Abstract
We describe an approach to building a system that meets its requirements even when some central components are successfully penetrated and/or when insiders attack the system. This goal is a key but elusive facet of information survivability. Our approach relies on independent corroboration, a form of redundancy. Corroboration is easy to pin down; independence is not. How can software judge whether two principals are independent? This paper begins to address the problem. We analyze the word "independence" and find that independence is not absolute, but relative to one's interests; that independence judgments are closely tied to trust; that independence judgments are based largely on known connections between the principals. We then take a two-pronged approach. The first prong is a formal, Bayesian probabilistic model of a system that uses independent corroboration to tolerate compromise. The second is a pragmatic investigation of how independence information may be imported from existing authentication data, and a preliminary look at how knowledge of independence may be dynamically obtained from third parties.
Cite
Kahn, C. (1998). Tolerating penetrations and insider attacks by requiring independent corroboration. In Proceedings New Security Paradigms Workshop (Vol. Part F129230, pp. 122–133). Association for Computing Machinery. https://doi.org/10.1145/310889.310926