Abstract
Many of today's critical systems offers services that depend upon the
correct behaviour of one single physical unit. An attacker able to gain control over one component by exploiting a vulnerability its software, only needs to control this component to control the system as a whole. An Intrusion Tolerant System (ITS) offers diversity and
redundancy to the provided service, meaning the attacker needs to
control several different components to control the system. This
thesis studies the components in an ITS and its anatomy. The
implementation of an ITS is described. Both existing systems and the
system developed in conjunction with this thesis, is compared and
evaluated. The investigated, existing systems are: a heterogeneous
server load balancing system, a system developed by SRI/LAAS, a system
developed by Min and Choi and lastly SITAR developed by Wang et al.
Pitfalls in design of ITS-systems are pointed out. The most serious
errors committed are violation of the required diversity among the
components and an opening of new attack vectors by offering
non-critical services. It seems hard to eliminate a «Single Point of
Failure» since one and only one component sends the final reply back
to the client. One can tolerate a «Single Point of Failure» in one
component, but this requires hardening and protection of this
component. Like other security mechanisms, ITS is not the perfect
solution, but may constitute as a part of security in depth, along with other mechanisms. An ITS offers protection of the provided service when an error in application software is exploited by an attacker.