A system has resilient security if it retains a degree of secure functioning despite the compromise of some components. Since vulnerable components will long be in widespread use, resilient security is what counts against sophisticated adversaries with persistent footholds in American systems. Resiliency infrastructures can help secure application components that may have many intrinsic weaknesses. They can structure systems so the risk of successful attack can be meaningfully measured. Resiliency is more achievable than previously, because of recent architectural changes. One is virtualization , allowing many virtual machines to execute on a physical platform. Some virtual machines may serve as resiliency infrastructure nodes, controlling adjacent application nodes. Second, software attestation and appraisal, supported by Trusted Platform Modules and secure virtualization, allow a component to appraise the software state of remote peers. We add three architectural ideas. Emulsification means breaking application functionality into small pieces, implemented as separate virtual machines. Second, their interactions can be monitored and secured by infrastructure nodes. Monitoring includes auditing, filtering , and modifying messages among application components. Third, data provenance uses annotations prepared by infrastructure nodes and stored with data objects. Game theory applies to attacks that must succeed against several components, spread between the infrastructure level and the application level. Networks with randomized components force the adversary to use probabilistic strategies with low probability of defeating all of a sequence of components. Broader impacts: Our society depends on information systems riddled with vulnerabilities. New architectures will reduce the severity of this problem , and provide measurements of risk.
TC: EAGER: Measuring Architectures for Resilient Security (MARS)