slide1 n.
Download
Skip this Video
Loading SlideShow in 5 Seconds..
STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION PowerPoint Presentation
Download Presentation
STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION

Loading in 2 Seconds...

play fullscreen
1 / 37

STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION - PowerPoint PPT Presentation


  • 111 Views
  • Uploaded on

STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION Fyodor Yarochkin Meder Kydyraliev fyodor@o0o.nu meder@o0o.nu. HackInTheBox, Kuala Lumpur - 2005. http://o0o.nu/. Agenda (best question gets an “Industry Slave” HITB T-shirt). Introduction to STIF-ware concepts

loader
I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
capcha
Download Presentation

PowerPoint Slideshow about 'STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION' - kreeli


An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
slide1

STIF

[Security Tools Integration Framework]

STIF-WARE

EVOLUTION

Fyodor Yarochkin Meder Kydyraliev

fyodor@o0o.nu meder@o0o.nu

HackInTheBox, Kuala Lumpur - 2005

agenda best question gets an industry slave hitb t shirt

http://o0o.nu/

Agenda(best question gets an “Industry Slave” HITB T-shirt)
  • Introduction to STIF-ware concepts
  • First generation of STIF (automation, integration, unification)
  • Demonstration
  • Problems with the first generation of STIF
  • STIF2 – wider coverage of knowledge representation format, functionality decoupling, distributed multi-agent system, open system architecture
  • STIF2 prototype
slide3

http://o0o.nu/

Introduction

Security Tools Integration Framework (STIF) is aimed to provide a unified environment and data exchange platform for automated security assessments in heterogeneous environments.

In simple words it is a platform for “hacking” automation, where STIF emulates the “brain” of a security analyst to perform repetitive tasks.

slide4

http://o0o.nu/

Why automation?

  • machine-based knowledge processing
  • automate routine tasks, spend more time on tasks that require brain power
  • create intrusion scenarios, and let machine probe them (nIDS testing)
  • ‘human’ error mitigation
  • reduce human labor involvement in modern corporate pen-testing sweatshop
slide5

http://o0o.nu/

Why integration?

  • Various security tools, written in different languages, are available, but no unified format for data exchange and representation;
  • No machine data analysis, aggregation and correlation possibilities;
  • Handling large-scale assessments w/ disintegrated tools is a nightmare;
  • No possibilities to automate distributed attacks
slide6

http://o0o.nu/

Typical scenario for security analyst

slide7

http://o0o.nu/

Want to see what happened to Joe the analyst after one month?

slide8

http://o0o.nu/

Poor Joe…

Look what repetitive and boring “hacking” has done to him…

slide9

http://o0o.nu/

Why not let machine do the boring part???

slide10

http://o0o.nu/

Of course, you can ...

  • script it: `ls –al ~/code/scripts/`
  • (ab)use security scanners (nessus);
  • (ab)use exploit toolkits (e.g metasploit);
  • hire a full room of pen-testing monkeys, that will do the boring part (sweatshop production);
slide11

http://o0o.nu/

Scanners vs. STIF

  • Problems with scanners:
  • hardcoded sequence of execution;
  • vendor-specific integration (e.g. NASL, plug-in APIs), requires rewrite or code hacking;
  • vendor-specific data representation/storage (hard to integrate into existing solutions, e.g. custom DBs);
slide12

http://o0o.nu/

STIF solution

STIF is designed to solve the problems outlined earlier, by introducing the common format for data representation and by providing a platform for data exchange among tools.

slide13

http://o0o.nu/

First generation STIF provides:

  • Highly customizable rule-based inference engine, which enables analyst to script out ANY scenario based on the data that was returned by tools;
  • Unified data exchange and representation format;
  • Generic database publishing module (save data from tools in DB w/ any scheme);
  • IRC BOT interface: data publisher and importer
slide14

http://o0o.nu/

STIF Features (continued)

  • Distributed architecture
  • ready to use DB schema
  • STIF is written in Java
    • the reason for that decision is simple: quicker development cycle, cross-platform compatibility;
slide15

http://o0o.nu/

Data representation unification

STIF encapsulates data in a set of XML messages (STIF-Message)

Input data, provided in XML format, converted by Exec module into the form, which could be understood by the tool

The results of tools execution are converted to STIF and are fed back into the Inference Engine.

slide16

http://o0o.nu/

STIF-Message

Sample STIF-Message:

<STIF-Message created="2004-09-02T15:03:01+6">

<Port number="80" state="open" protocol="tcp">

<Address type="ipv4-addr">192.168.1.1</Address>

<Protocol>

HTTP

<Application>

Apache/1.3.27 (Unix) PHP/4.3.1

</Application>

</Protocol>

</Port>

</STIF-Message>

slide17

http://o0o.nu/

Inference engine

  • responsible for data interflow between various tools;
  • makes decisions on which tools to be executed, when new data appears
  • provides data aggregation and correlation facilities(including regular expressions based matching to the
  • knowledge base facts);
  • maintains execution flow using rule-based scenarios;
slide18

http://o0o.nu/

Data Publishing facility

Publishing in STIF environment means providing the Publisher with newly arrived facts (STIF-Messages from tools).

STIF is able to execute several data/fact publishing modules simultaneously (e.g. database publishing, IRC publishing).

slide19

http://o0o.nu/

SQL Publisher

STIF comes with SQL publishing module, which can publish/store data received from tools in a form of a STIF-Message, in databases of arbitrary scheme.

<message type="Target">

<query>

INSERT INTO ip_address VALUES(NULL,'%h');

</query> </message>

<message type="Port">

<query>

SELECT id FROM ip_address WHEREip_address='%h';

</query>

<query>

INSERT INTO port VALUES(NULL, $1, '%n', '%P', '%S', '%p', '%a'); </query>

</message>

slide20

http://o0o.nu/

IRC Importer/Publisher

STIF supports command input over IRC and can publish new facts to an IRC channel or using private messages.

Other software tools can act as STIF “nodes” embedding the IRC importer/publisher functionality

slide21

http://o0o.nu/

Your favorite tools integration to support STIF?

  • STIF provides several means to import data into STIF inference engine:
  • Generic2STIFConverter, extracts data from output using regular expressions to form STIF-Message;
  • Tool-specific wrappers
slide22

http://o0o.nu/

Integration using STIF Generic2STIF Converter

Define rules in parser.xml:

<?xml version="1.0"?>

<Config>

<Tool name="nmap-syn-version">

<Group name="target address">

<Delimeter>Interesting</Delimeter>

<Regex name="address" required="true">

.*ports on .*\(([\d\.]+)\):.+

</Regex>

<Group name="port" generate="port">

<Delimeter>

newline

</Delimeter>

<Regex name="portNumber" required="true">

^(\d+)/(?:tcp|udp).+

</Regex>

slide23

http://o0o.nu/

  • <Regex name="portProtocol" required="true">
  • ^\d+/(tcp|udp).+
  • </Regex>
  • <Regex name="portState" required="true">
  • ^\d+/(?:tcp|udp)\s+(open|closed|filtered).+
  • </Regex>
  • <Regex name="portService" required="true">
  • ^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+([\w-]+).*
  • </Regex>
  • <Regex name="portApplication" required="false">
  • ^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+[\w-]+\s+(.+)
  • </Regex>
  • </Group>
  • </Group>
  • </Tool>
  • </Config>
slide24

STIF-compliant?

http://o0o.nu/

How can you help?

  • You can do several things to contribute
  • to our efforts:
  • Try it!!!
  • Ask your favorite tool’s author to become STIF-compliant;
  • Write regular expressions to parse output for Generic2STIFConverter;
  • Patch you favorite tools to be STIF-compliant;
  • or.. wait until STIF2 is out
slide25

http://o0o.nu/

First generation STIF Demonstation

problems with current stif implementation

http://o0o.nu/

Problems with current STIF implementation
  • Complexity: massive coupled piece of code
  • Centralized system: limited support for task distribution
  • Non-dynamic (fixed at startup) inference engine rules
  • Knowledge interchange format needs to be extended
stif2 concepts

http://o0o.nu/

STIF2 Concepts

Functionality decoupling

stif2 concepts1

http://o0o.nu/

STIF2 Concepts
  • Platform independent
  • Composed of independent agents
  • Agents communicate with each other using messaging protocol
  • Agent capability service exists to provide agent capability lookup and matching facility
stif2 multi agent architecture

http://o0o.nu/

STIF2 Multi-Agent Architecture
  • Multi-agent architecture
    • Tool wrapper Agents
      • Scanning, connection forwarding, attack launching
    • Logic Execution Agents
    • User Interface Agents
    • And more
message exchange framework

http://o0o.nu/

Message Exchange Framework
  • Provides facilities for agent communication
  • Provides facilities for communication channel selection (covert channels, tunneling, stenography)
goal driven execution

http://o0o.nu/

Goal-Driven execution
  • Goal-driven execution flow
    • Each agent describes its functionality with a set of capabilities. Each capability can be executed on certain type of data object (network, host, user, URL)
    • Each agent is given task to execute the capability, which becomes agent goal. Agent may have different plans to execute the same capability. Plans are scored based on execution success rate
goal driven execution1

http://o0o.nu/

Goal Driven execution
  • Each also plan may be assigned with qualifiers:
    • Stealth-ness
    • Latency

Which can be matched to current ‘environment’ settings

event driven execution

http://o0o.nu/

Event-driven execution
  • Event-driven execution flow
    • Each agent may subscribe to ‘interests’, expressing its interest to certain types of data objects, which agent is interested in (network, host, open port, URL, a valid user)
    • When an agent discovers a new data. The “interests” list is queried for the list of interested agents. The agent is responsible to forward the data to interested partners.
agent data cache beliefs

http://o0o.nu/

Agent Data Cache (beliefs)
  • Agent caches data locally (local data Cache, beliefs)
  • Agent may query other agents or KB for missing data
current implementation prototype

http://o0o.nu/

Current Implementation prototype
  • Based on Java/JADE framework
  • The communication protocol: in progress
  • The knowledge interchange format: reviewing current standards (KIF, DAML)
  • Once the communication framework is finalized, JADE messaging framework to be replaced with home-brewed implementations (ports for different languages)
slide36

http://o0o.nu/

Questions (remember we give out T-shirt for best question)?

Suggestions ?

fyodor@o0o.nu

meder@o0o.nu

http://o0o.nu/sec/STIF/

slide37

http://o0o.nu/

Thanks!!!!