An intrusion-tolerant distributed system is a system which is designed so that any intrusion into a part of the system will not endanger confidentiality, integrity and availability. This approach is suitable for distributed systems, because distribution enables isolation of elements so that an intrusion gives physical access to only a part of the system. By intrusion, we mean not only computer break-ins by non-registered people, but also attempts by registered users to exceed or to abuse their privileges. In particular, possible malice of security administrators is taken into account. This paper describes how some functions of distributed systems can be designed to tolerate intrusions, in particular security functions such as user authentication and authorization, and application functions such as file management.

the distributed system, a local TCB is responsible for the authentication of local users, and for the access control to local objects. For accesses from local subjects to remote objects, the local TCB must cooperate with the remote TCBs responsible for the objects. The enforcement of the authorization policy is based on cooperation between the TCBs, which must therefore trust each other, i.e. all the computers of the distributed system must enforce the same security concepts, with a consistent knowledge of subjects and objects, and with homogeneous security protocols. Consequently, this approach is unsuitable for current heterogeneous open distributed systems. Moreover, a successful intrusion into a local TCB can endanger the security of the whole distributed system. Such a case has to be seriously considered since, with current workstations, it is easy for a local user to obtain complete local control (e.g. as superuser). In addition, TCB administrators may be targets for bribery.
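The following simulation is added here to illustrate the argument above; it is not code from the paper. It models the mutual-trust TCB architecture, in which one compromised local TCB can vouch for any subject to every remote TCB, beside a variant in which access needs a quorum of independent sites to agree (a design choice assumed for the illustration, not one stated in the text above). Site count, user names, passwords and ACL entries are all constructed.

```python
class TCB:
    """One site's trusted computing base: authenticates its users and guards its objects."""

    def __init__(self, users, acl):
        self.users = users          # {user: password}, constructed credentials
        self.acl = acl              # {(subject, object): set(operations)}
        self.compromised = False    # True once an intruder has superuser control here

    def authenticate(self, user, password):
        if self.compromised:        # an intruder-controlled TCB vouches for any identity
            return True
        return self.users.get(user) == password

    def authorize(self, subject, obj, op):
        if self.compromised:        # ...and grants any operation on its objects
            return True
        return op in self.acl.get((subject, obj), set())


def mutual_trust_access(local, remote, claimed_user, password, obj, op):
    """Classic model: the remote TCB accepts the local TCB's authentication outright."""
    if not local.authenticate(claimed_user, password):
        return False
    return remote.authorize(claimed_user, obj, op)


def quorum_access(sites, claimed_user, password, obj, op, quorum):
    """Tolerant variant (assumed design): every site re-checks the request and access
    needs `quorum` agreeing votes, so one compromised site can neither grant nor block."""
    votes = sum(s.authenticate(claimed_user, password) and s.authorize(claimed_user, obj, op)
                for s in sites)
    return votes >= quorum


def demo():
    users = {"alice": "pw-alice", "bob": "pw-bob"}          # constructed
    acl = {("alice", "report.txt"): {"read"}}               # only alice may read the file
    sites = [TCB(dict(users), dict(acl)) for _ in range(3)]
    local, remote = sites[0], sites[1]
    # Before any intrusion, a request without alice's password is refused.
    honest = mutual_trust_access(local, remote, "alice", "guess", "report.txt", "read")
    # Once site 0 falls, the same request succeeds at every TCB that trusts site 0.
    local.compromised = True
    spoofed = mutual_trust_access(local, remote, "alice", "guess", "report.txt", "read")
    # With a 2-of-3 quorum the two honest sites outvote the compromised one...
    tolerant = quorum_access(sites, "alice", "guess", "report.txt", "read", quorum=2)
    # ...while the legitimate user is still served, so availability is preserved too.
    legit = quorum_access(sites, "alice", "pw-alice", "report.txt", "read", quorum=2)
    return honest, spoofed, tolerant, legit
```

`demo()` returns `(False, True, False, True)`: the spoofed request is refused before the intrusion, granted under mutual trust afterwards, refused again under the quorum rule, and the genuine user is still served.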