ecs236 Winter 2006: Intrusion Detection #2: Vulnerability Analysis
Structured Intrusion Scenario Analysis
Course 95-750: Security Architecture and Analysis
Andrew Moore, CERT Coordination Center
Software Engineering Institute, Carnegie Mellon University
(412)[email protected]
5 December 2000
-2-
SNA Process
STEP 1: SYSTEM DEFINITION
• Mission, requirements, environment, and risks definition
• Architecture definition and elicitation
STEP 2: ESSENTIAL CAPABILITY DEFINITION
• Essential service/asset selection/scenarios
• Essential component identification
STEP 3: COMPROMISABLE CAPABILITY DEFINITION
• Intrusion selection/scenarios
• Compromisable component identification
STEP 4: SURVIVABILITY ANALYSIS
• Softspot component (essential & compromisable) identification
• Resistance, recognition, and recovery analysis
• Survivability Map development
-3-
Broad Goals of Research
• Develop systematic methods
• Manage complexity
• Integrate risk analysis techniques
• Facilitate populating survivability map
• Determine utility of automation
• Improve repeatability of results
Identify, document, and demonstrate techniques that lessen SNA's dependence on experience and security expertise
-4-
Overview of Talk
• Attack Trees Introduction
• Enterprise-Level Example
• Reusing Patterns of Attack
• Attack Tree Refinement
• Conclusions
Focus on improving intrusion scenario analysis
-6-
Attack Trees
• Provides a "formal, methodical way of describing the security of systems, based on varying attacks"
• Decomposes attacker goal
  – AND decomposition describes a time-ordered sequence of sub-goals
    textual:  Goal G0
              AND G1
                  G2
    (graphical form in the figure)
  – OR decomposition describes alternative sub-goals
    textual:  Goal G0
              OR G1
                 G2
    (graphical form in the figure)
• Organizes intrusion scenarios
  [Figure: an example tree rooted at G0 with sub-goals G1–G9, shown beside the intrusion scenarios it implies, each a set of leaf goals such as G3, G5, G6 / G4, G5, G6 / G4, G5 / G8, G9]
-7-
Opening a Safe*
Goal: Open Safe (P)
OR 1. Pick Lock (I)
   2. Learn Combo (P)
      OR 1. Find Written Combo (I)
         2. Get Combo From Target (P)
            OR 1. Threaten (I)
               2. Blackmail (I)
               3. Eavesdrop (I)
                  AND 1. Listen to Conversation (P)
                      2. Get Target to State Combo (I)
               4. Bribe (P)
   3. Cut Open Safe (P)
   4. Install Improperly (I)
P = Possible, I = Impossible
* Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000
-8-
Special Equipment Required?*
Goal: Open Safe
OR 1. Pick Lock (SE)
   2. Learn Combo
      OR 1. Find Written Combo (NSE)
         2. Get Combo From Target
            OR 1. Threaten (NSE)
               2. Blackmail (NSE)
               3. Eavesdrop
                  AND 1. Listen to Conversation (SE)
                      2. Get Target to State Combo (NSE)
               4. Bribe (NSE)
   3. Cut Open Safe (SE)
   4. Install Improperly (NSE)
SE = Special Equipment, NSE = No Special Equipment
* Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000
-9-
Cost of Attack?*
Goal: Open Safe ($10K)
OR 1. Pick Lock ($30K)
   2. Learn Combo ($20K)
      OR 1. Find Written Combo ($75K)
         2. Get Combo From Target ($20K)
            OR 1. Threaten ($60K)
               2. Blackmail ($100K)
               3. Eavesdrop ($60K)
                  AND 1. Listen to Conversation ($20K)
                      2. Get Target to State Combo ($40K)
               4. Bribe ($20K)
   3. Cut Open Safe ($10K)
   4. Install Improperly ($100K)
(An OR node costs the cheapest of its alternatives; an AND node costs the sum of its steps.)
* Taken from Bruce Schneier, Secrets and Lies, John Wiley & Sons, 2000
-11-
ACME, Inc. Enterprise Structure
[Figure: physical site – ACME HQ, Parking, Guard Front Gate, Dumpster, Fenced Perimeter; Network Services – ACME Firewall, ACME Web Server, Backbone, with Remote Dial-up Users and Internet Users connecting from outside]
-12-
High-Level Attack Tree for ACME, Inc.
Attacker Goal: Steal ACME proprietary secrets
OR 1. Physically scavenge discarded items from ACME
      OR 1. Inspect dumpsters' contents on-site
         2. Inspect refuse after removal from site
   2. Monitor emanations (e.g., electromagnetic, visual) from ACME machines
      AND 1. Survey physical perimeter to determine optimal monitoring position
          2. Acquire necessary monitoring equipment
          3. Set up monitoring site
          4. Monitor emanations from site
   3. Recruit help of trusted ACME insider
      OR 1. Plant spy as trusted insider
         2. Use existing trusted insider
   4. Physically access ACME networks or machines
      OR 1. Get physical, on-site access to Intranet
         2. Get physical access to external machines
   5. Attack ACME Intranet using its connections with Internet
      OR 1. Monitor communications over Internet for leakage
         2. Get trusted process to send sensitive information to attacker over Internet
         3. Gain privileged access to ACME Web Server
   6. Attack ACME Intranet using its connections with PTN
      OR 1. Monitor communications over PTN for leakage of sensitive information
         2. Gain privileged access to machines on Intranet connected via Internet
-13-
Web Server Attack Refinement
Goal 5.3. Gain privileged access to ACME Web Server
AND 1. Identify ACME domain name
    2. Identify ACME firewall IP address
       OR 1. Interrogate Domain Name Server
          2. Scan for firewall identification
          3. Trace route through firewall to web server
    3. Determine ACME firewall access control
       OR 1. Search for specific default listening ports
          2. Scan ports broadly for any listening port
    4. Identify ACME web server operating system and type
       OR 1. Scan OS services' banners for OS identification
          2. Probe TCP/IP stack for OS characteristic information
    5. Exploit ACME Web Server vulnerabilities
       OR 1. Access sensitive shared intranet resources directly
          2. Access sensitive data from protected account on Web Server
Implied Intrusion Scenarios (one choice from each OR node, in step order):
(1, 2.1, 3.1, 4.1, 5.1)  (1, 2.2, 3.1, 4.1, 5.1)  (1, 2.3, 3.1, 4.1, 5.1)
(1, 2.1, 3.2, 4.1, 5.1)  (1, 2.2, 3.2, 4.1, 5.1)  (1, 2.3, 3.2, 4.1, 5.1)
(1, 2.1, 3.1, 4.2, 5.1)  (1, 2.2, 3.1, 4.2, 5.1)  (1, 2.3, 3.1, 4.2, 5.1)
(1, 2.1, 3.2, 4.2, 5.1)  (1, 2.2, 3.2, 4.2, 5.1)  (1, 2.3, 3.2, 4.2, 5.1)
. . .
-14-
Populating the Survivability Map
• Ask resist, recognize, recover questions at attack tree nodes
  – Resist: blocking a branch eliminates the scenarios that traverse it
  – Recognize: detecting actions at a node helps recognize the intrusion
  – Recover: once detected, steps to continue the mission
• Prioritize branches (Threat × Vulnerability × Impact)
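The two slides above describe a procedure: the tree's AND/OR structure implies a set of intrusion scenarios (slide 13), and the resist question is answered by seeing which of those scenarios a blocked branch removes (slide 14). The following is an added example, not code from the talk or from CERT; it encodes Goal 5.3 exactly as the slide states it, with the node labels (1, 2.1, ...) used in the implied-scenario list. The Threat/Vulnerability/Impact ratings in the usage part are constructed for illustration.

```python
from dataclasses import dataclass, field
from itertools import product


@dataclass
class Node:
    """A goal in the deck's notation: AND/OR decomposition of sub-goals, or a leaf."""
    label: str                      # e.g. "2.1", used to name scenarios
    goal: str
    op: str = "LEAF"                # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)


def scenarios(node):
    """Every intrusion scenario the tree implies, as a tuple of leaf labels.
    OR: the union of the children's scenarios (alternatives).
    AND: one scenario from each child, concatenated in order (time-ordered steps)."""
    if node.op == "LEAF":
        return [(node.label,)]
    child_sets = [scenarios(c) for c in node.children]
    if node.op == "OR":
        return [s for cs in child_sets for s in cs]
    return [sum(combo, ()) for combo in product(*child_sets)]


def resist(node, blocked):
    """Resist question: scenarios that survive when the branch `blocked` is eliminated.
    Blocking a node also blocks every sub-goal below it (label prefix)."""
    def traverses(step):
        return step == blocked or step.startswith(blocked + ".")
    return [s for s in scenarios(node) if not any(traverses(step) for step in s)]


def prioritize(ratings):
    """Rank branches by Threat x Vulnerability x Impact; ratings maps label -> (T, V, I)."""
    return sorted(ratings, key=lambda lbl: ratings[lbl][0] * ratings[lbl][1] * ratings[lbl][2],
                  reverse=True)


def goal_5_3():
    """Goal 5.3 from slide 13, transcribed from the slide's text."""
    return Node("5.3", "Gain privileged access to ACME Web Server", "AND", [
        Node("1", "Identify ACME domain name"),
        Node("2", "Identify ACME firewall IP address", "OR", [
            Node("2.1", "Interrogate Domain Name Server"),
            Node("2.2", "Scan for firewall identification"),
            Node("2.3", "Trace route through firewall to web server")]),
        Node("3", "Determine ACME firewall access control", "OR", [
            Node("3.1", "Search for specific default listening ports"),
            Node("3.2", "Scan ports broadly for any listening port")]),
        Node("4", "Identify ACME web server operating system and type", "OR", [
            Node("4.1", "Scan OS services' banners for OS identification"),
            Node("4.2", "Probe TCP/IP stack for OS characteristic information")]),
        Node("5", "Exploit ACME Web Server vulnerabilities", "OR", [
            Node("5.1", "Access sensitive shared intranet resources directly"),
            Node("5.2", "Access sensitive data from protected account on Web Server")]),
    ])


if __name__ == "__main__":
    tree = goal_5_3()
    all_scenarios = scenarios(tree)
    print(len(all_scenarios), "implied scenarios; first:", all_scenarios[0])
    # Resist: blocking alternative 2.2 removes the scenarios that use it;
    # blocking all of step 2 (an AND step) removes every scenario.
    print(len(resist(tree, "2.2")), "remain if 2.2 is blocked")
    print(len(resist(tree, "2")), "remain if step 2 is blocked")
    # Constructed T/V/I ratings for the step-2 alternatives, to rank where to resist first.
    ratings = {"2.1": (3, 4, 5), "2.2": (2, 2, 5), "2.3": (4, 1, 5)}
    print("branch priority:", prioritize(ratings))
```

The AND/OR product is what makes the scenario list on slide 13 grow multiplicatively (1 × 3 × 2 × 2 × 2 = 24 scenarios for Goal 5.3); blocking an alternative under an OR node thins the list, while blocking an entire AND step empties it, which is the survivability-map argument for resisting at AND steps.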
-16-
Reuse via Attack Patterns
attack pattern – an abstract description of a specific attack, containing
  – attacker goal
  – precondition for use
  – attack tree segment
  – postcondition
attack profile – a collection of related attack patterns, containing
  – common reference model
  – variation points that permit instantiation/extension
  – set of attack patterns
  – glossary
-17-
Buffer Overflow Attack
Buffer Overflow Attack Pattern:
Goal: Exploit buffer overflow vulnerability to perform malicious function
PreCondition: Attacker can execute certain programs on the target system
Attack:
AND 1. Identify program on the target system susceptible to buffer overflow vulnerability
    2. Identify code that will perform malicious function when it executes with the program's privilege
    3. Construct input value that will force code to be in the program's address space
    4. Execute program in way that makes it jump to address where code resides
PostCondition: The target system performs malicious function
[Figure: the program invocation stack before and after the attack. Before: the execution stack holds the activation record (program code, return pointer, local variables, buffer), with the directions of stack growth and buffer growth marked. After: overflowing the program buffer with malicious input places malicious code in the buffer, leaves overwritten values above it, and replaces the return pointer with a modified pointer.]
-18-
Internet-Based Enclave Attack Profile
Reference Model:
[Figure: The Org Enclave – Intranet, Firewall, System and User inside; Internet and Attacker outside]
Attack Patterns:
Buffer Overflow Attack Pattern:
Goal: Exploit buffer overflow vulnerability to perform malicious function
PreCondition: Attacker can execute certain programs on System
Attack:
AND 1. Identify program on System susceptible to buffer overflow vulnerability
    2. Identify code that will perform malicious function when it executes with the program's privilege
    3. Construct input value that will force code to be in the program's address space
    4. Execute program in way that makes it jump to address where code resides
PostCondition: System performs malicious function
…
Glossary:
buffer overflow vulnerability – a flaw in a program that, when executed with excessively long input values, causes the input to overflow into another portion of the execution stack. ...
-20-
Attack Tree Refinement Process
Input: Enterprise – Mission – Threats – Architecture
[Flowchart, given here as steps]
1. Done? Attack tree refined sufficiently to construct survivability map?
   yes: Use attack tree to construct survivability map.
   no: go to step 2.
2. Search Attack Pattern Library. Consider attack profiles whose reference model represents the enterprise architecture.
3. Applicable? Is there a node of the tree that is an instance of the pattern's goal?
   yes: Instantiate and Apply Pattern. Instantiate pattern based on enterprise architecture and goal node; incorporate pattern tree at node. Go to step 4.
   no: go to step 5.
4. Acceptable? Attack tree more representative of likely attacks?
   yes: return to step 1.
   no: Undo Pattern Application; go to step 5.
5. Keep Searching?
   yes: return to step 2.
   no: Extend attack tree manually; return to step 1.
-21-
Aligning Attack Profile to Architecture
• Requires instantiating variation points
  – ACME for Org, ACME Firewall for Firewall, ...
  – Instantiated attack patterns can then be used to refine the enterprise-specific attack tree
[Figure: the profile's reference model (The Org Enclave – Intranet, Firewall, System, User; Internet, Attacker) aligned with the ACME enterprise structure (ACME HQ, Parking, Guard Front Gate, Dumpster, Fenced Perimeter; Network Services – ACME Firewall, ACME Web Server, Backbone; Remote Dial-up Users, Internet Users)]
-22-
Instantiation and Application
Buffer Overflow Attack Pattern (instantiated for ACME):
Goal: Exploit buffer overflow vulnerability to access privileged account
PreCondition: Attacker can execute certain programs on ACME Web Server
Attack:
AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
    2. Identify code that would provide access to privileged account when executed with the program's privilege
    3. Construct input value that will force code to be in the program's address space
    4. Execute program in way that makes it jump to address at which code resides
PostCondition: Attacker can access privileged account

Resulting refinement of the enterprise tree:
5.3.5.2 Access sensitive data from privileged account on ACME Web Server
AND 1. Get access to privileged account on ACME Web Server
       AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
           2. Identify code that would provide access to privileged account when executed with the program's privilege
           3. Construct input value that will force code to be in the program's address space
           4. Execute program in way that makes it jump to address where code resides
    2. Scan files for sensitive data
-23-
Applying Attack Patterns
Notation: Enterprise Attack Tree + Attack Pattern = Resulting Attack Tree; Instantiation (i), Differentiation (d).
The enterprise tree has goal GJ decomposed into GK ... GK+i ... GK+n; the pattern has goal GR decomposed into GS ... GS+m.

Leaf Node Application (iGR achieves GK+i):
  GJ [GK ... GK+i ... GK+n] + GR [GS ... GS+m]
  = GJ [GK ... GK+i [iGS ... iGS+m] ... GK+n]
  The leaf GK+i takes the instantiated pattern's decomposition.

Non-Leaf Node Application to OR Decomp (iGR achieves GJ):
  GJ OR [GK ... GK+n] + GR [GS ... GS+m]
  = GJ OR [GK ... GK+n, iGR [iGS ... iGS+m]]
  The instantiated pattern becomes one more alternative under GJ.

Non-Leaf Node Application to AND Decomp (iGR achieves GJ; dGJ achieves GJ):
  GJ AND [GK ... GK+n] + GR [GS ... GS+m]
  = GJ OR [dGJ AND [GK ... GK+n], iGR [iGS ... iGS+m]]
  The original AND sequence is differentiated into dGJ, and GJ becomes an OR of dGJ and the instantiated pattern.
-24-
Unexpected Operator Attack Pattern
Unexpected Operator Attack Pattern:
Goal: Exploit unexpected operator vulnerability to perform malicious function
PreCondition: Attacker can execute certain programs on System
Attack:
AND 1. Identify program on System susceptible to unexpected operator vulnerability
    2. Identify (unexpected) operator that permits composing system calls
    3. Identify system call that would perform malicious function when executed with program's privilege
    4. Construct unexpected input by composing legal input value with system call using the unexpected operator
    5. Execute program on System with unexpected input
PostCondition: System performs malicious function

    program p (fname : string) =
        ...
        cmd = append ("Open ", fname)
        execute (cmd)
        ...

expected call:  p("data.txt")
malicious call: p("data.txt ; rm -rf *")
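The slide's program p shows the vulnerability in pseudocode: the file name is concatenated into a command string that a shell parses, so the ";" operator composes a second command. The following is an added example, not code from the talk; it puts the slide's p beside a hardened form. The vulnerable form only builds the command string (it never runs it), and the Python shlex lexer stands in for the shell's tokenizer so the composition can be counted offline. The name allow-list pattern is an assumption of this example.

```python
import re
import shlex

# Shell operators that join commands; a run of these characters is one token under shlex.
SEPARATOR_CHARS = set(";|&")

# Allow-list for a plain file name (assumption of this example, not from the slides):
# leading alphanumeric or underscore, then alphanumerics, '_', '.', '-'; max 255 chars.
SAFE_NAME = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,254}")


def build_command_unsafe(fname):
    """The slide's p(): append the caller's value to a command string meant for a shell.
    Any shell operator in fname becomes part of the command line."""
    return "Open " + fname


def shell_command_count(cmd):
    """How many separate commands a POSIX shell would run for cmd.
    shlex with punctuation_chars=True emits ';', '|', '&&', ... as their own tokens,
    which approximates the shell's view closely enough for this check."""
    tokens = list(shlex.shlex(cmd, posix=True, punctuation_chars=True))
    separators = sum(1 for t in tokens if t and set(t) <= SEPARATOR_CHARS)
    return separators + 1


def build_command_safe(fname):
    """Hardened p(): validate the value against an allow-list, then return an argv list.
    Run with subprocess.run(argv) (no shell), so no operator can compose a second call;
    the allow-list rejects anything that is not a plain file name."""
    if not SAFE_NAME.fullmatch(fname):
        raise ValueError(f"rejected file name: {fname!r}")
    return ["Open", fname]


if __name__ == "__main__":
    for value in ("data.txt", "data.txt ; rm -rf *"):
        unsafe = build_command_unsafe(value)
        print(f"{unsafe!r}: shell would run {shell_command_count(unsafe)} command(s)")
        try:
            print("  hardened argv:", build_command_safe(value))
        except ValueError as err:
            print("  hardened:", err)
```

Two independent defences are shown: the argv list removes the shell (and with it the operator) from the call path, and the allow-list rejects the unexpected operator at the input boundary even if a shell were still involved. Either alone would stop the slide's malicious call; a survivability analysis would count the validation as "resist" at step 4 of the pattern and the rejection log as "recognize".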
-25-
Instantiating Unexpected Operator Attack Pattern
Unexpected Operator Attack Pattern (instantiated for ACME):
Goal: Exploit unexpected operator vulnerability to access privileged account
PreCondition: Attacker can execute certain programs on ACME Web Server
Attack:
AND 1. Identify program on ACME Web Server susceptible to unexpected operator vulnerability
    2. Identify (unexpected) operator that permits composing system calls
    3. Identify system call that would provide access to privileged account when executed with program's privilege
    4. Construct unexpected input by composing legal input value with system call using the unexpected operator
    5. Execute program on ACME Web Server with unexpected input
PostCondition: Attacker can access privileged account
-26-
Application at a Non-Leaf Node
Before (point of application: node 5.3.5.2.1, an AND decomposition):
5.3.5.2 Access sensitive data from privileged account on ACME Web Server
AND 1. Get access to privileged account on ACME Web Server
       AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
           2. Identify code that would provide access to privileged account when executed with program's privilege
           3. Construct input value that will force code to be in the program's address space
           4. Execute program in way that makes it jump to address where code resides
    2. Scan files for sensitive data

Apply Unexpected Operator Attack Pattern at the point of application.

After:
5.3.5.2 Access sensitive data from privileged account on ACME Web Server
AND 1. Get access to privileged account on ACME Web Server
       OR 1. Exploit buffer overflow vulnerability to get access to privileged account
             AND 1. Identify program on ACME Web Server susceptible to buffer overflow vulnerability
                 2. Identify code that would provide access to privileged account when executed with program's privilege
                 3. Construct input value that will force code to be in the program's address space
                 4. Execute program in way that makes it jump to address where code resides
          2. Exploit unexpected operator vulnerability to get access to privileged account
             AND 1. Identify program on ACME Web Server susceptible to unexpected operator vulnerability
                 2. Identify (unexpected) operator that permits composing system calls
                 3. Identify system call that would provide access to privileged account when executed with program's privilege
                 4. Construct unexpected input by composing legal input value with system call using the unexpected operator
                 5. Execute program on ACME Web Server with unexpected input
    2. Scan files for sensitive data
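Slides 22, 23 and 26 together specify the refinement mechanics: instantiate a profile's pattern by binding its variation points (Org, System) to enterprise names, then incorporate the pattern tree at a node, with the three cases of slide 23 (leaf, OR node, AND node with differentiation). The following is an added example, not code from the talk or from CERT; it encodes the slide 22 tree and the Unexpected Operator pattern as the slides state them. Treating "perform malicious function" as a further substitutable phrase, so that the goal reads as on slide 25, is a simplification of this example; the slide's analyst also reworded the postcondition by hand, which plain substitution does not do.

```python
from dataclasses import dataclass, field


@dataclass
class Node:
    """A goal with an AND/OR decomposition of sub-goals, or a leaf."""
    goal: str
    op: str = "LEAF"                # "AND", "OR" or "LEAF"
    children: list = field(default_factory=list)


@dataclass
class AttackPattern:
    goal: str
    precondition: str
    attack: Node                    # the pattern's attack tree segment (its root op and steps)
    postcondition: str


# Variation points of the Internet-Based Enclave profile bound to ACME (slide 21),
# plus the goal phrase, which this example substitutes as well.
ACME_BINDINGS = {"Org": "ACME", "System": "ACME Web Server",
                 "perform malicious function": "access privileged account"}


def instantiate(pattern, bindings):
    """Instantiation (i): replace variation points throughout the pattern."""
    def subst(text):
        for var, val in bindings.items():
            text = text.replace(var, val)
        return text

    def walk(n):
        return Node(subst(n.goal), n.op, [walk(c) for c in n.children])

    return AttackPattern(subst(pattern.goal), subst(pattern.precondition),
                         walk(pattern.attack), subst(pattern.postcondition))


def apply_pattern(node, ipattern, differentiated_goal=None):
    """Incorporate the instantiated pattern at `node`, which must be an instance of its goal.
    Leaf:     the leaf takes the pattern's decomposition (iGR achieves GK+i).
    OR node:  iGR becomes one more alternative (iGR achieves GJ).
    AND node: differentiation (d): the existing sequence becomes alternative dGJ,
              renamed to differentiated_goal if given, and iGR the other alternative."""
    igr = Node(ipattern.goal, ipattern.attack.op, ipattern.attack.children)
    if node.op == "LEAF":
        node.op, node.children = ipattern.attack.op, ipattern.attack.children
    elif node.op == "OR":
        node.children.append(igr)
    else:
        dgj = Node(differentiated_goal or node.goal, "AND", node.children)
        node.op, node.children = "OR", [dgj, igr]
    return node


UNEXPECTED_OPERATOR = AttackPattern(
    goal="Exploit unexpected operator vulnerability to perform malicious function",
    precondition="Attacker can execute certain programs on System",
    attack=Node("", "AND", [
        Node("Identify program on System susceptible to unexpected operator vulnerability"),
        Node("Identify (unexpected) operator that permits composing system calls"),
        Node("Identify system call that would perform malicious function when executed with program's privilege"),
        Node("Construct unexpected input by composing legal input value with system call using the unexpected operator"),
        Node("Execute program on System with unexpected input")]),
    postcondition="System performs malicious function")


def acme_5_3_5_2():
    """Goal 5.3.5.2 as on slide 22, after the buffer overflow pattern was applied."""
    return Node("Access sensitive data from privileged account on ACME Web Server", "AND", [
        Node("Get access to privileged account on ACME Web Server", "AND", [
            Node("Identify program on ACME Web Server susceptible to buffer overflow vulnerability"),
            Node("Identify code that would provide access to privileged account when executed with program's privilege"),
            Node("Construct input value that will force code to be in the program's address space"),
            Node("Execute program in way that makes it jump to address where code resides")]),
        Node("Scan files for sensitive data")])


def refine_acme():
    """Slide 26: apply the instantiated pattern at the AND node 5.3.5.2.1."""
    tree = acme_5_3_5_2()
    ipat = instantiate(UNEXPECTED_OPERATOR, ACME_BINDINGS)
    apply_pattern(tree.children[0], ipat,
                  "Exploit buffer overflow vulnerability to get access to privileged account")
    return tree


def render(node, depth=0):
    """Print the tree in the deck's indented textual notation."""
    print("  " * depth + (f"{node.op} " if node.op != "LEAF" else "") + node.goal)
    for c in node.children:
        render(c, depth + 1)


if __name__ == "__main__":
    render(refine_acme())
```

The AND case is the one that needs care: appending the new pattern to an AND node would make it a mandatory extra step, so the node is first turned into an OR whose first alternative is the differentiated original sequence. That is exactly the shape of node 5.3.5.2.1 after slide 26.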
-27-
Auxiliary Attack Patterns
Access Control Discovery Attack Pattern:
Goal: Identify Firewall access controls
PreCondition: 1. Attacker knows Firewall IP address
Attack:
OR 1. Search for specific default listening ports
   2. Scan ports broadly for any listening ports
   3. Scan ports stealthily for listening ports
      OR 1. Randomize target of scan
         2. Randomize source of scan
         3. Scan without touching target host
PostCondition: Attacker knows Firewall access controls

IP Address Discovery Attack Pattern:
Goal: Identify Org's Firewall IP address
PreCondition: 1. Attacker knows Org's domain name
Attack:
OR 1. Interrogate Domain Name Server
   2. Trace route through Firewall to Org's web server
   3. Scan for Firewall IP address
PostCondition: Attacker knows Firewall IP address
-29-
What We Can Do
• Generate enterprise-specific attack trees
• Organize SNA intrusion scenarios
• Help populate enterprise survivability map
• Reuse previously developed attack patterns
• Classify attack patterns to promote discovery/instantiation
-30-
Future Work
• Validate practicality/scalability of approach
• Develop/refine broad range of attack profiles
• Assess particular attacker's ability to traverse attack tree
• Prioritize branches based on enterprise mission/vulnerability
• Formalize model of attack tree refinement/analysis
• Determine role of automation
Measure of Success: Will we use this approach in our next full-scale SNA application?