
Vulnerability Analysis Using Attack Graphs



  1. Vulnerability Analysis Using Attack Graphs
  Jeannette M. Wing, School of Computer Science, Carnegie Mellon University, Pittsburgh, PA, USA
  Joint work with Somesh Jha (Wisconsin) and Oleg Sheyner (CMU)

  2. Arsenal of Actions
  • buffer overflow
  • ftp .rhosts
  • remote login
  • …
  Network of Networks (figure: interconnected networks labelled MIT, Microsoft, Office of Homeland Security, Carnegie Mellon)
  Jeannette M. Wing

  3. Example of Attack Graph Developed by a Professional Red Team, Drawn by Hand
  • Sandia Red Team "White Board" attack graph from the DARPA CC20008 Information battle space preparation experiment

  4. Vulnerability Analysis by System Administrators
  • Information-gathering
    • What attacks is my system vulnerable to?
    • Is a different configuration of my system less "attackable"?
    • What is the likelihood of this attack?
    • Is this on-going attack similar to any of the known attacks?
  • Decision-making
    • If I put this set of security measures in place, what attacks can I prevent?
    • Given the likelihood of certain attacks, deploying which measures will increase the security of my system?
    • What is the most cost-effective set of measures I should deploy to increase the security of my system?

  5. Problem Statement
  • Problem: Generating attack graphs by hand is tedious, error-prone, and impractical for large systems.
  • Our Goal: Automate the generation and analysis of attack graphs.
  • Generation
    • Must be fast and completely automatic
    • Must handle large, realistic examples
    • Should guarantee properties of attack graphs
  • Analysis
    • Must enable further security analysis by system administrators
    • Should support incremental, partial specification

  6. Overview of Our Method
  Phase 1: System Model + Security Property → Generator → Attack Graph
  Phase 2: Attack Graph + Annotations → Cost Analyzer / Reliability Analyzer / Minimization Analyzer / … → Attack Subgraph, Probabilistic Attack Graph
  Queries answered in Phase 2:
  • What actions are necessary for the intruder to succeed?
  • What is the likelihood that the intruder goes undetected?
  • What is the cost benefit of deploying this security measure?

  7. Why Model Checking?
  • Pragmatic reasons
    • Off-the-shelf technology
    • Major verification success story
  • Technical reasons
    • Fast, automatic
    • Large state spaces
    • Handles safety and liveness properties
    • Generates counterexamples

  8. Model Checking Primer
  Inputs: a finite state machine model M and a temporal logic property F (e.g., F = AG p; other CTL forms: AF p, EG p, EF p)
  Model checker output: "yes" (M satisfies F), or a counterexample showing where F is falsified

  9. Counterexample = Attack
  F = AG p; a single counterexample = violation of F = path by which the intruder succeeds = attack
  For example, F = AG (intruder does not have admin access to host H). Hence an attack (a violation of F) is an example of how the intruder can gain unauthorized access to H.

  10. Definition of Attack Graph
  • Given
    • a finite state model, M, of the network
    • a security property
  • An attack is an execution of M that violates the security property.
  • An attack graph is a set of attacks of M.

  11. Properties of Attack Graphs
  • Exhaustive
    • All possible attacks are represented in G.
  • Succinct
    • Only relevant states are contained in G.
    • Only relevant transitions are contained in G.
  The next two algorithms satisfy these properties.

  12. Symbolic-State Attack Graph Generation Algorithm
  Inputs
  • $M = \langle S,\; S_0 \subseteq S,\; R \subseteq S \times S \rangle$
  • $F = AG(\neg\mathit{unsafe})$ (a safety property in CTL)
  Output
  • Attack graph $G = (S_{\mathit{unsafe}},\; S_0^F,\; R^F)$
  Algorithm
  • $S_{\mathit{unsafe}} = \mathit{modelCheck}(S, S_0, R, F)$ (* use an iterative algorithm derived from the fixpoint characterization of the AG operator *)
  • $S_0^F = S_0 \cap S_{\mathit{unsafe}}$
  • $R^F = R \cap (S_{\mathit{unsafe}} \times S_{\mathit{unsafe}})$

  13. Explicit-State Attack Graph Generation Algorithm
  Inputs
  • M
  • F = an LTL property (safety or liveness), e.g., a liveness property requiring every request to be followed by a response
  Algorithm
  • Interpret both the network model M and the security property F as Büchi automata.
  • M and F induce languages L(M) and L(F).
  • Compute L(M) \ L(F) = executions of M that violate F.
  • Construct the product of M and the automaton for ¬F by Büchi automaton intersection.
  Output: attack graph G such that L(G) = L(M) \ L(F)

  14. Performance Charts (figure): running time in seconds (0 to 1200) against number of hosts (2 to 5) and number of actions (3 to 8), one chart for the symbolic-state algorithm and one for the explicit-state algorithm

  15. Performance: linear regression, R² = 0.9967

  16. An Illustrative Example
  Network (figure): attacker → firewall → Windows host running the IIS Web Server, with an IDS and ftp → firewall → Linux host running the database
  Action Arsenal
  • IIS buffer overflow: remotely get root
  • Squid portscan: port scan
  • LICQ remote-to-user: gain user privileges remotely
  • scripting exploit: gain user privileges remotely
  • local buffer overflow: locally get root
  (figure label: "Always Detected")

  17. Modeling a Network and Intruder
  • Set of hosts H, each running services, with CVE vulnerabilities, trust relationships, and misc. configuration
  • Set of networks N: each network n ∈ N is a subset of H; a packet filter between each pair of networks n1, n2
  • Intrusion detection systems: placement P ⊆ N × N; detectability per action
  • Intruder: store of knowledge; privileges on each host
  • Set of actions A: preconditions, postconditions

  18. Example Attack Graph
  Security property: G (intruder.privilege(Linux) < root)
  Begin → IIS buffer overflow (CAN-2002-0364) → Squid portscan (CVE-2001-1030) → LICQ remote-to-user (CVE-2001-0439) → Local buffer overflow (CVE-2002-0004) → Done!
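The following is an added example, not code from the slides or from the authors' tool. It puts slides 12, 17 and 18 together on a toy model: actions with preconditions and postconditions (slide 17) generate an explicit transition relation, and the symbolic-state algorithm of slide 12 is then run on that explicit state set, computing the fixpoint of states violating AG(~unsafe) and keeping only those states and transitions, so the result is exhaustive and succinct in the sense of slide 11. The network, connectivity and action preconditions are constructed and simplified; in particular the scripting exploit is assumed to target the Windows host, which is why the resulting graph contains more than the single path drawn on slide 18.

```python
"""Attack-graph generation for a small network model (added example)."""
from collections import deque

# Constructed state space, modelled on the illustrative example (slides 16-18).
# State = (intruder privilege on the Windows host, privilege on the Linux host,
#          whether the Linux host has been port-scanned).  The attacker's own
#          host is implicitly root.  Connectivity is an assumption: the attacker
#          reaches the Windows host; the Windows host reaches the Linux host.
PRIV = {"none": 0, "user": 1, "root": 2}
S0 = ("none", "none", False)

def unsafe(s):
    """Violation of the security property G(intruder.privilege(Linux) < root)."""
    return s[1] == "root"

# Actions: each returns the successor state if its precondition holds, else None.
def iis_bof(s):          # attacker -> Windows: remotely get root
    return ("root", s[1], s[2]) if s[0] != "root" else None

def scripting(s):        # attacker -> Windows: remotely gain user (assumed target)
    return ("user", s[1], s[2]) if s[0] == "none" else None

def squid_portscan(s):   # from Windows (needs >= user there): scan the Linux host
    return (s[0], s[1], True) if PRIV[s[0]] >= 1 and not s[2] else None

def licq_r2u(s):         # Windows -> Linux: needs a scan, no privilege on Linux yet
    return (s[0], "user", True) if PRIV[s[0]] >= 1 and s[1] == "none" and s[2] else None

def local_bof(s):        # on Linux: user -> root
    return (s[0], "root", s[2]) if s[1] == "user" else None

ACTIONS = {"IIS buffer overflow": iis_bof, "scripting exploit": scripting,
           "Squid portscan": squid_portscan, "LICQ remote-to-user": licq_r2u,
           "Local buffer overflow": local_bof}

def explore(s0):
    """Forward exploration: reachable states and the labelled transition relation R."""
    states, R, todo = {s0}, [], deque([s0])
    while todo:
        s = todo.popleft()
        for name, act in ACTIONS.items():
            t = act(s)
            if t is None:
                continue
            R.append((s, name, t))
            if t not in states:
                states.add(t)
                todo.append(t)
    return states, R

def attack_graph(s0):
    """Slide 12's algorithm on an explicit state set: S_unsafe is the least
    fixpoint of unsafe | pre(S_unsafe), i.e. the states violating AG(~unsafe);
    G keeps only those states and the transitions between them."""
    states, R = explore(s0)
    s_unsafe = {s for s in states if unsafe(s)}
    while True:
        pre = {s for (s, _, t) in R if t in s_unsafe}
        if pre <= s_unsafe:
            break
        s_unsafe |= pre
    s0_f = {s0} & s_unsafe
    r_f = [(s, a, t) for (s, a, t) in R if s in s_unsafe and t in s_unsafe]
    return s_unsafe, s0_f, r_f

def attack_paths(s0):
    """All simple attack paths in G, each as the sequence of action names."""
    s_unsafe, s0_f, r_f = attack_graph(s0)
    paths = []
    def dfs(s, seen, trail):
        if unsafe(s):
            paths.append(tuple(trail))
            return
        for (u, a, t) in r_f:
            if u == s and t not in seen:
                dfs(t, seen | {t}, trail + [a])
    for s in s0_f:
        dfs(s, {s}, [])
    return paths

if __name__ == "__main__":
    for p in attack_paths(S0):
        print(" -> ".join(("Begin",) + p + ("Done!",)))
```

The backward fixpoint is what makes the graph succinct: a state that is reachable but from which no unsafe state can be reached never enters G, whereas a purely forward tool (see slide 33) would keep it. Replacing the Python sets with BDDs gives the symbolic version the slides describe.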

  19. Overview of Our Method (Minimization)
  Phase 1: System Model + Security Property → Generator → Attack Graph
  Phase 2: Attack Graph + Annotations → Cost Analyzer / Reliability Analyzer / Minimization Analyzer / … → Attack Subgraph
  Query: What actions are necessary for the intruder to succeed?

  20. Minimization Analysis
  Scenario: The system analyst must decide
  • among several different firewall configurations, or
  • among several vulnerabilities to patch, or
  • among several intrusion detection systems to set up,
  each of which prevents different subsets of actions. What should he do?
  Problem Question (Minimum Critical Set of Actions): What is a minimum set of actions that must be prevented to guarantee the intruder cannot achieve his goal?
  Solution (Sketch):
  • Reduce MCSA to the Minimum Hitting Set (MHS) problem [JSW02].
  • Reduce MHS to the Minimum Set Covering (MSC) problem [ADG80].
  • Use the textbook Greedy Approximation Algorithm to approximate the solution [CLR85].

  21. Minimum Critical Set of Actions
  A = the set of actions available to the intruder
  Def 1: A set of actions C is critical if the intruder cannot achieve his goal using only actions in A \ C.
  Def 2: A set of actions C is realizable if the intruder can achieve his goal using only actions in C.
  Def 3: A critical set of actions C is minimum if there is no critical action set of smaller size.
  • Minimum Critical Set of Actions (MCSA):
    • Given a set of actions A and an attack graph G, find a minimum critical action subset C ⊆ A.
  Finding a minimum set: NP-complete

  22. Reduction to Minimum Hitting Set Problem
  • Minimum Hitting Set (MHS):
    • Given a collection C of subsets of a finite set S, find a minimum subset S' ⊆ S such that each subset in C contains at least one element from S'.
  MCSA and MHS are polynomially equivalent.
  MHS: collection of subsets C ↔ MCSA: collection of realizable sets of actions
  [JSW02b] Jha, Sheyner, Wing, "Two Formal Analyses of Attack Graphs," Computer Security Foundations Workshop, Nova Scotia, June 2002.

  23. Sketch of Reduction from MCSA to MHS (figure): an attack graph whose edges are labelled with actions A, B, C, D, E, F, G, H, I; the realizable action sets of its attacks are S1 = {G, H, I}, S2 = {C, E, F, H}, S3 = {B, D, E}

  24. Reduction of MHS to Minimum Set Covering
  • Minimum Set-Covering (MSC):
    • Given a collection C of subsets of a finite set S that covers S, find a minimum sub-collection C' ⊆ C that covers S.
  MHS and MSC are polynomially equivalent [ADP80].
  Use the textbook Greedy Approximation Algorithm for MSC [CLR85, p. 975].
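An added example, not the authors' code, of the minimization analysis of slides 20 to 24 on the realizable action sets of slide 23: the greedy set-cover heuristic applied to the hitting-set instance (pick, at each step, the action that hits the most still-unhit realizable sets), next to an exhaustive search that confirms the greedy answer is a minimum critical set here. The tie-breaking order is an assumption; the three realizable sets are the figure's.

```python
"""Minimum critical set of actions via the greedy hitting-set approximation (added example)."""
from itertools import combinations

# Constructed input: the realizable action sets of slide 23.  Each is the set of
# actions used by one attack in the attack graph; preventing at least one action
# from every such set leaves the intruder no complete attack.
REALIZABLE = [{"G", "H", "I"}, {"C", "E", "F", "H"}, {"B", "D", "E"}]

def is_critical(realizable, c):
    """Def 1 of slide 21: C is critical iff every realizable set loses an action to C."""
    return all(s & c for s in realizable)

def greedy_hitting_set(realizable):
    """Greedy set-cover approximation on the hitting-set instance: repeatedly
    choose the action hitting the most not-yet-hit realizable sets
    (ties broken alphabetically so the result is deterministic)."""
    unhit = [set(s) for s in realizable]
    chosen = set()
    while unhit:
        counts = {}
        for s in unhit:
            for a in s:
                counts[a] = counts.get(a, 0) + 1
        best = max(sorted(counts), key=counts.get)
        chosen.add(best)
        unhit = [s for s in unhit if best not in s]
    return chosen

def minimum_hitting_set(realizable):
    """Exact answer by exhaustive search: exponential, usable only for tiny instances."""
    actions = sorted(set().union(*realizable))
    for k in range(1, len(actions) + 1):
        for cand in combinations(actions, k):
            if is_critical(realizable, set(cand)):
                return set(cand)
    return set()

if __name__ == "__main__":
    print("greedy:", sorted(greedy_hitting_set(REALIZABLE)))
    print("exact :", sorted(minimum_hitting_set(REALIZABLE)))
```

On this instance both answers have size 2 (several distinct minimum sets exist, e.g. {E, G} and {B, H}), so the choice between them can be made on cost, which is what the Cost Analyzer of slide 6 is for. In general the greedy algorithm only guarantees a logarithmic approximation factor, which is the price paid for avoiding the NP-complete exact problem.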

  25. LICQ Coverage (figure): the attack graph with the transitions covered by preventing the LICQ action highlighted; security property G (intruder.privilege(Linux) < root)

  26. Other Minimization Analyses [JSW02b, S04]
  Scenario: The system analyst has a set of measures, each of which prohibits a subset of actions. E.g., M = {packet filter firewall, application firewall, smart cards, one-time passwords, authentication policy servers, VPNs, anti-virus software, email filters, database encryption, host-based IDS, net-based IDS, network monitors, auditing, key stroke replicator, log analysis, forensic software, hardened O/S}
  • Problem Question 1: If he deploys all measures, does the system become safe? [JSW02b]
    • Solution Approach (Naïve): Remove all edges from the graph that are "covered" by the measures. Reachability analysis is linear time in the size of the graph.
  • Problem Question 2: What is the smallest subset of measures he can deploy to make the system safe? [S04]
    • Solution Approach: Greedy algorithm with provable bounds. The general case is NP-complete (slightly more complex than the minimum cover problem).

  27. Overview of Our Method (Reliability)
  Phase 1: System Model + Security Property → Generator → Attack Graph
  Phase 2: Attack Graph + Annotations → Cost Analyzer / Reliability Analyzer / Minimization Analyzer / … → Probabilistic Attack Graph
  Query: What is the likelihood that the intruder goes undetected?

  28. Reliability Analysis
  Scenario: The system analyst must decide between installing a network-based IDS between host 1 and host 2 or a host-based IDS on host 2. Which increases the likelihood that he will detect an intruder?
  Problem Question: What is the probability of the intruder succeeding? I.e., what is the worst-case probability of reaching an unsafe state?
  Solution Approach:
  • Annotate the attack graph with probabilities.
  • Interpret the annotated attack graph as a Markov Decision Process.
  • Run the standard MDP value iteration algorithm to compute the optimal policy that results in maximum benefit/minimum cost for the system analyst (decision maker).
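An added example, not the authors' code or data, of the reliability analysis on slide 28: a small attack graph is annotated with per-action detection probabilities and read as an MDP in which the intruder chooses actions and the IDS outcomes are random; value iteration then gives the worst-case (intruder-optimal) probability of reaching the unsafe state undetected. The states, actions and detection rates for the two IDS placements of the slide's scenario are constructed for illustration.

```python
"""Worst-case probability of an undetected attack via MDP value iteration (added example)."""

# Constructed attack graph (not the paper's data): states are the intruder's
# footholds; each action succeeds and goes undetected with probability
# 1 - detect[action], otherwise the intruder lands in the absorbing "caught"
# state.  The intruder chooses actions (max); detection is probabilistic.
def build_mdp(detect):
    """state -> {action -> [(probability, next_state), ...]}"""
    def step(action, target):
        d = detect.get(action, 0.0)
        return [(1.0 - d, target), (d, "caught")]
    return {
        "start":    {"IIS buffer overflow": step("IIS buffer overflow", "win"),
                     "scripting exploit":   step("scripting exploit", "win")},
        "win":      {"LICQ remote-to-user": step("LICQ remote-to-user", "lin_user")},
        "lin_user": {"Local buffer overflow": step("Local buffer overflow", "lin_root")},
        "lin_root": {},   # goal: root on the Linux host (the unsafe state)
        "caught":   {},   # absorbing: the attack was detected
    }

def value_iteration(mdp, goal, eps=1e-12):
    """V(s) = max over actions of the expected V(next); V(goal) = 1, V(caught) = 0.
    V is the maximum probability of reaching goal undetected from each state."""
    v = {s: 0.0 for s in mdp}
    v[goal] = 1.0
    while True:
        delta = 0.0
        for s, actions in mdp.items():
            if s == goal or not actions:
                continue
            best = max(sum(p * v[t] for p, t in outs) for outs in actions.values())
            delta = max(delta, abs(best - v[s]))
            v[s] = best
        if delta < eps:
            return v

def optimal_policy(mdp, v):
    """The intruder's best action in each non-terminal state under values v."""
    return {s: max(acts, key=lambda a: sum(p * v[t] for p, t in acts[a]))
            for s, acts in mdp.items() if acts}

# Two IDS placements from the slide's scenario, with assumed detection rates.
NETWORK_IDS = {"IIS buffer overflow": 0.3, "scripting exploit": 0.1,
               "LICQ remote-to-user": 0.8}                              # watches win -> lin traffic
HOST_IDS = {"IIS buffer overflow": 0.3, "scripting exploit": 0.1,
            "LICQ remote-to-user": 0.5, "Local buffer overflow": 0.7}   # runs on the Linux host

def success_probability(detect):
    """Worst-case probability that the intruder reaches root on Linux undetected."""
    return value_iteration(build_mdp(detect), "lin_root")["start"]

if __name__ == "__main__":
    for name, det in (("network IDS", NETWORK_IDS), ("host IDS", HOST_IDS)):
        v = value_iteration(build_mdp(det), "lin_root")
        print(f"{name}: p(success) = {v['start']:.3f}, "
              f"intruder opens with {optimal_policy(build_mdp(det), v)['start']}")
```

The "max" in the Bellman update is the worst case for the defender: the intruder is assumed to know the detection rates and to pick the least-detectable route (here the scripting exploit over the IIS overflow). Comparing the two start-state values is exactly the decision the analyst on slide 28 has to make; with these assumed rates the host-based IDS wins because it also sees the final local step.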

  29. Status of Tool Suite (figure)
  • Model Builder, fed by host configuration data (Outpost server, SQL database, Outpost clients), network configuration data (Lockheed), Nessus scan data, and a library of actions (MITRE)
  • System and goal specification in XML
  • Graphical user interface
  • Attack graph generators
  • Attack graph analyzers

  30. XML Specification of a Host

  <host name="lin" ip="192.168.0.4" network="internal">
    <services>
      <Squid/>
      <LICQ/>
      <database/>
    </services>
    <connectivity>
      <remote id="ferrari">
        <W3SVC/>
      </remote>
      <remote id="smilla">
        <ftp/>
        <sshd/>
      </remote>
    </connectivity>
    <cve>
      <CVE_2002_0004/>
      <CVE_2001_1030/>
      <CVE_2001_0439/>
    </cve>
  </host>

  31. XML Specification of an Action

  <action name="licq_r2u" cve1="CVE-2001-0439">
    <local_preconditions>
      <privilege host="source" rel="gte" value="user"/>
      <privilege host="target" rel="eq" value="none"/>
      <knowledge name="scan" value="TRUE"/>
    </local_preconditions>
    <global_preconditions>
      <service host="target" name="LICQ"/>
      <connectivity from="source" service="LICQ"/>
    </global_preconditions>
    <local_effects>
      <privilege host="target" value="user"/>
    </local_effects>
    <global_effects>
      <detectable mode="yes"/>
    </global_effects>
  </action>

  32. Information Sources
  • MITRE Corp. Outpost: host identification, vulnerabilities, services
  • Lockheed ATL Next Generation Infrastructure (ANGI): network topology, connectivity
  • Nessus: vulnerability scan info

  <host name="lin" ip=|Outpost|>
    <services source=|Nessus|>
    <connectivity source=|ANGI|>
    <cve source=|Outpost|>
  </host>

  33. Related Work
  • Phillips and Swiler 1998
    • Tool constructs an "attack graph" by forward exploration starting from the initial state. Also based on model checking.
    • Our backward algorithm saves space (vulnerabilities that are not relevant are not explored) and can handle liveness properties.
    • Models only attacks.
    • Our modeling framework can handle arbitrary state transitions (actions), not just attacks.
  • Dacier 1994, Ortalo et al. 1999
    • Privilege graphs: nodes = sets of user privileges, edges = vulnerabilities. Explore privilege graphs to construct attack graphs.
    • Defines a metric, Mean-Effort-To-Failure, based on attack graphs.
  • Ritchey and Ammann 2001
    • Also use model checking. Produces only one counterexample (attack).
    • No post-facto analysis.

  34. Limitations => Current and Future Work
  • Input to graph generation
    • Need a library of specifications of actions (with CMU students)
      • CERT advisories, MSR security bulletins, Symantec, …
    • Ontology for vulnerabilities and exploits
    • Discover new attacks
  • More analyses
    • Reduction of "attack surface"
      • Which configuration of my system is less "attackable"?
      • Ongoing with Jon Pincus at MSR/Redmond and CMU students
    • Cost-benefit analysis
    • Exploit MDP theory further

  35. Recent References
  [JSW02a] Jha, Sheyner, and Wing, "Minimization and Reliability Analyses of Attack Graphs," Carnegie Mellon technical report, CMU-CS-02-109, February 2002.
  [JSW02b] Jha, Sheyner, and Wing, "Two Formal Analyses of Attack Graphs," Computer Security Foundations Workshop, Nova Scotia, June 2002.
  [SHJ+02] Sheyner, Haines, Jha, Lippmann, and Wing, "Automated Generation and Analysis of Attack Graphs," IEEE Symposium on Security and Privacy, May 2002.