Master's Thesis Final Presentation, February 24th, 2009
Robert Schuppenies
Automatic Extraction of Vulnerability Information for Attack Graphs
Robert Schuppenies | Master's Thesis Final Presentation | Feb 24th, 2009 2
Preamble
Understanding
Technique
Contribution
Agenda
Vulnerabilities & Attack Graphs
Problem Statement
Vulnerability Information Representation
Vulnerability Information Transformation
Proof of Concept
Conclusion
Vulnerabilities, cont.
Vulnerability: a weakness of a system
Exploit: makes use of a weakness
Mitigation: remedies a weakness
Confidentiality: accessible only to authorized entities 1)
Integrity: modified only by authorized entities 1)
Availability: accessible/usable when needed 1)
Vulnerability Databases (VDBs): entries written by humans for humans
1) NIST: "Engineering principles for information technology security"
Multi-step Attacks
Figure: a multi-step attack path from the Internet through the Intranet to the DB
Attack Graph example
Attack Graphs - Benefits
Describe combinations of attacks
Find the shortest path
Identify pivotal points in a graph
Cost/benefit analysis for network design
Correlate “unrelated” events to identify attacks
Attack Graphs - Workflow
Problem Statement
Attack graph models have:
No automatic extraction of attack pre- and postconditions
Very simple or too complex attack models
Master's Thesis - Objectives
Provide a data structure to link vulnerabilities
Automatic extraction of vulnerability information for attack graphs
Figure: a chain of attacks linked by pre- and postconditions, from state S_initial via attack A to S_sniffed, via attack B to S_DoS, and on via attack C; the postcondition of each attack is the precondition of the next
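The chain on the objectives slide and the benefits listed earlier (shortest path, pivotal points) can be made concrete with a small pre-/postcondition model. The following is an added example and not code from the thesis or its prototype: the rule names, the facts ("access:internet", "account:db_user", ...) and the network they describe are constructed for illustration. Each vulnerability is a rule whose preconditions must hold in the current state and whose postconditions are added to it; a breadth-first search over states yields the shortest attack path, and a fact is pivotal if suppressing it (for example by a mitigation) cuts every path to the goal.

```python
from collections import deque

# Constructed rules: (name, preconditions, postconditions). Modelled on the slide's
# chain S_initial -A-> S_sniffed -B-> S_DoS -C->, plus an alternative route D, E.
RULES = [
    ("A: sniff credentials on the intranet", {"access:internet"}, {"data:sniffed_credentials"}),
    ("B: log in with sniffed credentials", {"data:sniffed_credentials"}, {"account:db_user"}),
    ("C: crash the DB with a crafted request", {"account:db_user"}, {"availability:db_down"}),
    ("D: compromise the web server", {"access:internet"}, {"program:webshell"}),
    ("E: pivot from the web server to the DB", {"program:webshell"}, {"account:db_user"}),
]

INITIAL = {"access:internet"}          # attacker's starting knowledge (constructed)
GOAL = "availability:db_down"          # the postcondition the defender cares about


def reachable_facts(rules, initial):
    """Least fixpoint: every fact some chain of rules can establish from `initial`."""
    facts = set(initial)
    changed = True
    while changed:
        changed = False
        for _name, pre, post in rules:
            if pre <= facts and not post <= facts:
                facts |= post
                changed = True
    return facts


def shortest_path(rules, initial, goal):
    """BFS over states (sets of facts); returns the rule names of a shortest path,
    [] if the goal already holds, or None if it is unreachable."""
    start = frozenset(initial)
    if goal in start:
        return []
    queue = deque([(start, [])])
    seen = {start}
    while queue:
        facts, path = queue.popleft()
        for name, pre, post in rules:
            if pre <= facts and not post <= facts:
                nxt = frozenset(facts | post)
                if nxt in seen:
                    continue
                if goal in nxt:
                    return path + [name]
                seen.add(nxt)
                queue.append((nxt, path + [name]))
    return None


def pivotal_facts(rules, initial, goal):
    """Facts that every attack path needs: removing one (i.e. no rule may
    establish it any more) makes the goal unreachable. Good mitigation targets."""
    pivots = []
    candidates = reachable_facts(rules, initial) - set(initial) - {goal}
    for fact in sorted(candidates):
        trimmed = [(n, pre, post - {fact}) for n, pre, post in rules]
        if goal not in reachable_facts(trimmed, initial):
            pivots.append(fact)
    return pivots


if __name__ == "__main__":
    print("shortest path:", shortest_path(RULES, INITIAL, GOAL))
    print("pivotal facts:", pivotal_facts(RULES, INITIAL, GOAL))
```

With the constructed rules there are two three-step routes to the goal, so the shortest path has length 3, and the only pivotal fact is "account:db_user": the sniffed credentials are not pivotal because the web-server route bypasses them.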
Attack Graphs - Workflow
Master's Thesis - Steps
1. Propose data structure
2. Investigate & Extract available VDB information
3. Implement prototype
4. Proof concept with existing attack graph tool
Data Structure – System Properties
Data Structure – Influence Properties
Data Structure – Conceptual View
property: program, account, data, ...
Attack Graphs - Workflow
Agenda
Vulnerabilities & Attack Graphs
Problem Statement
Vulnerability Information Representation
Vulnerability Information Transformation
Proof of Concept
Conclusion
Provided Information by VDBs
Databases compared: X-Force, US-CERT, D.Soft, S.Focus, Secunia, Securit., CoopVDB, DoE-CIRC, NVD, OSVDB
Attributes surveyed (the original table marks with an x which database provides which attribute; those per-database marks did not survive extraction): vendor-specific ID, CVE reference, title, description, range, OS, software, CVSS, critical, impact, authentication, class, access complexity, references, format 2), exploit, solution status, solution, release date, last update, popularity
Format 2) row, in the column order above: H | H | H | H | H | H | H | H, X | C, H, M, S, X | H
Considered Formats
HTML: not standardized syntax and semantics
Common Vulnerability Scoring System (CVSS): Base Metrics, Temporal Metrics, Environmental Metrics; standardized syntax and semantics
Open Vulnerability and Assessment Language (OVAL): system configuration descriptions; standardized syntax only
Text Parsing: no standard, but surprisingly uniform
Text Parsing
Vulnerability attributes contained in textual descriptions:
Identify attributes based on context
Comparison based on CVSS entries
Example description: “The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta allows remote attackers to execute arbitrary code via a crafted RPC request that triggers the overflow during path canonicalization, as exploited in the wild by Gimmiv.A in October 2008, aka "Server Service Vulnerability."”
Text Parsing, cont.
Chart: Extraction from Descriptions. Percentage of attributes correctly identified (correct vs. incorrect, 0% to 100%) for Range, Confidentiality, Integrity and Availability.
Assumptions applied:
range: assume remote range if not specified
CIA: ignore cross-site scripting entries
Text Parsing, cont.
Chart: Extraction from Descriptions. Percentage of attributes correctly identified (correct vs. incorrect, 0% to 100%) for Range, Confidentiality, Integrity and Availability.
Chart: Extraction from Descriptions (with assumptions). The same four attributes after applying the assumptions below.
range: assume remote range if not specified
CIA: ignore cross-site scripting entries
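The two text-parsing slides describe extracting range and CIA impact from a description by context, comparing the result against the CVSS entry, and applying two assumptions (default to remote range; skip cross-site scripting entries). The following is an added example and not the thesis prototype's code: the keyword heuristics are my own simplification, the sample entries are constructed (the first description is the Server Service text quoted on the slide, the others are invented), and every CVSS v2 base vector is an assumed reference value, not one taken from any database. The evaluation reports correct/incorrect counts per attribute, which is what the charts plot.

```python
import re

# Constructed sample VDB entries; the CVSS vectors are assumed reference values.
SAMPLE_ENTRIES = [
    {"description": ("The Server service in Microsoft Windows 2000 SP4, XP SP2 and SP3, "
                     "Server 2003 SP1 and SP2, Vista Gold and SP1, Server 2008, and 7 Pre-Beta "
                     "allows remote attackers to execute arbitrary code via a crafted RPC "
                     "request that triggers the overflow during path canonicalization, as "
                     "exploited in the wild by Gimmiv.A in October 2008, aka \"Server Service "
                     "Vulnerability.\""),
     "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"description": "Buffer overflow in the foo daemon allows local users to cause a denial "
                    "of service (crash) via a long argument.",
     "cvss": "AV:L/AC:L/Au:N/C:N/I:N/A:P"},
    {"description": "The bar module allows remote attackers to obtain sensitive information "
                    "via a crafted request.",
     "cvss": "AV:N/AC:L/Au:N/C:P/I:N/A:N"},
    {"description": "Cross-site scripting (XSS) vulnerability in baz allows remote attackers "
                    "to inject arbitrary web script via the q parameter.",
     "cvss": "AV:N/AC:M/Au:N/C:N/I:P/A:N"},
    {"description": "Directory traversal in qux allows attackers to overwrite arbitrary files "
                    "via .. sequences.",
     "cvss": "AV:N/AC:L/Au:N/C:N/I:P/A:N"},
    {"description": "The quux service allows remote attackers to cause a denial of service "
                    "(memory consumption) and possibly execute arbitrary code via a crafted packet.",
     "cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
]

ATTRIBUTES = ("range", "confidentiality", "integrity", "availability")


def parse_cvss_base(vector):
    """Map a CVSS v2 base vector onto the attribute set the text extractor produces."""
    fields = dict(part.split(":") for part in vector.split("/"))
    return {
        "range": "local" if fields["AV"] == "L" else "remote",   # A and N both count as remote
        "confidentiality": fields["C"] != "N",
        "integrity": fields["I"] != "N",
        "availability": fields["A"] != "N",
    }


def extract_attributes(description):
    """Context-keyword extraction (simplified heuristics, assumed for this example).
    Returns None for cross-site scripting entries, per the slide's CIA assumption."""
    text = description.lower()
    if re.search(r"cross-site scripting|\bxss\b", text):
        return None
    # Range assumption from the slide: remote unless the text says local.
    rng = "local" if re.search(r"\blocal (users|attackers)\b", text) else "remote"
    attrs = {"range": rng, "confidentiality": False, "integrity": False, "availability": False}
    if "execute arbitrary" in text:               # code execution: full CIA impact
        attrs.update(confidentiality=True, integrity=True, availability=True)
    if "denial of service" in text:
        attrs["availability"] = True
    if re.search(r"obtain sensitive information|read arbitrary", text):
        attrs["confidentiality"] = True
    if re.search(r"\b(modify|overwrite|inject)\b", text):
        attrs["integrity"] = True
    return attrs


def evaluate(entries):
    """Per-attribute correct/incorrect counts of the extractor against the CVSS entry."""
    counts = {attr: {"correct": 0, "incorrect": 0} for attr in ATTRIBUTES}
    for entry in entries:
        found = extract_attributes(entry["description"])
        if found is None:                          # ignored entry, not counted
            continue
        truth = parse_cvss_base(entry["cvss"])
        for attr in ATTRIBUTES:
            key = "correct" if found[attr] == truth[attr] else "incorrect"
            counts[attr][key] += 1
    return counts


if __name__ == "__main__":
    for attr, c in evaluate(SAMPLE_ENTRIES).items():
        total = c["correct"] + c["incorrect"]
        print(f"{attr:16s} {100 * c['correct'] / total:5.1f}% correct ({c})")
```

On the constructed entries the XSS entry is skipped, range is right for all five remaining entries (including the one that never names a range and falls back to remote), and the only misses come from the last entry, where "possibly execute arbitrary code" makes the heuristic claim confidentiality and integrity impact that the reference vector does not record. That kind of hedged wording is exactly why comparison against CVSS entries is needed to measure the extractor.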
Attack Graphs - Workflow
Proof Of Concept - Design
Proof Of Concept – A Web-Frontend
Demonstration with MulVAL
Contributions
Common data structure for vulnerability information representation
Analysis of vulnerability databases
Automation of vulnerability database transformation
Automatic transformation of textual vulnerability descriptions
Future Work
Implement adapters for other Attack Graph tools
Research new possibilities for attack graph (AG) generation based on the extended information
Apply data structure to other information types
Implement adapters to auto-generate NVD/OVAL/CVSS entries
Research semantics of vulnerability descriptions
Questions
Master's Thesis Final Presentation, February 24th, 2009
Robert Schuppenies
Automatic Vulnerability Extraction for Attack Graphs