Howard Shrobe, Massachusetts Institute of Technology
The infrastructure of modern society is controlled by software systems. These systems are vulnerable to attack; several attacks launched by "recreational hackers" have already led to severe disruption. A concerted and planned attack whose goal is to cause harm could lead to catastrophic results (for example, by disabling the computers that control the electrical power grid for a sustained period). The survivability of such information systems in the face of attack is therefore of extreme importance to society. This paper is set in the context of self-adaptive survivable systems: software that judges the trustworthiness of the computational resources in its environment and chooses how to achieve its goals in light of this trust model. Each self-adaptive survivable system detects and diagnoses compromises of its resources, taking whatever actions are necessary to recover from attack. In addition, a long-term monitoring system collects evidence from intrusion detectors, firewalls and all the self-adaptive components, building a composite trust model that each component uses. Self-adaptive survivable systems contain models of their intended behavior, models of the required computational resources, models of the ways in which these resources may be compromised and, finally, models of the ways in which a system may be attacked and how such attacks can lead to compromises of the computational resources. In this paper we focus on Computational Vulnerability Analysis: a system that, given a description of a computational environment, deduces all of the attacks that are possible in it. In particular, its goal is to develop multi-stage attack models in which the compromise of one resource is used to facilitate the compromise of other, more valuable resources.
Although our ultimate aim is to use these models online as part of a self-adaptive system, there are offline uses as well, which we are deploying first to help system administrators assess the vulnerabilities of their computing environment.
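The following Python sketch is an added illustration of the kind of deduction just described; it is not the paper's own system and makes no claim about how that system is implemented. A constructed environment (every host, port, service and account name is hypothetical) is written as a set of facts; three attack rules state how a foothold plus an environment property yields a new foothold; a forward-chaining fixpoint then derives every reachable compromise and records the derivation, so that the multi-stage chain behind any compromise (a web server foothold used to reach the database, for instance) can be read back out.

```python
"""Tiny forward-chaining attack-model generator.

Added illustration, not code from the paper.  An environment is a set of
facts; attack rules say how one foothold plus an environment property yields a
new foothold; a fixpoint over the rules derives every reachable compromise and
remembers its derivation, so multi-stage attack chains can be reconstructed.
All host, service and account names below are constructed."""

ROOT = "root"

# Constructed environment.  Predicates used:
#   ("reachable", src_host, dst_host, port)
#   ("runs", host, port, service, account)          service runs as account
#   ("weak_service", service)                       remotely exploitable
#   ("local_escalation", host)                      any local user can get root
#   ("credential_in", host, reader, account, target_host)
ENV = frozenset({
    ("reachable", "internet", "web", 80),
    ("reachable", "web", "db", 5432),
    ("reachable", "web", "fileserver", 445),
    ("runs", "web", 80, "httpd", "www"),
    ("runs", "db", 5432, "postgres", "postgres"),
    ("runs", "fileserver", 445, "smbd", ROOT),
    ("weak_service", "httpd"),
    ("weak_service", "smbd"),
    ("local_escalation", "web"),
    ("credential_in", "web", "www", "postgres", "db"),
})


def index(env, pred):
    """All facts with the given predicate, with the predicate stripped."""
    return [f[1:] for f in env if f[0] == pred]


def applicable(env, has):
    """Yield (new_foothold, rule_name, prerequisite_foothold) for every attack
    step enabled by the current footholds.  A foothold is (host, account)."""
    for (h1, a1) in has:
        # Rule 1: exploit a weak network service reachable from a foothold;
        # the attacker gains the account the service runs as.
        for (src, dst, port) in index(env, "reachable"):
            if src != h1:
                continue
            for (host, p, svc, acct) in index(env, "runs"):
                if host == dst and p == port and ("weak_service", svc) in env:
                    yield (dst, acct), "remote_exploit:" + svc, (h1, a1)
        # Rule 2: local privilege escalation on a host already held as a user.
        if a1 != ROOT and ("local_escalation", h1) in env:
            yield (h1, ROOT), "local_escalation", (h1, a1)
        # Rule 3: reuse a stored credential that the held account can read,
        # provided the target is reachable from this host.
        for (host, reader, acct, target) in index(env, "credential_in"):
            if host == h1 and a1 in (reader, ROOT) and any(
                    s == h1 and d == target for (s, d, _) in index(env, "reachable")):
                yield (target, acct), "credential_reuse:" + acct, (h1, a1)


def derive(env, start):
    """Forward-chain to a fixpoint.  Returns {foothold: (rule, prerequisite)}
    with the initial foothold mapped to None.  The first derivation found for a
    foothold is kept, so each compromise records one enabling chain."""
    derivation = {start: None}
    changed = True
    while changed:
        changed = False
        for new, rule, prereq in list(applicable(env, set(derivation))):
            if new not in derivation:
                derivation[new] = (rule, prereq)
                changed = True
    return derivation


def attack_chain(derivation, goal):
    """Read back the multi-stage chain that reaches goal as an ordered list of
    (rule, foothold_gained), or None if goal is not reachable."""
    if goal not in derivation:
        return None
    chain, node = [], goal
    while derivation[node] is not None:
        rule, prereq = derivation[node]
        chain.append((rule, node))
        node = prereq
    return list(reversed(chain))


if __name__ == "__main__":
    d = derive(ENV, ("internet", "attacker"))
    for goal in (("db", "postgres"), ("fileserver", ROOT), ("db", ROOT)):
        print(goal, "<-", attack_chain(d, goal))
```

In this constructed environment the database never exposes a weak service, yet the analysis still finds a two-stage path to the `postgres` account: the web server's httpd is exploited for the `www` account, and the database credential stored on the web server is then reused. Root on the database is reported as unreachable, which is exactly the kind of negative result that lets an administrator see which hardening step (here, removing the stored credential or the weak httpd) actually cuts the chain.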