MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University 14th USENIX Security Symposium,

Slides:

Advertisements

Similar presentations

Example One Internet is allowed to access the web server through HTTP protocol and port CVE was identified on web server.

Advertisements

Guide to Network Defense and Countermeasures Second Edition

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

CWE-732 Incorrect Permission Assignment for Critical Resource

GPN 2009 May 29, Kansas City, Missouri An open security defense architecture for open collaborative cyber infrastructures Xinming (Simon) Ou Kansas State.

Logic-based, data-driven enterprise network security analysis Xinming (Simon) Ou Assistant Professor CIS Department Kansas State University COS 598D: Formal.

System Security Scanning and Discovery Chapter 14.

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

System and Network Security Practices COEN 351 E-Commerce Security.

 Firewalls and Application Level Gateways (ALGs)  Usually configured to protect from at least two types of attack ▪ Control sites which local users.

Network Security Testing Techniques Presented By:- Sachin Vador.

Firewall Policy Queries Author: Alex X. Liu, Mohamed G. Gouda Publisher: IEEE Transaction on Parallel and Distributed Systems 2009 Presenter: Chen-Yu Chang.

70-290: MCSE Guide to Managing a Microsoft Windows Server 2003 Environment Chapter 5: Managing File Access.

An Integrated Framework for Dependable Revivable Architectures Using Multi-core Processors Weiding Shi, Hsien-Hsin S. Lee, Laura Falk, and Mrinmoy Ghosh.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Web server security Dr Jim Briggs WEBP security1.

Computer Security and Penetration Testing

Application Security Chapter 8 Copyright Pearson Prentice Hall 2013.

Patching MIT SUS Services IS&T Network Infrastructure Services Team.

McGraw-Hill The McGraw-Hill Companies, Inc., 2000 SNMP Simple Network Management Protocol.

Presented by INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used?

D ATABASE S ECURITY Proposed by Abdulrahman Aldekhelallah University of Scranton – CS521 Spring2015.

Directory and File Transfer Services Chapter 7. Learning Objectives Explain benefits offered by centralized enterprise directory services such as LDAP.

1 Security Risk Analysis of Computer Networks: Techniques and Challenges Anoop Singhal Computer Security Division National Institute of Standards and Technology.

Computer Security & OS Lab. DKU May 26 Younsik Jeong Ph.D. Student.

LIGHT WEIGHT DIRECTORY ACCESS PROTOCOL Presented by Chaithra H.T.

Lecture slides prepared for “Computer Security: Principles and Practice”, 3/e, by William Stallings and Lawrie Brown, Chapter 5 “Database and Cloud Security”.

A Z Approach in Validating ORA-SS Data Models Scott Uk-Jin Lee Jing Sun Gillian Dobbie Yuan Fang Li.

SATAN Presented By Rick Rossano 4/10/00. OUTLINE What is SATAN? Why build it? How it works Capabilities Why use it? Dangers of SATAN Legalities Future.

Final Introduction ---- Web Security, DDoS, others

1 Vulnerability Analysis and Patches Management Using Secure Mobile Agents Presented by: Muhammad Awais Shibli.

PRESENTED BY P. PRAVEEN Roll No: 1009 – 11 – NETWORK SECURITY M.C.A III Year II Sem.

Linux Networking and Security

A VIRTUAL HONEYPOT FRAMEWORK Author : Niels Provos Publication: Usenix Security Symposium Presenter: Hiral Chhaya for CAP6103.

Fundamentals of Proxying. Proxy Server Fundamentals  Proxy simply means acting on someone other’s behalf  A Proxy acts on behalf of the client or user.

Network Security. 2 SECURITY REQUIREMENTS Privacy (Confidentiality) Data only be accessible by authorized parties Authenticity A host or service be able.

Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.

Scanning & Enumeration Lab 3 Once attacker knows who to attack, and knows some of what is there (e.g. DNS servers, mail servers, etc.) the next step is.

CIS 450 – Network Security Chapter 14 – Specific Exploits for UNIX.

Presented by: Reem Alshahrani. Outlines What is Virtualization Virtual environment components Advantages Security Challenges in virtualized environments.

Network Security Chapter 11 powered by DJ 1. Chapter Objectives  Describe today's increasing network security threats and explain the need to implement.

Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.

BY SYDNEY FERNANDES T.E COMP ROLL NO: INTRODUCTION Networks are used as a medium inorder to exchange data packets between the server and clients.

Core 3: Communication Systems. Network software includes the Network Operating Software (NOS) and also network based applications such as those running.

Network Management Security

PwC New Technologies New Risks. PricewaterhouseCoopers Technology and Security Evolution Mainframe Technology –Single host –Limited Trusted users Security.

INTRUSION DETECTION SYSYTEM. CONTENT Basically this presentation contains, What is TripWire? How does TripWire work? Where is TripWire used? Tripwire.

June 13-15, 2007Policy 2007 Infrastructure-aware Autonomic Manager for Change Management H. Abdel SalamK. Maly R. MukkamalaM. Zubair Department of Computer.

MOPS: an Infrastructure for Examining Security Properties of Software Authors Hao Chen and David Wagner Appears in ACM Conference on Computer and Communications.

Security-Enhanced Linux Stephanie Stelling Center for Information Security Department of Computer Science University of Tulsa, Tulsa, OK

Network Security SUBMITTED BY:- HARENDRA KUMAR IT-3 RD YR. 1.

Chapter 27 Network Management Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

By: Brett Belin. Used to be only tackled by highly trained professionals As the internet grew, more and more people became familiar with securing a network.

Some Great Open Source Intrusion Detection Systems (IDSs)

Database and Cloud Security

Network security Vlasov Illia

CMSC 345 Defensive Programming Practices from Software Engineering 6th Edition by Ian Sommerville.

Port Knocking Benjamin DiYanni.

Critical Security Controls

Security Testing Methods

Execution with Unnecessary Privileges

Module 4 Remote Login.

A Security Review Process for Existing Software Applications

Introduction to Networking

Backtracking Intrusions

IS3440 Linux Security Unit 9 Linux System Logging and Monitoring

Firewalls Jiang Long Spring 2002.

Chapter 7 – and 8 pp 155 – 202 of Web security by Lincoln D. Stein

Creating and Managing Folders

SHELLSHOCK ATTACK.

Presentation transcript:

MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University 14th USENIX Security Symposium, August 2005 Presented by Mike Hsiao,

Outline MulVAL: A logic-based network security analyzer 2  Introduction  Representation  Vulnerability Specification  The MulVAL Reasoning System  Examples  Hypothetical Analysis  Performance and Scalability  Related Work  Conclusion

Introduction MulVAL: A logic-based network security analyzer 3  Two features are critical for vulnerability analysis tool  Can automatically integrate formal vulnerability spec  Be able to scale to networks with thousands of machine  MulVAL  An end-to-end framework and reasoning system  Conducts multi-host, multi-stage vulnerability analysis  Adopt Datalog as modeling language  Bug spec, configuration, reasoning rules, system permission, privilege  The authors can leverage existing vulnerability database and scanning tools by Datalog and feeding it into MulVAL reasoning engine to perform analysis in seconds.  for networks with thousands of machines

Introduction MulVAL: A logic-based network security analyzer 4  One of a sysadmin’s daily chores is  to read bug reports from various sources  such as CERT, BugTraq etc  to understand which reported bugs are actually security vulnerabilities in the context of his own network  to assessment of their security impact on the network  patch and reboot, reconfigure a firewall, dismount a file-server partition, and so on  A vulnerability analysis tool can be useful,  if it can automatically do so,  and only if it is scalable.

The inputs to MulVAL’s analysis are MulVAL: A logic-based network security analyzer 5  Advisories  What vulnerabilities have been reported and do they exist on my machines?  Host configuration  What software and services are running on my hosts, and how are they configured?  Network configuration  How are my network routers and firewalls configured?  Principals  Who are the users of my network?  Interaction  What is the model of how all these components interact?  Policy  What accesses do I want to permit?

Representation (1/2) MulVAL: A logic-based network security analyzer 6  Advisories  vulExists(webServer, ’CAN ’, httpd)  vulProperty(’CAN ’, remoteExploit, privilegeEscalation)  Host configuration  networkService(webServer, httpd, TCP, 80, apache)  Network configuration  hacl(internet, webServer, TCP, 80) // host access control lists  Principals  hasAccount(user, projectPC, userAccount)  hasAccount(sysAdmin, webServer, root)

Representation (2/2) MulVAL: A logic-based network security analyzer 7  Interaction  execCode(Attacker, Host, Priv) :- vulExists(Host, VulID, Program), vulProperty(VulID, remoteExploit, privEscalation), networkService(Host, Program, Protocol, Port, Priv), netAccess(Attacker, Host, Protocol, Port), malicious(Attacker).  Policy  allow(Everyone, read, webPages)  allow(systemAdmin, write, webPages)

The MulVAL framework MulVAL: A logic-based network security analyzer 8

Vulnerability Specification MulVAL: A logic-based network security analyzer 9  A specification of a security bug consists of two parts  how to recognize the existence of the bug on a system  what is the effect of the bug on a system  Formal, machine-readable formats  OVAL (Open Vulnerability Assessment Language)  a formal specification language for recognizing vulnerabilities   ICAT (or National Vulnerability Database)  a database that provides a vulnerability’s effect 

The OVAL language and scanner MulVAL: A logic-based network security analyzer 10  XML-based language  an OVAL definition can specify how to check a machine for the existence of a new software vulnerability  an OVAL-compatible scanner will conduct the specified tests and report the result  networkService(Host, Program, Protocol, Port, Priv).  clientProgram(Host, Program, Priv).  setuidProgram(Host, Program, Owner).  filePath(H, Owner, Path).  nfsExport(Server, Path, Access, Client).  nfsMountTable(Client, ClientPath, Server, ServerPath).

Vulnerability effect (in ICAT) MulVAL: A logic-based network security analyzer 11  exploitable range  Local: a local exploit requires that the attacker already have some local access on the host  Remote  consequence  confidentiality loss  integrity loss  denial of service  privilege escalation Example: vulProperty(’CVE ’, localExploit, privEscalation).

The MulVAL Reasoning System MulVAL: A logic-based network security analyzer 12  A literal, p(t 1,..., t k ) is a predicate applied to its arguments, each of which is either a constant or a variable.  Let L 0,...,L n be literals, a sentence in MulVAL is represented as L 0 :- L 1,...,L n  Semantically, it means if L 1,...,L n are true then L 0 is also true.  A clause with an empty body (right-hand side) is called a fact.  A clause with a nonempty body is called a rule.

Exploit rules MulVAL: A logic-based network security analyzer 13  execCode(P, H, UserPriv)  Principal P can execute arbitrary code with privilege UserPriv on machine H  netAccess(P, H, Protocol, Port)  Principal P can send packets to Port on machine H through Protocol Example: remote exploit of a client program execCode(Attacker, Host, Priv) :- vulExists(Host, VulID, Program), vulProperty(VulID, remoteExploit, privEscalation), clientProgram(Host, Program, Priv), malicious(Attacker). * 84% of vulnerabilities are labeled with privilege escalation or only labeled with DoS

Multistage attacks MulVAL: A logic-based network security analyzer 14  if an attacker P can access machine H with Owner’s privilege, then he can have arbitrary access to files owned by Owner.  accessFile(P, H, Access, Path) :- execCode(P, H, Owner), filePath(H, Owner, Path).  if an attacker can modify files under Owner’s directory, he can gain privilege of Owner.  execCode(Attacker, H, Owner) :- accessFile(Attacker, H, write, Path), filePath(H, Owner, Path), malicious(Attacker).

Host Access Control List/ Policy spec MulVAL: A logic-based network security analyzer 15  hacl(Source, Destination, Protocol, DestPort)  Multihop network access  netAccess(P, H2, Protocol, Port) :- execCode(P, H1, Priv), hacl(H1, H2, Protocol, Port).  allow(Principal, Access, Data)  allow(Everyone, read, webPages).  allow(user, Access, projectPlan).  allow(sysAdmin, Access, Data).

Binding information / Algorithm MulVAL: A logic-based network security analyzer 16  hasAccount(user, projectPC, userAccount).  hasAccount(sysAdmin, webServer, root).  dataBind(projectPlan,workstation,’/home’).  dataBind(webPages, webServer, ’/www’).  access(P, Access, Data) :- dataBind(Data, H, Path), accessFile(P, H, Access, Path).  policyViolation(P, Access, Data) :- access(P, Access, Data), not allow(P, Access, Data).

Example MulVAL: A logic-based network security analyzer 17 Security policy: The administrators need to ensure that the confidentiality and the integrity of users’ files will not be compromised by an attacker. allow(Anyone, read, webPages). allow(user, AnyAccess, projectPlan). allow(sysAdmin, AnyAccess, Data).

Hypothetical analysis MulVAL: A logic-based network security analyzer 18  One important usage of vulnerability reasoning tools is to conduct “what if” analysis.  The authors introduce a predicate bugHyp to represent hypothetical software vulnerabilities  vulExists(Host, VulID, Prog) :- bugHyp(Host, Prog, Range, Consequence).  vulProperty(VulID, Range, Consequence) :- bugHyp(Host, Prog, Range, Consequence).

Execution time for hypothetical analysis MulVAL: A logic-based network security analyzer 19 Since the hypothetical analysis goes through all combination of programs to inject bugs, the running time is dependent on both the number of programs and the number of hypothetical bugs.

Related Work MulVAL: A logic-based network security analyzer 20  Old works did not how to automatically integrate vulnerability specifications from the bug-reporting community into the reasoning model.  The difference between Datalog and model-checking is that derivation in Datalog is a process of accumulating true facts.  Since the number of facts is polynomial in the size of the network, the process will terminate efficiently.  Model checking checks temporal properties of every possible state-change sequence.  The number of all possible states is exponential in the size of the network

Related Work (cont’d) MulVAL: A logic-based network security analyzer 21  For network attacks, one can assume the monotonicity property—gaining privileges does not hurt an attacker’s ability to launch more attacks.  If at a certain stage an attacker has multiple choices for his next step, the order in which he carries out the next attack steps is irrelevant for vulnerability analysis under the monotonicity assumption.  While it is possible that a model checker can be tuned to utilize the monotonicity property and prune attack paths that do not need to be examined  model checking is intended to check rich temporal properties of a state-transition system.

Conclusion MulVAL: A logic-based network security analyzer 22  We have demonstrated how to model a network system in Datalog so that network vulnerability analysis can be performed automatically and efficiently.  A simple Prolog programcan perform “what-if” analysis for hypothetical software bugs efficiently.

Comments MulVAL: A logic-based network security analyzer 23  Including all the possible “elements” to describe attack’s behaviors/host configurations/vulnerability/network.  It’s difficult to design a model to fit into all different kinds of attacks.  The “security policy” is a little bit weak (only base on access privilege)?  Limit to vulnerability-exploit attack  Using Prolog is a good design.  “What if” is attractive.