Abstract
An intrusion-tolerant distributed system is a system which is designed
so that any intrusion into a part of the system will not endanger
confidentiality, integrity and availability. This approach is suitable
for distributed systems, because distribution enables isolation of elements
so that an intrusion gives physical access to only a part of the system.
By intrusion, we mean not only computer break-ins by non-registered people,
but also attempts by registered users to exceed or to abuse their privileges.
In particular, possible malice of security administrators is taken into
account. This paper describes how some functions of distributed systems
can be designed to tolerate intrusions, in particular security functions
such as user authentication and authorization, and application functions
such as file management.