Measuring Relative Attack Surfaces Michael Howard, Jon Pincus & Jeannette Wing Presented by Bert Bruce.


Abstract
– Propose metric for measuring relative level of security of 2 systems
– Base measurement is “attack opportunities”
– Measured along 3 dimensions to generate an attack surface
– Larger surface => more attack opportunities => more likely a target

Limitations
– Metric is relative, not absolute
  – Can compare 2 systems
– Restrictions
  – Same environment
  – Same capabilities
  – i.e. 2 releases of same system

Goal
– Measure if a new release of a system has improved its security

Motivation
– Building on previous work of one of the authors
  – He defined 17 attack vectors
  – Defined Relative Attack Surface Quotient (RASQ)
– Current paper adds 3 attack vectors
– Compute RASQ for 5 versions of Windows
– Claim relative security levels agree with anecdotal evidence

RASQ Calculations

Attackability
– Proposed unit of measurement for security
– Higher level than bug count
– Lower level than count of system vulnerabilities reported in bulletins and advisories

Attackability
– Define 3 dimensions to measure
  – Targets and Enablers
  – Channels and Protocols
  – Access Rights
– From these create system’s Attack Surface

System Model
– System to be measured and environment modeled as Finite State Machines
– 3 Key terms
  – Vulnerability – weakness in design, implementation or operation
  – Attack – exploit the vulnerability
  – Threat – the adversary doing the attack

State Models
– Think of System as FSM with states, initial states and transitions
– Threat modeled the same way
– Create new FSM out of union of System and Threat

State Models
– The attacker has Goal States of the System he wants to obtain
– We want to define the system FSM so Goal States can’t be reached

Vulnerabilities
– Look at 2 System FSMs
  – Intended machine (I) & Actual machine (A)
– Behaviors = set of execution sequences of an FSM
– Vulnerabilities = Behavior(A) – Behavior(I)
  – Note: Set difference

Vulnerabilities
– (States of A – States of I) not empty => unintended states
– (Initial states of A – Initial states of I) not empty => we can start actual system where we shouldn’t

Vulnerabilities
– (Action set of A – Action set of I) not empty => A can have unexpected behavior
– (Transition set of A – Transition set of I) not empty => A can have unintended transitions

Attack
– A sequence of action executions which include vulnerabilities and which leads to attacker’s Goal State
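
The set differences and the attack definition from the slides above, as an added example (not from the paper or the presentation). The toy service, its state and action names, and the leftover debug command are constructed for illustration; an "attack" here is the shortest action sequence in the actual machine that reaches the goal state and uses at least one element missing from the intended machine.

```python
from collections import deque

def fsm(states, initial, actions, transitions):
    """Machine as four sets; a transition is (source, action, destination)."""
    return {"states": set(states), "initial": set(initial),
            "actions": set(actions), "transitions": set(transitions)}

def unintended(actual, intended):
    """Componentwise A - I: states, initial states, actions, transitions."""
    return {part: actual[part] - intended[part] for part in actual}

def find_attack(actual, intended, goal):
    """Shortest action sequence in A that reaches `goal` and relies on at
    least one element absent from I; None if no such sequence exists."""
    extra = actual["transitions"] - intended["transitions"]
    # Search nodes are (state, used_vulnerability) pairs; starting in an
    # unintended initial state already counts as using a vulnerability.
    start = [(s, s not in intended["initial"]) for s in sorted(actual["initial"])]
    queue = deque((node, []) for node in start)
    seen = set(start)
    while queue:
        (state, used), path = queue.popleft()
        if state == goal and used:
            return path
        for t in sorted(actual["transitions"]):
            src, action, dst = t
            if src != state:
                continue
            node = (dst, used or t in extra)
            if node not in seen:
                seen.add(node)
                queue.append((node, path + [action]))
    return None

# Constructed toy model of a service as seen by an unauthenticated client.
INTENDED = fsm({"idle", "serving"}, {"idle"}, {"get_page", "done"},
               {("idle", "get_page", "serving"), ("serving", "done", "idle")})
# The actual build also accepts a leftover debug command (hypothetical).
ACTUAL = fsm(INTENDED["states"] | {"admin_session"}, {"idle"},
             INTENDED["actions"] | {"debug_cmd"},
             INTENDED["transitions"] | {("serving", "debug_cmd", "admin_session")})

if __name__ == "__main__":
    print(unintended(ACTUAL, INTENDED))
    print(find_attack(ACTUAL, INTENDED, "admin_session"))
```

Running the same search with the intended machine in both positions returns no path, which is the design goal stated on the State Models slide.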

Dimension #1 Targets and Enablers
– Target – part of system to be controlled
– Enabler – part of system providing means for attack
  – Evaluator – runs attacking code
  – Carrier – embeds attacking code

Dimension #2 Channels and Protocols
– How attacker gets into the system
– Channel
  – Message passing
  – Shared memory
– Protocol – rules for message passing

Dimension #3 Access Rights
– Accounts
  – How many individual, admin, guest
– Trust Relationships
  – Among users and processes
– Privilege Level
– Reducing the dimension = Principle of Least Privilege

Example
– Use actual MS Security Bulletin
– Provide template for describing Vulnerabilities and Attacks
  – Vulnerabilities: describe intended and actual pre and post conditions
  – Attacks: describe goal, resources, preconditions, attack sequence, postconditions

Example
– Use of the preceding model:
  – Some use of FSM transitions in Vulnerability description
  – Resources described in terms of the three dimensions

Attack Surface
– Some complex function of the 5 components of the dimensions
– Authors punt on specific function
– Instead they suggest reducing it by:
  – Reducing values of dimensions
  – Reducing vulnerabilities (Intended - Actual)
  – Reduce types of attacks (better technology)

Attack Surface Metric
– List 20 attack vectors
– Examples:
  – Open port
  – Services running as SYSTEM
  – ActiveX enabled

Attack Surface Metric Calculation
– Each vector given a weight
– “Surfaces” are calculated for 4 vector types
  – Channels
  – Process Targets
  – Data Targets
  – Process Enablers

Attack Surface Metric Calculation
– Each surface is sum of weights of each type of vector
– Total surface is sum of these 4
– I assume this is the RASQ (they don’t make an explicit connection)
– Values of weights are not explained
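
The calculation described on the two slides above, as an added example (not the paper's code or data). The weights, the instance counts for the two releases, the `enabled_account` vector, and the assignment of vectors to the 4 types are all constructed; the example also assumes each instance of a vector contributes its weight. It reports per-vector deltas as well as the single total.

```python
# Constructed integer weights; the slides note the real values are unexplained.
WEIGHTS = {
    "channels":         {"open_port": 10},
    "process_targets":  {"service_running_as_system": 9},
    "data_targets":     {"enabled_account": 7},   # hypothetical vector
    "process_enablers": {"activex_enabled": 6},
}

def surfaces(counts):
    """Per-type surface: sum over that type's vectors of weight * count."""
    return {vtype: sum(w * counts.get(vec, 0) for vec, w in vectors.items())
            for vtype, vectors in WEIGHTS.items()}

def total_surface(counts):
    """Total surface: sum of the 4 per-type surfaces."""
    return sum(surfaces(counts).values())

def vector_deltas(old, new):
    """Change in each vector's contribution from old to new release,
    largest absolute change first (ties broken by vector name)."""
    deltas = []
    for vectors in WEIGHTS.values():
        for vec, w in vectors.items():
            deltas.append((vec, w * (new.get(vec, 0) - old.get(vec, 0))))
    return sorted(deltas, key=lambda d: (-abs(d[1]), d[0]))

# Constructed instance counts for two releases of the same system,
# measured in the same environment with the same capabilities.
RELEASE_1 = {"open_port": 12, "service_running_as_system": 8,
             "enabled_account": 5, "activex_enabled": 1}
RELEASE_2 = {"open_port": 4, "service_running_as_system": 3,
             "enabled_account": 5, "activex_enabled": 0}

if __name__ == "__main__":
    for name, rel in (("release 1", RELEASE_1), ("release 2", RELEASE_2)):
        print(name, surfaces(rel), "total:", total_surface(rel))
    for vec, delta in vector_deltas(RELEASE_1, RELEASE_2):
        print(f"{vec:28s} {delta:+d}")
```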

Results

– Win NT with IIS is much less secure than without it
– Win Server 2003 doesn’t lose much security with IIS on
– Relative security of 3 seems to match the order shown

Analysis of RASQ
– Can’t apply if systems are different
  – RASQ isn’t absolute metric
  – Doesn’t measure over time as features or configurations change
  – Certainly doesn’t apply to different operating systems
– Should focus more on individual attack vectors than a single number

Presenter’s Comments
– A relatively simple idea dressed up in elegant mathematical clothing
– Formalizes stuff we already know
  – Formalization can obfuscate the obvious
– Confusing point: start with 3 dimensions based on 5 factors and end up with 4 surface categories

Presenter’s Comments
– “Surface” => area => product of dimensions
  – Not done here
– More like each term adds a “pixel”, a small patch, to a surface to form total area
– Or each term pokes hole in surface dimension to increase porosity