Quantitative Evaluation for Operational Security - an Experiment

H.W. Chan, CSE Dept., CUHK

Slides: 18
Provided by: CSE

1
Quantitative Evaluation for Operational Security - an Experiment
  • Ortalo et al., IEEE Transactions on Software
    Engineering, Sept/Oct 1999
  • Group Meeting, Mar 7, 2000

2
Outline
  • Introduction
  • The Approach
  • Privilege graphs
  • Attack state graphs
  • Mathematical model
  • The experiment
  • setup and results
  • Discussion

3
Introduction
  • System security has usually been discussed in
    terms of security requirements and policy
  • requires cooperation of all users
  • difficult for ordinary users to comprehend
  • A quantitative measure for system security is
    easier to comprehend
  • a figure representing the degree of security of
    the system can be useful

4
Quantifying security
  • Borrowing software reliability theory
  • In reliability, a piece of software fails upon
    time of usage; the Mean Time To Failure quantifies
    the reliability of the software
  • Similarly, in security, a system can be breached
    upon effort of attacks; the Mean Effort to Breach
    can quantify the security of the system

5
The Approach
  • Privilege graph
  • node: a set of privileges owned by a user or set
    of users (e.g., a group in Unix)
  • arc: a vulnerability that causes a user owning one
    privilege to obtain another, e.g.,

[Figure: arc from node X to node Y]
There is a method allowing a user owning
privilege X to obtain privilege Y.
6
Examples of vulnerabilities
  • Privilege subsets directly issued from the
    protection scheme
  • Direct security flaws, e.g., Trojan horse
  • System features exploited for attack
  • .rhosts, .xinitrc, setuid programs

[Figure labels: hwchan1, gds]
7
Privilege graph - example
[Figure: privilege graph with nodes A, B, F, P, Xadmin and insider; arcs labelled 1 to 7 according to the key]
Key:
  • 1: Y's .rhosts is writable by X
  • 2: X can guess Y's password
  • 3: X can modify Y's .tcshrc
  • 4: X is a member of Y
  • 5: Y uses a program managed by X
  • 6: X can modify a setuid program owned by Y
  • 7: X is in Y's .rhosts
8
Quantifying vulnerabilities
  • Each arc in the privilege graph should be
    assigned a weight to quantify the effort required
    for exploiting the vulnerability
  • Different factors should be considered, e.g.,
    expertise, time and equipment
  • No good methods to do this yet!

9
Attacker behavior
  • In an attack, an attacker begins with some
    minimal privileges, and wants to obtain some
    protected privileges.
  • In a privilege graph, the path from the attacker
    node to the target node describes the progress of
    attack

[Figure: path from the attacker node to the target node]
10
  • There can be more than one path from the
    attacker node to the target node
  • assumption: the attacker does not know the shortest
    path
  • Two assumptions for attacker behavior
  • Total memory (TM): all possibilities of attack
    are considered at any stage of attack
  • Memoryless (ML): at each newly visited node, only
    attacks possible from that node are considered

11
Attack state graphs (ML)
[Figure: attack state graph with states I, FI, IP, FIX, AIP, BFIX, AFIX, BFIPX, ABFIPX]
12
Attack state graph (TM)
[Figure: attack state graph with states I, FI, IP, FIX, FIP, AIP, BFIX, AFIX, AFIP, BFIPX, ABFIPX]
13
Mathematical Model
  • Assume the Markov model
  • Probability of success in an attack before an
    amount of effort e is spent is
  • $P(e) = 1 - \exp(-L e)$
  • L is the rate of attack, and can be assigned as
    the weight of the vulnerability
  • thus, mean effort to succeed is $1/L$

14
  • mean effort spent in state j is
  • $E_j = 1 / \sum_{i \in out(j)} L_{ji}$
  • Mean Effort To security Failure (METF) from
    initial state k to state i is
  • $METF_k = E_k + \sum_{i \in out(k)} L_{ki} E_k \, METF_i$
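
The E_j and METF_k recurrences above, evaluated over attack states built under the total memory (TM) assumption. This is an added example, not code from the presentation or from Ortalo et al.; the privilege graph, its rates and the function names are constructed for illustration.

```python
from functools import lru_cache

# Constructed privilege graph (not the graph on slide 7): arc (X, Y) -> rate L,
# with rates drawn from the experiment's four levels.
ARCS = {
    ("insider", "F"): 1e-1,
    ("insider", "P"): 1e-2,
    ("F", "X"): 1e-2,
    ("P", "A"): 1e-3,
    ("X", "A"): 1e-1,
}

def tm_successors(state, arcs):
    """Total memory: any arc leaving an owned privilege may be tried next.
    Returns {next_state: rate}; arcs reaching the same state add their rates."""
    out = {}
    for (src, dst), rate in arcs.items():
        if src in state and dst not in state:
            nxt = state | {dst}
            out[nxt] = out.get(nxt, 0.0) + rate
    return out

def metf(start, target, arcs):
    """Mean effort for an attacker holding `start` to obtain `target`."""
    @lru_cache(maxsize=None)
    def solve(state):
        if target in state:
            return 0.0                      # already breached
        out = tm_successors(state, arcs)
        if not out:
            return float("inf")             # target unreachable from here
        e = 1.0 / sum(out.values())         # E_j = 1 / sum(L_ji)
        # METF_k = E_k + sum(L_ki * E_k * METF_i)
        return e + sum(rate * e * solve(nxt) for nxt, rate in out.items())
    return solve(frozenset([start]))

if __name__ == "__main__":
    print(round(metf("insider", "A", ARCS), 2))
```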

15
The experiment
  • Setup
  • Several hundred different workstations
  • 700 users sharing one global file system
  • privilege graphs, attacker state graph and METF
    computed every day from June 95 to Mar 97 (674
    days)
  • vulnerabilities are classified into four levels
    and given rates $10^{-1}$, $10^{-2}$, $10^{-3}$, $10^{-4}$

16
Results
17
Conclusion and discussion
  • A preliminary investigation about the security
    evaluation of operational systems
  • The assignment of rates of the vulnerabilities is
    pretty arbitrary, but is key to the validity of
    the measurement