Abstract
Despite the significant amount of effort that often goes into securing critical infrastructure assets, many systems remain vulnerable to advanced, targeted cyber attacks. This paper describes the design and implementation of the Trusted Dynamic Logical Heterogeneity System (TALENT), a framework for live-migrating critical infrastructure applications across heterogeneous platforms. TALENT permits a running critical application to change its hardware platform and operating system, thus providing cyber survivability through platform diversity. TALENT uses containers (operating-system-level virtualization) and a portable checkpoint compiler to create a virtual execution environment and to migrate a running application across different platforms while preserving the state of the application (execution state, open files and network connections). TALENT is designed to support general applications written in the C programming language. By changing the platform on-the-fly, TALENT creates a cyber moving target and significantly raises the bar for a successful attack against a critical application. Experiments demonstrate that a complete migration can be completed within about one second.
Chapter PDF
Similar content being viewed by others
References
A. Bangalore and A. Sood, Securing web servers using self cleansing intrusion tolerance (SCIT), Proceedings of the Second International Conference on Dependability, pp. 60–65, 2009.
S. Blackmon and J. Nguyen, Storage: High-availability file server with heartbeat, System Administration, vol. 10(9), pp. 24–32, 2001.
G. Bronevetsky, D. Marques, K. Pingali and P. Stodghill, Automated application-level checkpointing of MPI programs, ACM SIGPLAN Notices, vol. 38(10), pp. 84–94, 2003.
R. Brown, Stuxnet worm causes industry concern for security firms, Mass High Tech, Boston, Massachusetts (www.masshightech.com/stories /2010/10/18/daily19-Stuxnet-worm-causes-industry-concern-for-security-firms.html), October 19, 2010.
G. Carl, G. Kesidis, R. Brooks and S. Rai, Denial-of-service attack detection techniques, IEEE Internet Computing, vol. 10(1), pp. 82–89, 2006.
Y. Chen, K. Li and J. Plank, CLIP: A checkpointing tool for message passing parallel programs, Proceedings of the ACM/IEEE Conference on Supercomputing, p. 33, 1997.
C. Clark, K. Fraser, S. Hand, J. Hansen, E. Jul, C. Limpach, I. Pratt and A. Warfield, Live migration of virtual machines, Proceedings of the Second Conference on Symposium on Networked Systems Design and Implementation , vol. 2, pp. 273–286, 2005.
I. Habib, Virtualization with KVM, Linux Journal (www.linuxjournal.com/article/9764), February 1, 2008.
HDF Group, HDF4 Reference Manual, Champaign, Illinois (ftp.hdfgroup.org/HDF/Documentation/HDF4.2.5/HDF425_RefMan.pdf), 2010.
Y. Huang, D. Arsenault and A. Sood, Closing cluster attack windows through server redundancy and rotations, Proceedings of the Sixth IEEE International Symposium on Cluster Computing and the Grid, p. 21, 2006.
Y. Huang, D. Arsenault and A. Sood, Incorruptible self cleansing intrusion tolerance and its application to DNS security, Journal of Networks, vol. 1(5), pp. 21–30, 2006.
Y. Huang and A. Ghosh, Automating intrusion response via virtualization for realizing uninterruptible web services, Proceedings of the Eighth IEEE International Symposium on Network Computing and Applications, pp. 114–117, 2009.
Y. Huang, A. Ghosh, T. Bracewell and B. Mastropietro, A security evaluation of a novel resilient web serving architecture: Lessons learned through industry/academia collaboration, Proceedings of the International Conference on Dependable Systems and Networks Workshops, pp. 188–193, 2010.
Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), ICS-ALERT-10-301-01 – Control System Internet Accessibility, Department of Homeland Security, Washington, DC (www.us-cert.gov /control_systems/pdf/ICS-Alert-10-301-01.pdf), October 28, 2010.
K. Ingols, M. Chu, R. Lippmann, S. Webster and S. Boyer, Modeling modern network attacks and countermeasures using attack graphs, Proceedings of the Annual Computer Security Applications Conference, pp. 117–126, 2009.
K. Kolyshkin, Virtualization in Linux, OpenVZ (ftp.openvz.org/doc/open vz-intro.pdf), 2006.
S. Lee, T. Johnson and R. Eigenmann, Cetus – An extensible compiler infrastructure for source-to-source transformation, Proceedings of the Sixteenth International Workshop on Languages and Compilers for Parallel Computing, pp. 539–553, 2003.
lxc Linux Containers, lxc man pages (lxc.sourceforge.net/index.php/about /man).
National Security Council, Cybersecurity Progress after President Obama’s Address, The White House, Washington, DC, July 14, 2010.
Parallels, Clustering in Parallels Virtuozzo-Based Systems, White Paper, Renton, Washington, 2009.
R. Rabbat, T. McNeal and T. Burke, A high-availability clustering architecture with data integrity guarantees, Proceedings of the IEEE International Conference on Cluster Computing, pp. 178–182, 2001.
G. Rodriguez, M. Martin, P. Gonzalez, J. Tourino and R. Doallo, CPPC: A compiler-assisted tool for portable checkpointing of message-passing applications, Concurrency and Computation: Practice and Experience, vol. 22(6), pp. 749–766, 2010.
E. Sarmiento, Securing FreeBSD using Jail, System Administration, vol. 10(5), pp. 31–37, 2001.
J. Smart, K. Hock and S. Csomor, Cross-Platform GUI Programming with wxWidgets, Prentice Hall, Upper Saddle River, New Jersey, 2005.
A. Sood, Intrusion tolerance to mitigate attacks that persist, presented at the Secure and Resilient Cyber Architectures Conference, 2010.
G. Stellner, CoCheck: Checkpointing and process migration for MPI, Proceedings of the Tenth International Parallel Processing Symposium, pp. 526–531, 1996.
U.S. Air Force Chief Scientist, Report on Technology Horizons: A Vision for Air Force Science and Technology During 2010–2030, Volume 1, Technical Report AF/ST-TR-10-01-PR, Department of the Air Force, Washington, DC, 2010.
Author information
Authors and Affiliations
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2011 IFIP International Federation for Information Processing
About this paper
Cite this paper
Okhravi, H., Comella, A., Robinson, E., Yannalfo, S., Michaleas, P., Haines, J. (2011). Creating a Cyber Moving Target for Critical Infrastructure Applications. In: Butts, J., Shenoi, S. (eds) Critical Infrastructure Protection V. ICCIP 2011. IFIP Advances in Information and Communication Technology, vol 367. Springer, Berlin, Heidelberg. https://doi.org/10.1007/978-3-642-24864-1_8
Download citation
DOI: https://doi.org/10.1007/978-3-642-24864-1_8
Publisher Name: Springer, Berlin, Heidelberg
Print ISBN: 978-3-642-24863-4
Online ISBN: 978-3-642-24864-1
eBook Packages: Computer ScienceComputer Science (R0)