Introduction to the Common Attack Pattern Enumeration and Classification (CAPEC) Sean Barnum Sunday, December 09, 2018.


1 Introduction to the Common Attack Pattern Enumeration and Classification (CAPEC)
Sean Barnum Sunday, December 09, 2018

2 The Importance of Knowing Your Enemy
- An appropriate defense can only be established if you know how it will be attacked
- Remember! Software Assurance must assume motivated attackers and not simply passive quality issues
- Attackers are very creative and have powerful tools at their disposal
- Exploring the attacker's perspective helps to identify and qualify the risk profile of the software

3 What are Attack Patterns?
- Blueprint for creating a specific type of attack
- Abstracted common attack approaches from the set of known exploits
- Capture the attacker's perspective to aid software developers in improving the assurance profile of their software

4 Leveraging Attack Patterns Throughout the SDLC
- Guide definition of appropriate policies
- Guide creation of appropriate security requirements (positive and negative)
- Provide context for architectural risk analysis
- Guide risk-driven secure code review
- Provide context for appropriate security testing

5 What is CAPEC?
Effort targeted at:
- Standardizing the capture and description of attack patterns
- Collecting known attack patterns into an integrated enumeration that can be consistently and effectively leveraged by the community
- Classifying attack patterns such that users can easily identify the subset of the entire enumeration that is appropriate for their context
Funded by the DHS NCSD
Led by Cigital

6 Current CAPEC Status
- Extensive research performed and underway to identify and evaluate potential resources for creating attack patterns
- Schema definition completed
- In process of fleshing out ~50 preexisting patterns
- In process of identifying and fleshing out new patterns
- In process of analyzing set of identified patterns to develop an appropriate classification taxonomy

7 What do Attack Patterns Look Like?
Primary Schema Elements
- Identifying Information
  - Attack Pattern ID
  - Attack Pattern Name
- Describing Information
  - Description
  - Related Weaknesses
  - Related Vulnerabilities
  - Method of Attack
  - Examples-Instances
  - References
- Prescribing Information
  - Solutions and Mitigations
- Scoping and Delimiting Information
  - Severity
  - Likelihood of Exploit
  - Attack Prerequisites
  - Attacker Skill or Knowledge Required
  - Resources Required
  - Attack Motivation-Consequences
  - Context Description

8 What do Attack Patterns Look Like?
Supporting Schema Elements
- Describing Information
  - Injection Vector
  - Payload
  - Activation Zone
  - Payload Activation Impact
- Diagnosing Information
  - Probing Techniques
  - Indicators-Warnings of Attack
  - Obfuscation Techniques
- Enhancing Information
  - Related Attack Patterns
  - Relevant Security Requirements
  - Relevant Design Patterns
  - Relevant Security Patterns

9 Attack Patterns Example (partial)
Attack Pattern Name: Client-side Injection-induced Buffer Overflow
Description: An attack of this type exploits a buffer overflow vulnerability in targeted client software through injection of malicious content from a custom-built hostile service.
  1. Create a custom hostile service
  2. Acquire information about the kind of client attaching to your hostile service to determine if it contains an exploitable buffer overflow vulnerability.
  3. Intentionally feed malicious data to the client to exploit the buffer overflow vulnerability.
  4. Leverage the exploit to execute arbitrary code or to cause a denial of service.
Attack Prerequisites: Target software must be a client communicating and making requests of a remote service.
Related Weaknesses (CWE_ID, Weakness Name, Weakness Relationship Type):
  - CWE-0120, Unbounded transfer ('classic overflow'), Targeted
  - CWE-0119, Buffer Errors, Targeted
  - CWE-0118, Range errors, Targeted
  - CWE-0020, Input validation, Targeted
  - CWE-0074, Injection, Targeted
Method of Attack: Injection
Attacker Skill or Knowledge Required:
  - Low: To achieve a denial of service, an attacker can simply overflow a buffer by inserting a long string into an attacker-modifiable injection vector.
  - High: Exploiting a buffer overflow to inject malicious code into the stack of a software system or even the heap requires a more in-depth knowledge and higher skill level.
Resources Required: Ability to deploy a custom hostile service for access by targeted clients.
Attack Motivation-Consequences:
  - Run arbitrary code
  - Denial of Service

10 What to Expect Going Forward
- Next step will likely be a draft classification taxonomy in 30 - 60 days
- Draft attack pattern enumeration should be available for review in 3 - 6 months
- Initial release of CAPEC including deployment to publicly available website should be 6 - 9 months

11 Opportunities for Involvement
- Looking for more resources describing attacks
- Looking for new attack patterns
- Looking for added descriptive detail for existing attack patterns including examples
- Looking for help aligning attack patterns to other appropriate knowledge catalogs
- Looking for help identifying new value propositions for CAPEC
- Looking for help spreading the word

12 Additional Explanatory Slides

13 Knowledge: 48 Attack Patterns
- Make the Client Invisible
- Target Programs That Write to Privileged OS Resources
- Use a User-Supplied Configuration File to Run Commands That Elevate Privilege
- Make Use of Configuration File Search Paths
- Direct Access to Executable Files
- Embedding Scripts within Scripts
- Leverage Executable Code in Nonexecutable Files
- Argument Injection
- Command Delimiters
- Multiple Parsers and Double Escapes
- User-Supplied Variable Passed to File System Calls
- Postfix NULL Terminator
- Postfix, Null Terminate, and Backslash
- Relative Path Traversal
- Client-Controlled Environment Variables
- User-Supplied Global Variables (DEBUG=1, PHP Globals, and So Forth)
- Session ID, Resource ID, and Blind Trust
- Analog In-Band Switching Signals (aka "Blue Boxing")
- Attack Pattern Fragment: Manipulating Terminal Devices
- Simple Script Injection
- Embedding Script in Nonscript Elements
- XSS in HTTP Headers
- HTTP Query Strings
- User-Controlled Filename
- Passing Local Filenames to Functions That Expect a URL
- Meta-characters in Header
- File System Function Injection, Content Based
- Client-side Injection, Buffer Overflow
- Cause Web Server Misclassification
- Alternate Encoding the Leading Ghost Characters
- Using Slashes in Alternate Encoding
- Using Escaped Slashes in Alternate Encoding
- Unicode Encoding
- UTF-8 Encoding
- URL Encoding
- Alternative IP Addresses
- Slashes and URL Encoding Combined
- Web Logs
- Overflow Binary Resource File
- Overflow Variables and Tags
- Overflow Symbolic Links
- MIME Conversion
- HTTP Cookies
- Filter Failure through Buffer Overflow
- Buffer Overflow with Environment Variables
- Buffer Overflow in an API Call
- Buffer Overflow in Local Command-Line Utilities
- Parameter Expansion
- String Format Overflow in syslog()

14 Attack Pattern 1: Make the client invisible
- Remove the client from the communications loop and talk directly to the server
- Leverage incorrect trust model (never trust the client)
- Example: hacking browsers that lie

15 Attack Pattern 2: Command delimiters
- Use off-nominal characters to string together multiple commands
- Example: shell command injection with delimiters
  <input type=hidden name=filebase value="bleh; [command]">
  cat data_log_; rm -rf /; cat temp.dat
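The command-delimiter pattern on this slide, worked through from the defender's side as an added example (not from the slides or from CAPEC itself): a POSIX-style tokeniser shows how the injected filebase value becomes three separate commands, and an allowlist plus argv-list construction shows the form that closes the injection vector. The filebase-handling functions and the sample values are hypothetical, constructed for this example.

```python
import re
import shlex
from typing import List

# Constructed sample values for the hidden "filebase" field: a benign one
# and the delimiter-laden one from the slide.
FILEBASE_BENIGN = "20181209"
FILEBASE_INJECTED = "bleh; rm -rf /; cat temp.dat"
SHELL_OPERATORS = {";", "&&", "||", "|", "&"}

def vulnerable_command_line(filebase: str) -> str:
    """Hypothetical weak pattern: the field is pasted into a string meant
    for os.system() / shell=True. Returned here, never executed."""
    return "cat data_log_" + filebase

def shell_commands_seen(command_line: str) -> List[List[str]]:
    """Tokenise as a POSIX shell would (';' etc. become control tokens) and
    group the tokens into the separate commands the shell would run."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    commands: List[List[str]] = []
    current: List[str] = []
    for tok in lexer:
        if tok in SHELL_OPERATORS:
            if current:
                commands.append(current)
            current = []
        else:
            current.append(tok)
    if current:
        commands.append(current)
    return commands

# Hardened form: allowlist the parameter's shape and build an argv list for
# subprocess.run(argv) with no shell, so a delimiter is just a byte in a
# filename rather than the start of a second command.
SAFE_FILEBASE = re.compile(r"[A-Za-z0-9_]{1,32}")

def hardened_argv(filebase: str) -> List[str]:
    if not SAFE_FILEBASE.fullmatch(filebase):
        raise ValueError("filebase rejected by allowlist")
    return ["cat", "data_log_" + filebase]

def is_delimiter_injection(filebase: str) -> bool:
    """Detection check for request logs: would the weak construction have
    turned a single filename field into more than one shell command?"""
    return len(shell_commands_seen(vulnerable_command_line(filebase))) > 1
```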

