Abstract
We propose and study proactive replacement as a strategy for ensuring that the number of intrusions does not exceed the design threshold within an intrusion-tolerant system. State machine replicas periodically replace themselves, en masse, by selecting a successor set from a large server farm housing spare machines that have been cleaned up after any prior use. Selection is random, to thwart an adversary's preference for any particular type of successor machine. Optionally, the successors' identities can be kept anonymous from the selecting replicas, forcing the adversary first to discover the new replicas' identities before launching attacks. The practicability of the proposed strategy is established in two ways. The architecture, and combinations of well-known protocols for selection and state transfer, are outlined for the three replacement schemes proposed. Using analytical estimations and simulations, the replacement schemes are shown to be effective in sustaining tolerance capability, by comparing them with a proactive recovery scheme that is assisted by an idealized Wormhole. Given the availability and affordability of redundant machines, proactive replacement is a useful tolerance-sustaining strategy, either on its own or in combination with its orthogonal counterpart, proactive recovery.
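The abstract's argument (periodic en masse replacement from a clean spare farm keeps the number of simultaneously compromised replicas below the design threshold f, and the claim can be checked both analytically and by simulation) can be made concrete with a small model. The following is an added example and not code or analysis from the report; its threat model and all parameter values are constructed assumptions: each healthy replica is compromised independently with probability p_round per time step, a replacement installs n fresh machines drawn uniformly at random from the farm, and outgoing machines are cleaned and returned to the farm. The analytic functions and the Monte Carlo simulation should agree, and both should show the benefit of a short replacement period over never replacing at all.

```python
"""Toy model of proactive replacement (added example; constructed parameters).

Assumptions (not from the report): the adversary compromises each healthy
replica independently with probability p_round per time step; a replacement
installs n fresh, clean machines chosen uniformly at random from the spare
farm; outgoing machines are cleaned and returned to the farm.  The system is
considered to have failed once more than f replicas are compromised at the
same time.
"""
import random
from math import comb


def period_exceed_prob(n, f, p_round, period):
    """Analytic probability that more than f of n fresh replicas are
    compromised within one replacement period of `period` steps."""
    q = 1.0 - (1.0 - p_round) ** period      # P(a given replica falls in the period)
    return sum(comb(n, k) * q ** k * (1.0 - q) ** (n - k)
               for k in range(f + 1, n + 1))


def survival_prob(n, f, p_round, period, n_periods):
    """Analytic probability that the threshold f is never exceeded across
    n_periods consecutive replacement periods.  Periods are independent
    because every replacement starts from clean machines."""
    return (1.0 - period_exceed_prob(n, f, p_round, period)) ** n_periods


def simulate_survival(n, f, p_round, period, n_periods, farm_size=50,
                      trials=2000, seed=1):
    """Monte Carlo estimate of survival_prob using an explicit spare farm."""
    rng = random.Random(seed)
    survived = 0
    for _ in range(trials):
        spares = list(range(farm_size))          # clean machine ids in the farm
        active = rng.sample(spares, n)           # initial replica set
        spares = [m for m in spares if m not in active]
        compromised = set()
        failed = False
        for step in range(period * n_periods):
            # adversary's progress during this step
            for m in active:
                if m not in compromised and rng.random() < p_round:
                    compromised.add(m)
            if len(compromised) > f:              # design threshold exceeded
                failed = True
                break
            if (step + 1) % period == 0:
                # en masse replacement: random successors from the farm;
                # outgoing machines are cleaned up and returned as spares
                successors = rng.sample(spares, n)
                spares = [m for m in spares if m not in successors] + active
                active = successors
                compromised.clear()
        if not failed:
            survived += 1
    return survived / trials


if __name__ == "__main__":
    n, f, p = 4, 1, 0.005
    # replacement every 10 steps for 20 periods vs. no replacement over the
    # same 200 steps (a single period of length 200)
    print("analytic, replace every 10:", survival_prob(n, f, p, 10, 20))
    print("simulated, replace every 10:", simulate_survival(n, f, p, 10, 20))
    print("analytic, never replace:   ", survival_prob(n, f, p, 200, 1))
```

Because the per-period compromise events are independent once every replacement starts from clean machines, the analytic survival probability is simply the per-period success probability raised to the number of periods; the simulation exists to confirm that the explicit farm bookkeeping (random successor selection, cleanup and return of outgoing machines) reproduces that number. Shortening the period, or lowering the per-step compromise probability, moves the survival figure towards 1, which is the tuning knob a deployment would have to set against its assumed intrusion rate.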
Keywords
Intrusion Tolerance, Replication, Byzantine Agreement, State Machines, Asynchronous Ordering, Proactive Recovery, Probabilistic Evaluations.
CS-TR No 1146 Sustaining Intrusion-Tolerance by Proactive Replacement
School of Computing Science, Newcastle University, Mar 2009
