What Next in Intrusion Tolerance

Partha Pal, Rick Schantz, Michael Atighetchi, Joseph Loyall, Franklin Webber
BBN Technologies, Cambridge, MA
{ppal, rschantz, matighet, jloyall, fwebber}@bbn.com

Abstract—Emerging software technologies such as SOA, cloud computing and the semantic web are challenging some of the assumptions made in the existing designs of intrusion tolerant systems. This paper provides an analysis of the changing landscape, describes the newly introduced risks and vulnerabilities, and briefly outlines research efforts that may point the way forward.

Keywords: intrusion tolerance; cyber-security; service-oriented architecture; cloud computing; semantic web

I. INTRODUCTION

Experience shows that attacks may never be completely prevented, and some attacks may not be detected accurately and on time. Consequently, intrusion tolerance, combining aspects of protection, detection and reaction, is currently considered the optimal way to address information security challenges. However, the architecture of intrusion-tolerant systems, integrating multiple layers of defenses, redundancy and diversity, can be daunting, and is often viewed as heavyweight, costly to provision and difficult to dynamically re-provision. At the same time, the information technology landscape has been evolving with the introduction of new software technologies such as cloud computing [1], SOA [2] and the Semantic Web [3].

The new technologies present an opportunity. For example, cloud computing can remove many provisioning issues and enable “one-click” dynamic provisioning of computing power and storage. The SOA concept implies that software building blocks, including security mechanisms, can now be thought of as services, potentially developed independently, to be connected to a service bus. The Semantic Web envisions many of the tasks that require human comprehension of disparate data available in the network being done by automated processing agents.
Combining SOA and cloud has the potential to make intrusion tolerant architectures affordable, in the same way that safe-deposit boxes in banks (instead of vaults in individual homes) made safe storage of valuables affordable. Similarly, semantic linking of disparate data can unlock inferences leading to new heights of cyber-defense situation awareness. However, indiscriminate migration to SOA and cloud computing (the “Someone Else’s Data Center” phenomenon) can also be dangerous. In addition to compute power, storage or connectivity, the cloud must offer a level of trust and protection. In SOA, the services must include security aspects in their service-level agreements in addition to “functionality” or “logic”. But developing cloud or SOA services with customizable levels of security and trust is no different from developing trustworthy and secure computer programs—a problem that has not been completely solved yet. In addition, the combination of SOA and cloud computing may unleash new security threats, and the power of semantic linking will make controlling access to information more difficult, threatening the privacy of individuals and information owners. Unless these issues are well understood, and intrusion tolerance technologies are adapted to the new environment, new features and capabilities may have a shorter time to market, but the information systems of the future will become more vulnerable, and may actually fare worse against attackers than today’s intrusion tolerant systems.

In this paper, we present our analysis of the potential impact of SOA, cloud and semantic web technologies on intrusion tolerance. Our conclusions can be summarized as follows.
A number of defenses and security techniques, especially those providing availability, integrity and confidentiality, can potentially be encapsulated in the cloud or within the services and offered as value-add; but new capabilities (e.g., the ability to dynamically manage the security aspects of SOA services and cloud resources, or support for privacy-preserving interaction) will also be needed. Furthermore, some of the current security and intrusion tolerance challenges are likely to remain problematic, and may even be exacerbated, creating additional difficulties for law enforcement in some cases.

II. EMERGING TECHNOLOGIES

Intrusion tolerant versions of distributed systems of various flavors (e.g., thin client, 3-tier, distributed objects, peer-to-peer, publish-subscribe) that are based on a vertical ownership structure, where a single organization has control over the software application, the CPU and memory resources it requires to run, as well as the access points for remote interactions, have been developed and experimented with [4, 5, 6]. The tolerance of such systems is derived from the protection, detection and redundancy mechanisms integrated into the vertical silos, controlled air-gapped communication among them, and adaptive management of the resulting defense-enabled silos. A typical example is shown in Figure 1, where Widgets’ service is made available on the Internet via content delivery mechanisms such as Akamai. There is only one “cloud” in this scenario—the network. From the perspective of Widgets’ customers, Widgets’ services are available from the network cloud, whereas from Widgets’ own perspective, the network cloud is a combination of its intranet (leased lines or tunnels through the public Internet connecting Widgets’ corporate and partner sites) and the Internet (where Widgets’ customers are). Widgets and its partner organizations can be expected to have multiple layers of defense to protect their own enclaves.
[Figure 1: A networked distributed system. Consumers of the Widgets.com service reach the service offering through the network cloud and content and application delivery (e.g., Akamai); behind it sit the widgets.com intranet with its applications and services, the Widgets.com back office hardware, partner organization hardware and Widgets.com overseas hardware. Each enclave is architected to be intrusion tolerant with multiple layers of defense (application, JVM, CSA/SELinux, ADF, VPN, firewall, switches, with redundancy and diversity at the process, host, network and system levels); inter-enclave and client access is strictly controlled, and local (host), network and system-wide control loops manage the defense mechanisms.]

Cloud computing and SOA introduce a different kind of structure (see Figure 2). The “cloud” is not confined to the “network” anymore. Some of the software and storage that were on Widgets’ corporate and partner sites will now be hosted in the cloud (e.g., Amazon’s data centers). Instead of tunneling through the public Internet, Widgets and its partners can obtain high-bandwidth connectivity from network service providers (e.g., Verizon) to link their premises to the cloud data centers. Providers like Amazon and Verizon can cater to many organizations like Widgets and its partners at the same time, possibly sharing the same resources, creating horizontal layers that collect or co-locate communication, storage and computation from multiple sources. Widgets’ customers, on the other hand, will continue to view the network cloud as the source of Widgets’ services.

[Figure 2: A system in a Cloud-SOA setting. Consumers of the Widgets.com service reach the service offering via content and application delivery (e.g., Akamai) and the network “cloud”; application and support services, and the processing of data to support the Widgets.com service offering, run in a cloud data center (e.g., Amazon) on platform services (CPU and storage); network services (e.g., fiber from Verizon) connect the Widgets.com back office, partner organization and Widgets.com overseas sites to the cloud.]

In this hybrid vision of cloud and SOA, the network services providers offer the service of establishing communication paths that deliver bits from ingress to egress with certain properties (i.e., at a certain data rate, guaranteed or best effort, unmodified, despite network failures, etc.). The cloud data center or platform services providers offer services to start, advertise and connect hosted services to end consumers, migrating or load-balancing hosted services as necessary, once again with certain properties (e.g., maintaining a standby, migrating or adding new instances if load increases, etc.). Organizations like Widgets obviously need to worry about applications: buy vs. build, how to organize available building block services, etc. In addition, they also need to worry about who accesses their data and computation hosted in the cloud, whether information exchanged within the cloud (data center or network) is exposed to unauthorized entities or tampered with during transit, how to trust the service building blocks found in the cloud, what level of QoS to negotiate with service providers (e.g., platform or network services providers), etc.

Figure 3 illustrates the utility of semantic web technologies. Deriving answers to questions like the one posed there requires human interpretation of the data and services that are available in the network cloud. With semantic web technology, automated agents can scour the network chasing semantic links to find the answer. The confluence of cloud computing and SOA actually facilitates semantic linking and advanced data mining.
In SOA, some services and information must be externalized (e.g., service description and discovery), some service transactions may leave a visible trace as they cross organizational boundaries, and furthermore, the information externalized this way may already be structured and tagged.

[Figure 3: Example use of Semantic Web Technology. John Doe asks a semantic web service for an “Italian restaurant close to a Starbucks near to Main and Rt 27 in Acton”; the service follows links across Starbucks, “restaurants by cuisine” and Google Maps data. The information is “out there” on the web and a human can do the job; the Semantic Web provides technologies for semantically tagging and linking unstructured data so that an automated agent can answer such queries. If John Doe uses the service, he will leave a trail.]

III. ANALYSIS OF SECURITY ISSUES

While the horizontal “services” stove-piping the “cloud” can be constructed to offer certain levels of security, we still need to worry about end-to-end security. For example, a cloud data center may offer storage or computing service with 99.9% availability, or the Global Information Grid (GIG) [7] may offer core communication services with strong authentication and access control. But this security covers the interface between the “cloud” and its consumers (e.g., organizations like Widgets); end-users’ interactions, such as Widgets’ customers logging in and using widgets.com, are not covered, even though parts of the end-users’ requests get processed in the cloud. Even from the perspective of an organization like Widgets, not everything is rosy and peachy: while it is easier to encrypt data to be stored in the cloud, no such technology exists to “encrypt” the computation that is delegated to the cloud. Semantic linking, and the subsequent crawling and mining of such linked information and services, may lead to information tied to the identity of individuals that the individuals and organizations may not want to share (i.e., violation of privacy).
For instance, in the example shown in Figure 3, it is possible to track John Doe’s eating habits by following the trail left by his use of the semantic web service (more damaging scenarios follow the same pattern as this benign example). It is not clear what an adversary, empowered with semantically linked data about the system, can do to an intrusion tolerant system that uses SOA and delegates some of its storage and computation to the cloud.

It turns out that the introduction of SOA, cloud and semantic web technology can make some aspects of intrusion tolerance easier to realize. At the same time, some current issues are likely to remain as problematic as they are today. But more importantly, we observe that the emerging software technologies will introduce additional complications and new challenges in a number of areas. We present some examples of each kind in the next three subsections.

A. Things likely to get better

Defense in depth: In a SOA-cloud setting, availability, confidentiality, integrity and access control can be embedded in each service layer, imposing separation of concerns and facilitating defense in depth. In this structure, network experts will worry about the network and platform experts will worry about storage and CPU availability (separation of concerns). Systems configured by orchestrating services and resources with built-in security value-add will inherently include multiple independent layers of defense and containment boundaries.

Reasoning about incident reports: Adoption of semantic web technology will enable semantic linkage and the development of intelligent query processing capabilities. Such capabilities are believed to be helpful for managing and using vast amounts of unstructured and distributed data. Applying semantic web technologies to the large volume of alerts and incident reports collected in intrusion tolerant systems today can therefore lead to improved cyber-defense situation awareness.

Availability mechanisms (e.g., redundancy and diversity) and redundancy-based protocols for checking or tolerating process integrity (e.g., Byzantine fault tolerant protocols) can be incorporated into the network services layer as well as the platform services layer. Mechanisms contained in a layer can also help contain the impact of failures within the layer (in order to avoid violation of service level agreements). In this setup, different levels of diversity or redundancy can be allocated independently for network and platform resources for a given system configuration, and the allocation can be dynamically adjusted (i.e., adding or releasing bandwidth/CPU/memory) easily and nearly instantly based on urgency and cost considerations.

The existence of a network services layer can facilitate multiple layers of integrity protection for messages in transit. The network services layer can guarantee that what it received at the ingress is not tampered with before it exits at the egress, and at the same time, the messages can still be signed at the application layer. This will be similar to what we did in our prior survivable system work [6], but with the following differences. In the prior work, the survivability architects needed to put network-level mechanisms in place at each of the communicating enclaves (recall, they owned the entire vertical), but in the SOA-cloud setting the capability can be bought for a price from the network provider. This commoditization also makes it easy to turn the network-level mechanisms off or on dynamically.

Like availability and integrity, some aspects of confidentiality, in particular the confidentiality of data, can also be commoditized: the network or the cloud storage can offer encryption/obfuscation/isolation value-add that one can buy or dynamically negotiate.

Access control for resources: The SOA-cloud setting will enforce a level of access control to system resources and services that is not available today. Because unauthorized access can damage their revenue stream, the cloud vendors will aggressively control access to and usage of their services and resources. For instance, a network services provider selling network bandwidth between two locations to various organizations can be expected to require the devices attaching to its network at these locations to authenticate themselves. In addition, it will likely enforce strict flow control to prevent bandwidth over-consumption, and block traffic types that were not contracted for. Similar features at platform services providers will extend the scope of control to CPU usage and storage as well, making certain kinds of denial of service attacks that plague the Internet today more difficult. Authentication and access control for individual services and resources also help build up system-wide defense in depth.

B. Things likely to remain the same

Validation and trust: We argue that validating security claims, especially quantitative evaluation of security, will be at least as difficult as it is today in a SOA-cloud-semantic web setting. Separation of concerns may help in constructing assurance cases, but this will be counterbalanced by the difficulty in evaluating the security claims made by the cloud services. How much trust should be placed in the services procured from the cloud? Do you want to actively assess the level of assurance provided by the platform or the network services layer? What are the mechanisms? How trustworthy is the assessment mechanism itself? Analogous questions arise today in peer-to-peer systems on the Internet, and it is likely that reputation- or behavior-based approaches used in the peer-to-peer context will be applicable in the SOA-cloud-semantic web setting as well.
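The two independent integrity layers described under A above (transit integrity bought from the network provider, plus signatures applied at the application layer) can be made concrete. This is an added example, not code from the paper: the keys, envelope format and message are constructed, and HMAC-SHA256 stands in for both the provider's transit protection and the application-layer signature.

```python
"""Two independent integrity layers on the path Widgets -> network provider -> partner.
Added example: keys, the envelope format and the message are constructed here, and
HMAC-SHA256 stands in for the provider's transit protection and for the
application-layer signature (a real deployment would sign with an asymmetric key)."""
import hashlib
import hmac
import json
from typing import Optional, Tuple

# Constructed keys. APP_KEY is shared end to end by Widgets and its partner;
# TRANSIT_KEY is held only by the network provider's ingress and egress points.
APP_KEY = b"constructed-widgets-partner-application-key"
TRANSIT_KEY = b"constructed-provider-ingress-egress-key"


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def app_sign(payload: bytes) -> dict:
    """Application layer (sender): protect the payload before it enters the network."""
    return {"payload": payload.hex(), "app_mac": _mac(APP_KEY, payload).hex()}


def ingress_wrap(msg: dict) -> dict:
    """Network services layer (ingress): the provider MACs the whole application
    message so that nothing inside its network can alter it unnoticed."""
    body = json.dumps(msg, sort_keys=True)
    return {"body": body, "transit_mac": _mac(TRANSIT_KEY, body.encode()).hex()}


def egress_unwrap(frame: dict) -> Optional[dict]:
    """Network services layer (egress): verify the transit MAC before delivery.
    None means the provider itself detected tampering and must not deliver."""
    expected = _mac(TRANSIT_KEY, frame["body"].encode())
    if not hmac.compare_digest(expected, bytes.fromhex(frame["transit_mac"])):
        return None
    return json.loads(frame["body"])


def app_verify(msg: dict) -> Optional[bytes]:
    """Application layer (receiver): end-to-end check that does not trust the provider."""
    payload = bytes.fromhex(msg["payload"])
    if not hmac.compare_digest(_mac(APP_KEY, payload), bytes.fromhex(msg["app_mac"])):
        return None
    return payload


def deliver(frame: dict) -> Tuple[str, Optional[bytes]]:
    """Receive path: report which layer rejected the frame, or ('ok', payload)."""
    msg = egress_unwrap(frame)
    if msg is None:
        return ("rejected_by_network_layer", None)
    payload = app_verify(msg)
    if payload is None:
        return ("rejected_by_application_layer", None)
    return ("ok", payload)


ORDER = b"ship 100 widgets to partner site A"   # constructed message
FORGED = b"ship 900 widgets to partner site A"


def scenario_clean() -> Tuple[str, Optional[bytes]]:
    return deliver(ingress_wrap(app_sign(ORDER)))


def scenario_tamper_inside_network() -> Tuple[str, Optional[bytes]]:
    """A hop between ingress and egress rewrites the payload; it lacks TRANSIT_KEY,
    so the egress check fails and the provider's integrity guarantee catches it."""
    frame = ingress_wrap(app_sign(ORDER))
    frame["body"] = frame["body"].replace(ORDER.hex(), FORGED.hex())
    return deliver(frame)


def scenario_tamper_by_provider() -> Tuple[str, Optional[bytes]]:
    """The provider itself (or anyone holding TRANSIT_KEY) rewrites the payload and
    re-MACs it; only the application-layer check, which the provider cannot forge,
    catches this. This is why the second layer is kept even when transit
    protection is bought from the network."""
    msg = app_sign(ORDER)
    msg["payload"] = FORGED.hex()
    return deliver(ingress_wrap(msg))


if __name__ == "__main__":
    for fn in (scenario_clean, scenario_tamper_inside_network, scenario_tamper_by_provider):
        print(fn.__name__, fn())
```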
Accountability: Accountability is obviously very useful as a deterrent to insider threats as well as for post-incident forensics. Execution of tasks that are internal to one organization today can span multiple organizations in a SOA-cloud setting. Different organizations may monitor and track only what they are interested in, leaving holes in the end-to-end data and control flow. The audit trails may be incompatible with each other. But we argue that a similar situation exists today in systems and applications that involve multiple security domains.

C. Things that need innovative solutions

Data protection: Today it is the data owner who accepts the terms and conditions of the cloud storage (e.g., when one uploads an album to Snapfish or Facebook). The data owner has no control over what a friend, who is authorized to access the photographs, does after he copies them. Clearly, this model will not work when the data owner has its own authentication and access control policy. Even though a breach of confidentiality is hard to detect, data in the cloud can be stored in encrypted form. But for computation delegated to the cloud, there is no such analog. This makes the computing processes in the cloud a weaker point in the data processing chain. What can a platform service provider do to offer a confidentiality value-add?

In addition to loss of confidentiality, which is essentially about data, semantic linking and data mining that take advantage of such linkage will give rise to privacy issues, which are essentially about individuals. For instance, someone’s social security number can be in the public (it is just a 9-digit number), but as soon as it is linked with an individual, it becomes private information. To preserve privacy, it is not the data itself but the association of the data with an identity that needs to remain confidential—but it is not clear today how to control semantic linking or who has what rights to that link.
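The data protection problem above (the owner's own access policy, rather than the storage provider's terms, should govern use of the stored object) is one that Section IV returns to with the idea of storing policies as metadata with the digital object and enforcing them at the point of use. As an added example that is not the paper's code, the following sketches such enforcement, and also binds the metadata to the object with a MAC so that a rewritten policy is detected before it is acted on; the XML layout, roles, identifiers and keys are constructed, and an HMAC-based keystream stands in for a real AEAD cipher.

```python
"""Point-of-use enforcement of a data owner's access policy stored as XML metadata
with an encrypted digital object. Added example, not the paper's code: the XML
layout, roles, identifiers and keys are constructed, and an HMAC-SHA256 keystream
stands in for a real AEAD cipher such as AES-GCM."""
import hashlib
import hmac
import json
import xml.etree.ElementTree as ET
from typing import Optional, Tuple

# Constructed secrets. The owner's policy enforcement point holds MASTER_KEY; the
# identity provider that issues role credentials holds IDP_KEY.
MASTER_KEY = b"constructed-owner-enforcement-point-master-key"
IDP_KEY = b"constructed-identity-provider-key"


def _mac(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.sha256).digest()


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Encrypt/decrypt with HMAC-SHA256 in counter mode (demonstration stand-in)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = _mac(key, offset.to_bytes(4, "big"))
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def publish(object_id: str, plaintext: bytes, policy_xml: str) -> dict:
    """Owner side: encrypt under a per-object key and bind the policy metadata to
    the object identifier with a MAC, so that a rewritten policy is detectable."""
    object_key = _mac(MASTER_KEY, object_id.encode())
    return {
        "id": object_id,
        "metadata": policy_xml,
        "metadata_mac": _mac(MASTER_KEY, object_id.encode() + policy_xml.encode()).hex(),
        "ciphertext": _keystream_xor(object_key, plaintext).hex(),
    }


def issue_credential(subject: str, role: str) -> dict:
    """Identity provider side: a signed role assertion that the requester presents."""
    claims = json.dumps({"subject": subject, "role": role}, sort_keys=True)
    return {"claims": claims, "sig": _mac(IDP_KEY, claims.encode()).hex()}


def request_object(obj: dict, credential: dict, action: str) -> Tuple[str, Optional[bytes]]:
    """Point of use: the metadata is authenticated and the policy evaluated before
    the object key is derived. Returns (outcome, plaintext or None)."""
    expected = _mac(MASTER_KEY, obj["id"].encode() + obj["metadata"].encode())
    if not hmac.compare_digest(expected, bytes.fromhex(obj["metadata_mac"])):
        return ("metadata_tampered", None)
    if not hmac.compare_digest(_mac(IDP_KEY, credential["claims"].encode()),
                               bytes.fromhex(credential["sig"])):
        return ("bad_credential", None)
    role = json.loads(credential["claims"])["role"]
    policy = ET.fromstring(obj["metadata"])
    if not any(rule.get("role") == role and rule.get("action") == action
               for rule in policy.iter("allow")):
        return ("denied_by_policy", None)
    object_key = _mac(MASTER_KEY, obj["id"].encode())   # the "cryptographic code"
    return ("ok", _keystream_xor(object_key, bytes.fromhex(obj["ciphertext"])))


# Constructed digital object: an album whose owner lets friends view but not copy.
ALBUM_ID = "doi:10.9999/constructed-album-42"
ALBUM_BYTES = b"constructed JPEG bytes of album 42"
ALBUM_POLICY = """<object id="doi:10.9999/constructed-album-42">
  <policy>
    <allow role="owner" action="view"/>
    <allow role="owner" action="copy"/>
    <allow role="friend" action="view"/>
  </policy>
</object>"""


def demo() -> dict:
    obj = publish(ALBUM_ID, ALBUM_BYTES, ALBUM_POLICY)
    friend = issue_credential("alice", "friend")
    results = {
        "friend_view": request_object(obj, friend, "view"),
        "friend_copy": request_object(obj, friend, "copy"),
    }
    # A friend who edits the stored policy to permit copying is stopped by the
    # metadata MAC before the policy is even parsed.
    edited = dict(obj, metadata=obj["metadata"].replace(
        '<allow role="friend" action="view"/>',
        '<allow role="friend" action="view"/>\n    <allow role="friend" action="copy"/>'))
    results["edited_policy"] = request_object(edited, friend, "copy")
    # A self-issued "owner" credential without the identity provider's key fails.
    fake = {"claims": json.dumps({"role": "owner", "subject": "mallory"}), "sig": "00" * 32}
    results["forged_credential"] = request_object(obj, fake, "view")
    return results
```

Running `demo()` shows the friend's view succeeding while the copy, the edited policy and the forged credential are each refused at a different check.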
A related case can be demonstrated using “friend of a friend” or FOAF. On one hand, FOAF provides a level of access control: Alice, being a FOAF of Bob, obtains certain rights to access Bob’s information. On the other hand, FOAF is often used as an indicator of trust, e.g., when Bob links his data with data that is linked with Alice (or a fixed number of indirections away from Alice) but not with data linked with Charlie, who is not a FOAF. In a semantically linked universe, FOAF is but one kind of semantic link that will be automatically formed, followed and mined by semantic web applications; however, mechanisms for 3-way authentication (between the data owners and the application exploiting the semantic link) and access control of the semantic links are not readily available yet. Meaningful auditing of semantic link chasing may even be very difficult (consider the difficulty of tracing back an attacker who hides behind a sequence of relays). It is likely that there will be a need for 3rd-party services for tracking and verification (like credit reporting agencies).

Finally, the discussion about data protection in the SOA-cloud setting would remain incomplete without talking about metadata. Metadata forms the basis on which service consumers find the services they need. Unless there is a tamperproof way to associate metadata with services, and to verify that association, new kinds of “phishing” attacks will appear.

Regulatory Issues: Suppose a terrorist organization buys a guaranteed service and uses encrypted communication between ingress A and egress B; the network operator will only have access to encrypted data, which is not helpful for prosecution. Similarly, a terrorist organization can store its secret information in the cloud in encrypted form. Law enforcement has already encountered similar issues with VOIP and peer-to-peer networks, despite the existence of laws like the Communications Assistance for Law Enforcement Act (CALEA). How to distinguish between a terrorist taking advantage of the services and legitimate privacy and confidentiality requirements (e.g., Alice may rent cloud storage to safely store her medical or financial records, or establish a secure link between her and her doctor)? Issues like this will be at the forefront when SOA systems in the cloud manage semantically linked information. To satisfactorily address the forensics, auditing and provenance requirements, existing rules and regulations need to be revisited along with the development of new technology hooks.

Services management: In the SOA-cloud setting, a system is a collection of cooperating services including the cloud services (e.g., the network or platform services offering connectivity, CPU or storage), application services (implementing the business logic) and support services (providing, among others, security functions). We argue that a specialized support service—the “services management” or SM service—will be needed to ensure end-to-end security and service delivery requirements. We envision the SM service as a middleware service that takes requirements from the application owners (e.g., Widgets) and provisions network, CPU and storage resources from network and platform services providers with the appropriate level of security, and controls the security posture of all participating services.

It is easy to detect unavailability and integrity breaches. The service providers may be able to contain and mitigate the failures within their layers, but in cases when that is not possible, or the mitigation is not sufficient to meet the end-to-end security and service delivery requirements of the system, a system-wide response will be necessary. For example, Widgets may decide to provision connectivity from a second network or platform services provider to maintain the availability of its system to end customers while its primary providers work on restoring their services. The SM service is the natural choice for handling the coordination required for such system-wide actions. Obviously, the SM application itself needs to be intrusion tolerant.

The ease of dynamic re-provisioning in the SOA-cloud setting will open up the possibility of using more resources on demand, based on load (need to serve more requests) or threat (my services are being attacked, need additional redundant servers). The envisioned SM service should be able to react to security breaches and monitored load, and dynamically re-provision affected resources. However, adding new resources is not free of side effects: it may temporarily suspend the ability to deliver service or impact the quality of service, and the security posture of the services needs to be realigned. Therefore the SM service will need to dynamically coordinate with all the participating services as well.

D. An Emerging Opportunity

With two-way smart metering and intelligent devices in every home, and distributed generation involving a larger percentage of green sources that are inherently unpredictable, the electric grids of the future will become very large, distributed, interdependent cyber-physical systems requiring sophisticated algorithms that process huge amounts of data collected throughout the system, ranging from billing information and consumers’ usage patterns to the internal state of generating stations and transmission lines and pricing data from energy and carbon markets. And as recent news reports [12] indicate, it will also become an attractive target for cyber attacks. Various utilities and system operators have already embarked upon grid modernization efforts. Many have adopted SOA for their advanced control center applications, which obtain data and interact with each other by connecting to an enterprise service bus (ESB).
In many cases telecom providers and new bandwidth-on-demand (BoD) services connect control centers and other key elements, much like a cloud. New requirements, such as the owner of a plug-in hybrid vehicle (PHV) being billed for charging the car in a public car park as well as at a friend’s house (charging at his own home is no different from any other household device), present the need for novel semantic linking of data. Overall, it is very likely that the electricity grid will undergo a level of disruptive transformation in the next 5 to 10 years. Yet, at the same time, the grid must maintain the highest level of reliability. In the current environment, maintaining reliability means it must operate through cyber attacks and provide continued service, which may degrade initially but needs to recover quickly. Keeping that requirement in mind, there is a recent surge of research and development activity both in the US [13] and the EU [14] in the area of resiliency and protection of critical infrastructure such as the power grid. We argue that the electric grid will be an interesting proving ground where some of the issues we describe in this paper will be encountered and, hopefully, addressed.

In many ways, the transformation we anticipate in the power grid is reminiscent of the early days of the Internet. The ability to connect a large number of devices distributed over a large area, enabling bi-directional communication, will lead to new applications and use cases, which in turn will lead to new requirements. However, networking and distributed system construction technology has progressed, and newer techniques such as SOA, cloud computing and the semantic web are well poised to make these efforts comparatively easier and the evolution faster this time. It would be nice to be able to say the same thing with a similar level of confidence about the intrusion tolerance and security of the energy grids of the future.

IV. SOLUTION APPROACHES

In this section we briefly describe some work currently being done by us and other researchers that is relevant and may point the way forward.

Service-oriented security: Emerging standards and COTS products seem to exhibit an “everything is a service” theme. Some defenses that are typically part of an application will become externalized and shared in a SOA setting. For instance, instead of having their own internal authentication mechanisms, an Oracle database server and a JBoss application server can share an authentication service in the cloud. But there are cases where such externalization will be risky and inefficient. For example, for session-level encryption (i.e., after a consumer’s session is established), it does not make sense for the end points to go to a third-party service to encrypt their messages. Apart from the inefficiency, this will raise the issue of trusting the encryption service. As part of our continued work on survivable systems, we have begun exploring the limits of externalizing defense mechanisms and developing the specialized SM middleware service we described earlier. In the SM service work we are also leveraging our prior work in adaptive redundancy and multi-level resource management implemented as a middleware service.

A key point of concern in service-oriented security is deciding which security and survivability functions need to be services. To illustrate, consider the issue of service corruption. In a traditional setting, a voting protocol among replicas can be used for this purpose. Should the voting algorithm be implemented as a voting service in a SOA setting? Which implementation choice offers better security: a distributed protocol where protocol libraries are embedded in each participant, or a voting service implementation where the participants interact with it?
The latter can be a single point of failure, and will introduce another new service request-response interaction that needs to be protected.

Multiple Independent Levels of Security (MILS): Isolation and containment are a basic design principle of intrusion tolerant architectures. MILS [8] aims to provide a non-bypassable, evaluable, always-invoked and tamperproof architecture, where components of various levels of trustworthiness can coexist. It is foreseeable that future cloud services will be constructed based on MILS. The quality of the MILS architecture can be used to gain the confidence of the service consumers (for example, a vendor may claim that their separation kernel has a mean time to compromise of 7 days). Similarly, if the “services management” task can monitor the tamperproof mechanisms in the architecture, it can direct defensive responses to prevent further damage. New “separation mechanisms” will be needed as cloud providers seek to maximize their return on investment by using virtualization and new types of coding and multiplexing schemes to increase their resource utilization in both the network and platform services. Virtual machine firewalling techniques such as the one described in [9] can be useful in this context if organizations choose to delegate their applications as VMs, or the cloud provider sells computing resources as VMs. Virtualization at network devices such as routers, as well as novel networking technologies such as dynamic wave-division multiplexing (WDM) optical circuits over fiber backbone networks, can provide multiple independent levels of security in the network.

Trust and assurance: We have begun working on a framework of indicators from which it is possible to assess the assurance level of a system from various stakeholder perspectives. The indicators cover a range of static and organization-level aspects both internal and external to the system, as well as a number of dynamic properties of the system.
The assessment is not in terms of absolute quantification; rather, it provides a way to order various configurations of values and observations from the indicators in terms of the assurance concerns of a given stakeholder. The trusted computing initiative [10] is another promising line of work that is extremely relevant in this context. Services built around the Trusted Platform Module (TPM) can be leveraged to assess whether a computation task can be handed off to platform resources in the cloud. We have also started looking at developing such services and enabling user-mode programs to safely use them.

Data and information protection: Work in the digital object identifier (DOI) system has developed a formalism to represent data stored in digital media as digital objects with a unique identifier and associated metadata. We are exploring the possibility of encoding authentication and access control policies in a mark-up language, storing the policies with the digital objects, and enforcing them at the point of use. This technique will take advantage of semantic linking and the availability of fast network and computing resources: a request for a digital object will fetch the XML metadata to be processed first; metadata processing may involve fetching the DTD schema from remote sites, checking credentials, and producing a cryptographic code to unlock the actual data. There has been quite a bit of mathematical work in privacy-preserving computation [11], but developing a real-world application as a privacy-preserving computation is impractically complex. We have started exploring simpler and more practical techniques, such as substituting real data by virtual “use once data” and hiding in the crowd, to preserve a level of privacy.
Such techniques will also leverage existing fast networks and semantic linking to establish and check the association between the virtual “use once data” and its real counterpart, and also to formulate and accommodate the load of artificial “crowd” transactions. Uninformed adaptation of new technologies can be fatal and expensive (penalties, liabilities). We anticipate that innovative approaches to privacy, access control, accountability and trust management will be necessary to address these challenges.

V. CONCLUSIONS

SOA, cloud services and the semantic web are three examples of emerging technologies that have the potential to alter the way survivable systems will be built in the future. We showed where the existing intrusion tolerance technologies can help (e.g., supporting defense in depth), where they fall short (e.g., data protection and dynamic management of security), and also described promising lines of research that can help fill the gap. We argued that the emerging technologies will provide an opportunity to apply the existing intrusion tolerance technologies to a wider set of applications because they make provisioning and re-provisioning network, CPU and memory resources easier and more dynamic. On the other hand, there are cases where the current SOA, cloud and semantic web offerings have inherent vulnerabilities that can be exploited by a malicious adversary. Now is also the time to develop technologies to address them and infuse the emerging technologies with the appropriate security and survivability value-adds. We also argued that the electricity grid will provide fertile ground to study some of the issues and validate some of the solution approaches we discussed here. Finally, more awareness of the new challenges that arise at the confluence of SOA, cloud and the Semantic Web is clearly needed. New law enforcement requirements such as CALEA, HIPAA, etc. further complicate the space of technical solutions.

REFERENCES

[1] Vaquero, L. M., Rodero-Merino, L., Caceres, J., and Lindner, M. A break in the clouds: towards a cloud definition. SIGCOMM Comput. Commun. Rev. 39, 1 (Dec. 2008), 50-55.
[2] Erl, T. Service-oriented Architecture: Concepts, Technology, and Design. Upper Saddle River: Prentice Hall PTR, 2005.
[3] Berners-Lee, T., Hendler, J., and Lassila, O. The Semantic Web. Scientific American Magazine, May 17, 2001.
[4] Wang, H., Liu, P., and Li, L. Evaluating the survivability of Intrusion Tolerant Database systems and the impact of intrusion detection deficiencies. Int. J. Inf. Comput. Secur. 1, 3 (Jun. 2007), 315-340.
[5] Valdes, A., Almgren, M., Cheung, S., Deswarte, Y., Dutertre, B., Levy, J., Saïdi, H., Stavridou, V., and Uribe, T. E. Dependable Intrusion Tolerance: Technology Demo. DARPA Information Survivability Conference and Exposition - Volume II, 2003.
[6] Chong, J., Pal, P., Atighetchi, M., Rubel, P., Webber, F. Survivability Architecture of a Mission Critical System: The DPASA Example. ACSAC 2005: 495-504.
[7] http://en.wikipedia.org/wiki/Global_Information_Grid
[8] Rushby, J. Design and Verification of Secure Systems. Proc. 8th ACM Symposium on Operating System Principles: 12–21, 1981.
[9] http://altornetworks.com/products/vnf/
[10] https://www.trustedcomputinggroup.org/groups/
[11] Kissner, L., and Song, D. Privacy-preserving Set Operations. Advances in Cryptology, 2005.
[12] Wall Street Journal, Electricity Grid in U.S. Penetrated by Spies (April 8, 2009): http://online.wsj.com/article/SB123914805204099085.html
[13] Trustworthy Cyber Infrastructure for the Power Grid (TCIP) home page: http://www.iti.illinois.edu/content/tcip-trustworthy-cyber-infrastructure-power-grid
[14] CRitical UTility InfrastructurAL resilience (CRUTIAL) project home page: http://crutial.cesiricerca.it/