Using Model Checking to Analyze Network Vulnerabilities

Ronald W. Ritchey
National Security Team
Booz Allen & Hamilton
Falls Church, Virginia
ritchey_ronald@bah.com

Paul Ammann*
Information and Software Engineering Department
George Mason University
Fairfax, Virginia
pammann@gmu.edu

*Supported in part by the National Science Foundation under grant CCR

Abstract

Even well administered networks are vulnerable to attack due to the security ramifications of offering a variety of combined services. That is, services that are secure when offered in isolation nonetheless provide an attacker with a vulnerability to exploit when offered simultaneously. Many current tools address vulnerabilities in the context of a single host. In this paper we address vulnerabilities due to the configuration of various hosts in a network. In a different line of research, formal methods are often useful for generating test cases, and model checkers are particularly adept at this task due to their ability to generate counterexamples. In this paper, we address the network vulnerability problem with test cases, which amount to attack scenarios, generated by a model checker. We encode the vulnerabilities in a state machine description suitable for a model checker and then assert that an attacker cannot acquire a given privilege on a given host. The model checker either offers assurance that the assertion is true on the actual network or provides a counterexample detailing each step of a successful attack.

1. Introduction

Even well administered networks have difficulty defending against network attacks. One underlying reason is the problem of determining the security ramifications of offering combined services. Many services are perfectly secure when offered in isolation, but when combined with other services result in an exploitable vulnerability. A simple example would be file transfer protocol (ftp) services and hypertext transfer protocol (http) services hosted on the same machine. If the attacker can use the ftp service to write data to a directory that the web server can read, it may be possible for the attacker to cause the web server to execute a program written by the attacker.

There are many tools available to help locate individual vulnerabilities in a host. Programs such as Computer Oracle and Password System (COPS) [7], System Scanner by ISS [9], and CyberCop by Network Associates [12] scan hosts to attempt to discover vulnerabilities in the host configuration. However, they do not attempt to identify how combinations of configurations on the same host or between hosts on the same network can contribute to the vulnerabilities of a network.

A comprehensive view of the overall security of a network requires analysis not only of the vulnerabilities on a single host, but also must take into account the relationships between hosts on a network. Previous work in NetKuang [15] demonstrates the power of extending beyond host-only vulnerability assessment. They accomplished this by developing a distributed version of the rule-based expert system Kuang [2] and extending Kuang's ruleset to include certain specific Unix network security issues. NetKuang is able to successfully discover security problems that are undetectable when searching a single host. NetKuang used a tailor-made search algorithm to accomplish the identification of vulnerabilities; here we employ a more general and more expressive technique based upon model checking.

In this paper we describe a modeling based approach that can be used to analyze the overall security of a network based on the interactions of vulnerabilities within a single host and within a network of hosts. We apply model checking tools to perform this analysis. We present a model that can be used to describe a network's overall vulnerability to attack based on the individual configurations of each host, then demonstrate how model checking can be used to analyze the resulting model to determine the true vulnerability of the system, including how combined services affect the security of the network. We also show how a model checker's ability to produce counterexamples can be used to generate attack scenarios for a vulnerable network.

2. Network exploitation methods

This section presents the network intrusion methodology that we used to develop the model presented in this paper.

2.1. Vulnerability

Breaking into a computer network requires that vulnerabilities exist in the network and that exploits for the vulnerabilities are known. Any network that an attacker has connectivity with will have some level of vulnerability. The goal of network security is to try to limit vulnerability while still allowing the network to fulfill its purpose. Network vulnerability is impossible to entirely eliminate. This is due to several factors. For a network to be useful it must offer services. These services are implemented in software and it is difficult to guarantee that any complex piece of software does not contain some flaws [3]. These flaws frequently translate into security vulnerabilities. If exploitable flaws exist in a service, even if the flaws have not been discovered, they still represent a potential for network intrusion. New security bugs are frequently discovered in server software. The worst possible situation for the security of a network is for an attacker to know about a security flaw in the software that the network relies on that is unknown to the network administrators.

Sometimes, even when a security flaw is known, the operational need to offer a service with the vulnerability supersedes the need for the network to be totally secure. These types of decisions are normally presented as risk versus reward arguments. If the risk of a network intrusion is judged small and the reward or convenience of offering a service is high, many sites may choose to implement services that contain known security flaws.

A network may also contain hosts that are misconfigured. Given the large number of hosts on some networks, it is not surprising that some of them may not be set up to maximize their defenses. Many hosts are administered by the primary user of the system, who may lack the proper training to configure a secure computer system.

2.2. Exploitation

Before an attacker can attempt to break into a computer system several conditions must be met. To start with, the attacker must know a technique (referred to throughout this paper as an exploit) that can be used to attempt the attack. However, knowing the exploit is not enough. Before an exploit can be used its preconditions must be met. These preconditions include the set of vulnerabilities that the exploit relies on, sufficient user rights on the target, sufficient user rights on the attacking host, and basic connectivity. The result of a successful exploit is not necessarily a compromised system; most exploits simply cause an increase in the vulnerability of the network. Results of a successful exploit could include discovering valuable information about the network, elevating user rights, defeating filters, and adding trust relationships among other possible effects. Most successful attacks consist of a series of exploits that gradually increase the vulnerability of the network until the prerequisites of the final exploit are met.

As an example, take the case of a public web server that (1) is using the phf common gateway interface (CGI) program to offer a white pages directory service, (2) does not use a password shadow file, and (3) allows telnet access. A version of phf was distributed with several versions of the NCSA and Apache web servers that allowed an attacker to execute arbitrary commands on the host running the web server at the http daemon privilege level. With the presence of the vulnerable version of phf, the attacker can execute programs at the http daemon privilege level. With this level of access, the attacker can capture the password file for the system. Since no password shadow file is being used, the password file will contain the password hashes. With the password hashes, a password cracking utility can be run by the attacker to potentially reveal the unencrypted password for each user on the system including the root user. With the root password and the ability to log into the system using telnet, the attacker is able to become the root user on the system. Figure 1 shows a state chart illustrating how this would be modeled.

[Figure 1. Example network security analysis for a single host. State chart; state attributes: PHF cgi, no shadow file, pwd hashes known, root pwd known, access level none through root; transitions: PHF (change access level), Capture password hashes (add pwd hashes known), Brute Force Password Cracker Program, telnet login as root (change access level to root).]

Network attackers normally start their work by searching for vulnerabilities on the hosts they can communicate with on the target network. When a vulnerability is discovered they use it to increase the vulnerability level of the host. Once a host is compromised to the point that the attacker has some remote control of it, the host can be used to launch attacks further into the network. This will more than likely include hosts that the attacker can not reach directly. The attacker will use this new point of view to extend the number of hosts that can be searched for vulnerabilities; perhaps discovering new hosts that can eventually be taken over. This process can be continued until the network is fully compromised, the attacker can no longer find additional vulnerabilities to exploit, or the attacker's goals are met.

3. A motivating example

Suppose a small organization has a web server that they use to provide information to their customers. Because this effort has a small budget, public domain software is used to reduce cost. The web server they have chosen to use is the widely used Apache web server [1]. They have installed the web server using the copy that was included on an old RedHat Linux [13] distribution. The version of the Apache server is 1.04. They have also decided to implement a white pages directory service on the web server using the phf program included with the Apache distribution. Because they are a small company they only maintain one network segment, so the web server gets placed on the same segment as their file server. This network structure is shown in figure 2.

[Figure 2. Example network diagram. Labels: Attacker, Internet, Border Router, Public Web Server, Private File Server, Private Workstation, /24]

To protect this private server from the Internet they have installed packet filtering rules on their border router. These rules allow hosts on the Internet to connect to the web server, but not with the private server. Table 1 shows the filtering rules that are being enforced at the border router.

Table 1. Border filtering rules

    Source Address | Destination Address | Action
    Any            |                     | Allow
    /24            | Not                 | Allow
    Any            | Any                 | Deny

External users use web browsers to communicate with the public web server but they are not supposed to have any other access to the network. Private users rely on the private file server to hold their home directories that often contain company proprietary data. These directories are shared with the users of the network using Network File Service (NFS).
They also occasionally use a custom database application located on the file server that they access by remotely logging in to the server using the rlogin command from their workstations.

We use this example to illustrate our technique throughout the remainder of the paper, but first we must discuss model checking in the context of network security.

4. Model checking network security

A model checking specification consists of two parts. One part is the model: a state machine defined in terms of variables, initial values for the variables, and a description of the conditions under which variables may change value. The second part is temporal logic constraints over states and execution paths. Conceptually, a model checker visits all reachable states and verifies that the temporal logic properties are satisfied over each possible path, that is, the model checker determines if the state machine is a model for the temporal logic formula. Model checkers exploit clever ways of avoiding brute force exploration of the state space, for example, see [4]. If a property is not satisfied, the model checker attempts to generate a counterexample in the form of a trace or sequence of states. For some temporal logic properties, no counterexample is possible. For example, if the property states that at least one possible execution path leads to a certain state and in fact no execution path leads to that state, there is no counterexample to exhibit.

The model checking approach to formal methods has received considerable attention in the literature, and readily available tools such as SMV, SPIN, and Murφ are capable of handling the state spaces associated with realistic problems [6]. We use the SMV model checker, which is freely available from Carnegie Mellon University and elsewhere. Although model checking began as a method for verifying hardware designs, there is growing evidence that model checking can be applied with considerable automation to specifications for relatively large software systems, such as TCAS II [5]. Model checking has been successfully applied to a wide variety of practical problems. These include hardware design, protocol analysis, operating systems, reactive system analysis, fault tolerance, and security [8]. The chief advantage of model checking over the competing approach of theorem proving is complete automation. Human interaction is generally required to prove all but the most trivial theorems. The increasing usefulness of model checkers for software systems makes model checkers attractive targets for use in aspects of software development other than pure analysis, which is their primary role today. Model checkers are desirable tools to incorporate because they are explicitly designed to handle large state spaces and they generate counterexamples efficiently. Thus they provide a mechanism to avoid custom building these same capabilities into special purpose tools.

For these reasons, in this paper we encode the security of a computer network in a finite state description and then write assertions in the temporal logic to the effect that an attacker can never acquire certain rights on a given host. We then use the model checker to verify that the claim holds in the model or to generate an attack scenario against the network that shows how the attacker penetrates the system.

There are several advantages to using a model checker over custom built analysis engines for the search problem at the heart of this paper. First, although it is possible in theory to repeat the implementation of a model checker in a security analysis engine, such an approach would require a significant investment of resources and this investment is typically not done [10][15]. As a result, custom analysis methods tend to be more limited, both in the size of the state space that can be handled and in the types of queries that can be posed.
With respect to the latter, we argue that the temporal logics supported by model checkers offer a rich language for specifying security requirements. Put another way, the requirements of a security policy, such as "a certain class of machines should only be accessible by the following types of users", have relatively straightforward translations into temporal logic.

4.1. Description of the model

There are four major elements that make up our network security model.

    - Hosts on the network including their vulnerabilities
    - Connectivity of the hosts
    - Current point of view of the attacker
    - Exploits that can be used to change the state of the model.

Host Description

Hosts are described by their starting set of vulnerabilities and the current access level of the attacker within the host. In our model, a vulnerability is any feature of a system that could possibly be a factor in any exploit attempt. This includes obvious security problems, such as running an outdated version of sendmail. It also includes general configuration information about the host, such as operating system type and version, type of authentication, maximum length of passwords, and network services by software type and version. It is worth reiterating that our definition of vulnerability is quite broad. For our model, vulnerability is any observable system attribute that could possibly be used as a prerequisite for an exploit. Therefore, the domain of the set of vulnerabilities can be defined by the total set of all vulnerabilities that exist in the union of all prerequisites for all exploits known by the model.

Access level is used to determine whether an attacker has the right to execute programs on a host. This can be equated to user group membership. There are two special access levels, none and root. Access level none means the attacker has no ability to execute programs on the host. Access level root means the attacker can execute any program on the host. If access level is not none, the attacker can execute programs with whatever user rights are granted by the current access level. Though we have not shown it in our example, access level can also be used to model denial of service attacks.
This would require a third special case that would reflect a state different from none, but still deny an attacker the ability to attack from the host's point of view.

Connectivity

Connectivity is defined as a host's ability to communicate with other hosts in the model. Because a key security technique is network layer filtering, it is important for the model to be able to represent the connectivity between hosts that remains after all filters that exist between the hosts have been examined. Unlike vulnerabilities and access level, connectivity can not change during the analysis. Instead attacker point of view is used to allow changes in the filtering that may occur upon a successful exploit by an attacker.

Attacker Point of View

Attacker point of view is defined as the host within the model that the attacker is currently attacking from. If an attacker can gain sufficient access to a host, it is possible for the attacker to use the host to launch exploits. This new launch point for the attack may allow the attacker to circumvent network filters. Any host with an access level higher than none may potentially be used to launch an exploit.

Exploits

Exploits are defined by the set of vulnerabilities, source access level, target access level, and connectivity they require, plus the results they have on the state of the model if they are successful. Exploits are used by the model to effect changes to the security of the hosts under analysis. The quality and quantity of exploits encoded in the model have a direct relationship with the quality of the analysis that can be performed with the model.

4.2. Initialization of the model

Four main efforts need to be undertaken to populate our model.

    - Exploit description
    - Host initialization
    - Connectivity description
    - Failure definition.

Exploit Description

Each exploit included in the analysis must be described in terms of its required prerequisite vulnerabilities, required access level on the host being used to launch the attack, required access level on the target of the attack, and results of the attack if the exploit is successful. The prerequisites, source access level, and target access level are converted into a boolean statement that is used to test a host under attack. If the statement is true and the attacker has connectivity to the host, the exploit will succeed and the results for the exploit will be applied to the host. The possible changes to the host include additional vulnerabilities being added to the host and changes to the attacker's current access level on the host. Table 2 shows a sample using the phf exploit.

Table 2. Sample exploit

    Prerequisites:        (Apache version up to OR NCSA version up to 1.5a) AND phf program
    Source Access Level:  ANY
    Target Access Level:  ANY
    Result:               Access level changed to

Host Initialization

The second initialization step for the model is determining which vulnerabilities should be assigned to the hosts that make up the network. This is done by carefully reviewing the configuration of each host. For our example we have conducted this review manually.
It is entirely feasible though to produce tools that would search for the vulnerabilities automatically. Tools that perform host security scanning such as COPS, or Internet Security Systems' System Scanner are good examples of this type of capability. The tool would need to be customized to search for the set of vulnerabilities currently defined by the prerequisites of the model's set of exploits. As new exploits are encoded into the model, the tool would need to be extended to search for any new prerequisites required by the new exploits. Table 3 shows a sample initialization for a typical host.

Table 3. Sample host -- PublicWebServer

    Vulnerabilities:       Solaris version
                           Apache version 1.04
                           count.cgi
                           phf.cgi
                           ftpd
                           dtappgather
    Current Access Level:  None

In addition to the vulnerability list, the initial current access level for each host must be assigned. One of the useful features of our technique is the ability to model different attacker scenarios by modifying the starting value of current access level. For an external attack, access level would normally be set to none for all hosts on the network. If we are trying to model an attack by an employee or other trusted individual, we may want to start the attacker with higher access privileges on some hosts.

Connectivity Description

The third step during the initialization is to decide which hosts can communicate with which hosts. As with host initialization, this step can be automated. There are many network discovery tools available that could be scripted to execute from each host that is to be included in the model. The results could be tabulated to create the network connectivity matrix. A more interesting approach is presented in FANG [10]. Their method builds a model of the network connectivity by analyzing the configuration of each network filtering device that exists on the network. In our SMV example we have modeled connectivity with a boolean matrix that has the distinct disadvantage of not allowing our model to describe partial connectivity. This choice was made to simplify our example. It would be an easy task to add a richer connectivity description to our method that includes common network connectivity details such as port numbers. Table 4 shows the connectivity matrix for our example network.

[Table 4. Connectivity matrix. Rows and columns: Attacker, Border Router, Public Web Server, Private File Server; diagonal entries are N/A.]

Failure Definition

To allow the model checker to know when it has discovered a state worth reporting, the model must include statements that indicate a security failure. These are written as invariant statements in the model checker's temporal logic formula language. In SMV's specification language AG designates a statement that should be true in every state, i.e. an invariant. If we want SMV to verify that an external attacker could never gain access to the file server we would write the following specification statement.

    AG PrivateFileServer.Access = None

If the model checker can reach any state where this statement is false then we know that it is possible for an external attacker to gain some level of access to the private server.

4.3. Analysis method

To perform the analysis, a search is conducted from the initial point of view of the attacker for a host that the attacker can communicate with and that includes all the prerequisite vulnerabilities for one of the exploits known to the model. If these requirements are met, then the model can change state based on the rules defined for the exploit. This could result in additional vulnerabilities being added to the target host's set of vulnerabilities, or changes to the attacker's current access level on the host. If a host exists on the network with an access level above none, the model can also change the attacker's current point of view to the host. In most cases this will change the set of hosts that the attacker can reach. Each of these results represents a change to the state of the model and a general reduction in the security of the network. These changes may allow other exploits to be employed, further reducing the security of the network. Eventually a state will be reached where one of our invariant statements has been violated or no more exploits can be employed.

4.4. Counterexamples

When a model checker is able to prove one of the specification statements untrue, it produces a report detailing the order of states that was required to reach the state that disproves the specification statement. Since every state change in our model is the result of an exploit, the counterexample represents the series of exploits that need to be run to achieve the level of network break-in defined by the security invariant that has been violated. This represents an attacker scenario for the network (see figure 3).

[Figure 3. Counterexample generation]

Taking the example from figure 1, if the security invariant was AG !(host.access = root) then the last state in the figure would prove the invariant false. The counterexample produced by the model checker in this case would duplicate the state list and order that is shown in figure 1.

5. Encoding the example model in SMV

This section will describe how we translated our network model into the SMV [14] model checking language. It is important to note that most of this translation is mechanical; i.e. it is entirely feasible to automate this translation. Indeed this would be required before this technique would be practical for the analysis of real networks. Our technique should be applicable to several model checking tools including SPIN [8] and Murφ [11]. We chose to use SMV because of our previous familiarity with the tool.

5.1. Hosts

As described earlier, hosts are described by their vulnerabilities and the current access level of the attacker on the host. In addition to these we needed to add the exploits that have been used successfully against the host and a host id used to index into the connection matrix. The exploit set is used to allow the model to remember what exploits have been used against a host. Our model uses separate attack and result modules. When an attack is successful, it is recorded in the exploit set. The result module reads this array to determine when the effects of an exploit should be applied to a host. Here is the host module that we used in our example.

    MODULE machine
    VAR
      access : { none, user, root };           -- records current attacker access level
                                               -- on this host
      exploit : array 1..6 of boolean;         -- records which of the six exploits in the
                                               -- model have been used against the host
      hostid : { 1, 2, 3, 4 };                 -- used to index into the rows and columns
                                               -- of the connection table
      vulnerability : array 1..15 of boolean;  -- records which of the 15 vulnerabilities
                                               -- in the model the host currently has

SMV does not support a set variable so we have represented the host's vulnerability set as a boolean array. Each vulnerability known to the system is assigned a unique, sequentially assigned ID that is used to index into the host's vulnerability array. The host's exploit set is similarly implemented.

Each variable in the host must be given specific starting values. Exploits are initialized by setting each value in the array to zero.

    init(exploit[1]) := 0;
    init(exploit[2]) := 0;
    init(exploit[3]) := 0;
    init(exploit[4]) := 0;
    init(exploit[5]) := 0;
    init(exploit[6]) := 0;

Hostid is sequentially assigned to each host and is used to index into the rows and columns of the connectivity matrix. The attacker is assigned hostid one, so the hostid numbering starts at two. Since hostid does not change once it is assigned, we must assign both an initial value and a next value in SMV to prevent the model checker from changing the value.

    init(BorderRouter.hostid) := 2;       next(BorderRouter.hostid) := 2;
    init(PublicWebServer.hostid) := 3;    next(PublicWebServer.hostid) := 3;
    init(PrivateFileServer.hostid) := 4;  next(PrivateFileServer.hostid) := 4;

Vulnerabilities are assigned by examining the total set of vulnerabilities in the model to determine the vulnerabilities that exist for a particular host. Here is a partial initialization for the PublicWebServer vulnerability set.

    init(PublicWebServer.vulnerability[1]) := 1;  -- Apache/1.04
    init(PublicWebServer.vulnerability[2]) := 0;  -- home directories exported rw (ALL)
    init(PublicWebServer.vulnerability[3]) := 0;  -- ftpd
    init(PublicWebServer.vulnerability[4]) := 0;  -- nfsd
    init(PublicWebServer.vulnerability[5]) := 1;  -- No shadow file

It is important to note that the host's exploit and vulnerability arrays are sized based on the total number of exploits and vulnerabilities that are described in the model. If the model must represent a large number of vulnerabilities and exploits these arrays will also be large. Since the addition of vulnerabilities and exploits is a large part of how this model reasons, the size of these arrays has a direct impact on the size of the state space.

Access is set to the appropriate access level for the scenario that is being modeled. For an external attack, access level is normally set to none for all hosts on the network.

    init(PublicWebServer.access) := none;

5.2. Connectivity matrix

The connectivity matrix is used to determine whether a host can communicate with another host. The matrix is represented by an array of an array of boolean values. The host ids for the source and destination hosts are used to index into the rows and columns of the matrix to determine if communication is possible. This example shows the attacker's connectivity being initialized.

    init(connect[1][1]) := 1; next(connect[1][1]) := 1;  -- Attacker to Attacker
    init(connect[1][2]) := 1; next(connect[1][2]) := 1;  -- Attacker to BorderRouter
    init(connect[1][3]) := 1; next(connect[1][3]) := 1;  -- Attacker to PublicWebServer
    init(connect[1][4]) := 0; next(connect[1][4]) := 0;  -- Attacker to PrivateFileServer

5.3. Exploits

Exploits are implemented in two modules of the model, attack and result.

Attack Module

In the attack module, an exploit is described by a case statement that determines whether all of the prerequisites for the exploit have been met. If they are met, the case statement adds the exploit to the host's exploit set. Here is an example of the phf vulnerability exploit implementation in the attack module.

    next(m.exploit[4]) :=                  -- PHF.cgi
      case
        -- Make sure that we are attempting the current exploit
        a = 4 &
        -- Check that we have sufficient connectivity for this exploit
        ( (src = 1 & m.hostid = 1 & conn[1][1]) |
          (src = 1 & m.hostid = 2 & conn[1][2]) |
          (src = 1 & m.hostid = 3 & conn[1][3]) |
          (src = 1 & m.hostid = 4 & conn[1][4]) |
          (src = 2 & m.hostid = 1 & conn[2][1]) |
          (src = 2 & m.hostid = 2 & conn[2][2]) |
          (src = 2 & m.hostid = 3 & conn[2][3]) |
          (src = 2 & m.hostid = 4 & conn[2][4]) |
          (src = 3 & m.hostid = 1 & conn[3][1]) |
          (src = 3 & m.hostid = 2 & conn[3][2]) |
          (src = 3 & m.hostid = 3 & conn[3][3]) |
          (src = 3 & m.hostid = 4 & conn[3][4]) |
          (src = 4 & m.hostid = 1 & conn[4][1]) |
          (src = 4 & m.hostid = 2 & conn[4][2]) |
          (src = 4 & m.hostid = 3 & conn[4][3]) |
          (src = 4 & m.hostid = 4 & conn[4][4]) ) &
        -- Check for required prerequisite vulnerabilities
        m.vulnerability[1] &               -- Apache/1.04
        m.vulnerability[6]                 -- PHF.cgi
          : 1;                             -- Exploit successful
        1 : m.exploit[4];                  -- Exploit failed
      esac;

The a variable tested at the top of the case statement is set at the top of the attack module. It is used to prevent SMV from applying more than one exploit at a time. Before each attack a is nondeterministically assigned a value from 1 to the total number of exploits. This number is used to determine the exploit that the model will attempt next. The next series of statements checks for sufficient connectivity. The nested nature of the check is required because SMV requires that terms on the left hand side of a case statement be static. A statement of the form conn[src][dst] is not allowed because src and dst are variables.
The last check is for the exploit prerequisites. In the case of the PHF exploit, these are a vulnerable version of the Apache web server and a copy of the PHF.cgi program located in the web server's cgi-bin directory.

Result Module

The result module uses the host's exploit array to determine whether to add vulnerabilities to the host and whether to change the attacker's access level on the host. Each vulnerability that may change has a case statement associated with it that checks to see if any exploit that would add the vulnerability has been set on the host. For example, the following code is used to check if the password hashes known vulnerability should be added to the host.

    next(m.vulnerability[7]) :=            -- Password Hashes Known
      case
        m.exploit[3] : 1;                  -- Capture Password Hashes
        1 : m.vulnerability[7];
      esac;

Access level is set by checking for each exploit that causes an access level change.

    next(m.access) :=
      case
        m.exploit[4] |                     -- PHF.cgi OR
        m.exploit[6]                       -- shell login as user
          : user;
        m.exploit[5] : root;               -- shell login as root
        1 : m.access;
      esac;

5.4. Example results

The example network described in Section 3 was translated into our model and presented to SMV. We used the invariant AG !(PrivateFileServer.access = root). The following is the counterexample produced that shows how the PrivateFileServer might be taken over from an external attacker.

    State 2.1:
    many lines of initialization omitted
    source = 1

    state 2.2:
    AttackPublicWebServer.a = 4
    [executing process AttackPublicWebServer]

    state 2.3:
    PublicWebServer.exploit[4] = 1
    AttackPublicWebServer.a = 6
    [executing process ResultPublicWebServer]

    state 2.4:
    PublicWebServer.access = user
    AttackPublicWebServer.a = 3
    [executing process AttackPublicWebServer]

    state 2.5:
    PublicWebServer.exploit[3] = 1
    PublicWebServer.exploit[4] = 0
    AttackPublicWebServer.a = 6
    [executing process ResultPublicWebServer]

    state 2.6:
    PublicWebServer.vulnerability[7] = 1
    AttackPublicWebServer.a = 2
    [executing process AttackPublicWebServer]

    state 2.7:
    PublicWebServer.exploit[2] = 1
    PublicWebServer.exploit[3] = 0
    AttackPublicWebServer.a = 6
    [executing process ResultPublicWebServer]

    state 2.8:
    PublicWebServer.vulnerability[9] = 1
    AttackPublicWebServer.a = 5
    [executing process AttackPublicWebServer]

    state 2.9:
    PublicWebServer.exploit[2] = 0
    PublicWebServer.exploit[5] = 1
    AttackPublicWebServer.a = 6
    [executing process ResultPublicWebServer]

    state 2.10:
    PublicWebServer.access = root
    PublicWebServer.vulnerability[15] = 1
    [stuttering]

    state 2.11:
    source = 3
    AttackPrivateFileServer.a = 5
    [executing process AttackPrivateFileServer]

    state 2.12:
    PrivateFileServer.exploit[5] = 1
    AttackPrivateFileServer.a = 6
    [executing process ResultPrivateFileServer]

    state 2.13:
    PrivateFileServer.access = root
    PrivateFileServer.vulnerability[15] = 1
    [stuttering]

After the initialization state 2.1, the model will start to alternate between running the attack and result modules for the host that is currently under attack. This counterexample starts off attacking the PublicWebServer from the point of view of the external attacker. This can be determined by noting that in state 2.1, source is set to 1 (the attacker) and in state 2.2, the PublicWebServerAttack module is being executed. From state 2.2 through 2.10 the attack and result modules for PublicWebServer are executed one after the other. You can determine which exploit is being attempted in each attack by looking at the value of the a variable. In the result module execution, you can see any resulting change of access or addition of vulnerability applied to the host. The following table illustrates the complete exploit scenario as derived from the counterexample.

Table 5. Counterexample results for the example network

| Source | Target | Exploit | Result |
|---|---|---|---|
| Hacker | PublicWebServer | phf | User access on PublicWebServer |
| Hacker | PublicWebServer | Capture pwd hashes | PublicWebServer's password hashes known to hacker |
| Hacker | PublicWebServer | BruteForcePassword | Hacker knows PublicWebServer's root password |
| Hacker | PublicWebServer | Shell login as root | Hacker's access level on PublicWebServer changed to root |
| PublicWebServer | PrivateFileServer | Shell login as root | Hacker's access level on PrivateFileServer changed to root |

It is interesting to note that when we created this example we had intended that the attacker be forced to use the overly permissive nfs share to add a trust relationship between the PublicWebServer and the PrivateFileServer. We had forgotten that during implementation of the model we had decided that it would be likely that these servers would have BSD trust set up between them. When we ran the analysis we were a bit surprised when the model checker (correctly) omitted the Add BSD trust relationship exploit from its counterexample.
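The search that produces such a counterexample can be sketched outside SMV with a small explicit-state reachability check. The Python below is an added illustration, not the authors' SMV model: the exploit prerequisites, the connectivity links and the fact names are assumptions chosen to match Table 5, and breadth-first search stands in for SMV's symbolic checking.

```python
from collections import deque

NONE, USER, ROOT = 0, 1, 2  # attacker access levels on a host


def make_network(phf_installed=True, bsd_trust=True):
    """Constructed two-host network; topology and flags are assumptions."""
    return {
        # (source, target) pairs that can reach each other
        "links": {("Hacker", "PublicWebServer"),
                  ("PublicWebServer", "PrivateFileServer")},
        # hosts with a vulnerable web server and PHF.cgi in cgi-bin
        "phf": {"PublicWebServer"} if phf_installed else set(),
        # (trusting host, trusted host) BSD trust relationships
        "trusts": {("PrivateFileServer", "PublicWebServer")} if bsd_trust else set(),
    }


def access(state, host):
    """Highest access level the attacker holds on host in this state."""
    return max((f[2] for f in state if f[0] == "access" and f[1] == host),
               default=NONE)


def login_root_ok(net, state, src, tgt):
    """Root login needs the root password, or trust plus root on the source."""
    trusted = (tgt, src) in net["trusts"] and access(state, src) == ROOT
    return ("rootpw", tgt) in state or trusted


# (name, prerequisite check, fact added to the state when the exploit succeeds)
EXPLOITS = [
    ("phf", lambda n, s, src, tgt: tgt in n["phf"],
     lambda tgt: ("access", tgt, USER)),
    ("Capture pwd hashes", lambda n, s, src, tgt: access(s, tgt) >= USER,
     lambda tgt: ("hashes", tgt)),
    ("BruteForcePassword", lambda n, s, src, tgt: ("hashes", tgt) in s,
     lambda tgt: ("rootpw", tgt)),
    ("Shell login as root", login_root_ok,
     lambda tgt: ("access", tgt, ROOT)),
]


def find_counterexample(net, protected, initial=frozenset()):
    """Check AG !(protected = root); return the shortest violating exploit
    sequence as (source, target, exploit) steps, or None if it holds."""
    start = frozenset(initial)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, path = queue.popleft()
        if access(state, protected) == ROOT:
            return path
        for src, tgt in sorted(net["links"]):
            # The attacker can only launch from hosts already controlled.
            if src != "Hacker" and access(state, src) < USER:
                continue
            for name, prereq, effect in EXPLOITS:
                fact = effect(tgt)
                if fact in state or not prereq(net, state, src, tgt):
                    continue
                nxt = state | {fact}
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append((nxt, path + [(src, tgt, name)]))
    return None  # invariant holds on every reachable state


if __name__ == "__main__":
    for step in find_counterexample(make_network(), "PrivateFileServer") or []:
        print("%-16s -> %-18s %s" % step)
```

Rerunning the check with `phf_installed=False` or `bsd_trust=False` returns `None`, which is the assurance case: with either prerequisite removed from the model, no exploit sequence reaches root on the PrivateFileServer.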

6. Conclusion

There are two key features of our analysis technique that we believe provide substantial benefit to the analysis of network security. First, the technique automatically explores the total security ramifications of a vulnerability that is accessible to an attacker. Using this technique it is easy to demonstrate why defense in depth is important in the design of network security. Second, the technique allows multiple attack scenarios to be tested using the same model description. Once the model has been set up it is a trivial modification to show what access can be gained by allowing the attacker to start with different levels of access into the system. To model an inside attack requires that the host the insider would start on have its access level changed to the level appropriate to the user (frequently this would grant root access on this host to the attacker). It may also be interesting to see what level of access an external attacker would have if they already have gained a foothold on one of the network public servers. This is useful to model the results of a new vulnerability being discovered in one of the public services the network offers to external users.

Acknowledgements

The authors are grateful to several people for assistance with the creation of this paper. We would like to specifically thank Brian O Bey and Scott Bike for reviewing the paper and making suggestions concerning the example exploits we should include. We would also like to thank Sharon Ritchey for editing the draft and providing support throughout the duration of this effort.


More information

Gross Trade Accounting, Cross Country Production Sharing and Global Value-Chain

Gross Trade Accounting, Cross Country Production Sharing and Global Value-Chain Go Tade ccounting, Co Count Poduction Shaing and Gloal Value-Chain Zhi Wang United State Intenational Tade Commiion aed on Tacing alue-added and doule counting in go expot Koopmam, Wang and Wei, meican

More information

Improving Network Security Via Cyber-Insurance A Market Analysis

Improving Network Security Via Cyber-Insurance A Market Analysis 1 Impoving Netwok Secuity Via Cybe-Insuance A Maket Analysis RANJAN PAL, LEANA GOLUBCHIK, KONSTANTINOS PSOUNIS Univesity of Southen Califonia PAN HUI Hong Kong Univesity of Science and Technology Recent

More information

Financial Derivatives for Computer Network Capacity Markets with Quality-of-Service Guarantees

Financial Derivatives for Computer Network Capacity Markets with Quality-of-Service Guarantees Financial Deivatives fo Compute Netwok Capacity Makets with Quality-of-Sevice Guaantees Pette Pettesson pp@kth.se Febuay 2003 SICS Technical Repot T2003:03 Keywods Netwoking and Intenet Achitectue. Abstact

More information

PAN STABILITY TESTING OF DC CIRCUITS USING VARIATIONAL METHODS XVIII - SPETO - 1995. pod patronatem. Summary

PAN STABILITY TESTING OF DC CIRCUITS USING VARIATIONAL METHODS XVIII - SPETO - 1995. pod patronatem. Summary PCE SEMINIUM Z PODSTW ELEKTOTECHNIKI I TEOII OBWODÓW 8 - TH SEMIN ON FUNDMENTLS OF ELECTOTECHNICS ND CICUIT THEOY ZDENĚK BIOLEK SPŠE OŽNO P.., CZECH EPUBLIC DLIBO BIOLEK MILITY CDEMY, BNO, CZECH EPUBLIC

More information

Interface Design for Rationally Clocked GALS Systems

Interface Design for Rationally Clocked GALS Systems Intefae Deign fo Rationally Cloked GALS Sytem Joyee Mekie, Supatik Chakaboty, Giih Venkataamani,.S. Thiagaajan, D.K. Shama Mah 15, 2006 Motivation SoC : integation of pedeigned I oe Rationally loked ytem

More information

Channel selection in e-commerce age: A strategic analysis of co-op advertising models

Channel selection in e-commerce age: A strategic analysis of co-op advertising models Jounal of Industial Engineeing and Management JIEM, 013 6(1):89-103 Online ISSN: 013-0953 Pint ISSN: 013-843 http://dx.doi.og/10.396/jiem.664 Channel selection in e-commece age: A stategic analysis of

More information

Instructions to help you complete your enrollment form for HPHC's Medicare Supplemental Plan

Instructions to help you complete your enrollment form for HPHC's Medicare Supplemental Plan Instuctions to help you complete you enollment fom fo HPHC's Medicae Supplemental Plan Thank you fo applying fo membeship to HPHC s Medicae Supplement plan. Pio to submitting you enollment fom fo pocessing,

More information

Anti-Lock Braking System Training Program

Anti-Lock Braking System Training Program COVERST.EPS ac T to $2.50 BS A Anti-Lock Baking System Taining Pogam Student Manual TP-9738 Revised 3-99 Module 1 ABS Components and System Opeation Module 2 ABS Diagnosis and Repai Module 3 ATC Opeation,

More information

Testing Documentation for CCIH Database Management System By: John Reeves, Derek King, and Robert Watts

Testing Documentation for CCIH Database Management System By: John Reeves, Derek King, and Robert Watts Teting Documentation for CCIH Databae Management Sytem By: John Reeve, Derek King, and Robert Watt The teting proce for our project i divided into three part of Unit teting, one part of Integration/Function

More information

Skills Needed for Success in Calculus 1

Skills Needed for Success in Calculus 1 Skills Needed fo Success in Calculus Thee is much appehension fom students taking Calculus. It seems that fo man people, "Calculus" is snonmous with "difficult." Howeve, an teache of Calculus will tell

More information

Firstmark Credit Union Commercial Loan Department

Firstmark Credit Union Commercial Loan Department Fistmak Cedit Union Commecial Loan Depatment Thank you fo consideing Fistmak Cedit Union as a tusted souce to meet the needs of you business. Fistmak Cedit Union offes a wide aay of business loans and

More information

A formalism of ontology to support a software maintenance knowledge-based system

A formalism of ontology to support a software maintenance knowledge-based system A fomalism of ontology to suppot a softwae maintenance knowledge-based system Alain Apil 1, Jean-Mac Deshanais 1, and Reine Dumke 2 1 École de Technologie Supéieue, 1100 Note-Dame West, Monteal, Canada

More information

SUPPORT VECTOR MACHINE FOR BANDWIDTH ANALYSIS OF SLOTTED MICROSTRIP ANTENNA

SUPPORT VECTOR MACHINE FOR BANDWIDTH ANALYSIS OF SLOTTED MICROSTRIP ANTENNA Intenational Jounal of Compute Science, Systems Engineeing and Infomation Technology, 4(), 20, pp. 67-7 SUPPORT VECTOR MACHIE FOR BADWIDTH AALYSIS OF SLOTTED MICROSTRIP ATEA Venmathi A.R. & Vanitha L.

More information

Ou Appoach and Types of attack

Ou Appoach and Types of attack BlueBoX: A Policy diven, Host Based Intusion Detection system Suesh N. Chai Pau Chen Cheng IBM Thomas J. Watson Reseach Cente Yoktown Heights, NY 10598, U.S.A. schai,pau @watson.ibm.com Abstact In this

More information

Evaluating the impact of Blade Server and Virtualization Software Technologies on the RIT Datacenter

Evaluating the impact of Blade Server and Virtualization Software Technologies on the RIT Datacenter Evaluating the impact of and Vitualization Softwae Technologies on the RIT Datacente Chistophe M Butle Vitual Infastuctue Administato Rocheste Institute of Technology s Datacente Contact: chis.butle@it.edu

More information