CS 448/548: Survivable Systems and Networks

This page is ALWAYS under construction!!!

Welcome to CS448/548 Survivable Systems and Networks. This course is offered in the Fall Semester 2015 at the University of Idaho. The course is taught by Dr. Axel Krings. The web site used the last time the course was taught can be viewed here, but be aware that each semester the format and material will change to reflect the dynamic behavior of the research area. This web-page contains information about the course, e.g. syllabus, class notes, pointers to interesting places etc. Material can be down-loaded in pdf and/or postscript format, and will be made available in the updated form as the class goes on. If you have comments, please let me know.

Imagine what would happen if our critical infrastructures were to be compromised by malicious act -- failure of communications, power, water, gas, banking & finance, emergency services etc. With increasing computer security concerns and the recognition of the vulnerability of our critical infrastructure to cyber terrorism, achieving Survivability of Systems under attack is vital in computing and networked systems, whether it is the systems themselves or the critical applications or infrastructures they control.

This course will focus on malicious act and other faults and their impacts on systems, as well as techniques useful in the design of systems that can survive such acts. Survivability goes beyond computer & network security or fault-tolerance. The range of threats to survivability that must be considered is enormous, including hardware malfunctions, software flaws, environmental hazards, and malicious and accidental human acts. However, we will also expand our view to include resilient systems and intrusion tolerant systems. These terms are actually closely related and have common attributes. But can one really design systems that can survive attacks, tolerate intrusions or be resilient? You would be surprised to find out that there is an entire research areas that deals with exactly that. Don't think of your laptop that becomes invincible (no James Bond scenarios here). Think bigger, think of models that help analyze systems, model reliability, identify essential services, explore the limits of redundancy and the assumptions under which this will or will not work. Think of what kind of faults or attack scenarios those systems may be subjected to. Now tab into the vast amount of tools and solutions that exist, including agreement algorithms, N-version & N-variant software, new Hybrid Fault Models, new analyzing approaches etc. and start designing your system!

Course description: This course discusses issues of Survivability, Attributes of System Survivability, Trustworthiness, Dependability and Assurance, Threats to Survivability, Threats to Security, Threats to Reliability, Threats to Performance, Requirements and Their Interdependence, Systemic Inadequacies, Approaches for Overcoming Deficiencies, Evaluation Criteria, Attempts at Standardization, Architectures for Survivability, Implementing and Configuring for Survivability. However, we will not limit ourselves to the term "survivability" and look at contemporary issues of resilient systems, which are closely related in their goals.

A wealth of literature has surfaced that deals with issues of system survivability. This class will be taught in several phases in which material will be presented by the instructor and literature will be reviewed by individual or groups of students. The results will be individual and group presentations as well as discussions of contemporary issues. The exact list of topics and class format is not final and a work in progress.

• Contact information:
  • Axel Krings (PhD), JEB 320,
  • Phone: 208-885-4078, fax: 208-885-9052.
  • Engineering outreach students: dial toll free 800-824-2889 ext 4078
  • Mailing address: Engineering Outreach, PO Box 441014, Moscow, Idaho 83844-1014.
  • Office Hours: (see here)
  • Class time: MWF 2:30-3:20pm room JEB 26.
• Fall 2015 Term Class Handouts:
  • The handouts are ordered by sequence numbers and the material covered in the lectures are indicated next to the date. Specifically, the numbers in parentheses indicate the slides covered during class, i.e., [a/b-c/d] indicates that the material covered is from sequence a (slide b) to sequence c (to slide d).
  • If there are any problems with accessing the handouts, please let me know (email, phone, smoke signs, drums, ...)!
  • Corrections: some slides may contain formatting errors, typos etc. which have been addressed in class, but have not been reflected in the notes posted here.
  • Course syllabus: to be discussed in class.
  • Lecture Support Material: Note that this represents only a subset of the issues presented in class! Whereas the information below gives the general information about the schedule of the lectures, it does not always indicated the specific approaches, methods, mechanisms, basic concepts and building blocks. These are derived using the reading assignments as "case studies", the concepts are introduced as we discuss the papers.
    Note that we will stretch out the material of the first few classes in order to address background issues raised during the presentation of the papers. This will help especially students that have not taken computer security and fault-tolerant systems. However, please do not confuse hand-waving with in-depth knowledge!
    • Lecture 1 (08/24/15): [1/1-1/04] Sequence 1, (pdf), : Introduction, Fault-tolerance primer. This will be revisited in the discussion based on Reading assignment 1, [Reading Assignment 1]
    • Lecture 2 (08/26/15): [1/5-1/06] Sequence 2, (pdf), : Introduction cont.: survivability, intrusion tolerance, resilience, fault-tolerance... Fault-tolerance primer, Standard Definitions, Assumptions and their Limitations. Main discussion focus is on fault, error, failure, as well as independence-of-fault-assumption (or common-mode faults). This includes also the understanding of the limitations of testing and the Test-vector Generation Problem, which is NP-hard (even for non-sequential circuits). [Reading Assignment 2]
    How-to-reference contract (Password will be given in class)
    • Lecture 3 (08/28/15): [1/7-2/08] Sequence 3, (pdf), : Preparation for Reading Assignment 2. Make sure you really read these assignments or you will lose out on developing a feeling for the topic. More on definitions related to fault-tolerance and background why many solutions from that field may or may not be suitable to address our malicious aspects. [Reading Assignment 3]
    • Lecture 4 (08/31/15): [2/09-3/07] Survivability definitions, their specific powers or limitations, Security: An Intrusion-tolerant approach.
    • Lecture 5 (09/02/15): [3/08-3/17] Sequence 4, (pdf), : Very Important: look closely at Reading Assignment 3, as it will be the basis for Fault model classifications and what this really means in malicious environments.
    • Lecture 6 (09/04/15): [3/18-4/10] Byzantine Agreement.
    • Lecture 7 (09/09/15): [4/11-4/20] Sequence 5, (pdf), : Introduction to Hybrid Fault Models, [based on Reading assignment 4].
    • Lecture 8 (09/11/15): [4/20-4/34] Agreement algorithms cont.
    • Lecture 9 (09/14/15): [5/01-5/xx] Sequence 6, (pdf), : Hybrid Fault Models
    • Lecture 10 (09/16/15): [5/xx-6/19] Fault Models and Data Aggregation Sequence 6, (pdf), : [Reading Assignment 5]
    • Lecture 11 (09/18/15): [6/20-6/xx] Fault models, approximate agreement and conversion. [Reading Assignment 6]
    • Lecture 12 (09/21/15): [6/30-7/xx] Sequence 7, (pdf), : Based on Reading Assignment 6, What faults should the application tolerate, what can the infrastructure provide? Looking at partially connected topologies. Local versus global convergence.
    • Lecture 13 (09/23/15): [7/09-7/16] Sequence 8, (pdf), : Discussion on the concept of Design for Analyzability, Reliability Block Diagrams, their dual, i.e., Fault Trees, and how useful or limited they are in our context. Concepts and Taxonomy of Dependable and Secure Computing, [Reading Assignment 7]
    • Lecture 14 (09/25/15): [7/17-7/32] Unpredictable, latent, Unobserved and Unobservable Risks, in the context of the 3-layer survivability analysis architecture [Ma & Krings 2008], Discussion of Assignment 1 and the 548 Project.
    • Lecture 15 (09/28/15): [8/01-8/xx] Material from reading assignment 7. Continuation of Unpredictable, latent, Unobserved and Unobservable Risks.
    • Lecture 16 (09/30/15): [8/xx-8/66] Sequence 9, (pdf), : Survivable Network (System) Analysis Method, [Reading Assignment 8 & 9]. There have been different variants, but it started out here.
    • Lecture 17 (10/02/15): [9/01-9/07] Survivable Systems Analysis preliminary discussion. SSA extensions, e.g., including Risk Assessment.
    • Lecture 18 (10/05/15): [9/08-9/44] Sequence 10, (pdf), : SSA Case Study.
    • Lecture 19 (10/07/15): [9/45-10/xx] Lessons learned, limitations of SSA, SSA derivatives, Case studies. [Reading Assignment 10]
    • Lecture 20 (10/09/15): [10/xx-11/07] Sequence 11, (pdf), : Dealing with patterns, e.g., intrusion detection systems, finishing up discussion on SSA Case Studies listed in Sequence 10. [Reading Assignment 10]
    • Lecture 21 (10/12/15): [11/08-11/19] Sequence 12, (pdf), : Dealing with patterns, e.g., intrusion detection systems
    • Lecture 22 (10/14/15): [12/01-12/21] Sequence 13, (pdf), : Background material on Markov chains (needed for reading assignment 10 and an upcoming reading assignment by Y. Liu and K. Trivedi).
    • Lecture 23 (10/16/15): [13/01-13/14] Markov Analysis of Software Specifications, based on Reading Assignment 10.
    • Lecture 24 (10/19/15): [13/15-14/03] Sequence 14, (pdf), : Decentralizing services, Case Study 1: Real-time attack recognition. Dealing with Patters cont.: Case study based on [Reading Assignment 11]
    • Short fuse Take-home EXAM coming up Tuesday: Will cover everything up to and including sequence 13. It will be due in class on Wednesday.
    • Lecture 25 (10/21/15): [14/04-14/xx] exam discussion, redundancy case study: lessons learned, DoS detection and recovery case study [from Reading Assignment 11] :
    • Lecture 26 (10/23/15): [14/xx-32] Sequence 15, (pdf), : Profiling-based DoS detection and recovery (case study cont.) [Reading Assignment 12]
    • Lecture 27 (10/26/15): [15/01-15/15] Attack recognition continued. Case study: real-time control application: ITS (Intelligent Transportation System)
    • Lecture 28 (10/28/15): [15/16-15/34] Sequence 16, (pdf), : Decentralized Services: case study background: RAID (note: this will be only a brief outline of the material), [Reading Assignments 13]
    • Lecture 29 (10/30/15): [15/35-16/xx] Sequence 17, (pdf), : Decentralized Services: case study Survivable Storage [Reading Assignment 14]
    • Lecture 30 (11/02/15): [xx-16/46] Exam review. RAID Systems.
    • Lecture 31 (11/04/15): [17/01-17/15] Survivable Storage. [Reading Assignment 15]
    • Lecture 32 (11/06/15): [17/16-17/33] Sequence 18, (pdf), : Survivable Storage cont.,
    • Lecture 33 (11/09/15): [18/01-18/05] How to share a secret. Derived on board.
    • Lecture 34 (11/11/15): [19/01-19/15] Sequence 19, (pdf), : Case study: Survivability architecture. Concepts: N-version and N-variant executions, [based on Reading Assignment 16]
    • Lecture 35 (11/13/15): [19/16-19/xx] N-variant executions using multi-core environments, different approaches of the literature. Background info Petri-Nets (see Fault-Tolerance course sequence 11: and Petri Nets 12: ) and Probabilistic Automata.
    • Lecture 36 (11/16/15): Petri nets continued.
    • Lecture 37 (11/18/15): [19/xx-19/46] Sequence 20, (pdf), : Conceptual design: how to assess feasibility of survivability by evaluating if reliability specifications can theoretically be archived from evaluating concepts towards implementation. [Reading Assignment 17]
    • Lecture 38 (11/18/15): [19/xx-19/46] Project day, catching up on reading assignment 16 (probabilistic automata)
    • Fall Break
    • Lecture 39 (11/30/15): [20/01-20/xx] Decentralized Services: case study SITAR
    • Lecture 40 (12/02/15): [21/01-21/06] Sequence 21, (pdf), : Survivability Quantification, Markov Models, Transient and Steady State solutions and the connection to the T1A1.2 definition of survivability. Survivability quantification, case study telephone system, analysis using common survivability definitions, Performance model, Availability model, Composite model [Reading Assignment 18]
    • Lecture 41 (12/04/15): [21/07-22/06] Sequence 22, (pdf), : How do you know that your results of large computations have not been (massively) corrupted? A probabilistic approach to Result Certification, [Reading Assignment 19]
    • Lecture 42 (12/07/15): [22/07-22/xx] Result Certification cont.
    • Lecture 43 (12/09/15): [22/xx-23/17] Sequence 23, (pdf), : Sequence 24, (pdf), : Risk background, SP800-30 Risk Management Guide, Risk Management or Risk Analysis?
    • Lecture 44 (12/11/15): [24/01-25/19] Sequence 25, (pdf), : Risk Staging
    • Final exam slot: December 14, 10-12pm. We may make it a short fuse take-home exam instead.
  • Reading Assignments (so far):
    • Note: besides the reading assignments below there are references to papers in the slides. These papers should be looked at as well!
    • 1) Fault-Tolerant Computing: Fundamental Concepts, by Victor P. Nelson, Computer, Issue 7, Pages 19-25, 1990.
    • 2) Internet Security: An Intrusion-Tolerance Approach, by Yves Deswarte and David Powell, Proceedings of the IEEE, Vol. 94, Issue 2, 2009.
    • 3) The Byzantine Generals Problem, by Leslie Lamport, Robert Shostak and Marshall Pease, ACM Transactions on Programming Languages and Systems, Volume 4, Issue 3, (July 1982). This paper is mainly for students that have not take CS449/549 and will bring them up to speed on topics related to fault models. We will discuss their limitations in hostile environments later.
    • 4) Thambidurai, P., and You-Keun Park, "Interactive Consistency with Multiple Failure Modes", 7th Symposium on Reliable Distributed Systems, 1988. Only read up to section 3. There is an interesting followup paper "Verification of Hybrid Byzantine Agreement Under Link Faults", by P. Lincoln and J. Rushby that addresses a problem in the algorithm of Thambidurai and Park.
    • 5) Azadmanesh, M.H. and Kieckhafer, Exploiting omissive faults in synchronous approximate agreement, R.M., IEEE Transactions on Computers, Volume: 49, Issue: 10, 2000.
    • 6) Krings Axel and Zhanshan (Sam) Ma, "Surviving Attacks and Intrusions: What can we Learn from Fault Models", Proceedings of the 42nd Hawaii International Conference on System Sciences, (HICSS-42) , Waikoloa, Big Island, Hawaii, January 5-8, 2009.
    • 7) Basic Concepts and Taxonomy of Dependable and Secure Computing, Algirdas Avizienis, Jean-Claude Laprie, Brian Randell, and Carl Landwehr, IEEE TRANSACTIONS ON DEPENDABLE AND SECURE COMPUTING, VOL. 1, NO. 1, JANUARY-MARCH 2004
    • 8) Survivable Network Analysis Method, (CMU-report-00tr013.pdf).
    • 9) A Case Study in Survivable Network System Analysis, (CMU-report-98tr014.pdf)
    • 10) [Whi93] Whittaker James A., and J.H. Poore, Markov Analysis of Software Specifications, ACM Transactions on Software Engineering and Methodology, Vol.2, No.1, January 1993, pp. 93-106.
    • 11) Case study 1: A Two-Layer Approach to Survivability of Networked Computing Systems, Krings A.W, et. al. (pdf)
    • 12) Case study 2: A. Krings, A. Serageldin and A. Abdel-Rahim, "A Prototype for a Real-Time Weather Responsive System" (pdf)
    • 13) Here are two pointers to papers. The original RAID paper is this one: Patterson, D.A., et. al., ÒA Case for Redundant Arrays of Inexpensive Disks (RAID)Ó, ACM SIGMOD Records, International Conference on Management of Data, Vol.~17, No.~3, pp.~109-116, June~1988. Note: this is only a background paper (keep the date (1988) in mind when you read this). A great overall paper about RAID is this: RAID: High-Performance, Reliable Secondary Storage, by Peter M. Chen , Edward K. Lee , Garth A. Gibson , Randy H. Katz , David A. Patterson, ACM Computing Surveys, 1994.
    • 14) Survivable Storage, CMU Tech. Report CMU-CS-01-120. Also look at "Decentralized Recovery for Survivable Storage Systems", Theodore Ming-Tao Wong May 2004 CMU-CS-04-119
    • 15) Adi Shamir, "How to Share a Secret", Communications of the ACM, Vol. 22, No. 11, November 1979.
    • 16) An Adaptive N-variant Software Architecture for Multi-Core Platforms: Models and Performance Analysis, by Li Tan and Axel Krings, Proc. 11th Intl. Conference on Computational Science and its Applications (ICCSA 2011), June 20-23, 2011. (*)
    • 17) SITAR: A Scalable Intrusion-Tolerant Architecture for Distributed Services, by Feiyi Wang, Fengmin Gong, Chandramouli Sargor, Katerina Goseva-Popstojanova, Kishor Trivedi, Frank Jou, Proc 2001 IEEE Workshop on Information Assurance and Security, United States Military Academy, West Point, NY, 5-6 June, 2001
    • 18) A General Framework for Network Survivability Quantification, by Y. Liu and Kishor Trivedi, Proc. 12th GI/ITG MMB, 2004.
    • 19) Krings Axel, Jean-Louis Roch, Samir Jafar and Sebastien Varrette, "A Probabilistic Approach for Task and Result Certification of Large-scale Distributed Applications in Hostile Environments", Proc. European Grid Conference (EGC2005), in LNCS 3470, Springer Verlag, February 14-16, 2005. (pdf)
  • Assignments:
    • Assignment 1(pdf)
    • CS548 Project (pdf)