Introduction to the common attack pattern enumeration and classification capec
1 / 15

Introduction to the Common Attack Pattern Enumeration and Classification (CAPEC) - PowerPoint PPT Presentation

  • Uploaded on

Introduction to the Common Attack Pattern Enumeration and Classification (CAPEC). Sean Barnum. The Importance of Knowing Your Enemy. An appropriate defense can only be established if you know how it will be attacked Remember!

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about 'Introduction to the Common Attack Pattern Enumeration and Classification (CAPEC)' - oakes

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

The importance of knowing your enemy l.jpg
The Importance of Knowing Your Enemy Classification

  • An appropriate defense can only be established if you know how it will be attacked

  • Remember!

    • Software Assurance must assume motivated attackers and not simply passive quality issues

    • Attackers are very creative and have powerful tools at their disposal

    • Exploring the attacker’s perspective helps to identify and qualify the risk profile of the software

What are attack patterns l.jpg
What are Attack Patterns? Classification

  • Blueprint for creating a specific type of attack

  • Abstracted common attack approaches from the set of known exploits

  • Capture the attacker’s perspective to aid software developers in improving the assurance profile of their software

Leveraging attack patterns throughout the sdlc l.jpg
Leveraging Attack Patterns Throughout the SDLC Classification

  • Guide definition of appropriate policies

  • Guide creation of appropriate security requirements (positive and negative)

  • Provide context for architectural risk analysis

  • Guide risk-driven secure code review

  • Provide context for appropriate security testing

What is capec l.jpg
What is CAPEC? Classification

  • Effort targeted at:

    • Standardizing the capture and description of attack patterns

    • Collecting known attack patterns into an integrated enumeration that can be consistently and effectively leveraged by the community

    • Classifying attack patterns such that users can easily identify the subset of the entire enumeration that is appropriate for their context

  • Funded by the DHS NCSD

  • Led by Cigital

Current capec status l.jpg
Current CAPEC Status Classification

  • Extensive research performed and underway to identify and evaluate potential resources for creating attack patterns

  • Schema definition completed

  • In process of fleshing out ~50 preexisting patterns

  • In process of identifying and fleshing out new patterns

  • In process of analyzing set of identified patterns to develop an appropriate classification taxonomy

What do attack patterns look like l.jpg
What do Attack Patterns Look Like? Classification

  • Primary Schema Elements

    • Identifying Information

      • Attack Pattern ID

      • Attack Pattern Name

    • Describing Information

      • Description

      • Related Weaknesses

      • Related Vulnerabilities

      • Method of Attack

      • Examples-Instances

      • References

    • Prescribing Information

      • Solutions and Mitigations

    • Scoping and Delimiting Information

      • Severity

      • Likelihood of Exploit

      • Attack Prerequisites

      • Attacker Skill or Knowledge Required

      • Resources Required

      • Attack Motivation-Consequences

      • Context Description

What do attack patterns look like8 l.jpg
What do Attack Patterns Look Like? Classification

  • Supporting Schema Elements

    • Describing Information

      • Injection Vector

      • Payload

      • Activation Zone

      • Payload Activation Impact

    • Diagnosing Information

      • Probing Techniques

      • Indicators-Warnings of Attack

      • Obfuscation Techniques

    • Enhancing Information

      • Related Attack Patterns

      • Relevant Security Requirements

      • Relevant Design Patterns

      • Relevant Security Patterns

What to expect going forward l.jpg
What to Expect Going Forward Classification

  • Next step will likely be a draft classification taxonomy in 30 – 60 days

  • Draft attack pattern enumeration should be available for review in 3 – 6 months

  • Initial release of CAPEC including deployment to publicly available website should be 6 – 9 months

Opportunities for involvement l.jpg
Opportunities for Involvement Classification

  • Looking for more resources describing attacks

  • Looking for new attack patterns

  • Looking for added descriptive detail for existing attack patterns including examples

  • Looking for help aligning attack patterns to other appropriate knowledge catalogs

  • Looking for help identifying new value propositions for CAPEC

  • Looking for help spreading the word

Knowledge 48 attack patterns l.jpg

Make the Client Invisible Classification

Target Programs That Write to Privileged OS Resources

Use a User-Supplied Configuration File to Run Commands That Elevate Privilege

Make Use of Configuration File Search Paths

Direct Access to Executable Files

Embedding Scripts within Scripts

Leverage Executable Code in Nonexecutable Files

Argument Injection

Command Delimiters

Multiple Parsers and Double Escapes

User-Supplied Variable Passed to File System Calls

Postfix NULL Terminator

Postfix, Null Terminate, and Backslash

Relative Path Traversal

Client-Controlled Environment Variables

User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth)

Session ID, Resource ID, and Blind Trust

Analog In-Band Switching Signals (aka “Blue Boxing”)

Attack Pattern Fragment: Manipulating Terminal Devices

Simple Script Injection

Embedding Script in Nonscript Elements

XSS in HTTP Headers

HTTP Query Strings

User-Controlled Filename

Passing Local Filenames to Functions That Expect a URL

Meta-characters in E-mail Header

File System Function Injection, Content Based

Client-side Injection, Buffer Overflow

Cause Web Server Misclassification

Alternate Encoding the Leading Ghost Characters

Using Slashes in Alternate Encoding

Using Escaped Slashes in Alternate Encoding

Unicode Encoding

UTF-8 Encoding

URL Encoding

Alternative IP Addresses

Slashes and URL Encoding Combined

Web Logs

Overflow Binary Resource File

Overflow Variables and Tags

Overflow Symbolic Links

MIME Conversion

HTTP Cookies

Filter Failure through Buffer Overflow

Buffer Overflow with Environment Variables

Buffer Overflow in an API Call

Buffer Overflow in Local Command-Line Utilities

Parameter Expansion

String Format Overflow in syslog()

Knowledge: 48 Attack Patterns

Attack pattern 1 make the client invisible l.jpg
Attack Pattern 1: Classification Make the client invisible

  • Remove the client from the communications loop and talk directly to the server

  • Leverage incorrect trust model (never trust the client)

  • Example: hacking browsers that lie

Attack pattern 2 command delimiters l.jpg

Use off-nominal characters to string together multiple commands

Example: shell command injection with delimiters

<input type=hidden name=filebase value="bleh; [command]”>

cat data_log_; rm -rf /; cat temp.dat

Attack Pattern 2: Command delimiters