Embed Size (px)
Citation preview
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0
Vulnerability Take Grant (VTG): An efficient approachto analyze network vulnerabilities
Hamid Reza Shahriari*, Rasool Jalili
Network Security Center, Department of Computer Engineering, Sharif University of Technology, Azadi Avenue, Tehran, Iran
a r t i c l e i n f o
Article history:
Received 27 February 2006
Accepted 9 March 2007
Keywords:
Network security
Access control
Vulnerability
Vulnerability analysis
Safety problem
Vulnerability Take-Grant model
Multiphase attack analysis
a b s t r a c t
Modeling and analyzing information system vulnerabilities help predict possible attacks to
computer networks using vulnerabilities information and the network configuration. In
this paper, we propose a comprehensive approach to analyze network vulnerabilities in
order to answer the safety problem focusing on vulnerabilities. The approach which is called
Vulnerability Take Grant (VTG) is a graph-based model consists of subject/objects as nodes
and rights/relations as edges to represent the system protection state. Each node may have
properties including single vulnerabilities such as buffer overflow. We use the new concept
of vulnerability rewriting rule to specify the requirements and consequences of exploiting
vulnerabilities. Analysis of the model is achieved using our bounded polynomial algorithm,
which generates the most permissive graph in order to verify whether a subject can obtain
an access right over an object. The algorithm also finds the likely attack scenarios. Appli-
cability of the approach is investigated by modeling widespread vulnerabilities in their
general patterns. A real network is modeled as a case study in order to examine how an
attacker can gain unauthorized access via exploiting the chain of vulnerabilities. Our expe-
rience shows the efficiency, applicability, and expressiveness in modeling a broader range
of vulnerabilities in our approach in comparison to the previous approaches.
ª 2007 Elsevier Ltd. All rights reserved.
ava i lab le at www.sc ienced i rec t . com
journa l homepage : www.e lsev ie r . com/ loca te /cose
1. Introduction
The goal of vulnerability analysis in computer and network
systems is to analyze vulnerabilities’ dependencies to find
the attack scenarios before malicious attackers find them.
Currently, several tools exist which analyze the single host
vulnerabilities in isolation. However, protecting networks
against attacks requires considering all network vulnerabil-
ities; vulnerabilities inter-dependencies; and the dependency
among services.
Considering individually, a service may provide an accept-
able level of security, but a combination of such services may
lead to subtle attack scenarios. For example, the file transfer
protocol (ftp) and the hypertext transfer protocol (http),
provided simultaneously in the same host, may permit an at-
tacker to write into a web directory using ftp. This causes the
web server to execute a program written by the attacker. Ac-
cordingly, a comprehensive analysis of network vulnerabil-
ities needs consideration of individual hosts as well as their
relationships.
The complexity of analyzing network vulnerabilities in-
creases extremely as the number of hosts and services in-
creases. Manual handling of such complexity is very difficult
or even impossible in the case of current enormous networks.
Accordingly, automated approaches are necessary for vulner-
ability analysis.
Our vulnerability analysis problem is to determine whether
an attacker can obtain unauthorized access to a particular
* Corresponding author. Tel.: þ98 21 66164020.E-mail addresses: [email protected] (H.R. Shahriari), [email protected] (R. Jalili).
0167-4048/$ – see front matter ª 2007 Elsevier Ltd. All rights reserved.doi:10.1016/j.cose.2007.03.002
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0350
resource. This is a specific form of the safety problem, which
asks ‘‘Given an initial configuration of a protection system,
can a subject s obtain some access right r over an object o?’’
(Shapiro, 2003). In other words, we focus on determining
whether a set of known vulnerabilities allows a given subject
to acquire some specific set of rights over an object represent-
ing a resource.
Based on the authors’ knowledge, the previous literature
has not explored the safety problem focusing on vulnerabil-
ities. Approaches proposed in Zerkle and Levitt (1996), Dacier
and Deswarte (1994), Ritchey and Ammann (2001), Ramak-
rishnan and Sekar (2002), Shahriari and Jalili (2004), Noel
et al. (2003, 2004), and Noel and Jajodia (2004) analyze network
vulnerabilities from the point of view of the relations among
individual hosts and network configurations. These ap-
proaches mainly use model checking and graph-based tech-
niques to generate and analyze an attack graph; the task has
been done in exponential time. In Ammann et al. (2002) and
Noel et al. (2003), polynomial time approaches have been sug-
gested for the same problem without any specific upper bound
on polynomial degree.
In this paper, we propose a new access control based model
to address the concept of vulnerabilities and their effects on
the system protection state. The model has been motivated
from the Take-Grant protection model; a graph-based access
control model, where subjects and objects are considered as
nodes of a graph, and access rights as well as administrative
rights (Take and Grant) are considered as the edges (Jones
et al., 1976). We also propose a framework to model vulnera-
bilities based on their pre-conditions and post-conditions as
well as an algorithm to analyze the model with bounded poly-
nomial time in the size of the protection system graph. The
proposed algorithm can generate possible attack scenarios.
The applicability of the framework has been shown through
real examples of vulnerabilities. The examples cover a general
form of widespread vulnerabilities such as buffer-overflow
and cross-site scripting.
The remainder of this paper is organized as follows. In Sec-
tion 2, we review previous works on the Take-Grant protection
model and network vulnerability analysis. The outline of our
proposed approach has been presented in Section 3. The detail
of our approach has been presented in Section 4. Section 5 dis-
cusses the applicability of the approach through modeling
broad types of vulnerabilities and their rewriting rules. Sec-
tion 6 presents an algorithm to analyze the model in order
to answer the safety problem considering vulnerabilities. Sec-
tion 7 provides a real case study. The conclusion and future
works have been presented in Section 8.
2. Related work
The Take-Grant protection model was first developed by Jones
et al. (1976) where the safety problem could be solved in linear
time. They provided the necessary and sufficient conditions
under which rights and information could be transferred be-
tween two entities of the protection system and a linear
time algorithm to test those conditions. Applications of the
Take-Grant model to various systems have been explored
separately (Bishop, 1981, 1996; Jones, 1978; Snyder, 1977;
Wu, 1981; Frank and Bishop, 1996). Extending the initial
Take-Grant model also has been experienced by Frank and
Bishop (1996). They proposed a method of extending the
Take-Grant model to add the notion of information or right
flow cost and to find the most likely path. In nearly all previous
works, in addition to decidability, time complexity of the deci-
sion algorithm has been emphasized. Linear time complexity
of the Take-Grant model for safety problem has made it more
attractive than other formal access control models.
Based on the authors’ knowledge, the Take-Grant protec-
tion model has not been used for host or network vulnerability
analysis so far.1 Previous approaches to network vulnerability
analysis mainly focused on model checking and graph-based
techniques whose time complexity was either exponential or
polynomial. Such approaches mainly depend on some off-
the-shelf tools for scanning individual host vulnerabilities.
Vulnerability scanner tools such as System Scanner (Internet
Security Systems) scan hosts to discover vulnerabilities in the
configuration. However, they do not investigate how a combi-
nation of configurations on the same host or among hosts on
the same network can contribute to the vulnerabilities.
The NetKuang system tries to assess beyond host vulnera-
bilities. It is an extension to a previous work on building a rule-
based expert system, namely Kuang (Zerkle and Levitt, 1996).
NetKuang extends the Kuang’s rule-set to include certain
UNIX network security issues, which are undetectable when
analyzing a single host. NetKuang uses a backtrack search al-
gorithm to identify vulnerabilities.
Dacier proposed the concept of privilege graphs. Privilege
graphs are explored to construct an attack state graph, which
represents different ways in which an intruder may reach
a certain goal, such as root access on a host (Dacier and
Deswarte, 1994).
Ritchey and Ammann (2001) used model checking for vul-
nerability analysis of networks via the model checker SMV.
They could obtain only one attack corresponding to an unsafe
state. The experiment was restricted to only specific vulnera-
bilities. However, the model checking approach has been used
in some other researches to analyze network vulnerabilities
(Sheyner et al., 2002; Jha et al., 2002). The model checking
has the scalability problem which some researchers tried to
overcome (Jajodia et al., 2003). Ramakrishnan and Sekar
(2002) used a model checker to analyze a single host system
with respect to combinations of unknown vulnerabilities.
The key issue in their research was checking infinite space
model using model abstraction. Swiler et al. (2001) presented
a method for generating attack graphs by forward exploration.
In (Shahriari and Jalili, 2004), CSP was used to model and
analyze TCP protocol vulnerabilities. In this approach, the
model checker FDR2 was used to verify some simple security
properties and find attack scenarios. CSP has been used widely
in modeling and analyzing security protocols (Ryan and
Schneider, 2001) and verifying intrusion detection systems
(Rohrmair and Lowe, 2003).
Noel et al. presented TVA in Jajodia et al. (2003), Noel et al.
(2003) and investigated it more in Noel et al. (2004) and Noel
and Jajodia (2004). In their approach, exploits are modeled as
1 Bishop has modeled security breach of SETUID programs inUNIX operating system in his Ph.D. thesis (Bishop, 1984).
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0 351
pre/post-conditions and a specific tool has been used to con-
struct the attack graph. Encoding each exploit individually
resulted in a large and complex model.
Logic-based approaches have been considered in Shahriari
and Jalili (2005) and Ou et al. (2005). The more recent approach
named MulVal (Ou et al., 2005) adopts Datalog (which is a sub-
set of Prolog) as the modeling language of elements in the
analysis. The reasoning engine consists of a collection of
Datalog rules capturing the operating system behavior and
the interactions of various components in the network. The
main problem of MulVal is using a backward search algorithm
for determining whether goals can be achieved from the initial
state. In this kind of reasoning, users always need to define
some goal and then the reasoner will check whether the
goal is satisfiable or not.
In our approach, which is based on the access control
model, vulnerabilities of the same type are modeled in a gen-
eral pattern. For example, all buffer overflow vulnerabilities
are treated similarly and encoded in a single model. It reduces
the size of the model and cost of analysis. Accordingly, we
propose an efficient algorithm to analyze the vulnerabilities
in a bounded polynomial time based on the size of protection
graph.
3. Outline of the approach
The proposed approach is composed of three steps. In the first
step, the network configuration and known vulnerabilities are
collected. In the second step, the gathered information is used
to construct the initial model. The last step involves analyzing
the model to capture all the ways through which the rights
can be transferred. Fig. 1 depicts the schematic outline of
our approach.
To construct the model, we need to know the current host
and network configuration of rights, and the set of host and
network vulnerabilities. The former can be derived by exam-
ining the system and network. Many of the latter can be
determined using vulnerabilities databases and host and net-
work analysis tools. The OVAL scanner is a tool developed
based on the Open Vulnerability Assessment Language
(OVAL) (Wojcik et al., 2003), an XML-based language which is
used to formally describe the host configuration vulnerabil-
ities and the required tests to detect them. This standard
has been proposed by MITRE Corporation on which some ma-
jor operating system vendors have reached consensus. As of
writing this paper, the OVAL definitions for Windows, Redhat
Linux, and Sun Solaris operating systems vulnerabilities are
available. The Nessus vulnerability scanner is a powerful
tool which utilizes the NASL language to find the vulnerabil-
ities of network services remotely (Derasion, 2000). The net-
work topology can be captured using several tools, such as
Cheops-ng.
The initial model of the network, called VTG, will be con-
structed based on the vulnerabilities of the hosts and services,
current configuration of rights, and network topology pro-
vided automatically by the abovementioned tools. At the
core of our model are Vulnerability Rewriting Rules, which spec-
ify how exploiting vulnerabilities changes the system protec-
tion state and represents the requirements and consequences
of exploiting a vulnerability. The Analysis engine takes the ini-
tial model and a database of vulnerability rewriting rules as
input and generates transitive closure of accesses in which
all the achievable access rights have been captured. Having
the closured model, checking for unauthorized acquired
rights based on the security policy will be straightforward. In
case of security policy violation, generating the related attack
scenario is also possible through our approach.
4. Vulnerability Take-Grant model
In this section we present the generalized Vulnerability Take-
Grant model. Our approach is based on extending the initial
take-grant model. Some definitions are provided first and
the formal model is presented later on.
Host 1
OVALScanner
OVALScanner
VTG Model
NetworkConfiguration
AnalysisEngine
VulnerabilityRewriting Rules
Database
Checking forViolation
ModelingNetwork
Nessus Scanner
Closure
SecurityPolicy
AttackScenario
Secure
Information Gathering Modeling Analyzing
Host n
Fig. 1 – The outline of the approach.
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0352
4.1. Basic definitions
Definition 1. The computing system can be defined as the
state machine SYS ¼ ðS; S0; s;SA;SUÞ, where S is the set of all
states, S04S is the set of initial states, s4S� S is the set
of state transitions and SA4S and SU4S represent the set of
authorized and unauthorized states, respectively.
The authorized and unauthorized states are specified by
the system security policy. Any security policy should satisfy
some consistency constraints. As an example, each policy
should disjointly partition the system states, i.e. SAWSU ¼ S;
SAXSU ¼ f, and it should be a surjective function. Specifica-
tion of the security policy and its constraints are beyond the
scope of this paper.
Bishop and Bailey (1996) provided a definition for vulnerable
state:
‘‘A vulnerable state is an authorized state from which an
unauthorized state can be reached using authorized state
transitions.’’
In the definition, not only states but also transitions are
classified into authorized and unauthorized ones. We can
simplify this definition by excluding transitions as the
authorized/unauthorized state transitions depend on the
current state of the system. If the transition is unauthorized,
the system is in a (presumably) disallowed state in which
a prohibited action may be taken or would transition to an un-
authorized state, and hence the system is in an unauthorized
state.
Accordingly, a vulnerable state can be defined as follows:
Definition 2. The state s is vulnerable if it is an authorized state
ðs0˛SAÞ and there is an unauthorized state s0ðs0˛SUÞ and transi-
tions s1; s2;.; sk such that s /s1
/ /sk
s0.
Accordingly, vulnerability is defined as characteristics of
a vulnerable state that distinguishes it from all non-vulnera-
ble states.
4.2. The model
In this section, we define the core of our model to analyze vul-
nerabilities. Exploiting most vulnerabilities leads to a change
in access rights of entities in the system protection state.
This requires some conditions to be met, such as having ac-
cess to a server or running a special version of a service on
the server. In other words, the system must be in a vulnerable
state to provide opportunity for the attacker to exploit the vul-
nerability and change the protection state of the system. For
example, the attacker may acquire root access on the running
server, or may stop a service. The new state may also enable
the attacker to make subsequent state transitions leading to
an unauthorized state.
A general model should allow us to represent the precondi-
tions and postconditions of all types of vulnerabilities in it. As
stated earlier, exploiting most vulnerabilities involve the at-
tacker having some access rights over entities of the system
which in turn leads to acquiring additional access rights. But
not all of the vulnerabilities are of the form ‘‘Requires some
rights/Provides some other rights’’. For example, consider
the Ethernet LAN vulnerability that an attacker may sniff the
transmitted data. To exploit this vulnerability, the attacker
and the victim must be connected to the same LAN. The enti-
ties have no right over each other in the latter case. Therefore,
we need a general type of relationship to address them. More-
over, there are a large number of vulnerabilities that require
certain properties to be present for the individual entities.
For example, running Apache server 1.3.12 is a precondition
of the vulnerability CVE-2000-0868 (Mitre Corporation).
Therefore, we should address three general categories of
the preconditions:
� The set of rights of entities over other entities (E ),
� The set of general relations between entities (Er) (i.e. any
relationships between entities other than access rights),
� The set of attributes of individual entities (Aa).
The notions R and r are used for set of access rights and
general relationships, respectively. Other notations are de-
fined more formally as follows:
Definition 3. The set E is the set of tuples ðu;v;SÞju;v˛V;f S4Rgin which the vertex u has some set of rights (S ) over vertex v.
Definition 4. The set Er is the set of tuples ðu; v; LÞju;v˛V;fL4rg in which the vertex u has some set of relationships (L)
with vertex v.
Our proposed model, which is called Vulnerability Take-
Grant (VTG), is a graph based model and is defined as
follows:
Definition 5. The Vulnerability Take-Grant (VTG) model is de-
fined as a tuple VTG ¼ ðV;E;Er;AaÞ, where V is the set of
vertices representing entities, E is the set of rights the
source vertex has over the destination vertex, Er is the
set of relationships between vertices, and Aa : V/2a is
a function associating the attributes to each entity, where
a is the set of all possible attributes of vertices including
vulnerabilities.
It is worth noting that, although we have changed the ini-
tial Take-Grant protection model, its original rewriting rules
are just applicable to the rights (the set R). In other words,
the set of relations between entities is not changed by the orig-
inal rewriting rules.
4.3. Rewriting rules
As the system executes operations and users interact with the
system, the state of the protection system changes. The initial
Take-Grant model has offered four rewriting rules as the exe-
cutable operations: take, grant, create, and remove rules. As we
have extended the initial Take-Grant model, we review the
take and grant rules (t and g stands for special rights take and
grant, respectively):
1. Take rule: Let x, y, and z be three distinct vertices in a pro-
tection graph G0 and let x be a subject. Also let there be an
edge from x to y labeled g with t˛g and g4R, an edge from y
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0 353
to z labeled b, and a4b4R. Then the take rule defines a new
graph G1 by adding an edge to the protection graph from x
to z labeled a. Fig. 2a shows the take rule graphically.
2. Grant rule: Let x, y, and z be three distinct vertices in a pro-
tection graph G0 and let x be a subject. Also, let there be an
edge from x to y labeled g with g˛g and g4R, an edge from x
to z labeled b, and a4b4R. Then the grant rule defines
a new graph G1 by adding an edge to the protection graph
from y to z labeled a. Fig. 2b shows the grant rule
graphically.
Exploiting vulnerabilities changes the system protection
state. However, there is no rewriting rule to address exploiting
the vulnerabilities. We address these changes through vulner-
ability rewriting rules. Each vulnerability rewriting rule checks
the model for presence of the preconditions of a vulnerability
and applies its postconditions to the model.
We make an assumption which seems to be realistic when
we are dealing with vulnerabilities in the real world. Each ex-
ploit involves only one active entity as an attacker, which acts
to gain extra access rights. We call this entity the active vertex.
Now we define the vulnerability rewriting rule:
Definition 6. A vulnerability rewriting rule is defined as a tuple
VRR ¼ ðGpre; f ;vAÞ, where Gpre is the graph identifying the vul-
nerability precondition; f is a function mapping the vulnerable
state to the destination state; and vA represents the active ver-
tex which utilizes the vulnerability.
In fact, the subgraph Gpre denotes the vulnerability pattern
which is considered as the precondition of the vulnerability in
our model. To be able to exploit the vulnerability, the graph G
should contain an isomorph subgraph to Gpre. Accordingly, an
exploit can be defined as an instance of the vulnerability re-
writing rule which is applied to a specific subgraph of graph
G. It is defined more formally as follows:
Definition 7. Let G is a VTG graph representing the current
protection state of the system. An exploit is defined as a tuple
e ¼ ðG;VRRv;uAÞwhere VRRv is the vulnerability rewriting rule
applying on G, and uA is the vertex representing the system
entity which corresponds the active vertex of VRRv.
In fact, an exploit is an instance of vulnerability rewriting
rule in a vulnerable state.
x
y
z
ty
z
t
x
y z
g
y z
x
xg
(a)
(b)
Fig. 2 – (a) Take rewriting rule and (b) grant rewriting rule.
5. Applicability of the model
Here we show how real-world vulnerabilities can be modeled
using our approach. As stated before, exploiting most vulner-
abilities causes the protection state of the system to be al-
tered. Thus, exploiting vulnerabilities is addressed in our
model by vulnerability rewriting rules. In fact the vulnerability
rewriting rules represent the transitions which are caused by
the vulnerability exploitation. We model some well-known
and realistic vulnerabilities in operating systems and web ap-
plications as rewriting rules in order to demonstrate the appli-
cability of our approach.
First we present a model of program executions in UNIX,
and then the common vulnerabilities in the program execu-
tion are modeled.
Example 1. (SETUID programs in UNIX) In the UNIX environ-
ment, the commands or programs are normally executed
with permissions of the user who invoked the command,
but an SETUID program is executed with the privilege of the
user who owns it. Fig. 3 shows two examples presenting the
model of command execution in the UNIX operating system.
Fig. 3a shows the execution of a regular program (copy) by
the user u. The regular rights (E ) are shown by solid edges
and the relationships (Er) are shown by dashed edges. Al-
though the owner of the copy program is root, this program
has access neither to file 1 nor to device1.
In Fig. 3b mount is executed as an SETUID program by user u.
The user u has no direct access to file1 and device1, but as the
program mount is a SETUID program whose owner is the user
root, it can access both file1 and device1. This fact is represented
in the model by assigning a t (take) right from mount to root.
t
r,w
u
root
mount
file1
r,w
r,w
file2
device 1
own
r,w
u
root
copy
file1
r,w
r,w
file2
device 1
own(a)
(b)
t
x
x
copy is regular program and user uexecutes it with its permissions
mount is a setuid program and user u executes it by root permissions.
Fig. 3 – Modeling execution of programs in UNIX: (a)
a regular program and (b) a SETUID program.
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0354
Applying the take rule enables the mount program to acquire
r and w rights over file1 and device1, respectively.
Example 2. (Buffer-overflow vulnerabilities) Buffer overflow vul-
nerabilities are reported to be the most exploited ones among
network attacks (SANS Research Center). We model all vulner-
abilities of this type by a single rewriting rule.
CVE-2000-0128 is a buffer-overflow vulnerability in Linux
mount and umount programs allowing local users to gain root
privileges via a long relative pathname (Hansman and Hunt,
2005; Mitre Corporation). As Fig. 4 shows, if the mount program
has this vulnerability, then the user u can gain the root privi-
leges. The user u can access file1 only indirectly through mount.
Nevertheless, the user u can exploit the buffer-overflow vulner-
ability in mount and gets the root privileges. This is shown by
adding a take (t) edge from u to the root vertex. Applying the
take rule, the user u obtains the rights read and write over file1.
We can model the buffer-overflow vulnerability rewriting
rule as following:
VRRbof ¼�
Gbof ; fbof ;vA
�;
where
Gbof ¼ ðV;E;Er;AaÞ¼ ðfðX;YÞg; fðX;Y; xÞg;B; fðY; fVULN ¼ BOFgÞgÞ;
and
fbofðV;E;Er;AaÞ ¼ ðV;EWfðX;Y; tÞg;Er;AaÞ;
and
vA ¼ X
t
r, wu root
mount{Vuln=BOF}
file1
own
x
t
r,wu root
mount{Vuln=BOF}
file1
own
x
t
t
r,wu root
mount{Vuln=BOF}
file1
own
x
t
r,w
[Exploiting BOF vulnerability]
[Applying Take rule two times]
(a)
(b)
(c)
t
Fig. 4 – (a) Mount is a SETUID program and has the buffer-
overflow vulnerability, (b) The user u gains the take right
over root account by exploiting the buffer-overflow and (c)
The user u gains the r and w rights over file1 by applying
Take rule.
where X and Y are nodes representing the attacker and vul-
nerable process, respectively. This rule implies that if Y has
a buffer-overflow vulnerability and X has x (execute) right
over Y, then it can exploit and acquire t right over Y.
Example 3. (Cross-site scripting vulnerabilities) Cross-site script-
ing vulnerabilities are a large group of vulnerabilities which
have increasingly populated in web applications. A cross-site
scripting vulnerability (CSS) comes from the failure of a web ap-
plication to validate user input before returning it to the client’s
web-browser. The essence of cross-site scripting is that an
intruder causes a legitimate web server to send a page to a -
victim’s browser That page contains a malicious scriptor HTML
codes of the intruder’s choice. The malicious script runs with
the privileges of a legitimate script originating from the legiti-
mate web server. Consequently, the attacker may access pri-
vate data on the client such as cookies, data files, or may
access restricted web sites on behalf of the victim (Hansman
and Hunt, 2005; CERT Advisory; Isamil et al., 2004). We refer
to this type of CSS as Server-CCS, as the vulnerability is due to
a fault in the web server. For example, the vulnerabilities
CVE-2002-0075 and CVE-2002-0682 are of this type (Mitre Cor-
poration). In other cases, the client browser itself has a vulner-
ability, which allows attacker to run a script within the browser
and access the private data. We refer to this type of CSS as
Client-CSS. CVE-2002-1187 is an example of client-CSS vulnera-
bility. Fig. 5 shows an example of the Server-CCS vulnerability,
in which the malicious attacker Eve has changed certain web
pages on the webserver to include malicious scripts. This can
be easily done in sites allowing users to send feedback or take
part in an auction. When user u browses a link referring to
the malicious page, the malicious script is executed on the cli-
ent, and Eve can access the information belonging to u. Because
the cooperation of u is needed for this vulnerability to be
exploited, we show its affect by adding an edge from u to Eve
labeled g (stands for grant). Applying the grant rule, Eve can
acquire u’s access rights, such as r and w, on the private file doc.
We can model the cross-site scripting vulnerability rewrit-
ing rule as following:
VRRcss ¼�Gcss; fcss;vA
�;
where
Gcss ¼ ðV;E;Er;AaÞ ¼ ðfðX;Y;WÞg; fðX;W; xÞ; ðY;W; xÞg;B;fðW; fVULN ¼ CSSgÞgÞ;
and
fcssðV;E;Er;AaÞ ¼ ðV;EWfðY;X; gÞg;Er;AaÞ;
and
vA ¼ X
where X, Y, and W are nodes representing attacker, legitimate
client, and web server, respectively. This rule implies that if W
has a CSS vulnerability, and X and Y have x right over W, then
the right g is added from Y to X.
Example 4. (Weak password vulnerability) The weak password
vulnerability (which we refer to as WP hereafter) arises
when a user account with a weak password is defined on
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0 355
a host M and the host provides the login service to its
users. Assume that a user has an account U on host M
and he/she has chosen a weak password for the account.
Also assume this host provides the login service through
process P. Having access to the login service, the attacker
A can guess U’s password and obtain all the privileges of
user account U.
Fig. 6 presents the password cracking rewriting rule which
demonstrates how exploiting the WP vulnerability results in
a change in access rights. The preconditions of this rule
have been depicted in Fig. 6a. Fig. 6b shows how the attacker
obtains the new access right t over user account a after
exploiting WP vulnerability. We use the attribute {Vuln¼WP}
to represent it. Also we add the attribute {Srv¼ Login} to the
attributes of vertex P to show the login service provided by
process P.
Based on above discussion, we can model the weak pass-
word vulnerability rewriting rule as following:
VRRwp ¼�
Gwp; fwp;vA
�;
where
Gwp ¼ ðV;E;Er;AaÞ ¼ ðffðA;P;W;UÞg; fðA; P; xÞg;fðM;P; fhostsgÞ; ðM;U; fhostsgÞg; fðP; fSrv ¼ LogingÞ;ðU; fVuln ¼WPgÞggÞ;
r,w
Webserver
Eveu
doc
{Vuln=CSS}
[Exploiting CSS vulnerability]
r,w
Webserver
doc
{Vuln=CSS}
g
u
r,w
doc
{Vuln=CSS}
g
u
[Applying Grant rule]
r,w
Webserver
(a)
(b)
(c)
x x
x x
x x
Eve
Eve
Fig. 5 – Server cross-site scripting vulnerability (Server-CSS).
andfwpðV;E;Er;AaÞ ¼ ðV;EWfðA;Y; tÞg;Er;AaÞ;
and
va ¼ A
6. Analysis
In this section we present our approach to analyzing the
model. Our analysis is based on the following question:
‘‘Is it possible for attacker A to achieve access right r over y
or not?’’
Rights in the Take-Grant protection model can be trans-
ferred either cooperatively or unilaterally. It is also the case
in application of this model in vulnerability analysis. The at-
tacker can exploit some vulnerabilities unilaterally; however,
exploiting other vulnerabilities require cooperation of other
subjects of the system which grant their rights either unknow-
ingly or intentionally. In this section, we consider the capability
of an attacker to acquire rightswithout cooperation of other en-
tities. To be precise, we are interested in the following question:
‘‘Can attacker A achieve access right r over y unilaterally?’’
Grant rules are useless when we focus on unilateral transfor-
mation ofrights. Our mean of unilateral transformationofrights
can be defined more formally in VTG by the predicate can$access:
Definition 8. The predicate can$access (a, x, y, VTG0) is true for
the right a and two vertices x (as subject) and y, if there exist
x
M
A PU
{Vuln=WP}{Srv=Login}
x
M
A P
U
{Vuln=WP}
{Srv=Login}
t
[Cracking the password of account u]
(a)
(b)
host
s
hosts
hosts
host
s
Fig. 6 – Exploiting the weak password vulnerability. (a) The
account u has a weak password vulnerability and (b) the
attacker A exploits the WP vulnerability and gains a take
right over account u.
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0356
protection graphs VTG1,., VTGn such that VTG0w*VTGn using
only take and vulnerability rewriting rules, and in VTGn there
is an edge from x to y labeled a.
The definition allows the attacker to use only take and vul-
nerability rewriting rules which transfer the rights unilater-
ally. To answer can$access, we construct VTG’s closure
regarding de jure and vulnerability rewriting rules. First we
define the concept of closure:
Definition 9. Let A be the set of rewriting rules. We define GA
as the closure of graph G regarding A, if all possible rules of A
have been applied in GA and no more rewriting rules can be
applied in it.
The initial state of VTG graph is changed by both de jure
and vulnerability rewriting rules. Let Gdejure be the closure of
G regarding de jure rewriting rules (which only contains the
take rewriting rule based on the unilateral analysis) and GVRR
be the closure of G regarding vulnerability rewriting rules.
Only one set of rules has been applied in each of these clo-
sures. However, it maybe possible to apply the rewriting rules
of the other closure after constructing one closure. Fig. 7
shows an example of how one can exploit a previously consid-
ered vulnerability through a vulnerability rewriting rule after
applying a de jure rewriting rule.
The closures include all the possible ways through which
the rights could be transferred using the related vulnerability
rewriting rules. The attacker may exploit some sequences of
the vulnerabilities to reach its final goal.
To capture all the possible attack paths, a complete closure
is needed. The following algorithm constructs the complete
closure of G:
The correctness and time complexity of Gen_Complete_
Closure algorithm is dealt in Theorem 1.
Theorem 1. Gen_Complete_Closure constructs the complete closure
of G correctly in Oðn2k þ nkþ3Þ, where n is the number of vertices of
G, and k is the maximum number of nodes in the vulnerabilities pre-
graphs.
Algorithm Gen_Complete_Closure (G)
1 Let list F initially contain all ordered pairs of the from (e, r) where e
denotes edges labeled t, and r denotes its associated right
2 While (! IsEmpty(F ))
//applying all possible de jure rules
3 While (!IsEmpty(F ))
4 Let (e, r)¼ head(F )
5 For each take rule applicable through e
6 Apply the rule on G and add the resulting edge and its associated
right to F, if it has not been inserted yet.
7 Delete (e, r) from F
//applying all possible VRRs
8 for all rw ˛ VRR
9 pattern¼ FindPattern(G, rw, Gpre) // find Gpre-isomorph in G
10 Apply all exploits of the form exp¼ (G, rw, uA) where uA ˛ pattern
11 if exp involves addition of edges like e0 labeled r0 to G then
12 Add all such pairs ðe0; r0Þ to F, If they haven’t been inserted yet.
Proof. At first, we prove that lines 2–7 construct Gidejure given
the input graph Gi at the beginning of the ith round of the al-
gorithm. We should prove that the algorithm adds all possi-
ble edges and rights and also no multiple edges exist
between vertices. Let L¼ {(R1,r1), (R2,r2),.,(Rm,rm)} be a se-
quence of applied rules leading to a correct Gidejure closure,
where R and r stand for a related set of rights and rules, re-
spectively. Assume there are some pairs in L whose rights
are not produced by our algorithm and let (Rk, rk),
1 � k � m, be the first such ordered pair appearing in L. We
define rights t and a in Fig. 2a the basic rights of the take
rule. The basic rights of rk should have been already added
to graph by one of the rules r1 to rk�1, if they were not pres-
ent in the initial graph G. The similar conditions hold for our
algorithm as well; thus, the basic rights of rk have been added
to F (or they had been existed at first) and should be consid-
ered by the algorithm which leads in addition of Rk and con-
tradicts the initial assumption that Rk has not been added by
Gen_Complete_Closure algorithm. Moreover, the condition of
line 6 in the algorithm ensures that no ordered pair will be
added to F repeatedly.
At each round of the algorithm, lines 8–12 consider all the
vulnerability rewriting rules and apply all the possible ones
and append all the newly added rights to list F. The algorithm
terminates when no item has remained in list F. Let jVj be the
maximum number of vulnerabilities and k represents the
maximum number of vertices in graph Gpre of a vulnerability
rewriting rule. We first prove that after at most
nðn� 1k� 1 Þðk� 1Þ!jVj times of executing the external loop, all
the possible rewriting rules have been applied and lines 8–12
do not change the graph anymore. This result is based on
the fact that every active vertex of G participates only once
in a given exploit of the form exp¼ (G, rw, uA) because after
that uA has achieved all the desired rights it could achieve
by applying this rule. It is easy to see that the number of all
possible vulnerability rewriting rules is no more than
nðn� 1k� 1 Þðk� 1Þ!jVj, so if the algorithm applies only one vul-
nerability rewriting rule in each round of the loop at worst,
after at most nðn� 1k� 1 Þðk� 1Þ!jVj times of loop execution all
the rules of this type have been applied.
Now we compute the time complexity of each internal
loop. Lines 2–7 consider each edge of the list F for applying
possible take rewriting rules. The test of line 5 takes O(n).
At each moment, there are O(n2) elements in list F. Thus
time complexity of the first internal loop is O(n3). Notice
that checking the condition of line 6 can be done in O(1) by
using the graph data structure instead of exploring the list
F because the edges and their associated rights are added to
G as well as F. Lines 8–12 consider all the applicable rewriting
rules and apply these rules if possible. The time complexity
of FindPattern and applying the rewriting rule in it is Oð knÞ.
Therefore, the time complexity of the second loop is Oð knÞ con-
sidering that the number of vulnerabilities, jVj, and the maxi-
mum number of vertices in rewriting rule pattern graph, k,
are constant. Thus, the time complexity of the whole algorithm
is Oðn2k þ n3Þ ,
Having a complete closure, it is clear that we can answer the
safety problem introduced at the beginning of this section in
O(1). Therefore the following theorem holds:
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0 357
m
{Srv=Login}
hosts
P
hosts
A
Q {Vuln=BoF}
V {Vuln=WP}x
t
x
x
t
m
{Srv=Login}
hosts
P
hosts
Q {Vuln=BoF}
V {Vuln=WP}x
x
*
Fig. 7 – Applying a de jure rule between two vulnerability rewriting rules. Initially, A cannot exploit BoF vulnerability of Q,
because it has not the x right over Q, but after exploiting weak password vulnerability of V, and applying a take rule, it
acquires the x right over Q, and it is now able to exploit BOF vulnerability of Q.
Theorem 2. Let A be the union of the de jure and vulnerability re-
writing rules. We can construct GA in polynomial time and answer
the safety problem in constant time. ,
It is worth of noting that the initial cost of constructing the
complete closure will be paid once and the attacker’s capabil-
ity to access the network resources can be verified in constant
time afterwards. Moreover, the algorithm can be modified to
generate attack path. The attack path can be tracked by assign-
ing text labels to rights when applying rewriting rules. The
assigned text describes how the vulnerabilities are exploited
or the de jure rules are applied as well as the subjects and ob-
jects involved in the rules. Fig. 8 depicts how a new label can
be generated from two previously generated ones. Assume
that rights p and q have been already added by rewriting rules
and text labels Label ( p) and Label (q) contain the attack sce-
narios which lead to the addition of these rights respectively.
Also, assume we can now apply a new rewriting rule and ob-
tain the new right r. The associated text label of r, Label (r), can
be of the following form:
LabelðrÞ ¼n
LabelðpÞ;LabelðqÞ;
‘‘having access rights p and q;
we can apply rewriting rule x and achieve right r
‘‘o
Subsequently, Label(r) contains the complete attack sce-
nario acquiring right r.
7. Case study
In this section, we represent the application of Vulnerability
Take-Grant model and the acquired results in vulnerability
analysis of a typical network. Besides the previously intro-
duced rewriting rules, we need some general rules to analyze
the real world vulnerabilities. For example, each user’s access
r
Label(p)
p
Label(q)
q
Label(r)
Fig. 8 – Generating attack scenario labels.
rights are a subset of the root’s access rights. This fact can be
shown in the VTG model as a set of take edges drawn from
the root user-account to other user accounts defined on the
same host.
Fig. 9 depicts a local network, where the attacker (Eve) is
placed outside the network. The firewall configuration allows
remote users to have access to web and mail services. Eve’s
goal is to gain access to Bob’s files hosted on Saman. On the
machine NSC, the HTTP and SMTP services are listening to
the associated ports. These services are running with the
user privileges apache and root, respectively. Moreover, SSH
and RPC services are running on the machine FileServer with
the user privilege root, and SMB service is running on Saman
with the same user privilege.
Using the Nessus and OVAL scanners, we found that the
services HTTP on NSC, SMB on Saman and RPC on FileServer
have buffer overflow vulnerability. Moreover, we found that
the user account root on the machine FileServer suffers from
weak password vulnerability and the user Bob has added the
account manager from machine FileServer to its .rhosts file.
The VTG model of network is represented in Fig. 10. To
avoid congestion, unnecessary relations between hosts are ig-
nored in the figure.
By using the complete closure algorithm (Gen_Complete_
Closure) described in the previous section and applying the
rewriting rules on the above VTG graph, GA is acquired.
Some part of GA is depicted in Fig. 11.
As mentioned above, the Eve’s goal is to access Bob’s file on
the Saman. Eve is allowed to access Bob’s file if and only if
there is an edge from Eve to Bob in GA including right r in its
set of access rights. The attack path which brings the Eve to
Bob’s file is shown in a dotted line in Fig. 11. We can obtain
the attack path by using the previously described technique.
One possible attack scenario is as follows:
1. Eve exploits the HTTP buffer overflow vulnerability on the
machine NSC and gains the user privilege apache on this
machine.
2. Now Eve has access to SSH service on machine FileServer
and can try to guess root password.
3. After finding the root password, Eve has all the rights of user
account manager on machine FileServer.
4. Pretending to be manager, Eve acquires Bob’s access rights
on machine Saman.
5. Consequently, Eve reaches its final goal which is having
access to file1 on machine Saman.
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0358
Fig. 9 – Case study network topology.
8. Conclusions and future works
In this paper, we introduced a new method for network vener-
ability analysis, which was motivated from Take-Grant
protection model. This method affords the possibility of
representing the protection state of a network with a formal
model. We demonstrated how different types of vulnerabil-
ities could be represented in our model if an appropriate level
of abstraction is selected. The attacker’s capability to access
the resources of network can be analyzed by the model. We
also introduced the complete closure concept to address all
the possible ways of exploiting vulnerabilities and presented
an algorithm to construct the complete closure graph in Oðn2k þnkþ3Þ where k is a constant value representing the maximum
number of nodes in a vulnerability pre-graph. Having com-
plete closure, the safety problem could be answered in constant
time. Besides analyzing vulnerabilities, the proposed method
could generate possible attack scenarios. Using the model
and its analysis method, network designers and administra-
tors can predict possible attacks to their network resources,
just by providing the network configuration information.
Such information consists of the hosts’ vulnerabilities and
the network topology which can be detected using off-
the-shelf scanning tools as described in Section 3.
It is possible to use the model for more comprehensive anal-
ysis. Answering questions such as finding the critical vulnerable
path, the shortest path to accessing a right and minimum cost path of
accessing rights (considering the possibilities or difficulties of
exploiting different vulnerabilities) can represent further ap-
plications of Vulnerability Take-Grant model in the vulnerabil-
ity analysis. Reducing the time complexity of the analysis can
be considered as well. The proposed algorithm constructs the
complete closure in bounded polynomial time and answers
to safety problem in constant time. Considering the similarity
of de jure and vulnerability rewriting rules, it may be possible
to analyze the vulnerabilities by an algorithm just like can$steal
(Jones et al., 1976) in linear time. The nature of Take-Grant
Evex
hosts
hostshosts
root
apacheowns
http
smtp
NSCDevil
ssh
rpc
root
{Vuln=BoF}
{Vuln=WP}
smb
file1
Saman
{Vuln=BoF}
manager
root
rBob
x
x
x
{Vuln=BoF}
{Vuln=rhost}
g
t
t
t
FileServer
t
hosts
owns
owns
owns
owns
hosts
hostshosts
hosts
hosts hosts
hosts
hosts
x
{Srv=Login}
Fig. 10 – VTG model of NSC network and the Attacker on Devil machine.
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0 359
Evex
hosts
hostshosts
root
apacheowns
http
smtp
NSC
Devil
ssh
rpc
root
smb
file1
Saman
manager
root
rBob
x
x
xg
t
t
t
FileServer
t
hosts
owns
owns
owns
owns
hosts
hostshosts
hosts
hosts hosts
hosts
hosts
x
t
r
ttt
r
hosts
t
Fig. 11 – Part of GA for the case study network.
model makes it most suitable for analyzing the vulnerabilities
based on changes in access rights. Moreover, it is interesting to
generalize this method for analyzing vulnerabilities based on
a proper high-level category of vulnerabilities and their pre-
conditions and postconditions. Having the abstract category
of vulnerabilities, it is possible to explore the safety problem
regarding vulnerabilities more theoretically.
Acknowledgments
The authors are grateful to Reza Sadoddin for his valuable
comments and constant cooperation on finalizing this paper.
The authors also acknowledge the comments of Matt Bishop
on the draft version of this paper and his guides about future
directions.
r e f e r e n c e s
Ammann P, Wijesekera D, Kaushik S. Scalable, graph-basednetwork vulnerability analysis. In: Proceedings of nineth ACMconference on computer and communications security,Washington, DC; November 2002.
Bishop M. Hierarchical take-grant protection systems. In:Proceedings of 8th symposium on operating systemsprincipals; December 1981. p. 107–23.
Bishop M. Practical Take-Grant systems: do they exist? Ph.D.thesis, Department of Computer Sciences, Purdue University,West Lafayette, IN 47097; May 1984.
Bishop M. Conspiracy and information flow in the Take-Grantprotection model. Journal of Computer Security 1996;4(4):331–60.
Bishop M, Bailey D. A critical analysis of vulnerabilitytaxonomies. Technical report CSE-96-11. Department ofComputer Science, University of California at Davis;September 1996.
CERT Advisory CA-2000–02. Malicious HTML tags embedded inclient web requests [online]. Available from: <http://www.cert.org/advisories/CA-2000-02.html>.
Cheops-ng, the network swiss army knife [online]. Availablefrom: <http://cheops-ng.sourceforge.net/>.
Dacier M, Deswarte Y. Privilege graph: an extension to the typedaccess matrix model. Proceedings of third Europeansymposium on research in computer security (ESORICS 94),(Brighton, UK). Lecture Notes in Computer Science: ComputerSecurity 1994;875:319–34 [Springer-Verlag].
Derasion R. The Nessus attack scripting language reference guide[online]. Available from: <http://www.nessus.org>; 2000.
Frank J, Bishop M. Extending the Take-Grant protection system.Technical Report. Department of Computer Science,University of California at Davis; 1996.
Hansman S, Hunt R. A taxonomy of network and computerattacks. Journal of Computer Security 2005;24(1):31–43.
Internet Security Systems. System Scanner information [online].Available from: <http://www.iss.net>.
Isamil O, Etoh M, Kadobayashi Y. A proposal and implementationof automatic detection/collection system for cross-sitescripting vulnerability. In: Proceedings of the 18thinternational conference on advanced informationnetworking and application (AINA’04); 2004.
Jones A, Lipton R, Snyder L. A linear time algorithm fordeciding security. In: Proceedings of 17th annualsymposium on the foundations of computer science;October 1976. p. 33–41.
Jones A. Protection mechanism models: their usefulness,Foundations of secure computing. New York City, NY:Academic Press; 1978. p. 237–54.
Jha S, Sheyner O, Wing J. Two formal analyses of attack graphs.In: Proceedings of 15th IEEE computer security foundationsworkshop, Nova Scotia, Canada; June 2002.
c o m p u t e r s & s e c u r i t y 2 6 ( 2 0 0 7 ) 3 4 9 – 3 6 0360
Jajodia S, Noel S, O’Berry B. Topological analysis of network attackvulnerability. In: Kumar V, Srivastava J, Lazarevic A, editors.Managing cyber threats: issues, approaches and challenges.Kluwer Academic Publisher; 2003.
Mitre Corporation. Common vulnerabilities and exposuredatabase [online]. Available from: <http://cve.mitre.org/>.
Noel S, Jajodia S, O’Berry B, Jacobs M. Efficient minimum-costnetwork hardening via exploit dependency graphs. In:Proceedings of the 19th annual computer security applicationsconference, Las Vegas, Nevada; December 2003.
Noel S, Jajodia S. Managing attack graph complexity throughvisual hierarchical aggregation. In: Proceedings of the ACMCCS workshop on visualization and data mining for computersecurity, Fairfax, Virginia; October 2004.
Noel S, Robertson E, Jajodia S. Correlating intrusion eventsand building attack scenarios through attack graphdistances. In: Proceedings of the 20th annual computersecurity applications conference, Tucson, Arizona;December 2004.
Ou X, Govindavajhala S, Appel AW. MulVal: a logic-based networksecurity analyzer. In: Proceedings of 14th USENIX SecuritySymposium; 2005. p. 113–28.
Ritchey RW, Ammann P. Using model checking to analyzenetwork vulnerabilities. In: Proceedings of IEEE symposium onsecurity and privacy; May 2001. p. 156–65.
Ryan P, Schneider S. Modeling and analysis of Security protocols:a CSP approach. Addison-Wesley; 2001.
Ramakrishnan CR, Sekar R. Model-based analysis of configurationvulnerabilities. Journal of Computer Security 2002;10(1/2):189–209.
Rohrmair G, Lowe G. Using data-independence in the analysisof intrusion detection systems. In: Workshop on issuesin the theory of security (WITS’03), Warsaw, Poland; April2003.
Snyder L. On the synthesis and analysis of protection systems. In:Proceedings of sixth symposium on operating systemsprincipals; November 1977. p. 141–50.
Swiler L, Phillips C, Ellis D, Chakerian S. Computer attackgraph generation tool. In: Proceedings of DARPAinformation survivability conference & exposition II; June2001.
Sheyner O, Haines J, Jha S, Lippmann R, Wing J. Automatedgeneration and analysis of attack graphs. In: Proceedingsof IEEE Symposium on Security and Privacy, Oakland, CA;2002.
Shapiro JS. The practical application of a decidable access controlmodel. Technical Report SRL-2003–04. John HopkinsUniversity; 2003.
SANS Research Center. The SANS top 20 Internet securityvulnerabilities [online]. Available from: <http://www.sans.org/top20/>.
Shahriari HR, Jalili R. Using CSP to model and analyze transmissioncontrol vulnerabilities within the broadcast network. In:Proceedings of the IEEE international networking andcommunication conference (INCC’2004); June 2004. p. 42–7.
Shahriari HR, Jalili R. Modeling and analyzing networkvulnerabilities via a logic-based approach. In: Proceedings ofsecond international symposium of telecommunications (IST2005), September 10–12; 2005. p. 13–8.
Wu M. Hierarchical protection systems. In: Proceedings of 1981symposium on security and privacy; April 1981. p. 113–23.
Wojcik M, Bergeron T, Wittbold T, Roberge R. Introduction toOVAL: A new language to determine the presence of softwarevulnerabilities [online]. Available from: <http://oval.mitre.org/documents/docs03/intro/intro.html>; November 2003.
Zerkle D, Levitt K. NetKuang – a multi-host configurationvulnerability checker. In: Proceedings of the sixth USENIXUNIX security symposium, San Jose, CA; 1996.
Hamid Reza Shahriari received his M.Sc. inComputer Science from Amir-Kabir Univer-sity of Technology, Tehran, Iran, in 2000.He is currently a Ph.D. student in ComputerScience in Sharif University of Technology,working on his thesis on vulnerability analy-sis of computer networks. His research inter-ests are Information Security and FormalMethods in Security.
Rasool Jalili received his Ph.D. in ComputerScience from The University of Sydney, Aus-tralia in 1995. He then joined, as an assistantprofessor, the Department of Computer Engi-neering, Sharif University of Technology,Tehran, Iran, where he is doing research inthe areas of Distributed Systems and Infor-mation Security.
