Vulnerability Analysis


Vulnerability Analysis 120110244 허영일

1. Introduction
2. Penetration Studies
3. Vulnerability Classification
4. Frameworks

1. Introduction
Definitions
- Computer system: the hardware and software together with the policies, procedures, and organization under which that hardware and software is used.
- Vulnerability (security flaw): what someone who breaks into a computer system takes advantage of to gain unauthorized access or perform an unauthorized action.
Penetration testing
- Preconditions: the state of the system in which the hypothesized security flaw can be exploited (system characteristics, environment, and state).
- Postconditions: the result of the test (the system state afterwards).
- If the security policy and the postconditions are inconsistent, the hypothesis is correct.

2. Penetration Studies
- Penetration study: a test for evaluating the strengths of all security controls on the computer system.
Goals
1. An authorized attempt to violate specific constraints stated in the form of a security or integrity policy.
   example: a subsystem designed to provide password protection for user files; the owner requires a password before access to the file is granted
   goal: test these controls
   metric: access to a protected file, either without using a password or by gaining unauthorized access to a password

2. Penetration Studies
2. To find some number of vulnerabilities, or to find vulnerabilities within a set period of time.
   example: a company obtains confidential documents from a vendor and, after 30 days, publishes them on its web site
   goal: obtain that file within the 30 days
   alternative goal: gain access to any of these files (no time limit)

2. Penetration Studies
Layering of tests
1. External attacker with no knowledge of the system
   - the tester has to gather enough information to access the system
2. External attacker with access to the system
   - can access the system or log in to a network service
   - the tester tries to get a more privileged account
3. Internal attacker with access to the system
   - acts as an authorized user
   - the tester tries to gain unauthorized privileges or information needed to reach the goal
If information about a specific layer is irrelevant to the goal, that layer can be skipped.

2. Penetration Studies
Flaw Hypothesis Methodology
1. Information gathering
   - examine the system's design, implementation, operating procedures, and its use
2. Flaw hypothesis
   - from the knowledge gained in step 1, and from vulnerabilities known in other systems, the tester hypothesizes flaws of the system
3. Flaw testing
   - the tester tests the hypothesized flaws (if a flaw does not exist, go back to step 2)
4. Flaw generalization
   - generalize the vulnerability and find others similar to it
5. Flaw elimination
   - suggest ways to eliminate the flaw or to use procedural controls to ameliorate it

2. Penetration Studies
Example: penetration of the Michigan Terminal System
Goal: acquire access to the terminal control structures
1. Information gathering
   - segments 0 to 4 contain the supervisor, system programs, and system state, and are protected by hardware mechanisms
   - segment 5 is a system work area (holding privilege level information)
   - segments 6 and higher contain user process information, and the process can alter them
   - segment 5 is protected by the virtual memory protection system:
     system mode: the process can access (alter) its segment 5
     user mode: segment 5 is not present in the address space of the process and cannot be modified

2. Penetration Studies
2. Flaw hypothesis
   - focus on the switch from user to system mode
   - discover that an element of the parameter list could point to a location within the parameter list itself
   X is the address of the parameter list, and locations X, X+1, X+2 contain the addresses of the actual parameters:
     X   : address of the first actual parameter
     X+1 : X+2 (an address inside the parameter list itself)
     X+2 : address of the third actual parameter
   location X+1 contains the address X+2

2. Penetration Studies
3. Flaw testing
   - find a call that takes two parameters, alters at least one, and can be made to change that parameter to any of a specific set of values
   - set up the parameter list so that the address for storing the line number
   - find out the address of the system segment
4. Flaw generalization
   - the testers realized the full implications of this flaw (the privilege level in segment 5 controls the ability of the process to issue supervisor calls)
   - if the tester can find a call which turns off the hardware protection for segments 0 to 4, then he can access any data in those segments
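The check the MTS supervisor-call entry was missing, written out as an added example (this is not code from the slides, from MTS, or from Bishop's text): a small simulated address space in which a parameter list is validated before any parameter is used. The address-space size, the SUPERVISOR_LIMIT bound standing in for segments 0 to 5, and the function names are this example's own assumptions. It generalizes the slide's case: besides the self-referencing entry (X+1 holding X+2) it also rejects entries that name supervisor memory.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated address space: one 32-bit word per address (constructed). */
#define MEM_WORDS 64
typedef uint32_t word_t;

/* Stand-in for the protected segments 0 to 5 of the slides: any address
 * below this bound belongs to the supervisor and may not be named by a
 * user-mode parameter. Value chosen for the example. */
#define SUPERVISOR_LIMIT 16

/* Validate a parameter list at address x holding n parameter addresses,
 * as a supervisor-call entry point should before acting on it:
 *   - the list itself must lie in user memory
 *   - every entry must be a user-memory address
 *   - no entry may point into the list [x, x+n) itself, since writing a
 *     result through such an entry would change another parameter after
 *     it was validated (the MTS flaw above)
 * Returns 0 when acceptable, -1 when the list itself is out of bounds, or
 * the 1-based index of the first offending entry. */
int validate_param_list(const word_t *mem, word_t x, word_t n)
{
    if (x < SUPERVISOR_LIMIT || n == 0 || x + n > MEM_WORDS)
        return -1;
    for (word_t i = 0; i < n; i++) {
        word_t target = mem[x + i];
        if (target < SUPERVISOR_LIMIT || target >= MEM_WORDS)
            return (int)(i + 1);    /* names supervisor or nonexistent memory */
        if (target >= x && target < x + n)
            return (int)(i + 1);    /* aliases the parameter list itself */
    }
    return 0;
}

/* The slide's layout: X+1 holds the address X+2, so a result stored through
 * the second parameter would overwrite the third parameter's address. Expect 2. */
int demo_self_referencing_list(void)
{
    word_t mem[MEM_WORDS] = {0};
    const word_t x = 32;
    mem[x]     = 40;        /* first parameter lives at user address 40 */
    mem[x + 1] = x + 2;     /* second "parameter" is the list entry X+2 */
    mem[x + 2] = 41;        /* third parameter lives at user address 41 */
    return validate_param_list(mem, x, 3);
}

/* A list whose entries all name distinct user-memory words. Expect 0. */
int demo_well_formed_list(void)
{
    word_t mem[MEM_WORDS] = {0};
    const word_t x = 32;
    mem[x] = 40; mem[x + 1] = 41; mem[x + 2] = 42;
    return validate_param_list(mem, x, 3);
}

/* An entry naming a supervisor address (segment 5 on the slides). Expect 1. */
int demo_supervisor_address(void)
{
    word_t mem[MEM_WORDS] = {0};
    const word_t x = 32;
    mem[x] = 5; mem[x + 1] = 41;
    return validate_param_list(mem, x, 2);
}

int main(void)
{
    printf("self-referencing list: %d\n", demo_self_referencing_list());
    printf("well-formed list:      %d\n", demo_well_formed_list());
    printf("supervisor address:    %d\n", demo_supervisor_address());
    return 0;
}
```

The point of the aliasing rule is the one the flaw generalization step draws out: validation of a parameter is only worth something if nothing the call does afterwards can change that parameter, so the check has to cover the list's own storage, not just the values in it.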

3. Vulnerability Classification
- classify the techniques used to exploit vulnerabilities
- classify by the software and hardware components and interfaces involved
Goals of vulnerability analysis
1. the ability to specify, design, and implement a computer system without vulnerabilities
2. the ability to analyze a computer system to detect vulnerabilities
3. the ability to address any vulnerability introduced during the operation of the computer system
4. the ability to detect attempted exploitations of vulnerabilities
Before presenting several different frameworks, we discuss two security flaws.

3. Vulnerability Classification
Two Security Flaws
1. xterm
   - a program that emulates a terminal under the X11 window system
   - runs as the omnipotent user root
   - users can log all input and output to a log file
     if the file does not exist: create it and assign ownership to the user
     if the file exists: check that the user can write to it before opening the file
   - after the access check but before the open, the attacker deletes the file and links a system file (the password file) to the name of the deleted file; xterm then appends its logging output to the password file

     /* check-then-open: the race window lies between access() and open() */
     if (access("/usr/tom/X", W_OK) == 0) {
         if ((fd = open("/usr/tom/X", O_WRONLY | O_APPEND)) < 0) {
             /* handle error: cannot open file */
         }
     }
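The check-then-open sequence above beside a hardened opener, as an added example (not xterm's code and not from the slides): the safe version opens first, refuses to follow a symbolic link, and then judges the object it actually got through fstat() on the descriptor rather than through the name. The demo builds the state the slide describes at the moment of open(), a log name that has become a link to a stand-in for the password file, inside a temporary directory; the directory template, the file names and the function names are this example's own.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* The slide's pattern: access() decides on the path name, open() then uses
 * the name again. Whatever the name refers to at the second step is opened,
 * so a file deleted and replaced by a link inside that window is accepted. */
int open_log_vulnerable(const char *path)
{
    if (access(path, W_OK) != 0)
        return -1;
    return open(path, O_WRONLY | O_APPEND);    /* follows a symbolic link */
}

/* Hardened form: open first, without following symbolic links, then judge
 * the object actually obtained via fstat() on the descriptor, not the name.
 * `owner` is the user on whose behalf the log is written. */
int open_log_safe(const char *path, uid_t owner)
{
    struct stat st;
    int fd = open(path, O_WRONLY | O_APPEND | O_NOFOLLOW | O_NOCTTY);
    if (fd < 0)
        return -1;                          /* ELOOP when the name is a symlink */
    if (fstat(fd, &st) != 0 ||
        !S_ISREG(st.st_mode) ||             /* no devices, FIFOs, directories */
        st.st_nlink != 1 ||                 /* no hard link to another file */
        st.st_uid != owner) {               /* must belong to that user */
        close(fd);
        errno = EPERM;
        return -1;
    }
    return fd;
}

/* Constructed state: "sensitive" stands in for the password file, and the
 * log name is a symlink to it, all inside a fresh temporary directory.
 * Returns 1 when the vulnerable opener accepts the link and the safe one
 * refuses it, 0 otherwise, -1 on setup failure. */
int demo_symlink_state(void)
{
    char dir[] = "/tmp/xterm-toctou-XXXXXX";
    char sensitive[128], logname[128];
    int fd, v, s, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(sensitive, sizeof sensitive, "%s/sensitive", dir);
    snprintf(logname, sizeof logname, "%s/log", dir);
    fd = open(sensitive, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    if (symlink(sensitive, logname) != 0)
        return -1;

    v = open_log_vulnerable(logname);       /* >= 0: appends would land in "sensitive" */
    s = open_log_safe(logname, getuid());   /* -1: link refused before any write */
    if (v >= 0 && s < 0)
        result = 1;
    if (v >= 0) close(v);
    if (s >= 0) close(s);
    unlink(logname);
    unlink(sensitive);
    rmdir(dir);
    return result;
}

/* Control case: an ordinary log file owned by the user. Both openers succeed
 * (returns 1), so the extra checks cost nothing in the legitimate case. */
int demo_regular_file(void)
{
    char dir[] = "/tmp/xterm-toctou-XXXXXX";
    char logname[128];
    int fd, v, s, result = 0;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(logname, sizeof logname, "%s/log", dir);
    fd = open(logname, O_WRONLY | O_CREAT, 0600);
    if (fd < 0)
        return -1;
    close(fd);
    v = open_log_vulnerable(logname);
    s = open_log_safe(logname, getuid());
    if (v >= 0 && s >= 0)
        result = 1;
    if (v >= 0) close(v);
    if (s >= 0) close(s);
    unlink(logname);
    rmdir(dir);
    return result;
}

int main(void)
{
    printf("symlink state: %d\n", demo_symlink_state());
    printf("regular file:  %d\n", demo_regular_file());
    return 0;
}
```

The ownership and link-count checks matter as much as O_NOFOLLOW: a symlink is only one way the name can be re-bound between check and use, and a hard link to a root-owned file would pass O_NOFOLLOW but fails st_uid and st_nlink. A set-uid program can additionally drop to the real user's identity before the open, so that the kernel's own permission check applies to the object actually opened.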

3. Vulnerability Classification
2. finger
   - obtains information about the users of a remote system
   - the server receives a name of at most 512 characters
   - the server does not check the length of the name
   - the attacker sends 512 + 24 bytes
   - the extra 24 bytes make the function return into the input buffer
   - the attacker then has access to the system
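The missing length check, as an added example (not fingerd's code and not from the slides): the unchecked copy is kept for contrast, and beside it a reader that treats the request as a counted byte string, rejects a name that does not fit, and refuses to act on bytes that have not yet been terminated. The 512-byte limit is the one the slide gives; the 512 + 24 byte request is constructed to that description; the function names and the separate handling of a missing line end are this example's own.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Limit the slide states for a finger request name. */
#define NAME_LIMIT 512

/* Shape of the original handler: a fixed buffer and a copy that trusts the
 * sender to respect the limit. With the slide's 512 + 24 byte request the
 * copy runs past the buffer into the rest of the stack frame. Shown only
 * for contrast; nothing below calls it. */
void read_name_unchecked(char name[NAME_LIMIT], const char *request)
{
    strcpy(name, request);                  /* no bound on the copy */
}

/* Hardened handler: the request is `request_len` raw bytes (what a network
 * read actually returns), the name is the part before the line end, and a
 * name that does not fit in `name_sz` is rejected, not copied or truncated.
 * Returns the name length, -1 if no line terminator arrived within the
 * received bytes, -2 if the name is too long for the buffer. */
int read_name_checked(char *name, size_t name_sz,
                      const char *request, size_t request_len)
{
    size_t n = 0;
    while (n < request_len && request[n] != '\n' && request[n] != '\r')
        n++;
    if (n == request_len)
        return -1;                          /* line never ended: incomplete */
    if (n + 1 > name_sz)
        return -2;                          /* no room for the name plus its NUL */
    memcpy(name, request, n);
    name[n] = '\0';
    return (int)n;
}

/* Constructed request of the size the slide gives: 512 bytes of name, 24 more
 * bytes, then the line end. Expect -2 from the checked reader. */
int demo_oversized_request(void)
{
    char request[NAME_LIMIT + 24 + 2];
    char name[NAME_LIMIT + 1];
    memset(request, 'A', NAME_LIMIT + 24);
    request[NAME_LIMIT + 24] = '\r';
    request[NAME_LIMIT + 24 + 1] = '\n';
    return read_name_checked(name, sizeof name, request, sizeof request);
}

/* A name of exactly 512 characters is the largest the server accepts. Expect 512. */
int demo_limit_request(void)
{
    char request[NAME_LIMIT + 1];
    char name[NAME_LIMIT + 1];
    memset(request, 'B', NAME_LIMIT);
    request[NAME_LIMIT] = '\n';
    return read_name_checked(name, sizeof name, request, sizeof request);
}

/* An ordinary "alice\r\n" request is accepted; returns its length, 5. */
int demo_normal_request(void)
{
    const char request[] = "alice\r\n";
    char name[NAME_LIMIT + 1];
    int n = read_name_checked(name, sizeof name, request, sizeof request - 1);
    return (n == 5 && strcmp(name, "alice") == 0) ? n : -99;
}

/* Bytes that arrived without a line end are not a name yet. Expect -1. */
int demo_unterminated_request(void)
{
    const char request[] = "bob";
    char name[NAME_LIMIT + 1];
    return read_name_checked(name, sizeof name, request, sizeof request - 1);
}

int main(void)
{
    printf("oversized:    %d\n", demo_oversized_request());
    printf("at limit:     %d\n", demo_limit_request());
    printf("normal:       %d\n", demo_normal_request());
    printf("unterminated: %d\n", demo_unterminated_request());
    return 0;
}
```

Passing the received length explicitly is what makes the check complete: a handler that measures the input with strlen() after the fact has already depended on a terminator the sender controls.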

4. Frameworks
Goal
- the goal dictates the framework's structure
- examples:
  · guide the development of an attack detection tool
  · aid the software development process
Each framework classifies a vulnerability as an n-tuple, each element of the n-tuple being the specific class into which the vulnerability falls.

4. Frameworks
The RISOS Study (Research Into Secure Operating Systems)
- aimed to aid computer and system managers and information processing specialists in understanding issues in operating systems, and to help them determine the level of effort required to enhance their system security
1. Incomplete parameter validation
2. Inconsistent parameter validation
3. Implicit sharing of privileged/confidential data
4. Asynchronous validation/inadequate serialization
5. Inadequate identification/authentication/authorization
6. Violable prohibition/limit
7. Exploitable logic error

4. Frameworks
Protection Analysis Model (PA)
- breaks the operating system protection problem into smaller, more manageable pieces
1. Improper protection domain initialization and enforcement
   a. Improper choice of initial protection domain (domain)
   b. Improper isolation of implementation detail (exposed representations)
   c. Improper change (consistency of data over time)
   d. Improper naming (naming)
   e. Improper deallocation or deletion (residuals)
2. Improper validation (validation of operands, queue management dependencies)
3. Improper synchronization
   a. Improper indivisibility (interrupted atomic operations)
   b. Improper sequencing (serialization)
4. Improper choice of operand or operation (critical operator selection errors)

4. Frameworks
The NRL Taxonomy
- how did the flaw enter the system (genesis)
- when did it enter the system (time of introduction)
- where in the system is it manifest (location)
Genesis
- intentional
  · malicious: Trojan horse (nonreplicating, replicating), trapdoor, logic/time bomb
  · nonmalicious: covert channel (storage, timing), other
- inadvertent
Time of introduction
- development: requirement/specification/design, source code, object code
- maintenance
- operation
Location
- software: operating system, support, application
- hardware

4. Frameworks
Aslam's Model
- a classification scheme for security flaws that categorizes faults and groups similar faults together
1. coding fault
   a. synchronization error
   b. validation error
2. emergent fault
   a. configuration error
   b. environment fault

4. Frameworks
Comparison and analysis
- each flaw is viewed from three processes: the flawed process, the attacker process, and the operating system service routine
- the view of any of these processes may differ from the view of the other two
1. The xterm log file flaw (PA taxonomy)
   · xterm process: improper change (what the name refers to changed between check and use)
   · attacker process: improper deallocation or deletion (the file and link are deleted)
   · operating system: improper indivisibility (the open should atomically check whether access is allowed)

4. Frameworks
2. The fingerd buffer overflow flaw (RISOS taxonomy)
   · fingerd process: violable prohibition/limit (the limit on the input data to be sent can be ignored)
   · attacker process: incomplete parameter validation (failure to check the parameter, allowing the buffer to overflow)
   · operating system: inadequate identification/authentication/authorization (the user is allowed to write directly into the space of the process)
3.
   - the flaw classification is not consistent across the three views
   - if the flaws are refined, they may shift class; so where the classifications of a flaw overlap, we can ameliorate it

Vulnerability taxonomy in Internet software

Security vendors' penetration test process: the current trend
Penetration testing and penetration testers are obsolete. Originally, pen testing was a simulation of what real attackers would do. Then it became more about validating vulnerability scan/assessment results. Vulnerability assessment pretty much no longer requires a skilled tester: there are now, and have been for a while, appliances and products which can schedule and automate vulnerability scans. There are a limited number of really skilled testers who can do what real attackers can do; a large number of pen test companies employ people who know how to run tools but not much more than that.