Many of today's critical systems offer services that depend upon the correct behaviour of a single physical unit. An attacker able to gain control over one component, by exploiting a vulnerability in its software, only needs that one component to control the system as a whole. An Intrusion Tolerant System (ITS) adds diversity and redundancy to the provided service, meaning the attacker needs to control several different components to control the system. This thesis studies the components of an ITS and its anatomy. The implementation of an ITS is described. Both existing systems and the system developed in conjunction with this thesis are compared and evaluated. The existing systems investigated are: a heterogeneous server load balancing system, a system developed by SRI/LAAS, a system developed by Min and Choi, and lastly SITAR, developed by Wang et al.
Pitfalls in the design of ITS systems are pointed out. The most serious errors committed are violation of the required diversity among the components and the opening of new attack vectors by offering non-critical services. It seems hard to eliminate a «Single Point of Failure», since one and only one component sends the final reply back to the client. One can tolerate a «Single Point of Failure» in one component, but this requires hardening and protection of that component. Like other security mechanisms, ITS is not a perfect solution, but may constitute part of security in depth, along with other mechanisms. An ITS protects the provided service when an error in application software is exploited by an attacker.
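The anatomy the abstract describes, as an added illustration that is not part of the thesis: a front-end voter in front of several diverse replicas (constructed stand-ins for independently implemented services), showing that one compromised replica is outvoted and flagged, that controlling a majority of replicas defeats the scheme, and that the voter forwarding the single final reply remains the «Single Point of Failure».

```python
from collections import Counter
from typing import Callable, Dict, List, Optional, Tuple

# Constructed example: each replica answers the same request. Diversity means
# each would be a different implementation/OS/stack, so one exploit should not
# carry over to the others.
Replica = Callable[[Dict[str, int]], str]


def honest_replica(request: Dict[str, int]) -> str:
    """Stand-in for one correctly behaving, independently implemented replica."""
    return "total=%d" % (request["qty"] * request["unit_price"])


def compromised_replica(request: Dict[str, int]) -> str:
    """Stand-in for a replica whose software an attacker has taken over."""
    return "total=0"


def vote(responses: List[str], quorum: int) -> Tuple[Optional[str], List[int]]:
    """Select the reply agreed on by at least `quorum` replicas.

    Returns (reply, indexes of dissenting replicas). Dissenters are the
    detection signal an operator would act on. If no reply reaches the
    quorum the voter fails closed and returns None rather than guessing.
    """
    reply, support = Counter(responses).most_common(1)[0]
    if support < quorum:
        return None, list(range(len(responses)))
    dissenters = [i for i, r in enumerate(responses) if r != reply]
    return reply, dissenters


def serve(request: Dict[str, int], replicas: List[Replica], quorum: int):
    """The one component that sends the final reply to the client: the
    single point of failure the text describes, hence the component that
    must itself be hardened and protected."""
    responses = [replica(request) for replica in replicas]
    return vote(responses, quorum)


if __name__ == "__main__":
    req = {"qty": 3, "unit_price": 40}
    # One compromised replica out of three is outvoted and flagged (index 1).
    print(serve(req, [honest_replica, compromised_replica, honest_replica], 2))
    # Two compromised replicas: the attacker now controls the service, which
    # is why the abstract requires control of several diverse components.
    print(serve(req, [compromised_replica, compromised_replica, honest_replica], 2))
```

Raising the quorum to all three replicas turns a single compromise into a denial of service instead of a wrong answer; the choice of quorum is the availability/integrity trade-off the ITS designer makes.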