Vulnerability%20Analysis%20Using%20Attack%20Graphs

1
Vulnerability Analysis Using Attack Graphs
Jeannette M. Wing School of Computer
ScienceCarnegie Mellon UniversityPittsburgh, PA
USA

• joint work with Somesh Jha (Wisconsin) and Oleg
  Sheyner (CMU)

2
Network of Networks
MIT
Microsoft
Office of Homeland Security
Carnegie Mellon
3
Example of Attack Graph Developed by a
Professional Red Team
Drawn By Hand

• Sandia Red Team White Board attack tree from
  DARPA CC20008 Information battle space
  preparation experiment

Sandia Red Team White Board attack graph from
DARPA CC20008 Information battle space
preparation experiment
4
Vulnerability Analysis by System Administrators

• Information-gathering
• What attacks is my system vulnerable to?
• Is a different configuration of my system less
  attackable?
• What is the likelihood of this attack?
• Is this on-going attack similar to any of the
  known attacks?
• Decision-making
• If I put this set of security measures in place,
  what attacks can I prevent?
• Given the likelihood of certain attacks,
  deploying which measures will increase the
  security of my system?
• What is the most cost-effective set of measures I
  should deploy, to increase the security of my
  system?

5
Problem Statement

• Problem Generating attack graphs by hand is
  tedious, error-prone, and impractical for large
  systems.
• Our Goal Automate the generation and analysis of
  attack graphs.
• Generation
• Must be fast and completely automatic
• Must handle large, realistic examples
• Should guarantee properties of attack graphs
• Analysis
• Must enable further security analysis by system
  administrators
• Should support incremental, partial specification

6
Overview of Our Method
Query What is the cost benefit of deploying this
security measure?
7
Why Model Checking?

• Pragmatic reasons
• Off-the-shelf technology
• Major verification success story
• Technical reasons
• Fast, automatic
• Large state spaces
• Handles safety and liveness properties
• Generates counterexamples

8
Model Checking Primer
Finite State Machine model M
Temporal Logicproperty F
F AG p
AF p, EG p, EF p
Model Checker
9
Counterexample Attack
F ? AG p
single counterexample violation of F
path by which intruder succeeds
attack
10
Definition of Attack Graph

• Given
• a finite state model, M, of network
• a security property ?
• An attack is an execution of M that violates ?.
• An attack graph is a set of attacks of M.

11
Properties of Attack Graphs

• Exhaustive
• All possible attacks are represented in G.
• Succinct
• Only relevant states are contained in G.
• Only relevant transitions are contained in G.
• The next two algorithms satisfy these properties.

12
Symbolic-State Attack Graph Generation Algorithm

• Inputs
• M ltS, S0 ? S, R ? S X Sgt
• F AG (unsafe) (a safety property in CTL)
• Output
• Attack graph G (Sunsafe, S0F, RF )
• Algorithm
• Sunsafe modelCheck(S, S0, R, F)
• ( Use an iterative algorithm derived from the
  fixpoint characterization of AG operator. )
• S0F S0 ? Sunsafe
• RF R ? (Sunsafe X Sunsafe)

13
Explicit-State Attack Graph Generation Algorithm

• Inputs
• M
• F LTL property (safety or liveness)
• Algorithm
• Interpret both network model M and security
  property F as Buchi automata.
• M and F induce languages L(M ) and L(F).
• Compute L(M )\L(F) executions of M that violate
  F.
• Construct M ? F by computing intersection of
  Buchi automata.

Output - Attack graph G s.t. L(G) L(M ?
?)
14
Performance Charts
Symbolic-state algorithm
Explicit-state algorithm
15
Performance
Linear Regression R2 0.9967
16
An Illustrative Example
17
Modeling a Network and Intruder

• Set of hosts H
• running services
• CVE vulnerabilities
• trust relationships
• misc. configuration
• Set of networks N
• each network n ? N is a subset of H
• packet filter between each pair of networks n1,
  n2
• Intrusion detection systems
• placement P ? N ? N
• detectability per action

• Intruder
• store of knowledge
• privileges on each host
• Set of actions A
• preconditions
• postconditions

18
Example Attack Graph
? G (intruder.privilege(Linux) lt root)
LICQ remote- to-user CVE-2001-0439
Local buffer overflow CVE-2002-0004
Done!
19
Overview of Our Method
20
Minimization Analysis

• Scenario The system analyst must decide
• among several different firewall configurations,
  or
• among several vulnerabilities to patch, or
• among several intrusion detection systems to set
  up,
• each of which prevents different subsets of
  actions.
• What should he do?
• Problem Question (Minimum Critical Set of
  Actions) What is a minimum set of actions that
  must be prevented to guarantee the intruder
  cannot achieve his goal?
• Solution (Sketch)
• Reduce MCSA to Minimum Hitting Set (MHS) Problem
  JSW02.
• Reduce MHS to Minimum Set Covering (MSC) Problem
  ADG80.
• Use textbook Greedy Approximation Algorithm to
  approximate solution CLR85.

21
Minimum Critical Set of Actions
A the set of actions available to the intruder
Def 1 A set of actions C is critical if the
intruder cannot achieve his goal using only
actions in A \ C.
Def 2 A set of actions C is realizable if the
intruder can achieve his goal using only actions
in C.
Def 3 A critical set of actions C is minimum if
there is no critical action set of smaller size.
Minimum Critical Set of Actions (MCSA) Given a
set of actions A and an attack graph G, find a
minimum critical action subset C ? A
Finding a minimum set NP-complete
22
Reduction to Minimum Hitting Set Problem
Minimum Hitting Set (MHS) Given a collection C
of subsets of a finite set S, find a minimum
subset S ? S such that each subset in C contains
at least one element from S.
MCSA and MHS are polynomially-equivalent.
MHS Collection of subsets C
MCSA Collection of realizable sets of actions
JSW02b Jha, Sheyner, Wing, Two Formal Analyses
of Attack Graphs, Computer Security Foundations
Workshop, Nova Scotia, June 2002.
23
Sketch of Reduction from MCSA to MHS
A
B
C
D
E
F
G
H
I
24
Reduction of MHS to Minimum Set Covering
Minimum Set-Covering (MSC) Given a collection C
of subsets of a finite set S that covers S, find
a minimum sub-collection C ? C that covers S.
MHS and MSC are polynomially-equivalent ADP80.
Use textbook Greedy Approximation Algorithm for
MSC CLR85, p. 975.
25
LICQ Coverage
? G (intruder.privilege(Linux) lt root)
26
Other Minimization Analyses JSW02b, S04

• Scenario The system analyst has a set of
  measures, each of which prohibits a subset of
  actions.
• E.g., M packet filter firewall, application
  firewall, smart cards, one-time passwords,
  authentication policy servers, VPNs, anti-virus
  software, email filters, database encryption,
  host-based IDS, net-based IDS, network monitors,
  auditing, key stroke replicator, log analysis,
  forensic software, hardened O/S
• Problem Question 1 If he deploys all measures,
  does the system become safe? JSW02b
• Solution Approach (Naïve) Remove all edges from
  graph that are covered by the measures.
  Reachability analysis is linear time in size of
  graph.
• Problem Question 2 What is the smallest subset
  of measures he can deploy to make the system
  safe? S04
• Solution Approach Greedy algorithm with provable
  bounds. General case is NP-complete (slightly
  more complex than minimum cover problem).

27
Overview of Our Method
28
Reliability Analysis

• Scenario The system analyst must decide between
  installing a network-based IDS between host 1 and
  host 2 or a host-based IDS on host 2. Which
  increases the likelihood that he will detect an
  intruder?
• Problem Question What is the probability of the
  intruder succeeding? I.e., what is the
  worst-case probability of reaching an unsafe
  state?
• Solution Approach
• Annotate attack graph with probabilities.
• Interpret annotated attack graph as a Markov
  Decision Process.
• Run the standard MDP value iteration algorithm to
  compute the optimal policy that results in
  maximum benefit/minimum cost for system analyst
  (decision maker).

29
Status of Tool Suite
Network Configuration Data
Attack Graph Generators
Attack Graph Analyzers
30
XML Specification of a Host
lthost namelin" ip"192.168.0.4"
network"internal"gt ltservicesgt ltSquid/gt
ltLICQ/gt ltdatabase/gt lt/servicesgt
ltconnectivitygt ltremote id"ferrari"gt ltW3SVC/gt
lt/remotegt ltremote id"smilla"gt ltftp/gt ltsshd/gt
lt/remotegt lt/connectivitygt ltcvegt
ltCVE_2002_0004/gt ltCVE_2001_1030/gt
ltCVE_2001_0439/gt lt/cvegt lt/hostgt
31
XML Specification of an Action
ltaction namelicq_r2u" cve1CVE-2001-0439"gt
ltlocal_preconditionsgt ltprivilege
hostsource relgte valueuser/gt
ltprivilege hosttarget releq valuenone/gt
ltknowledge namescan valueTRUE/gt
lt/local_preconditionsgt ltglobal_preconditionsgt
ltservice hosttarget nameLICQ/gt
ltconnectivity fromsource serviceLICQ/gt
lt/global_preconditionsgt ltlocal_effectsgt
ltprivilege hosttarget valueuser/gt
lt/local_effectsgt ltglobal_effectsgt
ltdetectable modeyes/gt lt/global_effectsgt lt/ac
tiongt
32
Information Sources

• MITRE Corp. Outpost
• Host identification
• Vulnerabilities
• Services
• Lockheed ATL Next Generation Infrastructure
  (ANGI)
• Network topology
• Connectivity
• Nessus vulnerability scan info

lthost namelin ipOutpostgt ltservices
sourceNessusgt ltconnectivity sourceANGIgt
ltcve sourceOutpostgt lt/hostgt
33
Related Work

• Philips and Swiler 1998
• Tool constructs attack graph by forward
  exploration starting from initial state. Also
  based on model checking.
• Our backward algorithm saves space
  (vulnerabilities not relevant are not explored)
  and can handle liveness properties.
• Models only attacks
• Our modeling framework can handle arbitrary state
  transitions (actions), not just actions.
• Dacier 1994, Orlato et al. 1999
• Privilege graphs nodes sets of user
  privileges, edges vulnerabilities. Explore
  privilege graphs to construct attack graphs.
• Defines a metric, Mean-Effort-To-Failure, based
  on attack graphs.
• Ritchey and Ammann 2001
• Also use model checking. Produces only one
  counter-example (attack).
• No post-facto analysis.

34
Limitations gt Current and Future Work

• Input to graph generation
• Need a library of specifications of actions (with
  CMU students)
• CERT advisories, MSR security bulletins,
  Symantec,
• Ontology for vulnerabilities and exploits
• Discover new attacks
• More analyses
• Reduction of attack surface
• Which configuration of my system is less
  attackable?
• Ongoing with Jon Pincus at MSR/Redmond and CMU
  students
• Cost-benefit analysis
• Exploit MDP theory further

35
Recent References

• JSW02a Jha, Sheyner, and Wing, Minimization
  and Reliability Analyses of Attack Graphs,
  Carnegie Mellon technical report, CMU-CS-02-109,
  February 2002.
• JSW02b Jha, Sheyner, Wing, Two Formal Analyses
  of Attack Graphs, Computer Security Foundations
  Workshop, Nova Scotia, June 2002.
• SHJ02 Sheyner, Haines, Jha, Lippmann, and
  Wing, Automated Generation and Analysis of
  Attack Graphs, IEEE Symposium on Security and
  Privacy, May 2002.