Surviving Attacks and Intrusions: What can we Learn from Fault Models

When designing or analyzing applications or infrastructures with high reliability, safety, security, or survivability demands, the fundamental questions are: what is required of the application and can the infrastructure support these requirements. In the design and analysis of fault-tolerant systems, fault models have served us well to describe the theoretical limits. But with the inclusion of malicious acts, the direct application of fault models has exposed limited applicability. However, we can take advantage of the powerful fault models if we defer their direct application from the events that lead to faults, that is, the fault causes, and instead focus on the effects. This way one can avoid questions referring to the meaning of fault models in the context of previously unsuitable faults like Trojan horses or Denial of Service (DoS) attacks. Instead, we can use fault models at the level of abstraction where the application maps on the infrastructure. In this paper fault models are discussed in the context of system survivability and malicious act. It is shown that these models can be used to balance the demands put on the application and the capabilities of the underlying infrastructure. Active and imposed fault descriptions are defined that allow to match the mechanisms that provide survivability to the application with the infrastructure-imposed limitations. By defining a system as a collection of functionalities, individual functionalities and their associated fault descriptions can be analyzed in isolation.