This proposal aims to study (and develop appropriate defenses against) emerging exploits that target the "dynamics" of a system's operation---dynamics that result from the adaptation strategies deployed in most computing systems and networks. While few instances of adversarial exploits along these lines have been identified recently---namely, the PIs work on Reduction of Quality (RoQ) attacks on admission controllers of end-hosts and on TCP adaptation in networks---little is known about the significance, prevalence, and other-than-adversarial motives of such exploits, not to mention effective defenses.
INTELLECTUAL MERITS: The work to be pursued as part of this proposal flows along three dimensions: (1) vulnerability assessment, (2) attack synthesis, and (3) hardening and countermeasures. Along the first dimension, and in order to assess the vulnerability of system components, the PIs intend to adopt a control-theoretic approach to model the transient operation of common adaptive system and network components -- from schedulers, load balancers, and admission controllers to network traffic engineering and routing protocols. These models will be used to analytically characterize the vulnerabilities of such components to various exploits, whether the motive of such exploits is adversarial in nature (e.g., reducing a system's fidelity or effective capacity) or simply unfriendly (e.g., causing the system to preferentially treat a particular class of requests or flows). Along the second dimension, the PIs will investigate how a determined adversary could infer the vulnerabilities of a given system component through simple observations (from the outside), and thereupon design an exploit of low intensity but of high impact on the component's availability or service quality. Along the third dimension, the PIs intend to develop mechanisms that harden a component's susceptibility to exploits by non-clairvoyant adversaries, and also enable the identification (e.g., trace-back) of perpetrators.
The PIs will focus their attention on two specific types of systems that are particularly vulnerable to exploits of adaptation dynamics, and with which they have had quite a bit of experience, namely (A) network management and engineering, and (B) scalable web services, virtual hosting environments, and firewalls. These systems are particularly vulnerable due to their open nature, necessitating the use of dynamic resource management policies, which are exploitable by adversaries.
Expected outcomes from this effort include: - The development of metrics and techniques that are capable of quantifying the vulnerabilities of computing systems to exploits that target their dynamics. - The development of design principles that elucidate the tradeoffs between various design goals. For example, by relating a system's adaptation speed to its susceptibility to exploits, a system designer would be able to discern the risks and rewards involved in choosing one adaptation strategy versus another.
- The development of novel adaptation strategies and protocols that would be tolerant to specific exploits. While the PIs' focus will be on adaptation techniques that are prevalent in Internet systems, the new approaches and principles they develop will be applicable to a much wider range of systems, including operating systems, embedded systems, sensor networks, ad-hoc and distributed systems, among others.
BROADER IMPACT: The proposed work will also result in important tangible contributions to education and training through the development of various artifacts, including: - The creation of a repository that would act as a knowledge base of known vulnerabilities and defenses in various adaptive systems. The mere availability of such a repository would be quite instrumental in hardening newly developed systems by enabling practitioners access to what amounts to benchmarks for testing their designs. - The development of artifacts (e.g., tutorials, laboratory modules, software tools, and Web-based demonstrations) that could be integrated into standard systems and networking curricula.
In addition, the pursuit of the proposed work will result in important intangible broader impacts, including: - Heightening the research community's appreciation of the importance of system dynamics, which will undoubtedly lead to concrete advancement in basic research with the expected outcomes of scientific publications and student training. - Leveraging the efforts of the PIs in extending their proven service record to the systems and networking research community, as well as their outreach to minority and under-represented groups.
Last but not least, the pursuit of the research outlined in this proposal will promote the design of information systems, which are worthy of (and to which we can entrust) our society.
