Research Project IST-1999-11583
1 January 2000 - 28 February 2003

Check out a summary of the project, or browse through the original project proposal.

MAFTIA involved experts from 5 countries and 6 organisations. The Industrial Advisory Board provided valuable feedback on the work of the project.

Research was organised into six workpackages.

Find out more about the key scientific results and achievements, and the benefits of this research collaboration.

Conceptual Model and Architecture
WP1 concentrated on the Conceptual Model and Architecture of attack tolerance.

Dependable Middleware
WP2 developed a modular and scalable cryptographic group-oriented middleware suite

Intrusion Detection
WP3 investigated ways of reducing the high rate of false positives and false negatives for existing Intrusion Detection Systems (IDSs), whilst making the IDS itself intrusion-tolerant

Trusted Third Parties
WP4 designed a generic architecture for dependable Trusted Third Party (TTP) services based on results from WP2.

Distributed Authorisation
In WP5, we defined a framework for access control and authorisation

Verification and Assessment
worked towards formalisation of the MAFTIA conceptual model

Dependable Middleware

The applications that MAFTIA is targeted at have a multi-party, interactive, and in a broad sense transactional nature. The basic applications to be supported by the MAFTIA middleware platform, namely authorisation, intrusion detection, and trusted third parties, share this same nature.

Our approach to dependability with respect to both accidental and malicious faults is based on modular fault tolerance and requires techniques that enable the construction of provable mechanisms aimed at tolerating attacks:

  • error containment, detection and recovery as a means to counter the effect of attacks; and
  • error compensation as a means of overcoming the inaccuracy of intrusion detection

Most complex interactive distributed activities, such as the types of application that motivate this project, require a few baseline attributes from the communication support: multi-site (multicast) addressing and membership; error (including intrusion) detection; ability to provide well-defined semantics (order, agreement); a notion of timeliness. The advantage of asynchronous operation for large-scale systems seems obvious at first sight: no timing assumptions have to be made, it is a time-free model, that handles well the inherent asynchrony of the communication support (e.g. Internet). However, it offers poor quality when there are timeliness expectations from the service, such as with interactive applications. Partial synchrony models, such as timed-asynchronous or quasi-synchronous ones, have recently emerged as particularly suited for large-scale settings, where synchrony assumptions are hard to enforce, but timeliness is required by interactivity of applications. The protocols developed by MAFTIA were based on both kinds of model.

The group-oriented paradigm fulfils the requirements expressed for the MAFTIA middleware and adds to them, providing powerful primitives for performing fault tolerant and timely communication, and supporting group-oriented algorithms to assist distributed activities. In architectural terms, our middleware was structured along the lines of modern group-oriented platforms. In addition, cryptography is a fundamental paradigm for security-related systems, and cryptographic communication was essential for the building blocks we developed during the project. Specifically, we used intrusion-tolerant group communication protocols to achieve the necessary intrusion tolerance for the replication and dissemination mechanisms underpinning our architecture.

The dependable middleware we designed was based on paradigms possessing the following important characteristics: a well-defined semantics; containment of both functional and non-functional behaviour; the ability to represent activities with a multi-party, interactive and transactional nature. Our overall objective was to produce a scalable architecture based on both asynchronous and partial synchrony models whose mechanisms support: intrusion-tolerant error detection; cryptographic group communication and membership; intrusion-tolerant transactions.

The conceptual model and architectural guidelines produced by WP1 influenced the design of the MAFTIA middleware and the trade-offs we made between vulnerability prevention and intrusion tolerance at different levels of the infrastructure. In particular, we explored the use of architectural hybridization to build trustworthy protocols that were designed to execute for the most part in insecure environments, but depended on trusted components for crucial parts of their operation.