Document Details

Intrusion Tolerance based on Architectural Hybridization

Author(s): Correia, Miguel

Date: 2003

Persistent Identifier: http://hdl.handle.net/10451/14292

Source: Repositório da Universidade de Lisboa

Subject(s): distributed systems; intrusion tolerance; group communication; dependability, security; Byzantine fault tolerance


Description

Security in distributed computing systems is usually based on the idea of prevention. The usual approach consists in trying to design perfect systems, with no vulnerabilities to be exploited by potential attackers. Reality shows that this is impossible and that systems live in a permanent cycle: vulnerability discovered → systems attacked → patch published → some systems patched → new vulnerability discovered, etc. Fault tolerance or, more generically, dependability, takes a different approach. This discipline also tries to build systems as reliable as possible. However, components are assumed to fail, and systems that do not fail have to be built using fallible components. Although the two approaches seem almost opposite, attacks and intrusions can be considered to be faults. The problem of tolerating these kinds of faults has been receiving much attention in recent years, and gained new momentum under the designation of intrusion tolerance. This thesis appears in the context of research on intrusion tolerance in distributed systems. One of the problems with this approach, studied in the thesis, is the design of systems that are simultaneously efficient and secure, given the difficulty of making assumptions about the failure modes caused by the attacker. The thesis is based on an architectural-hybrid fault model. This model assumes that most of the system can fail arbitrarily, even maliciously, with the exception of a few components that are by construction secure and real-time. The component studied in depth in the thesis is called the Trusted Timely Computing Base (TTCB). The TTCB is a component with novel characteristics. In the first place, it is a distributed subsystem with its own secure network. Secondly, it is real-time, i.e., a synchronous subsystem capable of timely behavior. Thirdly, it can be implemented using only COTS components. The first part of the thesis presents the TTCB model, its implementation based on COTS components and the functionality of its services.
Once the TTCB has been introduced, the thesis describes the design of several intrusion-tolerant middleware components with the objective of validating the proposed approach. Note that the TTCB is used architecturally as a runtime support component, not as a layer of the usual stack of protocols. This makes the architecture very versatile, since the TTCB can be used indiscriminately by all or just some of the system layers. Then, the thesis presents a first protocol based on the hybrid fault model, a reliable multicast protocol. This protocol is efficient and tolerates any number of malicious processes, contrary to similar protocols in the literature that tolerate fewer than one third. A classical problem in distributed systems, consensus, is used to show another way of using the TTCB to support intrusion-tolerant protocols. The protocol is efficient in terms of message and time complexities. It also shows how the FLP impossibility result relates to systems based on the TTCB. Group communication is an important paradigm for the implementation of fault-tolerant distributed systems. The final part of the thesis presents an intrusion-tolerant group communication system. The system includes a membership service and an atomic multicast primitive. This system has an arguably superior performance in relation to similar systems in the literature.

Document Type Doctoral thesis
Language Portuguese
Supervisor(s) Veríssimo, Paulo Jorge Esteves
Contributor(s) Repositório da Universidade de Lisboa