Measuring Relative Attack Surfaces Jeannette Wing School of Computer Science Carnegie Mellon University Joint with Mike Howard and Jon Pincus, Microsoft.

Slides:



Advertisements
Similar presentations
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems © 2002, Predictive Systems.
Advertisements

Microsoft Windows XP SP2 Urs P. Küderli Strategic Security Advisor Microsoft Schweiz GmbH.
1 Configuring Internet- related services (April 22, 2015) © Abdou Illia, Spring 2015.
DT228/3 Web Development WWW and Client server model.
IIS Technologies.
DT211/3 Internet Application Development Active Server Pages & IIS Web server.
1 Configuring Web services (Week 15, Monday 4/17/2006) © Abdou Illia, Spring 2006.
Introduction to Web Database Processing
Security Awareness: Applying Practical Security in Your World, Second Edition Chapter 3 Internet Security.
DT211/3 Internet Development Application Internet Development Application.
Security Tools CS-480b Dick Steflik. CACLS Windows NT, W2000, XP Displays or modifies access control lists (ACLs) of files.
Using Internet Information Server And Microsoft ® Internet Explorer To Implement Security On The Intranet HTTP.
Introduction to Web Interface Technology (CSE2030)
Information for Developers Windows XP Service Pack 2 Information for Developers.
Introduction to Web Interface Technology (CSE2030)
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
How Clients and Servers Work Together. Objectives Learn about the interaction of clients and servers Explore the features and functions of Web servers.
Computer Security and Penetration Testing
Internet Information Server (IIS)
Jonas Thomsen, Ph.d. student Computer Science University of Aarhus Best Practices and Techniques for Building Secure Microsoft.
Application Layer. Applications A program or group of programs designed for end users. A program or group of programs designed for end users. Software.
Security of Communication & IT systems Bucharest, 21 st September 2004 Stephen McGibbon Chief Technology Officer, Eastern Europe, Russia & CIS Senior Director,
2851A_C01. Microsoft Windows XP Service Pack 2 Security Technologies Bruce Cowper IT Pro Advisor Microsoft Canada.
Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,
Securing Exchange Server Session Goals: Introduce you to the concepts and mechanisms for securing Exchange Examine the techniques and tools.
Working with Applications Lesson 7. Objectives Administer Internet Explorer Secure Internet Explorer Configure Application Compatibility Configure Application.
Guide to Operating System Security Chapter 9 Web, Remote Access, and VPN Security.
INTRODUCTION TO WEB DATABASE PROGRAMMING
To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.
 2000 Deitel & Associates, Inc. All rights reserved. Chapter 24 – Web Servers (PWS, IIS, Apache, Jigsaw) Outline 24.1Introduction 24.2Microsoft Personal.
Web Servers Web server software is a product that works with the operating system The server computer can run more than one software product such as .
Information for Developers Windows XP Service Pack 2 Information for Developers Tony Goodhew Product manager Developer Division Microsoft Corp
MCSE Guide to Microsoft Exchange Server 2003 Administration Chapter Four Configuring Outlook and Outlook Web Access.
Masud Hasan Secue VS Hushmail Project 2.
To receive our video stream in LiveMeeting: - Click on “Voice & Video” - Click the drop down next to the camera icon - Select “Show Main Video” Dial-in.
A Security Review Process for Existing Software Applications
Filtering Out Exploits By Learning Trusted Functionality Martin Rinard Department of Electrical Engineering and Computer Science Computer Science.
Copyright 2000 eMation SECURITY - Controlling Data Access with
3-Protecting Systems Dr. John P. Abraham Professor UTPA.
1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.
CN1176 Computer Support Kemtis Kunanuraksapong MSIS with Distinction MCT, MCTS, MCDST, MCP, A+
Microsoft Internet Explorer and the Internet Using Microsoft Explorer 5.
IIS Security Sridurga Mavram. Contents -Introduction -Security Consideration -Creating a web page -Drawbacks -Security Tools -Conclusion -References.
Security Scanners Mark Shtern. Popular attack targets Web – Web platform – Web application Windows OS Mac OS Linux OS Smartphone.
CSCE 201 Web Browser Security Fall CSCE Farkas2 Web Evolution Web Evolution Past: Human usage – HTTP – Static Web pages (HTML) Current: Human.
Active Server Pages  In this chapter, you will learn:  How browsers and servers interacted on the Internet when the Internet first became popular 
Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.
Measuring Relative Attack Surfaces Michael Howard, Jon Pincus & Jeannette Wing Presented by Bert Bruce.
Section 11: Implementing Software Restriction Policies and AppLocker What Is a Software Restriction Policy? Creating a Software Restriction Policy Using.
The Top 10 Bugs in Windows 2000 From Jesper Johanssen’s W2K Security Vulnerabilities Lecture.
Module 2 – User Safety Privacy Attacks on end users Browser vulnerabilities.
Lecture 16 Page 1 CS 236 Online Web Security CS 236 On-Line MS Program Networks and Systems Security Peter Reiher.
Vulnerability Scanning Vulnerability scanners are automated tools that scan hosts and networks for known vulnerabilities and weaknesses Credentialed vs.
The Problem of State. We will look at… Sometimes web development is just plain weird! Internet / World Wide Web Aspects of their operation The role of.
Measuring a System’s Attack Surface Yin Shi. Overview Introduction State Machine Model Definitions and Examples Attack Surface Measurement Method Linux.
1 Mobile Code l Java Review –Java code is platform independent and runs within a “sandbox”, or a set of restrictions that keep downloaded applets from.
1 Isolating Web Programs in Modern Browser Architectures CS6204: Cloud Environment Spring 2011.
ASP-2-1 SERVER AND CLIENT SIDE SCRITPING Colorado Technical University IT420 Tim Peterson.
Active Directory. Computers in organizations Computers are linked together for communication and sharing of resources There is always a need to administer.
Active X and Signed Applets Chad Bollard. Overview ActiveX  Security Features  Hidden Problems Signed Applets  Security Features  Security Problems.
Vulnerabilities in Operating Systems Michael Gaydeski COSC December 2008.
Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.
Web and Proxy Server.
TMG Client Protection 6NPS – Session 7.
A Security Review Process for Existing Software Applications
Database Driven Websites
Configuring Internet-related services
An Attack Surface Metric
Cross-Site Scripting Issues and Defenses Ed Skoudis Predictive Systems
Designing IIS Security (IIS – Internet Information Service)
Presentation transcript:

Measuring Relative Attack Surfaces Jeannette Wing School of Computer Science Carnegie Mellon University Joint with Mike Howard and Jon Pincus, Microsoft Corporation

2Attack SurfaceJeannette M. Wing Motivation How do we measure progress? –What effect has Microsoft’s Trustworthy Computing Initiative had on the security of Windows? Has it paid off? –What metric can we use to say Windows Server 2003 is “more secure’’ than Windows 2000? One approach: Howard’s Relative Attack Surface Quotient (RASQ)

3Attack SurfaceJeannette M. Wing Attackability System’s Surface (e.g., API) Attacks Intuition Reduce the ways attackers can penetrate surface Increase system’s security

4Attack SurfaceJeannette M. Wing Relative Attack Surface Intermediate level of abstraction –Impartial to numbers or types of code-level bugs, e.g., #buffer overruns –More meaningful than counts of CVE/MSRC/CERT bulletins and advisories Focus on attack vectors –Identify potential features to attack, based on past exploits Features to Attack * Security Bugs = Exploits –Fewer features to attack implies fewer exploits Focus on relative comparisons

5Attack SurfaceJeannette M. Wing 20 RASQ Attack Vectors for Windows [Howard03] Open sockets Open RPC endpoints Open named pipes Services Services running by default Services running as SYSTEM Active Web handlers Active ISAPI Filters Dynamic Web pages Executable vdirs Enabled accounts Enabled accounts in admin group Null Sessions to pipes and shares Guest account enabled Weak ACLs in FS Weak ACLs in Registry Weak ACLs on shares VBScript enabled Jscript enabled ActiveX enabled

6Attack SurfaceJeannette M. Wing Relative Attack Surface Quotient  v  AV |V||V| vv where v attack vector  v weight for attack vector AV set of attack vectors simplistic count

7Attack SurfaceJeannette M. Wing RASQ Computations for Three OS Releases Windows NT 4Windows 2000Windows Server 2003 Windows Server 2003 is “more secure” than previous versions.

8Attack SurfaceJeannette M. Wing What’s Really Going On?

9Attack SurfaceJeannette M. Wing Informal Definitions A vulnerability is an error or weakness in design, implementation, or operation. - “error” => actual behavior – intended behavior An attack is the means of exploiting a vulnerability. –“means” => sequence of actions A threat is an adversary motivated and capable of exploiting a vulnerability. –“motivated” => GOAL –“capable” => state entities (processes and data) [Schneider, editor, Trust in Cyberspace, National Academy Press, 1999]

10Attack SurfaceJeannette M. Wing State Machines M = Sset of states s  S, s: Entities  Values I  Sset of initial states Aset of actions Ttransition relation Execution of action a in state s resulting in state s’ ss’ a  T We will use a.pre and a.post for all actions a  A to specify T.

11Attack SurfaceJeannette M. Wing Behaviors An execution of M s 0 a 1 s 1 a 2 … s i-1 a i s i … –s 0  I,  i > 0  T –infinite or finite, in which case it ends in a state. The behavior of state machine M, Beh(M), is the set of all its executions. The set of reachable states, Reach(M), …

12Attack SurfaceJeannette M. Wing System-Under-Attack System = Threat = System-Under-Attack = (System || Threat) X GOAL || denotes parallel composition of two state machines, interleaving semantics GOAL –Predicate on state –Intuitively, adversary’s goal, i.e., “motivation”

13Attack SurfaceJeannette M. Wing Vulnerabilities Actual = Intend = Vul = Beh(Actual) – Beh(Intend) Actual Intend bad good (exploitable) T act – T int   For some action a  A act  A int a int.pre  a act.pre, or a int.post  a act.post I act – I int   Informally, we’ll say “a is a vulnerability.”

14Attack SurfaceJeannette M. Wing System-Under-Attack (Revisited) Actual = Intend = Threat = Adversary can achieve GOAL: System-Under-Attack = (Actual || Threat) X GOAL Adversary cannot achieve GOAL: System-Under-Attack = (Intend || Threat) X GOAL

15Attack SurfaceJeannette M. Wing Attacks in (Actual || Threat) X GOAL An attack is a sequence of action executions s0s0 snsn such that s 0  I GOAL is true in s n There exists 1  i  n such that a i is a vulnerability. a 1 a 2 a 3 … a i … a n

16Attack SurfaceJeannette M. Wing Elements of an Attack Surface: State Entities Running processes, e.g., browsers, mailers, database servers Data resources, e.g., files, directories, registries, access rights –carriers extract_payload: carrier -> executable E.g., viruses, worms, Trojan horses, messages, web pages –executables multiple eval functions, eval: executable -> unit – applications (Word, Excel, …) – browsers (IE, Netscape, …) – mailers (Outlook, Oulook Express, Eudora, …) – services (Web servers, databases, scripting engines, …) – application extensions (Web handlers, add-on dll’s, ActiveX controls, ISAPI filters, device drivers, …) – helper applications (dynamic web pages, …)

17Attack SurfaceJeannette M. Wing Targets and Enablers Target –Any distinguished data resource or running process used or accessed in an attack. “distinguished” is determined by security analyst and is likely to be referred to in Goal. data targetprocess target Enabler – Any state entity used or accessed in an attack that is not a data or process target.

18Attack SurfaceJeannette M. Wing Channels and Protocols Channels: means of communication –Message passing Senders and receivers E.g., sockets, RPC endpoints, named pipes –Shared memory Writers and readers E.g., files, directories, and registries Protocols: rules for exchanging information –Message passing E.g., ftp, RPC, http, streaming –Shared memory E.g., single writer blocks all other readers and writers

19Attack SurfaceJeannette M. Wing Access Rights Access Rights  Principals X Objects X Rights where Principals = Users  Processes Objects = Processes  Data Rights, e.g., {read, write, execute} Derived relations –accounts, which represent principals special accounts, e.g., guest, admin –trust relation or speaks-for relation [LABW92] E.g., ip1 trusts ip2 or Alice speaks-for Bob –privilege level E.g., none < user < root

20Attack SurfaceJeannette M. Wing Attack Surface Dimensions: Summary Channels x Protocols message passing, shared memory RPC, streaming, ftp, R/W, … Access Rights Principals x Objects x Rights Targets & Enablers Processes Data - carriers - executables server-client web connection C Zone Z MSHTML (process target) Browser B (process enabler) Extracted payload E (executable, enabler) HTML document D (carrier, enabler) HTTPD web server W (process enabler)

21Attack SurfaceJeannette M. Wing Reducing the Attack Surface ColloquialFormal Eliminate an eval function for one data type. Avoid giving any executable as an arg to an eval. Eliminate entire types of targets, enablers, channels; restrict access rights. Strengthen post-condition of actual to match intended. Strengthen pre-condition of actual to match intended. Increase likelihood that the authentication mechanism’s pre-condition is met. Turn off macros Block attachments in Outlook Secure by default Check for buffer overruns Validate your input. Change your password every 90 days.

22Attack SurfaceJeannette M. Wing Attack Surface Dimensions: Summary Channels x Protocols message passing shared memory Access Rights Principals x Objects x Rights Targets & Enablers Processes Data - carriers - executables

Examples

24Attack SurfaceJeannette M. Wing MS Cumulative Patch for Internet Explorer (vulnerability 1) Informally: An HTML document (a web page sent back from a server or HTML ) can embed another object using the EMBED tag the processing for this tag involves a buffer overrun so a well-crafted (valid, but long) tag can lead to arbitrary code execution within the security context of the user.

25Attack SurfaceJeannette M. Wing MS02-005(1): Vulnerability Action: Action: MSHTML processes HTML document D in zone Z Intended Precondition: true Actual Precondition: D contains => length(X) <= 512 Intended Postcondition: [D contains and "Run ActiveX Controls and Plugins" is enabled for Z] => display(X) // and many other clauses... Actual Postcondition (due to non-trivial precondition): [D contains and "Run ActiveX Controls and Plugins" is enabled for Z] => [length(X) > 512 & extract_payload(X) = E] => [E.pre => E.post] and [length(X) display(X) // and many other clauses...

26Attack SurfaceJeannette M. Wing MS02-005(1): Web server attack on client ResourceCarrier?Channel?Target? HTTPD (Web server; process) Server-client web connection CMsg Passing Browser (process) B HTML document DY MSHTML (process)Y Goal: execute arbitrary code on client via browser

27Attack SurfaceJeannette M. Wing MS02-005(1): Web Server Attack Details Preconditions (for attack): –victim requests a web page from adversary site S –victim has mapped S into zone Z –victim has "Run ActiveX Controls and Plugins" security option enabled for zone Z –adversary creates HTML document D with a maliciously-formatted embed tag, where length(X) > 512 and extract_payload(X) = E Actions: 1.S sends HTML document D to browser B over connection C 2.B passes D to MSHTML (with zone = Z) 3.MSHTML processes D in zone Z. Postcondition (result of attack): arbitrary effects (due to post-condition of evaluating E)

28Attack SurfaceJeannette M. Wing MS02-005(1): HTML mail attack ResourceCarrier?Channel?Target? Mail server S Server-client mail connection CMsg Passing Outlook Express (process) OE HTML document DY MSHTML (process)Y Goal: execute arbitrary code on client via OE

29Attack SurfaceJeannette M. Wing MS02-005(1): Web Server Attack Details Preconditions (for attack): –victim able to receive mail from adversary –victim receives HTML in zone Z (where Z != “Restricted Zone”) –victim has "Run ActiveX Controls and Plugins" security option enabled for zone Z –adversary creates HTML document D with a maliciously-formatted embed tag, where length(X) > 512 and extract_payload(X) = E Actions: 1.adversary sends HTML document D to victim via (via C) 2.victim views (or previews) D in OE 3.OE passes D to MSHTML (with zone = Z) 4.MSHTML processes D in zone Z. Postcondition (result of attack): arbitrary effects (due to post-condition of evaluating E)

Estimating attack surface, revisited

31Attack SurfaceJeannette M. Wing Measuring the Attack Surface surface_area = f (targets, enablers, channels, access rights) f is defined in terms of –relationships on targets, enablers, channels, … E.g., number of channels per instance of target type. –weights on targets, enablers, channels, … E.g., to reflect that some targets are more critical than others or that certain instances of channels are less critical than others. –Likely to be some function of targets, enablers, channels “subject to” the constraints in access rights.

32Attack SurfaceJeannette M. Wing Mike’s Sample Attack Vectors Channels: Open sockets Open RPC endpoints Open named pipes Null Sessions to pipes and shares Process Targets: Services Services running by default * Services running as SYSTEM * Active Web handlers Active ISAPI Filters Data Targets: Dynamic Web pages Executable vdirs Enabled Accounts Enabled Accounts in admin group * Guest account enabled * Weak ACLs in FS * Weak ACLs in Registry * Weak ACLs on shares * * = constrained by access rights

33Attack SurfaceJeannette M. Wing Computing RASQ (Mike’s model) RASQ = surf ch + surf pt + surf dt where surf ch = channel surface surf pt = process target surface surf dt = data target surface (each as constrained by access rights)

34Attack SurfaceJeannette M. Wing Computing “channel surface” (Mike’s model) chtypes = { socket, endpoint, namedpipe, nullsession } |c| surf ch = [   weight(c i ) ]  A c ε i = 1 chtypes Where weight(s: socket) = 1 weight(e: endpoint) = 0.9 weight(n: namedpipe) = 0.8 weight(n: nullsession) = 0.9

35Attack SurfaceJeannette M. Wing Computing “process target surface” (Mike’s model) pttypes = { service, webhandler, isapi, dynpage } |p| surf pt = [   weight(p i ) ]  A p ε i = 1 pttypes Where weight(s: service) = default (s) + admin (s) where default (s) = 0.8 if s = default, 0 otherwise admin (s) = 0.9 if s = admin, 0 otherwise weight(w: webhandler) = 1.0 weight(i: isapi) = 1.0 weight(d: dynpage) = 0.6

36Attack SurfaceJeannette M. Wing Computing “data target surface” (Mike’s model) dttypes = { accounts, files, regkeys, shares, vdirs} |d| surf dt = [   weight(d i ) ]  A d ε i = 1 dttypes Where weight(a: account) = admin(a) + guest(a) where admin(a) = 0.9 if a  AdminGroup, 0 otherwise guest(a) = 0.9 if a.name = “Guest”, 0 otherwise. weight(f: file) = 0.7 if weakACL(f), 0 otherwise weight(r: regkey) = 0.4 if weakACL(r), 0 otherwise weight(s: share) = 0.9 if weakACL(s), 0 otherwise weight(v: vdir) = 1.0 if v is executable, 0 otherwise

37Attack SurfaceJeannette M. Wing RASQ Computations for OS Releases Windows NT 4Windows 2000Windows Server 2003 RASQRASQ with IIS enabledRASQ with IIS Lockdown 2. Windows w/IIS enabled is only slightly worse for Windows Server 2003, in contrast to its predecessors. 1. Windows Server 2003 is “more secure” than previous versions. 3. Windows in “lockdown” mode for NT4.0 and 2000 are each more secure than raw mode.

38Attack SurfaceJeannette M. Wing MS02-005a: Cumulative Patch for IE 1.HTTPD web server W sends document D to browser B over connection C. 2.B passes D to MSHTML in zone Z. 3.MSHTML processes D in zone Z, extracting and evaluating E. Attack Sequence: = Actual Behavior – Intended Behavior Actual Behavior: D contains  “Run ActiveX Controls” is enabled for Z  length(X) > 512 => extract_payload(X) = E and eval(E) Intended Behavior: D contains  “Run ActiveX Controls” is enabled for Z => display(X) Attacker’s Goal: Execute arbitrary code E on client V ulnerability extract_payload: carrier  executable eval: executable  ()

39Attack SurfaceJeannette M. Wing Caveats RASQ numbers are for a given configuration of a running system. –They say NOTHING about the inherent “security” of the system after you’ve turned on the features that were initially off by default! It’s better to look at numbers for individual attack vector classes rather than read too much into overall RASQ number. Mustn’t compare apples to oranges. –Attack vectors for Linux will be different than those for Windows. –Threat models are different.

40Attack SurfaceJeannette M. Wing Short-term technical challenges Missing some vectors (ActiveX, enablers like scripting engines, etc.) –Approach: analyze MSRC bulletins “not all sockets are created equal” –Approach: include notion of protocols in RASQ Does it really mean anything? –Approach: validate with lockdown scenarios, Win2k3 experiences

41Attack SurfaceJeannette M. Wing Research opportunities Research on RASQ –Measurement aspects: “weights”, combining by adding –Applying to things other than the OS –Extend to privacy (PASQ?) –Finer granularity than “whole system” What things compose? Related areas –Interactions with threat modeling, attack graphs –Identifying opportunities for mitigation –Relating to architecture and design principles

Feedback: Privacy Policy Feedback
Do Not Sell My Personal Information
About project: SlidePlayer Terms of Service

© 2025 SlidePlayer.com. Inc. All rights reserved.