Académique Documents
Professionnel Documents
Culture Documents
1
Talk Outline
3
DETER Program Goals
4
5
DETER Experimenters and User
Organizations (representative)
6
DETERLab: The Facility
7
DETERlab: The DETER Facility
9
DETER Testbed -
Users
Users
Internet Cluster Architecture
Users
Control
External DB
Firewall
Power
Node Node Node 160 Controller
N X 4 @1000bT
Data ports Switch Control Interface
Testbed comprises:
– A number of clusters
– Interconnected by
secure tunnels, using
– Shared or separate
physical networks
11
Extended Hardware Capability
12
Experiment Methodology and The
SEER Facility
• Palettes capture high-level “design
TOPOLOGY TRAFFIC ATTACK DATA-CAPTURE
PALETTES
patterns” for well-formed
experiments: Topology, Background
and Attack Traffic, and Packet
Capture and Instrumentation. Skeleton
palettes for original and customized
experiments are also available.
?
METHODOLOGY
& GUIDANCE
• Methodology Engine frames standard,
systematic questions that guide an
experimenter in selecting and
combining the right elements.
EXPERIMENT
AUTOMATION • Experiment Automation increases
repeatability and efficiency by
integrating the process to the DETER
testbed environment.
13
SPARTA DDoS Experiment
September 2005
Background Traffic:
REPLAY | NTCG | HARPOON
HIGH FIDELITY TRAFFIC
CORE
Topology: AS-11357
BUILDING-BLOCKS |
JUNIPER ROUTER CORE
REALISTIC CONNECTIVITY AND
SCALE-DOWN
Attack Traffic:
DETER-INTEGRATED ATTACK
SCRIPTING
AUTOMATION OF VARIETY OF
SCENARIOS UNDER STUDY
Instrumentation:
PACKET AND HOST STATISTICS
CAPTURE | SPECTRAL ANALYSIS
ATTACK TRAFFIC
| METRICS CALCULATION |
BACKGROUND
INTEGRATED VISUALIZATION
TRAFFIC
TOOLBOX FOR RIGOROUS
INVESTIGATION OF RESULTS
14
A General Purpose Facility
• Flexibility:
– Topologies shown are
from representative real
experiments
• Sharability
– Many of these topologies
can coexist simultaneously
in separate experiments
15
Beyond the Facility -
Creating new tools for cyberscience
16
Federation
17
Dynamic Federation
• On-demand creation of
experiments spanning
multiple, independently
controlled facilities
• Why?
– Scale
– Unusual facilities
– Data & knowledge sharing
– Information hiding -
multiparty scenarios
Elements of Federation
• Experiment decomposition
– Creation and embedding of per-federant sub-experiments
• Create coherent distributed environment (embedding)
• Guide experimenter about potential choices and effects
• Trust, policy, and security analysis mechanisms
– Manage federated resources within local policies
• Access / Authorization (who can use?)
• Constrain use (how can they use?)
• Provide unified runtime environment to researcher and experiment
– Shared file system, scheduling and event system, control hooks, etc.
– Failure management model
• Secure implementation mechanisms
– Inter-facility communication, namespace mapping, etc
19
DFA System Architecture
CEDL
“Assembly Code”
Standard Experiment
Representation Testbeds
Experiment
Experiment Creation
Requirements Tool
Testbed Experiment
Properties Creation Federator
Tool
Experiment
Topology Experiment
Creation
Tool
Testbed
Experiment Properties
Decomposition Tools
CEDL
Canonical Experiment Description Language
• Expressiveness (today):
– Core semantics:
• Logical {nodes, links, elements}
• Topology (Emulab/ns2)
– Annotations: logical attributes (eg, node type)
• Type information: router, switch, etc.
• Physical selection: map to specific instance
– Annotations: physical attributes
• “Escapes” to allow physical configuration of hardware
DFA Authorization
Flexible
Principal IDs
Attested
Attributes
22
Authorization for Dynamic
Federated Testbed Environments
(with Steve Schwab, SPARTA)
• Basic model:
– Principals
• In our work, user’s identity established by local authority’s local means -
Kerberos, certs, passwords, …
– Principals have attributes
• Established by digitally signed credentials…
… through which credential issuers assert judgments about the attributes of
principals
• Expressed in a formal language
– Attributes and Rules drive a reasoning engine
• Authorization decisions are based on applying rules to attributes of the requestor
Revisiting the Architecture
Generalized Federant
Authorization
Model
DETER
Authentication
SEER DETER and GMPLS
CEDL
configuration DRAGON
Internet
DETER
Federator GMPLS
CEDL
Authentication
Credentials DETER and
configuration
USERS Plug-in
DETER
based
federation
interfaces
Federant
Federation: Status
• Operating today
– Hundreds of nodes
– Emulab-based testbeds {DETER, WAIL, Emulab}
– Simple / simplistic ID based authorization
– Scale-limited: primarily by filesystem and event model
• Extending to
– Full attribute-based auth/auth framework
– Removal of scaling limitations
– Richer resource discovery / integration with higher level tools
– Additional testbed architectures
• NSF GENI program
• DRAGON
Experiment Health
27
Supporting Rigorous and
Structured Experiments
28
Maintaining Experiment Invariants:
The DETER Experiment Health System
29
Experiment Health: Benefits
30
Experiment Health System:
Design Goals
31
Continuing Development
Experimental cybersecurity in a
complex world
33
Domain of interest
• “Malware Containment” Î
“Risky Experiment Management”
– Malware study
– “Active Defense” research
– Stress and failure testing
– Agent based measurement and monitoring
– …
34
Problem formulation
“Classical Formulation”
Containment
Boundary
•Focus on isolation
•De facto emphasis of initial DETER work
35
Problem formulation
More accurate formulation
Controlled interaction
with outside
environment
World Experiment
Observation Experiment
and Control
monitoring
•Key issue:
– Not “isolation and containment” but
“understanding and assurance”
36
Model
•Two-stage approach:
Malware / Testbed
Experiment behavior
behavior constraint constraint
transform: T1 transform: T2
• Richer function
– Simplifies reasoning about a wider range of potentially
risky experiments/circumstances
– Simplifies tradeoff between different experimenter goals
• Increased verifiability
– T2 (testbed) constraints common to many experiments,
can be extensively tested
– Behavior of T2(T1()) may be subject to formal analysis
38
Why is this a good idea (2)
• Separation of concerns:
– Experimenter best equipped to understand impact of constraints on
experiment validity - express T1 for experimenters
– Testbed designer best equipped to understand impact of constraints
on testbed and external behavior - express T2 for testbed
designers/implementors
39
Near Term: Constraint sets
• Constraint sets are
– pre-established sets of T1 constraints that,
– when met, allow useful, well behaved, well understood experiments to be run.
• It is useful to imagine defining more than one set
Simpler, more
Stronger T1 Weaker T2
flexible
constraints restrictions
experiment
• Such a tool would provide a highly general facility for limiting the
risk of risky experiments
A Common Theme
• Interesting to note …
• ... underlying concept of establishing,
understanding, monitoring, enforcing
experiment/test invariants is common to
– Experiment Health
– Risky Experiment Management
– Intelligent, high-level design of experiments
• Direction: unified, shared mechanisms for invariant
management to serve these goals
42
Summary
DETER Cyber Security Testbed
• Facility
– Tool libraries, Workbench, Operations,
Community
• Tools for Cyber Science
– Federation, Experiment Health, Risky Experiment
• Foundation for next generation testbeds
– Geni, National Cyber Range
• More info – www.isi.edu/deter or www.deterlab.net
Beyond the Facility -
Creating new tools for cyber science
• Dynamic Federation
– On-demand creation of experiments spanning multiple, independently
controlled facilities
• High Level User/Workflow Tools
– User-friendly user interface for configuring, launching, monitoring,
and analyzing experiments
• Experiment Health Support
– Supporting Rigorous and Structured Experiments
• Risky Experiment Management
– Experimental cybersecurity in a complex world