Presentation is loading. Please wait.

Presentation is loading. Please wait.

Measuring a System’s Attack Surface Yin Shi. Overview Introduction State Machine Model Definitions and Examples Attack Surface Measurement Method Linux.

Published byBritney Campbell Modified over 9 years ago

Similar presentations

Presentation on theme: "Measuring a System’s Attack Surface Yin Shi. Overview Introduction State Machine Model Definitions and Examples Attack Surface Measurement Method Linux."— Presentation transcript:

1 Measuring a System’s Attack Surface Yin Shi

2 Overview Introduction State Machine Model Definitions and Examples Attack Surface Measurement Method Linux Example Discussion Related Work Conclusions

3 Introduction Questions faced by industry today Two measurements are commonly used today by us –At the code level –At the system level (CERT) A new security metric based on the notion of attack surface Not all system resource should be treated equally What is the attack surface? What is the attack class?

4 State Machine Model Informal Overview –Differences from standard state machine We explicitly represent an access matrix in the state of the state machine, allowing us to represent the set of principals explicitly We represent the system itself as a separate entity in our model and not as a principal We distinguish both the threat and the system administrator as system principals different from other system users

5 State Machine Model Formal Definition –M = S is the set of states I  S is the set of initial states A is the set of actions T is the transition relation –Type State is defined as State = Env x Store x Access_Matrix Env = Name → Resource Store = Resource → Value Access_Matrix = Principal x Resource x Rights Principal = {Threat, Administrator, User} Access rights definitions are specific to the system being modeled. ie. Rights = {r, w, x}

6 State Machine Model Formal Definition –A = A S  A T  A A  A U –T  S x A x S For any action a  A, if a.pre and a.post are the pre- and post-conditions of a a.T = {(x, a, x’): S x A x S | a.pre(x)  a.post(x, x’)} T is the union of all such sets, a.T, for each action a  A –A state transition, is the execution of action a in state x resulting in the new state x’

7 Definitions and Examples Definition 1 (Attack) –An attack is a finite sequence of action executions a 1, …, a i, …, a n such that: 1 ≤ i ≤ nai  A; a1  A T; 1 < i ≤ nai  As; and Goal is satisfied in the state reached by M after execution of a n Consider the specification of two actions: –SEND_STRING T and PROCESS_STRING S –A system state is a triple, –x¯, to denote the resource itself –x’, to denote its value in the post-state

8 Definitions and Examples

9 –Give a hypothetical attack The Threat exploits a buffer overrun in a process P running in the system by sending a string X through the channel C whose length exceeds 512. –Res(PROCESS_STRING) = (I, C, E, P) P is the target of attack The post-condition of PROCESS_STRING reflects the vulnerability of the system. The intended behavior for PROCESS_STRING is to display the input string I, no matter what its length.

10 Definitions and Examples

11 Definition 2 (Attack Surface) –The attack surface of the System is the pair, (aAs), where the first component is the set of system actions and the second is the collective set of resource, Res(a), for each system action, a  As –Every system resource can potentially be part of an attack surface. –In reality, not all system resources have the same likelihood of being a target of an attack.

12 Definitions and Examples Definition 3 (Attack Class) –Given a set of properties, Prop, and a set of resource types, Type, let Type_Hierarchy be the subtype hierarchy induced by Prop on Type, ie., Induce (, ). The attack classes of a system are all the types in Type_Hierarchy that are leaf nodes, which have no subtypes of their own. –Ensure that all attack classes are disjoint, will not double count resources –The set of properties specified by the user captures how likely resources of a given type will be attacked.

13 Attack Surface Measurement Method Impractical way –To enumerate the set of system actions of a given system and count the number of resources in each of the action’s resource set. Practical way –Identify the resources that are potential targets, let Type be the set of types –Induce a type hierarchy over the set, Type. Every leaf node is an attack class (Attack_Class) –Define a payoff function, assign payoffs to each attack class –Choose some k attack classes –Compare the two versions of the system with respect to these k attack classes to obtain their relative attack surface exposure

14 Attack Surface Measurement Method Reducing the Attack Surface –Reduce the number of system actions –Remove a known or potential system vulnerability by strengthening the pre- and post-conditions of a system action a  As –Eliminate an entire attack class –Reduce the number of instances of an attack class

15 Linux Example Measuring the attack surface of four versions of the Linux operating system –Consider potential targets of attack (MITRE CVEs) –Induce a type hierarchy –assign payoffs to the attack classes –Assume a higher payoff for an attack class if the resources of that attack class appear a greater number of times in the CVEs –Chose 11 attack classes for attack surface measurement –Count the number of instances of each of the 11 attack classes for four versions

16 Linux Example

17 Different ways to compare the security of different versions of a system –Default comparison: Debian and RH Default Relative security of different versions of system –Customized usage-based comparison: RH Default and RH Facilities Changes in the security level based on its customization –Time-based comparison: RH Facilities and RH used Security level of a system as it changes over time

18 Linux Example

19 Discussion Some General Caveats –Measure the security of a running instance of a system –Unlike a count of the number bugs in the code, it is a dynamic, not static measure –Measure the security of a system in a given configuration. Realize that system’s security level will change as its configuration changes over time.

20 Discussion Advantages using attack surface measurement –Our metric is a relative measure of security. –Our metric can be used to track the security level of the system over time by measuring the attack surface at regular intervals. –Our method of measuring the attack surface leverages our knowledge of and experience with the system.

21 Related Work The use of attack surface to measure the system relative security is a novel idea. –Michael Howard of Microsoft first introduced it for the Windows OS –Choose 10 out of 20 attack classes of Windows –Choose 10 out of 14 attack classes of Linux

22 Related Work

23 Studies focus on vulnerabilities with respect to their discovery –Browne –Beattie Works focus on the vulnerabilities of a system as a measure of its security –Brocklehurst –Alves-Foss –Voas (MTTI) –Ortalo

24 Conclusions Our state machine model is general enough to model the behavior of –The system, the threat, the administrator and the users on the system Our attack surface measurement method can be applied to any system. We view our work as a first step towards a meaningful and practical metric for security measurement. We believe our understanding would lead us to more meaningful and useful quantitative metrics for security measurement.

25 Questions Discussion Questions

Download ppt "Measuring a System’s Attack Surface Yin Shi. Overview Introduction State Machine Model Definitions and Examples Attack Surface Measurement Method Linux."

Similar presentations

1 Verification by Model Checking. 2 Part 1 : Motivation.

1 Verification by Model Checking. 2 Part 1 : Motivation.
Design by Contract.

Design by Contract.
Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.

Giving a formal meaning to “Specialization” In these note we try to give a formal meaning to specifications, implementations, their comparisons. We define.
Microsoft Visual Basic: Reloaded Chapter Seven More on the Repetition Structure.

Microsoft Visual Basic: Reloaded Chapter Seven More on the Repetition Structure.
Ranking of security controlling strategies driven by quantitative threat analysis. Tavolo 2: Big data security evaluation UNIFI-CNR Nicola Nostro, Andrea.

Ranking of security controlling strategies driven by quantitative threat analysis. Tavolo 2: "Big data security evaluation" UNIFI-CNR Nicola Nostro, Andrea.
Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.

Abhinn Kothari, 2009CS10172 Parth Jaiswal 2009CS10205 Group: 3 Supervisor : Huzur Saran.
The Web Warrior Guide to Web Design Technologies

The Web Warrior Guide to Web Design Technologies
ITIL: Service Transition

ITIL: Service Transition
Winter 2007SEG2101 Chapter 41 Chapter 4 SDL – Structure and Behavior.

Winter 2007SEG2101 Chapter 41 Chapter 4 SDL – Structure and Behavior.
Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.

Models and Security Requirements for IDS. Overview The system and attack model Security requirements for IDS –Sensitivity –Detection Analysis methodology.
Can you fool me? Towards automatically checking protocol gullibility Milan StanojevićRatul Mahajan Todd MillsteinMadanlal Musuvathi UCLAMicrosoft Research.

Can you fool me? Towards automatically checking protocol gullibility Milan StanojevićRatul Mahajan Todd MillsteinMadanlal Musuvathi UCLAMicrosoft Research.
1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.

1 Introduction to Computability Theory Lecture11: Variants of Turing Machines Prof. Amos Israeli.
1 Complexity of Network Synchronization Raeda Naamnieh.

1 Complexity of Network Synchronization Raeda Naamnieh.
A State-based Programming Model and System for Wireless Sensor Networks Reporter : Zhi-Yuan Yang 2010/5/24.

A State-based Programming Model and System for Wireless Sensor Networks Reporter : Zhi-Yuan Yang 2010/5/24.
Chapter 15 Chapter 15: Network Monitoring and Tuning.

Chapter 15 Chapter 15: Network Monitoring and Tuning.
6/29/20151 Efficient Algorithms for Motif Search Sudha Balla Sanguthevar Rajasekaran University of Connecticut.

6/29/20151 Efficient Algorithms for Motif Search Sudha Balla Sanguthevar Rajasekaran University of Connecticut.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Introduction to Unix (CA263) Introduction to Shell Script Programming By Tariq Ibn Aziz.

Introduction to Unix (CA263) Introduction to Shell Script Programming By Tariq Ibn Aziz.
Create a Web Site with Frames

Create a Web Site with Frames
Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Methods For The Prevention, Detection And Removal Of Software Security Vulnerabilities Jay-Evan J. Tevis Department of Computer Science and Software Engineering.

Similar presentations

Ads by Google