SLG in MulVAL - PowerPoint PPT Presentation

About This Presentation
Title:

SLG in MulVAL

Description:

... .00 69560.00 10710.00 69560.00 500.00 107900.00 18540.00 107900.00 600.00 154700.00 19820.00 154700.00 700.00 210000.00 25610.00 210000.00 800.00 273700.00 ... – PowerPoint PPT presentation

Number of Views:23
Avg rating:3.0/5.0
Slides: 31
Provided by: csPrincet
Category:
Tags: mulval | slg

less

Transcript and Presenter's Notes

Title: SLG in MulVAL


1
SLG in MulVAL
netAccess(H2, Protocol, Port) -
execCode(H1, User), reachable(H1, H2,
Protocol, Port).
netAccess()
execCode()
from input tuples
Possible instantiations
Possible instantiations
table for first subgoal
table for goal
2
SLG complexity for Datalog
  • Total time dominated by the rule that has the
    maximum number of instantiations
  • Time for computing one table
  • Computation of the
    subgoals
  • retrieving information from
    input tuples
  • matching results in the
    rules bodies
  • Time for computing all tables
  • retrieving information
    from input tuples
  • matching results in the
    rules bodies
  • See On the Complexity of Tabled Datalog
    Programs http//www.cs.sunysb.edu/warren/xsbbook
    /node21.html

3
MulVAL complexity in SLG
execCode(Host, User) - vulExists(Host,
_, Program,
remote, privilegeEscalation),
networkService(Host, Program,
Protocol, Port, User),
netAccess(Host, Protocol, Port).
Scale with network size
O(N) different instantiations
4
MulVAL complexity in SLG
netAccess(H2, Protocol, Port) -
execCode(H1, _), reachable(H1, H2,
Protocol, Port).
Scale with network size
Complexity of MulVAL
O(N2) different instantiations
5
Datalog proof generation
  • In security analysis, not only do we want to know
    what attacks could happen, but also we want to
    know how attacks can happen
  • Thus, we need more than an yes/no answer for
    queries.
  • We need the proofs for the true queries, which in
    the case of security analysis will be attack
    paths.
  • We also want to know all possible attack paths
    thus we need exhaustive proof generation.

6
An obvious approach
execCode(Host, PrivilegeLevel) -
vulExists(Host, Program, remote,
privilegeEscalation), serviceRunning(Host,
Program, Protocol, Port, PrivilegeLevel),
networkAccess(Host, Protocol, Port).
execCode(Host, PrivilegeLevel, Pf) -
vulExists(Host, Program, remote,
privilegeEscalation, Pf1),
serviceRunning(Host, Program, Protocol, Port,
PrivilegeLevel, Pf2), networkAccess(Host,
Protocol, Port, Pf3), Pf(execCode(Host,
PrivilegeLevel), Pf1, Pf2, Pf3).
This will break the bounded-term property and
result in non-termination for cyclic Datalog
programs
7
MulVAL Attack-Graph Toolkit
Ou, Boyer, and McQueen. ACM CCS 2006
Datalog rules
Security advisories
Translated rules
Graph Builder
Network configuration
Datalog representation
Datalog proof graph
Machine configuration
Joint work with Idaho National Laboratory
8
Stage 1 Rule Translation
netAccess(H2, Protocol, Port, ProofStep) -
execCode(H1, User), reachable(H1,
H2, Protocol, Port), ProofStep
because( multi-hop network
access', netAccess(H2, Protocol,
Port), execCode(H1, User),
reachable(H1, H2, Protocol,
Port) ).
Proof step
9
Stage 2 Build the Exhaustive Proof
because(multi-hop network access',
netAccess(fileServer, rpc, 100003),
execCode(webServer, apache),
reachable(webServer, fileServer, rpc,
100003))
execCode(webServer, apache)
multi-hop network access
netAccess(fileServer, rpc, 100003)
reachable(webServer, fileServer,
rpc, 100003)
10
Complexity of Proof Building
  • O(N2) to complete Datalog evaluation
  • With proof steps generated
  • O(N2) to build a proof graph from proof steps
  • Need to build O(N2) graph components
  • Building of one component
  • Find the predecessor table lookup
  • Find the successors table lookup

Total time O(N2),
if table lookup is constant time
11
Logical Attack Graphs
NFS shell
accessFile(attacker,fileServer,
write,/export)
Trojan horse installation
netAccess(attacker,webServer,
tcp,80)
NFS semantics
Remote exploit
execCode(attacker, webServer,apache)
accessFile(attacker,workStation,
write,/usr/local/share)
vulExists(webServer, CAN-2002-0392,
httpd, remoteExploit, privEscalation)
execCode(attacker,workStation,root)
OR
AND
networkService (webServer,httpd,tcp,80,apache)
ground fact
12
Performance and Scalability
13
Related Work
  • Sheyners attack graph tool (CMU)
  • Based on model-checking
  • Cauldron attack graph tool (GMU)
  • Based on graph-search algorithms
  • NetSPA attack graph tool (MIT LL)
  • Graph-search based on a simple attack model

14
Advantages of the Logic-programming Approach
  • Publishing and incorporation of
    knowledge/information through well-understood
    logical semantics
  • Efficient and sound analysis by leveraging the
    reasoning power of well-developed logic-deduction
    systems

15
SAT-based Security Hardening
  • MulVAL proof graph provides information on
    potential consequences of vulnerabilities.
  • How do we use this information to improve
    security?
  • Datalog proof turned to Boolean formula
  • SAT solver searches for optimal solution

SAT-Solving Approaches to Context-Aware
Enterprise Network Security Management. John
Homer, Xinming Ou. In IEEE Journal on Selected
Areas in Communications (JSAC).
16
Benefit of SAT
  • Impossible for human to understand all
    configuration options and ramifications.
  • Computers can do it better
  • Balance security and usability
  • Essentially a constraint solving process
  • Provides automated, reliable approach to reason
    about conflicting requirements

17
Vision for Network Security Management
Suggested Configuration Changes
Training Guidance
Usability Requirement
MulVAL
Problematic Configuration
Graph to Boolean formula
Desirable Configuration
SAT Solver
F
MulVAL Proof Graph
18
SAT-Solving Techniques
  • MinCostSAT
  • Utilize user-provided discrete cost values to
    find mitigation solution that minimizes cost
  • UNSAT Core Elimination
  • Reduce complexity in reconfiguration to simple
    choices between conflicting requirements
  • Use partial-ordering lattice to further reduce
    scope of choices, based on past decisions

19
Benefits
  • Human user only addresses problem areas in
    network configuration
  • Reduces complex problem to more manageable
    proportions

20
Example
buffer overrun
webServer
NFS shell
Remote exploit
fileServer
21
MulVAL Proof Graph
p2
e3
e2
privilege
c5
c4
c6
p1
c7
exploit
e1
configuration setting
c1
c3
c2
22
Circuit to CNF Conversion
From Sharad Maliks slides
  • Tseitin Transformation
  • Can e ever become true?

Consistency conditions for circuit variables
Is (e)(a b d)(ad)(bd)(cde)(de)(ce)
satisfiable?
23
Boolean Transformation
p2
c1 ? ? c2 ? c3 ? p1 c4 ? ? c5 ?
p1 ? p2 c6 ? ? c7 ? p1 ? p2
e1 e2 e3
c1 ? c2 ? c3 ? p1 c4 ? c5 ? p1 ?
p2 c6 ? c7 ? p1 ? p2
e3
e2
attack possibility constraints
c5
c4
c6
p1
c7
F e1 ? e2 ? e3
? F ? c3 ? p2
e1
policy requirement
zChaff SAT solver
c1
c3
c2
24
MinCostSAT
  • Given ? with n variables x1,x2,...,xn with cost
    ci 0,
  • ?nd assignment X ? 0, 1n to satisfy ? and
    minimize
  • C ? cixi
  • MinCostSAT in network reconfiguration
  • Privilege variables incur cost when assigned true
  • Configuration variables incur cost when assigned
    false
  • Allow variables to be forced true or false

25
MinCostSAT
Privilege Variables Cost
Execute code (file server) p2 1000
Execute code (web server) p1 50
Configuration settings Variables Cost
Access to web server c1 100
Active service (web server) c2 100
Active service (file server) c4 50
Vulnerability (file server) c5 20
File access on file server c6 50
NFS table (file server) c7 10
buffer overrun
webServer
NFS shell
Minimal Cost Solution total cost 80 Minimal Cost Solution total cost 80
Allow privileges on web server (p1) 50
Patch vulnerability on file server (c5) 20
Change NFS table settings (c7) 10
Remote exploit
fileServer
26
Scalability Testing
Size Cost func. Num. of variables Num. of clauses Run time (sec)
100 hosts (10 subnets) A 11,853 12,053 0.11
100 hosts (10 subnets) B 11,853 12,053 0.21
250 hosts (25 subnets) A 70,803 72,553 3.03
250 hosts (25 subnets) B 70,803 72,553 6.49
27
Iterative UNSAT Core Elimination
  • UNSAT Core subset of original CNF clauses that
    are unsatisfiable by themselves
  • For unsatisfiable formula ? and UNSAT core
    µ???µ1, µ2,..., µn ? ?, ? will remain
    unsatisfiable while µ?remains unchanged
  • To resolve, a user needs to decide relative
    values of only a few network components

28
Iterative UNSAT Core Elimination
  • Requires no up-front cost assignments,
  • relies on human decisions as needed
  • Further reduce user decisions by keeping
    partial-ordering lattice to store relative
    priorities established by prior decisions
  • When two variables with known ordering appear in
    an UNSAT core, only lower-priority variable is
    presented to user

29
Open Problems
  • How to come up with the numbers?
  • Monetary units?
  • How to estimate the costs?
  • How to capture the difficulty level of attacks?
  • More difficult exploits reduces the risk?
  • Can this be done inline?
  • How about zero-day vulnerabilities?
  • Scalability in production systems.

30
Thats it.
  • Questions?
Write a Comment
User Comments (0)
About PowerShow.com