Proactive Fortification of Fault-Tolerant Services

“…Proxies can thus reduce the success probability of derandomization attacks and hence play a major role in our FORTRESS architecture [7]. Using proxies for enhancing intrusion tolerance is not new.…”

“…This led us to examine, in [7], whether a PB system could be made intrusion-resilient without losing its ability to replicate an arbitrary service. More precisely, we explored the possibility of attaining intrusion tolerance without having to comply with the SMR requirement.…”

“…More precisely, we explored the possibility of attaining intrusion tolerance without having to comply with the SMR requirement. In [7], we identified an approach, termed as FORTRESS, that can augment intrusion-resilience to any server system. In particular, the latter may not even be replicated; if replicated, it can be by PB or SMR.…”

“…It involves fortifying servers with proxies which block direct server access, and periodically randomizing the executables of proxies as well as servers. Assuming that no server can be compromised until at least one proxy is compromised, the following result was established in [7]: a fortified PB server is at least as attack resilient as a 4-server SMR system; an attacker who cannot intrude more than 1 server in the SMR system cannot compromise the fortified PB server. The result also assumes randomization only at system set-up and proactive recovery as in [6], i.e., no periodic re-randomization.…”

“…Secondly, we relax a central assumption in [7] and allow servers to be compromised even when they are not directly accessible to an attacker. We then compare, using both analytical models and Monte-Carlo simulations, the resilience of FORTRESS system against simple SMR and PB systems with either proactive randomization or proactive recovery.…”

Assessing the attack resilience capabilities of a fortified primary-backup system

“…Proxies can thus reduce the success probability of derandomization attacks and hence play a major role in our FORTRESS architecture [7]. Using proxies for enhancing intrusion tolerance is not new.…”

“…This led us to examine, in [7], whether a PB system could be made intrusion-resilient without losing its ability to replicate an arbitrary service. More precisely, we explored the possibility of attaining intrusion tolerance without having to comply with the SMR requirement.…”

“…More precisely, we explored the possibility of attaining intrusion tolerance without having to comply with the SMR requirement. In [7], we identified an approach, termed as FORTRESS, that can augment intrusion-resilience to any server system. In particular, the latter may not even be replicated; if replicated, it can be by PB or SMR.…”

“…It involves fortifying servers with proxies which block direct server access, and periodically randomizing the executables of proxies as well as servers. Assuming that no server can be compromised until at least one proxy is compromised, the following result was established in [7]: a fortified PB server is at least as attack resilient as a 4-server SMR system; an attacker who cannot intrude more than 1 server in the SMR system cannot compromise the fortified PB server. The result also assumes randomization only at system set-up and proactive recovery as in [6], i.e., no periodic re-randomization.…”

“…Secondly, we relax a central assumption in [7] and allow servers to be compromised even when they are not directly accessible to an attacker. We then compare, using both analytical models and Monte-Carlo simulations, the resilience of FORTRESS system against simple SMR and PB systems with either proactive randomization or proactive recovery.…”

Assessing the attack resilience capabilities of a fortified primary-backup system