Building Survivable Services Using Redundancy and Adaptation
February 2003 (vol. 52 no. 2)
pp. 181-194
Matti A. Hiltunen, IEEE Computer Society

Abstract—Survivable systems—that is, systems that can continue to provide service despite failures, intrusions, and other threats—are increasingly needed in a wide variety of civilian and military application areas. As a step toward realizing such systems, this paper advocates the use of redundancy and adaptation to build survivable services that can provide core functionality for implementing survivability in networked environments. An approach to building such services using these techniques is described and a concrete example involving a survivable communication service is given. This service is based on Cactus, a system for building highly configurable network protocols that offers the flexibility needed to easily add redundant and adaptive components. Initial performance results for a prototype implementation of the communication service built using Cactus/C 2.1 running on Linux are also given.

Index Terms:
Survivability, dependability, trustworthiness, redundancy, adaptation, intrusion tolerance, distributed systems.
Matti A. Hiltunen, Richard D. Schlichting, Carlos A. Ugarte, "Building Survivable Services Using Redundancy and Adaptation," IEEE Transactions on Computers, vol. 52, no. 2, pp. 181-194, Feb. 2003, doi:10.1109/TC.2003.1176985