Abstract:

A novel approach of structuring mission-critical systems with an emphasis on intrusion tolerance is described. Key components in the proposed system include traf?c regulation, application request processing, state protection, integrity checking, and process/node health monitoring. In particular, the separation of execution and state management enables the use of a single process to manage application requests, thereby reducing run-time overhead and enables highly concurrent executions. Furthermore, intrusion attacks are mitigated by two means: (1) append-only state logging so that a compromised execution node cannot corrupt state updates from other nodes; and (2) acceptance testing as a way to verify the integrity of the execution of application requests. When an attack is detected, the malformed requests that materialized the attack are quarantined, and such requests (current and future ones) are rejected.