{"title":"System survivability through security bug tolerance","authors":"C. Pu, Crispin Cowan","doi":"10.1109/HASE.1998.731601","DOIUrl":null,"url":null,"abstract":"Summary form only given. A traditional approach to system security is the construction of entirely new software that satisfy well defined security properties. However, the market pressure towards features seems to make such approach infeasible in the near term. Increasingly, commercial off-the-shelf software such as Windows NT is being used in mission critical information infrastructures. Therefore, alternative means must be found to protect large commercial software from attack. We present the security bug tolerance approach as an alternative to building highly secure software from scratch. Security bug tolerance accepts the idea that critical system software will contain vulnerabilities in the form of exploitable bugs, and seeks effective means to prevent these bugs from being exploited efficiently by attackers. We present a categorization scheme for security bug tolerance techniques, and populate it with techniques of our own and from the literature. The categorization is powerful enough to analyze and compare the similarities and differences of relatively diverse techniques such as firewalls, program type checking, and \"security through obscurity\". The goal of security bug tolerance techniques is system survivability (e.g., graceful degradation of system functionality or performance in the presence of attacks) in contrast to complete system security. Instead of ferreting out all potential vulnerabilities using the broad array of accepted techniques, such as formal methods and fault injection, we study means to stop and slow down attacks when they occur.","PeriodicalId":340424,"journal":{"name":"Proceedings Third IEEE International High-Assurance Systems Engineering Symposium (Cat. No.98EX231)","volume":"81 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1998-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Proceedings Third IEEE International High-Assurance Systems Engineering Symposium (Cat. No.98EX231)","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1109/HASE.1998.731601","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citations: 0
Abstract
Summary form only given. A traditional approach to system security is the construction of entirely new software that satisfies well-defined security properties. However, the market pressure towards features seems to make such an approach infeasible in the near term. Increasingly, commercial off-the-shelf software such as Windows NT is being used in mission-critical information infrastructures. Therefore, alternative means must be found to protect large commercial software from attack. We present the security bug tolerance approach as an alternative to building highly secure software from scratch. Security bug tolerance accepts the idea that critical system software will contain vulnerabilities in the form of exploitable bugs, and seeks effective means to prevent these bugs from being exploited efficiently by attackers. We present a categorization scheme for security bug tolerance techniques, and populate it with techniques of our own and from the literature. The categorization is powerful enough to analyze and compare the similarities and differences of relatively diverse techniques such as firewalls, program type checking, and "security through obscurity". The goal of security bug tolerance techniques is system survivability (e.g., graceful degradation of system functionality or performance in the presence of attacks) in contrast to complete system security. Instead of ferreting out all potential vulnerabilities using the broad array of accepted techniques, such as formal methods and fault injection, we study means to stop and slow down attacks when they occur.