A Security Specification Language (SSL) for Run-Time Policy Enforcement
Topic Area: Design Approaches and Run-Time Assurance for Highly Dynamic Systems
Sandeep Shukla, FERMAT Lab, Centre for Embedded Systems for Critical Applications, Bradley Department of Electrical and Computer Engineering, Virginia Tech, USA. shukla@vt.edu
Caution: This research is in a preliminary state.
Multi-Layer Security
Cyber attacks can happen at any layer of a system:
1. Firmware / HAL
2. System libraries
3. O/S
4. Middleware
5. Application components
Strategies to Cope with Security Vulnerabilities
- Testing for known attacks (e.g., penetration testing)
- Formal static analysis of code for finding known vulnerabilities
- Run-time monitoring for events symptomatic of known attacks
- Correlation of monitored events to determine a higher-order event indicative of an ongoing attack
All of the above are needed.
Monitoring Approach
Identify events or event patterns that would violate the security policy at run time.
What do we need to know for effective monitoring?
- Attack surfaces and threat models
- Security policies that stop threat scenarios from happening
- Monitors: invasive or external
Run-time Monitoring for Security Violations
[Figure: the original application and its target libraries are instrumented; the instrumented target, the instrumented libraries and the compiled policy together form the secured application.]
SCADA Cyber Incidents: Points of Entry
[Bar chart "Point of Entry (Global)", source: RISI Report. Entry points shown: Local - Business Network; Remote Access; Remote - Via Business Network; Remote - Corporate WAN; Local - HMI; Remote - Internet Directly; Local - Communication Channel Media; Remote - Dial-up Modem; Remote - Wireless System; Remote - VPN; Local Access; Local - Programming Terminal; Remote - SCADA Network. Incident counts per entry point range from 2 to 18.]
Detecting Individual Violations Is Not Always Enough
Situational awareness needs event correlation:
- Spatial correlation
- Temporal correlation
- Spatiotemporal correlation
S2ERC - Shukla & Deng
Event Hierarchy
- Primitive events: detectable directly
- First-order events: events composed of primitive events
- nth-order events: events composed of events of order less than n, with at least one (n-1)th-order event
Spatio-Temporal Correlation
- Temporal correlation: a set of events which are partially ordered in time, indicative of an incident
- Spatial correlation: a set of events happening during the same time frame at various locations of the system, indicative of an incident
- Spatio-temporal correlation: a set of events with both temporal and spatial diversity, indicative of an incident
Examples
Temporal: 3 unsuccessful login attempts within a pre-specified time duration (3Faillogin)
- Each unsuccessful login: primitive event
- 3Faillogin: 1st-order event
- More than n 3Faillogin over a period of 12 hours: 2nd-order event
Spatial: 5 hosts indicate a change in memory usage
- Each host's sudden increased memory usage: primitive event
- 5 hosts reporting sudden increased memory usage: 1st-order event
Examples (2)
Spatio-temporal: all 3Faillogins are from 2 distinct IP addresses, and the 2 distinct IP addresses are within the same subnet
- A 2nd-order spatio-temporal event
- Built from a collection of 3Faillogins, each a 1st-order event
- The location information associated with each event supplies the spatial information
Spatio-temporal Correlation
[Figure: temporal event aggregation (event-driven or timeline-driven) collects Event 1, Event 2, Event 3, ..., Event N and feeds a temporal event correlator that produces E1, E2, E3, ..., EN; spatial event aggregation collects Event 1, Event 2, ..., Event N from Process 1, Process 2, ..., Process M and feeds a spatial event correlator over P1, P2, P3, ..., PN and E1, E2, E3, ..., EN.]
Expressing Event Correlation Relations
- How to express first-order events in terms of primitive events
- How to express nth-order events in terms of ith-order events, where i ≤ n-1
- From the intensional expression to extensional monitors: automated monitor synthesis
What is the best choice? Regular expressions? Temporal logic? Separation logic? A combination? The choice must lend itself to automated monitor synthesis.
ECL: Event Correlation Logic
We define a new modal logic based on temporal logic, separation logic and regular expressions.
Example: G([T] #(p) < n)
- G: always
- p: primitive event of interest
- #(p): number of occurrences of p
- T: a time interval; [T]: over that time interval
If the number of events p is n or more over a time period T, then we need to construct a first-order event.
Pseudo-code for the synthesised monitor for G([L](#(p) < n)):

    Start {
        count = 0;
        starttime = CurrentTime;        // open the first window of length L
        monitor(p, L, count);
    }

    monitor(p, L, count) {
        for every occurrence of p {
            if (CurrentTime - starttime < L) {
                count = count + 1;          // still inside the current window
            } else {
                starttime = CurrentTime;    // window expired: start a new one
                count = 1;
            }
            if (count >= n) {
                flag first-order event;     // n or more occurrences within L
                count = 0;                  // start counting afresh
            }
        }
    }
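As an added worked example (not code from the slides), the following Python module implements the monitor synthesised from G([T] #(p) < n) and stacks two instances of it into the event hierarchy of the 3Faillogin example: failed logins are the primitive events, 3Faillogin the first-order event, and a repeat of 3Faillogin within 12 hours the second-order event. Unlike the tumbling window of the pseudo-code, it uses a sliding window so that n occurrences anywhere inside any interval of length T are caught. The window lengths, the bound of 2 repeats, the event field names (`time`, `type`, `src`) and the trace are assumptions made for the example.

```python
from collections import deque


class WindowCountMonitor:
    """Monitor synthesised from G([T] #(p) < n): raise a derived event as soon as
    n occurrences of primitive event p fall inside one sliding window of length T."""

    def __init__(self, primitive, n, window, derived):
        self.primitive = primitive   # type of the event p being counted
        self.n = n                   # bound: n or more occurrences violate the property
        self.window = window         # T, in seconds
        self.derived = derived       # type name of the event raised on a violation
        self.times = deque()         # timestamps of p still inside the current window
        self.raised = []             # every derived event this monitor has flagged

    def observe(self, event):
        """Feed one event; return the derived event if the bound is reached, else None."""
        if event["type"] != self.primitive:
            return None
        now = event["time"]
        self.times.append(now)
        while now - self.times[0] >= self.window:   # expire occurrences older than now - T
            self.times.popleft()
        if len(self.times) < self.n:
            return None
        derived = {"time": now, "type": self.derived, "src": event.get("src")}
        self.raised.append(derived)
        self.times.clear()   # one derived event per group of n occurrences, then count afresh
        return derived


def run_hierarchy(trace, fail_window=60, repeat_n=2, repeat_window=12 * 3600):
    """Two-level hierarchy from the slides' example: faillogin (primitive) ->
    3Faillogin (1st order) -> Repeated3Faillogin (2nd order: repeat_n or more
    3Faillogins within repeat_window). Window sizes and repeat_n are assumptions."""
    first = WindowCountMonitor("faillogin", 3, fail_window, "3Faillogin")
    second = WindowCountMonitor("3Faillogin", repeat_n, repeat_window, "Repeated3Faillogin")
    out = []
    for ev in trace:
        d1 = first.observe(ev)
        if d1 is None:
            continue
        out.append(d1)
        d2 = second.observe(d1)   # 1st-order events are the primitives of the 2nd-order monitor
        if d2 is not None:
            out.append(d2)
    return out


# Constructed trace of failed logins (times in seconds, one host).
TRACE = [{"time": t, "type": "faillogin", "src": "10.0.0.5"}
         for t in (0, 10, 20, 100, 200, 300, 500, 510, 530)]

if __name__ == "__main__":
    for d in run_hierarchy(TRACE):
        print(d["time"], d["type"])
```

On this trace the three failures at 0, 10 and 20 s raise a 3Faillogin; the ones at 100, 200 and 300 s are each more than 60 s apart and raise nothing; the failures at 500, 510 and 530 s raise a second 3Faillogin, which in turn satisfies the second-order monitor. Clearing the window after a raise is a design choice: without it, every further failure inside the window would re-raise the same first-order event.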
A Spatial Correlation Example
G((login@l1 & login@l2 & l1 ≠ l2) -> MultiLogin(l1, l2))
- G: always
- login@l1: a login event at IP address l1
- login@l2: a login event at IP address l2
- l1 ≠ l2: the two addresses are distinct
Whenever the same account logs in from two distinct IP addresses, raise a first-order event called MultiLogin.
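As an added example (not code from the slides), a Python monitor for the MultiLogin rule above, extended with the second-order spatio-temporal event from the earlier example in which the two distinct addresses lie in the same subnet. The "same time frame" of the spatial correlation is taken as a 300 s window, the subnet as a /24, and the event field names (`account`, `src`) and the trace are assumptions made for the example.

```python
import ipaddress


class MultiLoginMonitor:
    """Monitor for G((login@l1 & login@l2 & l1 != l2) -> MultiLogin(l1, l2)):
    raise MultiLogin when one account logs in from two distinct IP addresses
    within `window` seconds (the window length is an added assumption)."""

    def __init__(self, window):
        self.window = window
        self.recent = {}   # account -> [(time, ip), ...] logins inside the window

    def observe(self, event):
        """Feed one event; return a MultiLogin event on a violation, else None."""
        if event["type"] != "login":
            return None
        now, account, ip = event["time"], event["account"], event["src"]
        logins = [(t, a) for (t, a) in self.recent.get(account, []) if now - t < self.window]
        other_ips = {a for (_, a) in logins if a != ip}   # the l1 candidates for this l2
        logins.append((now, ip))
        self.recent[account] = logins
        if not other_ips:
            return None
        return {"time": now, "type": "MultiLogin", "account": account,
                "l1": min(other_ips), "l2": ip}


def same_subnet(l1, l2, prefix_len=24):
    """Spatial predicate: do l1 and l2 lie in the same /prefix_len network?"""
    def net(ip):
        return ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
    return net(l1) == net(l2)


def correlate(trace, window=300):
    """Run the first-order monitor over a trace and derive the second-order
    spatio-temporal event when the two addresses share a subnet."""
    monitor = MultiLoginMonitor(window)
    derived = []
    for ev in trace:
        ml = monitor.observe(ev)
        if ml is None:
            continue
        derived.append(ml)
        if same_subnet(ml["l1"], ml["l2"]):
            derived.append({"time": ml["time"], "type": "MultiLoginSameSubnet",
                            "account": ml["account"], "l1": ml["l1"], "l2": ml["l2"]})
    return derived


# Constructed login trace (times in seconds; private addresses chosen for the example).
TRACE = [
    {"time": 0,    "type": "login", "account": "alice", "src": "10.0.0.5"},
    {"time": 30,   "type": "login", "account": "alice", "src": "10.0.0.9"},     # distinct IP, same /24
    {"time": 40,   "type": "login", "account": "bob",   "src": "10.0.0.7"},
    {"time": 50,   "type": "login", "account": "bob",   "src": "192.168.1.3"},  # distinct IP, other subnet
    {"time": 5000, "type": "login", "account": "alice", "src": "10.0.0.5"},     # earlier logins have expired
]

if __name__ == "__main__":
    for d in correlate(TRACE):
        print(d)
```

The account is the join key that makes this a spatial correlation: the two primitive events are the same kind of event at two locations, and the monitor only needs to remember, per account, which addresses have been active inside the window.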
Proposed Software Architecture for Correlation Monitors
[Figure: at the SCADA control center, a cyber threat monitoring function with an event subscriber server and an event correlation server (.NET, XML, SQL, ODBC) sits alongside the HMI workstations, the SCADA control server and the database/logging facility; over the wide area network, field sites 1, 2, ..., N connect via modems, each hosting event publishers on its RTU, PLC and IED.]
Proposed Correlation System Architecture
[Figure: individual events 1, 2, 3, ..., N are stored in the event database and received by the event subscriber server (first-level products: subscribed events); event mining against the event hierarchy rules in the rule database yields the second-level products (mined events); the correlation engine, running the synthesized monitors, yields the third-level products (correlated events), which feed the cyber threat monitor and the event console.]
Goals of This Work
- Assess major event correlation engines and technologies
- Define an event hierarchy model for specific domains
- Define ECL and the rules of inference in ECL
- Design templates for customizing domain-specific ECLs
- Develop monitor synthesis algorithms and a prototype correlation implementation
- Create a SCADA test bed on our GECO platform (GECO: PSLF and NS-2 co-simulation platform)
- Inject security attacks and check the efficacy of the monitors
- Estimate the latency of communication for time-critical events
- Integrate all the developed algorithms and techniques into a set of tools dedicated to intelligent analysis
Meta Grammar for Policies
The grammar for the meta language is as follows:
Policy ::= Access_Right | Access_Right Policy | Access_Right + Policy | (Policy) | Policy*
Access_Right ::= (Actors : Access_Types : Resources)
Actors ::= Actor | {Actor, Actors}
Resources ::= Resource | {Resource, Resources}
Access_Types ::= Access_Type | {Access_Type, Access_Types}
Actual Policy as CFG
Actors ::= processor1 | processor2 | processa | process | device1
Access_Type ::= read | write | execute | erase | lock
Resource ::= memory_address_range(n1, n2) | device2 | shared_object1 | mutex1
Example 1
ar1 = (process1:{read+write}:memory_address_range(x,y)),
ar2 = (process2:read:memory_address_range(u,v))
(ar1 + ar2)*
Example 2: Bell and LaPadula confidentiality model
ar1 = (process1:{read+write}:range1);
ar2 = (process1:read:range2);
ar3 = (process2:{read+write}:range2);
ar4 = (process2:write:range1);
policy = (ar1 + ar2 + ar3 + ar4)*.
Here range1 is the higher-classified range: process1 may read down into range2 but never write to it, and process2 may write up into range1 but never read it.
Example 3
policy = switch (mode) {
    case preboot: (X:{r+w}:EPROM)*;
    case default: (X:r:EPROM)*;
}
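As an added example (not code from the slides), a small Python parser for the policy notation of the meta grammar and a checker that enforces a parsed policy against a trace of observed accesses; it is run here on Example 2. It supports named access rights in the `(Actors : Access_Types : Resources)` form, with `{a+b}` or `{a, b}` sets, and policies of the shape `(ar1 + ar2 + ...)*`, the starred sum used by all three examples, which it reads as "any sequence of these rights". The general sequencing and grouping alternatives of the grammar, the `switch (mode)` form of Example 3, the function names and the access trace are not on the slides and are assumptions of this example.

```python
import re

# Constructed policy text in the slides' notation (Example 2, the Bell-LaPadula model).
# range1 is the higher-classified range, range2 the lower one.
POLICY_TEXT = """
ar1 = (process1:{read+write}:range1);
ar2 = (process1:read:range2);
ar3 = (process2:{read+write}:range2);
ar4 = (process2:write:range1);
policy = (ar1 + ar2 + ar3 + ar4)*.
"""


def split_top_level(text):
    """Split on '+' and ',' that are not nested inside parentheses, so a
    resource such as memory_address_range(x,y) survives as one token."""
    parts, depth, cur = [], 0, ""
    for ch in text:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
        if ch in "+," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    parts.append(cur)
    return [p.strip() for p in parts if p.strip()]


def parse_set(field):
    """'{read+write}' or '{a, b}' -> {'read', 'write'}; a bare 'read' -> {'read'}."""
    field = field.strip()
    if field.startswith("{") and field.endswith("}"):
        field = field[1:-1]
    return set(split_top_level(field))


def parse_access_right(text):
    """'(Actors : Access_Types : Resources)' -> (actors, types, resources), each a set."""
    m = re.fullmatch(r"\s*\((.*?):(.*?):(.*)\)\s*", text)
    if not m:
        raise ValueError(f"not an Access_Right: {text!r}")
    return tuple(parse_set(part) for part in m.groups())


def parse_policy(text):
    """Parse 'name = (...)' lines plus one 'policy = (ar1 + ar2 + ...)*' line.
    Only that starred-sum policy shape is supported (an assumption of this example)."""
    rights, allowed = {}, None
    for line in text.strip().splitlines():
        name, _, rhs = line.partition("=")
        name, rhs = name.strip(), rhs.strip().rstrip(".;,").strip()
        if name == "policy":
            m = re.fullmatch(r"\((.*)\)\s*\*", rhs)
            if not m:
                raise ValueError(f"unsupported policy shape: {rhs!r}")
            allowed = [rights[n] for n in split_top_level(m.group(1))]
        else:
            rights[name] = parse_access_right(rhs)
    if allowed is None:
        raise ValueError("no policy line")
    return allowed


def permitted(policy, actor, access_type, resource):
    """An access is permitted iff some access right in the policy covers it."""
    return any(actor in a and access_type in t and resource in r for a, t, r in policy)


def check_trace(policy, trace):
    """Run-time enforcement over observed (actor, access_type, resource) accesses:
    return the ones the policy does not permit."""
    return [acc for acc in trace if not permitted(policy, *acc)]


BLP_POLICY = parse_policy(POLICY_TEXT)

# Constructed trace of accesses to check against the policy.
TRACE = [
    ("process1", "read", "range2"),   # read down: permitted
    ("process1", "write", "range2"),  # write down: violation
    ("process2", "write", "range1"),  # write up: permitted
    ("process2", "read", "range1"),   # read up: violation
]

if __name__ == "__main__":
    for violation in check_trace(BLP_POLICY, TRACE):
        print("violation:", violation)
```

Because the policy is compiled into a list of (actors, types, resources) sets, each access check is a handful of set lookups, which is what a compiled policy embedded in an instrumented application needs to be; the two flagged accesses are exactly the read-up and write-down that the Bell-LaPadula model forbids.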
Summary
- Run-time monitoring is a common technique for security
- Monitor synthesis is important for fast deployment
- Event correlation is important for system-level threat detection
- Defining a suitable formal language to capture security policies is an important area of research