New technology creates new capabilities — and new vulnerabilities. “Moving to the cloud” is the trend du jour, even in the intelligence world, but the recent attacks on the nation’s banking system has raised uncomfortable questions about how to make cloud computing secure.
“The cloud” may seem amorphous, but in reality it consists of a host of modestly capable user terminals connected to a high-powered central server or server farm. The great advantage of the cloud is that individual users can borrow capacity — storage, processing power, even entire applications — from the central server when they need it. The great vulnerability is a successful attack on the central server can compromise everyone on the cloud.
When you put that many eggs in one basket, you’d better guard it well. That’s the objective of a new program at DARPA, the Defense Advanced Research Projects Agency: MRC, Mission-oriented Resilient Clouds.
MRC about building a system that can keep functioning while under an attack and continue to provide useful services even after some resources have been corrupted. The research stresses designing resilient, adaptive systems able to fend off attacks, MRC program manager Howard Shrobe told Breaking Defense.
Centralization offers economic efficiency, but it also creates a single point of failure. The problem is similar to what agronomists call a monoculture. Traditionally, in a field of (for example) wheat, every seed will have slightly different DNA, so a disease that beats the immune system of one plant may have trouble infecting another. When you go to genetically modified crops, however, every plant has identical DNA — which means a disease that breaks the code for one can rapidly spread to all the others.
The same vulnerability applies to the cloud. In a computing monoculture, all of the nodes/servers are identical and share the same vulnerabilities. So any attack that can take over a single node can take over the entire cloud.
In addition, Shrobe said, by adding a layer of software to coordinate the individual computers, the cloud creates more complexity, which means more opportunities for something to go wrong and create a vulnerability by mistake. For example, hypervisors, the software that manages the multitasking and virtualization process at the heart of cloud computing, add additional complexity to cloud computing nodes.
Multiple users relying on the central server can lead to what Shrobe refers to as “fate sharing”: when completely unrelated tasks end up running in a shared environment, the vulnerabilities of one application may affect completely unrelated applications. Likewise, when different “virtual machines” are running side by side on a single microchip, malicious code on one virtual machine can steal, say, cryptographic keys running on a different application on a different virtual machine.
The MRC program is using a “community health system” approach to protect cloud computing networks from these threats — turning the cloud’s connectivity from a vulnerability to a source of strength. The idea is that information about potential attacks is shared throughout the cloud, diverting resources around compromised nodes where possible, while mobilizing defensive systems to contain the damage.
Under this system, there would be several watchdog mechanisms in the cloud monitoring how applications behave. To begin with, each node monitor s its own applications, as well as keeping an eye on other nodes. (This self-evaluation may potentially use the hardware and software self-defense procedures being developed in another DARPA cybersecurity program, CRASH, Shrobe said: Click here for our story on CRASH). One way to police the nodes is to have groups of them compute the same answer. Any node deviating from the consensus answer is considered to be suspect, he said. This information is collected into a trust model, a database that estimates how much a resource can be trusted and for what purposes it can be trusted for.
When a compromise or any kind of deviation is detected, the MRC’s diagnostic and self-repair capabilities would kick in to develop filters that can recognize and repel the specific attack; work-arounds that can achieve the same system operating goals, but without exposing the vulnerability; and patches that repair the vulnerability once and for all.
These capabilities are then distributed to every node in the cloud in an approach similar to human public health system’s immunization program, Shrobe said. Just like a public health system, reports of possible attacks are collected and analyzed for trends and patterns such as an “epidemic” of a particular type of system failure. The system might then quarantine affected nodes, to stop them becoming avenues of attack, or set up new barriers to accessing cloud nodes to prevent a multi-stage attack from continuing.
Another area the MRC program is focusing on is resource allocation in cloud computing. The idea behind the research is that the cloud is being used to support multiple missions, so resources should be allocated to maximize mission effectiveness. How efficiently those resources support a mission would be measured by the concept of “net expected utility.”
There may be many possible ways to achieve a mission’s goal and each way requires a unique set of resources, Shrobe said. The complication is that any resources needed for a specific method might be corrupted in a way that causes the mission to fail. The trust model is designed to measure the probability of corruption, Shrobe explained.
DARPA researchers are developing methods to allocate resources to tasks to maximize the net expected utility for the entire mission. “Notice,” Shrobe emphasized, “that this means that we will try to avid potentially compromised resources, but we will use them when the benefit far outweighs the risk.”
As more and more government systems move to the cloud, including super-sensitive applications such as spy satellites, protecting such systems will become all the more important. That’s why the pressure is on DARPA to make their new security model work.