Two-Person Control Administration: Preventing Administration Faults Through Duplication

Shaya Potter, Steven M. Bellovin, Jason Nieh

Proceedings of the 23rd Large Installation System Administration Conference (LISA 2009), Baltimore, MD, November 1-6, 2009, pp. 15-27


Modern computing systems are complex and difficult to administer, making them more prone to system administration faults. Faults can occur simply due to mistakes in the process of administering a complex system. These mistakes can make the system insecure or unavailable. Faults can also occur due to a malicious act of the system administrator. Systems provide little protection against system administrators who install a backdoor or otherwise hide their actions. To prevent these types of system administration faults, we created ISE-T (I See Everything Twice), a system that applies the two-person control model to system administration. ISE-T requires two separate system administrators to perform each administration task. ISE-T then compares the results of the two administrators’ actions for equivalence. ISE-T only applies the results of the actions to the real system if they are equivalent. This provides a higher level of assurance that administration tasks are completed in a manner that will not introduce faults into the system. While the two-person control model is expensive, it is a natural fit for many financial, government, and military systems that require higher levels of assurance. We implemented a prototype ISE-T system for Linux using virtual machines and a unioning file system. Using this system, we conducted a real user study to test its ability to capture changes performed by separate system administrators and compare them for equivalence. Our results show that ISE-T is effective at determining equivalence for many common administration tasks, even when administrators perform those tasks in different ways.
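
The equivalence check described above can be illustrated with the following added example, which is not code from the paper or from ISE-T: it compares two administrators' captured file-system changes and reports the paths that differ, so that changes are applied only when nothing differs. Modelling each administrator's changes as a directory tree (standing in for a union file system's writable layer), comparing type, content hash, mode and ownership while ignoring timestamps, and all function names are assumptions of this sketch.

```python
import hashlib
import os
import stat
import tempfile

def snapshot(layer):
    """Map each path in one admin's writable layer to (kind, content, mode, uid, gid)."""
    state = {}
    for dirpath, dirnames, filenames in os.walk(layer):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)  # lstat: describe symlinks, do not follow them
            meta = (stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
            if stat.S_ISLNK(st.st_mode):
                entry = ("link", os.readlink(full))
            elif stat.S_ISREG(st.st_mode):
                with open(full, "rb") as f:
                    entry = ("file", hashlib.sha256(f.read()).hexdigest())
            else:
                entry = ("dir" if stat.S_ISDIR(st.st_mode) else "other", None)
            # Assumption: timestamps are excluded, since the two admins work at different times.
            state[os.path.relpath(full, layer)] = entry + meta
    return state

def two_person_check(layer_a, layer_b):
    """Return (equivalent, differing_paths); apply changes only if equivalent."""
    a, b = snapshot(layer_a), snapshot(layer_b)
    diffs = sorted(p for p in a.keys() | b.keys() if a.get(p) != b.get(p))
    return (not diffs, diffs)

def _write(root, rel, data, mode=0o644):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(data)
    os.chmod(path, mode)

def demo():
    """Constructed sample layers: same edit, then a mode mismatch, then an extra file."""
    with tempfile.TemporaryDirectory() as a, tempfile.TemporaryDirectory() as b:
        for layer in (a, b):
            _write(layer, "etc/motd", "maintenance window Sunday\n")
        same = two_person_check(a, b)
        os.chmod(os.path.join(b, "etc/motd"), 0o666)
        mode_mismatch = two_person_check(a, b)
        os.chmod(os.path.join(b, "etc/motd"), 0o644)
        _write(b, "usr/local/bin/helper", "#!/bin/sh\n", mode=0o755)
        extra_file = two_person_check(a, b)
    return same, mode_mismatch, extra_file
```

A non-empty list of differing paths is what a reviewer would inspect before either administrator's changes reach the real system.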



Columbia University Department of Computer Science