Combinatorial Analysis of Network Security
Steven Noel a, Brian O'Berry a, Charles Hutchinson a, Sushil Jajodia a, Lynn Kuthan b, and Andy Nguyen b
a George Mason University Center for Secure Information Systems
b Defense Information Systems Agency

ABSTRACT
We extend the traditional analysis of network vulnerability by searching for sequences of exploited vulnerabilities distributed throughout a network. While vulnerabilities considered in isolation may seem innocuous, when considered in combination they may lead to serious security breaches. Our approach establishes encoding rules to reason about interdependent vulnerabilities and exploits. It then reasons about the rules to perform critical failure analysis for a given network. We have developed a prototype software tool for automating the analysis, which can be integrated with existing network security tools such as vulnerability databases and network discovery tools. We demonstrate our approach through an example application. We also perform a scaling experiment to show the performance of our approach for larger networks.

Keywords: Information security, vulnerability analysis, formal methods, model checking

1. INTRODUCTION
In the current state of the art, security vulnerability analysis tools consider individual vulnerabilities, independent of one another. Moreover, they analyze single machines only, in isolation from other machines in the network. But the interdependency of vulnerabilities and the connectivity of a network make such analysis incomplete. While a single vulnerability itself may not pose a significant direct threat to a system, a combination of vulnerabilities may. Thus even well administered networks are vulnerable to attacks, because of the security ramifications of offering a variety of combined services. That is, services that are secure when offered in isolation nonetheless render the network insecure when offered simultaneously. Many current tools address vulnerabilities in isolation and in the context of a single host only. We extend this by searching for sequences of interdependent vulnerabilities, distributed among the various hosts in a network.
The search for sequences of vulnerabilities within a network is very similar to the problem of generating test cases for system verification. For each of these problems, an enumeration of all possible combinations of system inputs is desired. For vulnerability analysis, the system to be tested is a model of the network security attributes and their relationships. Within the area of formal methods, model checkers are particularly adept at generating test cases because of their ability to generate counterexamples. For network vulnerability analysis, test cases generated by a model checker correspond to attack scenarios. We encode the vulnerabilities in a state machine description suitable for a model checker. We then assert via temporal logic that an attacker cannot take a given action on a given host. The model checker either offers assurance that the assertion is true (i.e. that the target is secure), or provides a counterexample detailing each step of a successful attack. Our approach establishes encoding rules to reason about interdependent vulnerabilities and exploits, to perform critical failure analysis for a given network. We have also developed a software tool for automating the analysis. This tool for advanced vulnerability analysis can also be integrated with existing network security tools such as vulnerability databases and network discovery tools.

In the next section, we describe general considerations for network attack. Section 3 then describes our approach for combinatorial analysis of network attack vulnerability. In Section 4, we discuss details for reasoning engines that search for valid combinations of attacker techniques. Section 5 then shows an example application of our approach. Finally, Section 6 performs an experiment to show how our approach scales for larger networks.

Additional author information: S. Noel: snoel@gmu.edu; phone (703) 993-3946; fax (703) 993-1638. B. O'Berry: boberry@gmu.edu; phone (703) 993-3946; fax (703) 993-1638. C. Hutchinson: chuckhutchinson2@yahoo.com; phone (703) 993-3946; fax (703) 993-1638. S. Jajodia: jajodia@gmu.edu; phone (703) 319-0877; fax (703) 993-1638. L. Kuthan: kuthanl@ncr.disa.mil; phone (703) 882-1557; fax (703) 882-2824. A. Nguyen: nguyna@ncr.disa.mil; phone (703) 882-1557; fax (703) 882-2824.

2. CHARACTERISTICS OF NETWORK ATTACK
To advance an attack, the attacker must know various techniques, called exploits. An exploit generally has specific conditions that must exist for it to be successful. Such attack pre-conditions might include the presence of certain vulnerable programs, sufficient user privileges, or a particular form of connectivity to another machine. Successful exploits then generally induce a new set of conditions within the network. Such exploit post-conditions might include elevated user privilege, increased connectivity, or establishment of a trust relationship. The concept of exploit pre- and post-conditions is shown in Figure 1.

[Figure 1: Exploit pre-conditions and post-conditions. Pre-conditions (vulnerabilities, user level, connectivity) feed the exploit; its post-conditions are increased vulnerabilities, increased connectivity, and elevated user level.]

Successful attacks generally consist of a series of exploits that gradually increase the vulnerability of the network, until some final attack goal is reached.
Such attacks are possible because of dependencies among exploits in terms of pre-conditions and post-conditions. That is, a pre-condition of one exploit may be a post-condition of another. Such dependencies form a directed graph in terms of exploits and vulnerabilities, shown in Figure 2. Vulnerabilities generally differ among the various machines in a network. That is, different platforms, configurations, available services, etc. imply different sets of vulnerabilities on the corresponding machines. Thus, various machines may have differing exploit dependency graphs, as shown in Figure 3. In the figure, the arrows between machines show their connectivity. Attackers search for vulnerabilities on the machines with which they have connectivity. Once a target machine is sufficiently compromised, the attacker can launch attacks from it. With this new attack locus, the attacker can extend the number of machines that can be searched for vulnerabilities, perhaps eventually taking control of other machines. The attacker can continue this process until his goal is met, as in Figure 4, or until there are no other vulnerabilities to exploit.
[Figure 2: Interdependencies among exploits.]
[Figure 3: Network-wide vulnerabilities and exploits (exploit dependencies for machine i).]
[Figure 4: Attacker's goal is met.]
3. COMBINATORIAL ANALYSIS OF NETWORK VULNERABILITY
Because of the interdependencies of exploits and their dependence on machine connectivity, a combinatorial approach is necessary for full understanding of attack vulnerability. The traditional approach of considering network components in isolation and reporting vulnerabilities independent of one another is clearly insufficient. Our general approach to the combinatorial analysis of network vulnerability involves rule-based modeling of attacker exploits in terms of exploit pre- and post-conditions. This captures the interdependencies of exploits, including connectivity dependencies. Inference engines then reason about combinations of exploits. That is, assertions are made concerning whether particular attack goals can be met, which are then proven through rule inference. The result is the discovery of attack paths for the assumed attacker goals.

We implement this approach to combinatorial vulnerability analysis through the architecture in Figure 5. In an initial modeling phase, one specifies a rule-based model of network attack. A subsequent reasoning phase determines whether the attack goal can be reached from the initial network state, based on the attack rules. The sequence of steps leading from the initial state to the goal state constitutes an attack path through the network.

[Figure 5: Architecture for combinatorial vulnerability analysis. Modeling phase: the Network Description (XML), Exploits (XML) and Attack Goal (XML) go into the Model Builder, which produces the Model (XML); the Code Generator, driven by an XSL Template, emits the Reasoning Language (SMV). Reasoning phase: the Reasoning Engine produces the Reasoning Results, namely the Attack Path.]

In our implementation of combinatorial vulnerability analysis, attack models are specified in the Extensible Markup Language (XML) [1]. XML is a license-free, platform-independent and well-supported web standard for structuring data. An XML Document Type Definition (DTD) [2] defines the structure of XML documents that serve as valid models for combinatorial vulnerability analysis. From the initial model for network attack, code-generation software generates code for input to a reasoning engine. This process is controlled through a general-purpose code-generation templating language.
This decoupling of the modeling phase and reasoning phase means that the reasoning language can be replaced by merely modifying the code-generation template. No change to the original model specification is necessary.
The particular templating language we employ for code generation is the Extensible Stylesheet Language (XSL) [3]. Stated most simply, an XSL style sheet describes how to display a particular type of XML document. But more generally, XSL provides general-purpose XML processing via the XSL Transformations (XSLT) language. XSL is frequently used to render XML documents as HTML. But we apply it here in a novel way: to render XML documents as input to a reasoning engine. The reuse of XML and XSL leverages existing tools and web infrastructure. It also provides an excellent degree of tool flexibility. In particular, replacing a particular reasoning engine requires simply the development of a new XSL stylesheet.

Figure 6 shows the XML structure of network attack models. XML documents are strictly trees, but we collapse redundant structures to simplify the figure. Here boxes show XML elements, with XML attributes appearing beneath the element names.

[Figure 6: Structure for network attack models. The Attack Model element contains one Network element, Exploit elements (attribute Name) and a Goal. Network contains Machine elements (attributes Machine ID, OS) with sub-elements Program (Name), Access (Type), Privilege (Level) and Connection (Destination, App Layer Type, Trans Layer Type, Net Layer Type, Link Layer Type). Exploit has Precondition and Postcondition sub-elements.]

The element Network specifies the initial configuration of the network under analysis, before any attacker actions. Various existing tools for vulnerability scanning and network discovery can automate the gathering of this information. The Network element is comprised of some number of Machine sub-elements, representing machines within the network. Each Machine element has sub-elements for installed programs, access types (e.g. interactive or file transfer), user privileges, and connections to other machines. Connections are specified at various levels, i.e. link layer through application layer.

The model element Exploit is an action that the attacker can take to diminish network security. In the modeling phase, a network security analyst crafts exploits that model atomic attacker actions. This includes exploits for reported vulnerabilities, taken from archives such as Bugtraq [4].
It also includes attack-expert exploits that have the potential to incrementally advance an attack, in the same way that an actual attacker would. The model element Exploit has sub-elements Precondition and Postcondition for exploit rule pre- and post-conditions. These are Boolean expressions of the various network elements.

The model element Goal is the assumed attack goal, defined as the post-condition of a particular exploit on a given machine. During the reasoning phase, our approach reports whether the attack goal can ever be reached, and if so, the sequence of exploits that lead to it.
4. REASONING ABOUT NETWORK-ATTACK MODELS
Given that we have a security model of a particular network, how do we proceed to reason whether an attacker can successfully attain a certain attack goal? And if the attack is successful, what steps would the attacker need to take? Our approach models exploits as rules with pre-conditions and post-conditions. The conditions are essentially atomic facts, and the application of one exploit typically establishes facts that are the preconditions of other exploits. This general fact-and-rule framework fits well with the way in which hackers attack actual networks; each successful exploit by the attacker leaves the target network vulnerable to a new set of exploits.

There are a variety of possible reasoning mechanisms to determine which attacks are possible. Our current strategy is to use, to the extent possible, existing off-the-shelf tools to solve the reasoning problem. The rationale is that developing a custom reasoning tool for an initial prototype is not the most effective approach. With our approach, we are essentially faced with a verification problem. In particular, we are trying to verify whether a network is immune to attack, at least to the extent of the completeness of the network model. The research community has two basic approaches to solving verification problems. These two approaches are explicit enumeration, implemented by model checkers, and deductive inference, implemented by theorem provers. The chief advantage of model checking [5] is its automatic aspects: after describing a model, one simply runs the model checker essentially without human interaction. An added bonus of the model checking approach is that if a particular conjecture is false, a model checker automatically produces an explicit counterexample. In our case, such a conjecture addresses the security of some host in the network. That is, we conjecture that the network is in some way secure. The counterexample shows why the conjecture is false, i.e. why the network is insecure. Thus the counterexample is effectively an attack path.
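As an added illustration of the fact-and-rule reasoning just described (example code written for this page, not the authors' tool, which generates SMV input from XML), the following Python performs the reasoning phase directly: exploit rules with pre- and post-conditions over atomic facts, a monotonic attacker, and a breadth-first search that either proves the security conjecture or returns a shortest counterexample, i.e. an attack path. The rules are simplified transcriptions of the four exploits of the Section 5 example and the host names follow Figure 7; the fact names, the dns_open switch and the connectivity facts are constructed assumptions.

```python
from collections import deque

# Exploit rules in the fact-and-rule style of Section 4, simplified from
# Exploits #1-#4 of Section 5.  {A} is the attacking host, {V} the victim;
# fact names like conn(...) are constructed here, not the paper's XML schema.
EXPLOITS = [
    ("rmt_su_bof_bind",                       # Exploit #1: BIND overflow
     {"shell({A})", "prog(bind_exploit,{A})", "conn({A},{V},dns)"},
     {"shell({V})", "root({V})"}),
    ("rcp_download",                          # Exploit #2: fetch the root kit
     {"shell({V})", "prog(rcp,{V})", "conn({V},{A},rsh)", "trust({A},{V})"},
     {"prog(rootkit,{V})"}),
    ("rmt_su_bof_lpd",                        # Exploit #3: in.lpd overflow
     {"prog(rootkit,{A})", "conn({A},{V},lpd)"},
     {"shell({V})", "root({V})"}),
    ("rmt_su_bof_dtspcd",                     # Exploit #4: dtspcd overflow
     {"prog(rootkit,{A})", "conn({A},{V},dtspcd)"},
     {"shell({V})", "root({V})"}),
]

def instantiate(templates, a, v):
    """Bind the rule variables A and V to concrete hosts."""
    return {t.format(A=a, V=v) for t in templates}

def applicable(facts, hosts):
    """Yield (step, successor facts) for each exploit instance that fires."""
    for name, pre, post in EXPLOITS:
        for a in hosts:
            for v in hosts:
                if a != v and instantiate(pre, a, v) <= facts:
                    gained = instantiate(post, a, v) - facts
                    if gained:                # monotonic: facts only grow
                        yield (name, a, v), facts | gained

def find_attack_path(initial, hosts, goal):
    """Breadth-first search over fact sets (as SMV searches), so the first
    path found is shortest.  Returns the (exploit, attacker, victim) steps
    reaching `goal`, or None if 'the attacker never reaches goal' holds."""
    start = frozenset(initial)
    queue, seen = deque([(start, [])]), {start}
    while queue:
        facts, path = queue.popleft()
        if goal in facts:
            return path
        for step, nxt in applicable(facts, hosts):
            nxt = frozenset(nxt)
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, path + [step]))
    return None

HOSTS = ["Attack", "Fred", "Barney", "Wilma"]

def example_network(dns_open=True):
    """Constructed initial state for Figure 7: the firewall passes only DNS
    inbound, Fred reaches the attacker's rsh outbound and the inner hosts' lpd
    and dtspcd services."""
    facts = {"shell(Attack)", "prog(bind_exploit,Attack)", "prog(rcp,Fred)",
             "conn(Fred,Attack,rsh)", "trust(Attack,Fred)"}
    if dns_open:
        facts.add("conn(Attack,Fred,dns)")
    for inner in ("Barney", "Wilma"):
        facts |= {f"conn(Fred,{inner},lpd)", f"conn(Fred,{inner},dtspcd)"}
    return facts
```

Calling find_attack_path(example_network(), HOSTS, "root(Barney)") returns the three-step path bind, rcp_download, lpd through Fred, matching Figure 8; with dns_open=False the conjecture holds and None is returned.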
Although model checking began as a method for verifying hardware designs, there is growing evidence that model checking can be applied with considerable automation to specifications for relatively large software systems [6]. The increasing usefulness of model checkers for software systems makes model checkers attractive targets for use in aspects of software development other than pure analysis, which is their primary role today. Model checkers are desirable tools to incorporate because they are explicitly designed to handle large state spaces [7] and they generate counterexamples efficiently. There are a variety of model checkers in the community, but two in particular have achieved broad usage and stability in their respective domains. These two are the SMV model checker [8], which evaluates conjectures in computational tree logic, and the SPIN [9] model checker, which evaluates conjectures in linear temporal logic. Although these two logics are strictly incomparable in expressive power, for our purposes either is more than satisfactory. This is because network security conjectures tend to be simply invariants, e.g. the attacker never obtains root privileges on a particular host.

The chief problem with model checkers is the state explosion problem. That is, models can become so large that the model checker simply cannot finish its computations in a reasonable amount of time. There are a variety of tricks that are used to control the state space, and we may take advantage of various characteristics of the network security problem to control the state space for our problem. For example, most of the activity of the attacker is monotonic, i.e. the attacker typically does not have to lose one privilege to obtain another.

The basic search algorithm for the SMV model checker is breadth first, and the basic search algorithm for the SPIN model checker is depth first. The consequence is that counterexamples in SMV tend to be shorter, and counterexamples in SPIN can easily be unnecessarily long. This argues in favor of SMV, since the network administrator will better understand attack paths if they contain only the significant actions taken by the attacker. In fact, SMV has been applied in early work at George Mason University in this area [10].

We expect to encounter the typical scaling problems associated with model checking. But we also have confidence that useful and interesting networks will ultimately fit inside the SMV tool. If this proves false, we are prepared to look at more powerful inference technologies. However, we don't want to approach logic programming or theorem proving unless really necessary, since these approaches tend to be much more user intensive, and require significant expertise on the part of the network administrator. A further disadvantage of these alternate approaches is that explicit counterexamples are not typically produced. It is worth reiterating that our modular architecture supports automatic language generation for whatever reasoning engine is chosen.

5. EXAMPLE APPLICATION
This section shows attack paths discovered in an example application of our approach. Here the attack goal is to obtain super user shell access, which is the most devastating access level an attacker can gain. Figure 7 shows the network architecture for the example application. The network under attack is protected by a firewall that permits all outbound traffic but blocks all inbound traffic except for the domain name service (DNS). Here we assume that the Fred machine is vulnerable to a hypothetical remote buffer overflow attack in DNS BIND. Figure 8 shows the attack paths discovered for this example. While Fred is the only machine running the vulnerable version of DNS BIND, other machines can be attacked through Fred using other remote buffer overflow attacks.
This ability is despite the fact that the firewall blocks access to the ports associated with the other buffer overflows. The details for the individual exploits in the attack appear below.

Exploit #1 (rmt_su_bof_bind) is the hypothetical buffer overflow exploit, modeled after existing exploits for some versions of BIND. The attacking machine for this initial exploit is Attack, and the victim machine is Fred. The exploit pre-conditions are that the attacker has shell access on his own machine, the program for exploiting the vulnerable version of BIND exists on the attacking machine, and the attacking machine has connectivity to the victim machine's BIND service through the firewall. The post-condition of this exploit is that super user shell access is obtained on the victim machine.

After the ability to execute programs on a remote machine has been obtained, Exploit #2 (rcp_download) is applied to download a root kit. In this case, the attacker has configured his machine to trust the remote machine and allow this exploit. The root kit contains utilities and other tools used to escalate the privilege level to super user. The exploit pre-conditions are: execute access (the ability to run programs) has been obtained on Fred, the rcp program exists on Fred, Fred has connectivity to the Attack machine's rsh service, and Fred is trusted by the Attack machine (as specified in Fred's rhosts file). The exploit postcondition is that root kit programs are copied from the Attack machine.
[Figure 7: Example network under attack. Hosts: Attacker, Firewall, Fred, Barney, Wilma, Router, Betty, Bambam, Router, Pebbles, Dino.]
[Figure 8: Discovered attack paths. Exploit #1 reaches Fred; from Fred, Exploit #2 is followed by Exploit #3 or Exploit #4 against Barney, Wilma, Betty, Pebbles, or Bambam.]

After the root kit has been downloaded on Fred, the print protocol daemon, 'in.lpd' (or 'lpd'), shipped with its operating system may be exploited to allow the attacker to execute arbitrary commands with super user privileges on other hosts. This is Exploit #3 (rmt_su_bof_lpd). Here the attacking machine is Fred, and the victim machine is any of Barney, Wilma, Betty, Pebbles, or Bambam.

After the root kit has been downloaded, a buffer overflow may be exploited through the 'dtspcd' service to allow the attacker to gain administrative privileges on other hosts. This is Exploit #4 (rmt_su_bof_dtspcd), in which the attacking machine is still Fred, and the victim machine is any of Barney, Wilma, Betty, Pebbles, or Bambam. The result of this exploit is that the attacker gains super user access privileges on the victim machine.

6. SCALABILITY OF THE APPROACH
We now investigate scalability for our approach. In particular, we show how execution time increases with model size. This is particularly interesting given the known scaling problems with model checking, which we apply as a reasoning engine.

[Figure 9: Model structure for scalability experiment. An attacker machine sits outside the network; the network under attack consists of machines 1 through n, each with its own vulnerability v_i, and a goal machine holding the attack goal.]
[Figure 10: Model structure for scalability studies. Plot of execution time per number of machines: time t (seconds) against number of machines n, showing the observations and the fit $t(n) = 0.0006\,n^4 - 0.029\,n^3 + 0.540\,n^2 - 3.79\,n + 7.80$.]

Figure 9 shows the model structure that we apply for our scaling experiment. There is a single attack machine, outside the network under attack. The network under attack is fully connected. Each network machine has a single exploit associated with it, which has two pre-conditions that must both be true, and a single post-condition. The scaling parameter for the experiment is the number of machines in the network. In the experiment, we record execution time for increasing numbers of machines in the network. Figure 10 shows the experimental results. A fit of the measured execution times is polynomial, with negligible 4th-order and 3rd-order terms. We conclude that the execution times scale reasonably well. We should point out, however, that memory size is the limiting performance factor in this experiment. We experienced severe memory problems for 50 network machines. In particular, 512 megabytes of memory was insufficient for this problem size. Again, this is a known problem with the model checking approach, and we will consider alternative reasoning engines in the future.

7. CONCLUSION
Our approach extends traditional vulnerability analysis by searching for sequences of exploited vulnerabilities distributed throughout a network. While vulnerabilities considered in isolation may seem innocuous, when considered in combination they may lead to serious security breaches. Indeed, our approach closely follows actual attack patterns, in which a series of exploits incrementally diminishes network security. There are key features of our approach that provide substantial benefit to the analysis of network security. For example, the technique allows multiple attack scenarios to be tested using the same model description, for example to model an insider attack. Once the model has been constructed, it is trivial to show what an attacker can accomplish starting from a different access level on a network host. Also, our approach automatically explores the total security ramifications of vulnerabilities accessible to an attacker. Applying our tool, it is thus easy to demonstrate why defense in depth is important in the design of network security.

REFERENCES
1. Extensible Markup Language (XML), World Wide Web Consortium, http://www.w3.org/xml/.
2. XML DTD Tutorial, XML 101 Web Site, http://www.xml101.com/dtd/default.asp.
3. The Extensible Stylesheet Language (XSL), World Wide Web Consortium, http://www.w3.org/style/xsl/.
4. Bugtraq computer vulnerability archive, http://www.securityfocus.com/.
5. E. Clarke, O. Grumberg, and D. Peled, Model Checking, Cambridge, MA: MIT Press, 2000.
6. W. Chan, R. Anderson, P. Beame, S. Burns, F. Modugno, and D. Notkin, Model Checking Large Software Specifications, IEEE Transactions on Software Engineering, 24(7), pp. 498-520, July 1998.
7. J. Burch, E. Clarke, K. McMillan, D. Dill, and L.J. Hwang, Symbolic Model Checking: 10^20 States and Beyond, in Proceedings of the ACM/SIGDA International Workshop in Formal Methods in VLSI Design, January 1991.
8. Formal Methods Model Checking, Carnegie Mellon, School of Computer Science, http://www.cs.cmu.edu/~modelcheck.
9. G. Holzmann, The Model Checker SPIN, IEEE Transactions on Software Engineering, 23(5):279-295, May 1997.
10. R. Ritchey, P. Ammann, Using Model Checking to Analyze Network Vulnerabilities, in Proceedings of the IEEE Symposium on Security and Privacy (S&P 2000), Berkeley, California, 2000.