A combined safety/security approach for co-operative distributed systems

Actually, there is growing consensus that for many system applications, safety as well as security demands have to be observed in a coherent manner. In this paper we describe such an integrated approach to protect the nodes of distributed co-operative systems against malicious attacks and unplanned system failures. The basic strategy is the use of special diagnostic agents for that purpose. This agent concept is supported by means of additional diagnostic units modularly added to the processor/memory interface of each node of the system. These units have their own autonomous control which cannot be altered by their corresponding processor. Each instruction transferred to the processor, and each data word transferred to/from the processor, in a side step can be scanned by the diagnosis unit. In case of a suspicion for malicious or non-malicious faults, the diagnosis unit can take over control of the corresponding processor to run diagnostic routines, and can trigger bootstrap or recovery procedures to restore a proper state of the processor of the node. The diagnostic unit also can communicate with the diagnostic units of the other nodes about the state of the entire system. Thus, after detecting suspicious behaviour in its own node, by alarming the diagnostic units of the other nodes, further spreading of an attack is tried to be hindered. Even in case the attack spreads quicker within the system than the diagnosis can initially assess and confine it, the co-operating diagnostic units remain a functioning distributed hardcore which can start and carry out a recovery of the system. The resulting impact on system reliability is derived; here also a modelling approach is discussed to describe especially malicious intrusion faults in a more refined way, by distinguishing different classes of attackers. The resulting reliability of the presented architecture is sketched