Slide1
Attack Graphs and Attack Surface

Slide2
This lecture’s agenda
Objective
  Understand how to “formally” model network-wide threats
  How models can help quantify/pinpoint hidden threats
Specific papers:
  Attack graph, Sheyner et al.
  Network attack surface, Osterweil et al.

Slide3
Motivation
Networks/services/protocols grow rapidly
Increasing complexity
Need to evaluate vulnerability of network as a whole
“Quantitative” techniques

Slide4
Motivation for these papers
Attack graph
  Need “global” view of network threats
  Not just single-hop threats, multi-hop effects
  Expose hidden weaknesses and pointers for better defenses
Attack surface
  How to systematically quantify how secure a system/protocol is
  Help compare proposals

Slide5
Outline for class
Automated generation of attack graphs
Shape and size of threats

Slide6
What can you do with attack graphs?
Risk analysis
Reliability analysis
Uncover hidden multi-stage attacks
Graph metrics on overall threat landscape
Suggest remedial actions

Slide7
State of art in attack analysis
Manual red teams
“Local vulnerabilities”
Network scanners – COPS, Nessus, nmap
Attack graphs
  Each edge is an “atomic” attack
  “Manual, tedious, error prone”

Slide8
Requirements of automated approach
Exhaustive
  i.e., covers all possible attacks
Succinct
  i.e., only contains relevant network states from which intruder reaches goal state

Slide9
High-level view of automation
Model the network
  Specify nodes, edges, goals
Produce attack graph
  e.g., using model checking
Represent back to “human readable” form

Slide10

Slide11
Motivating Scenario
Simple network, 4 atomic attacks
  sshd, ftp rhosts, remotelogin, bufferoverflowlocal
Some stealthy and some detectable
Intruder starts outside and wants to disrupt the database

Slide12
Formal Model
What is a “state”? How to identify relevant states?
What is a transition? How to identify relevant transitions?
How do we determine success states a priori?

Slide13
Algorithm for generation
Define property
  E.g., unprivileged users never touch database?
  E.g., privilege level of adversary on low-level host never gets root
Use model checking to find set of states that have a path to an unsafe state
  For purposes of this class, treat the model checker as a black box, like solving a SAT formula etc.

Slide14
Attack rules
Intruder preconditions
Network preconditions
Intruder effects
Network effects

Slide15

Slide16
Example Attack Graph

Slide17
How to use attack graphs?
Minimal critical sets:
  Find a minimal set of atomic attacks to block
  Analogous to minimum cover problem
Probabilistic reliability analysis:
  What is the best strategy for attacker to attack while being stealthy?
  Analogous to MDP

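The generation step and the minimal-critical-set analysis from the slides above, as an added Python example that is not from the lecture or the Sheyner et al. paper. An explicit-state forward search stands in for the model checker; the two-host topology (web, db), the fact names and the rule preconditions are constructed assumptions.

```python
from collections import deque
from itertools import combinations

# Constructed scenario (assumption): intruder outside, web host in front of db host.
REACH = [("attacker", "web"), ("web", "db"), ("web", "web"), ("db", "db")]
INITIAL = frozenset({"user@attacker"})
GOAL = "root@db"  # unsafe state: intruder holds root on the database host

def atomic_attacks(s, t):
    """Attack rules as (name, preconditions, effects) for source s and target t."""
    if s == t:  # local attack: needs a shell on the host itself
        return [("bufferoverflowlocal", {f"user@{t}"}, {f"root@{t}"})]
    return [
        ("sshd", {f"user@{s}"}, {f"user@{t}", f"root@{t}"}),
        ("ftp rhosts", {f"user@{s}"}, {f"trust@{t}"}),
        ("remotelogin", {f"user@{s}", f"trust@{t}"}, {f"user@{t}"}),
    ]

def attack_graph(blocked=frozenset()):
    """Exhaustive forward search, then keep only edges that can reach the goal."""
    edges, seen, queue = [], {INITIAL}, deque([INITIAL])
    while queue:
        state = queue.popleft()
        if GOAL in state:
            continue  # goal states are terminal
        for s, t in REACH:
            for name, pre, eff in atomic_attacks(s, t):
                nxt = state | eff
                if name in blocked or not pre <= state or nxt == state:
                    continue
                edges.append((state, f"{name}:{s}->{t}", nxt))
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(nxt)
    # Succinctness: walk backward from goal states, one hop per round.
    relevant = {dst for _, _, dst in edges if GOAL in dst}
    for _round in edges:
        relevant |= {src for src, _, dst in edges if dst in relevant}
    return [e for e in edges if e[2] in relevant]

def minimal_critical_sets():
    """Smallest sets of atomic attacks whose removal leaves no path to the goal."""
    names = ["bufferoverflowlocal", "ftp rhosts", "remotelogin", "sshd"]
    for k in range(1, len(names) + 1):
        hits = [set(c) for c in combinations(names, k)
                if not attack_graph(frozenset(c))]
        if hits:
            return hits
    return []
```

In this constructed network no single attack is critical: blocking sshd alone still leaves the ftp rhosts, remotelogin, bufferoverflowlocal chain, so every minimum critical set pairs sshd with one link of that chain.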
Slide18
Limitations of paper
Scalability?
How to identify all states and transitions and properties?
Model checkers may not give all counterexamples?
Liveness properties?

Slide19
Outline for class
Automated generation of attack graphs
Shape and size of threats

Slide20
Attack Surface Motivation
Understand not only vulnerabilities within system but also of dependencies
Sum of system dependencies
  Set of resources that can potentially be exploited to launch an attack
  E.g., if you depend on DNS, SSL to work correctly, it’s part of your attack surface

Slide21
Paper definition
Consider a networked system N
Surface refers to “resources” N uses
  If any of them were compromised/incorrect, N would malfunction

Slide22
Approach to determine Attack Surface
Model N’s control flow graph
Analyze how N gets used in practice
Identify “external” dependencies

Slide23
Concrete contribution
Compare two standards:
  Web PKI model using X.509 certification authority
  DANE or DNS-based named entity authentication

Slide24
CA Verification
Verifies authenticity of binding between certificate and domain name
Each client (RP in their jargon) is pre-installed with trusted root certificates from CAs
Check if there is a chain of signatures leading to a trusted CA

Slide25
CA Verification dependencies
Recursive DNS to find webserver
Get certificate from server
Consult root CA list
Check if revoked
TLS session key generation
Problem: “Rogue” or misconfigured CAs, e.g., DigiNotar example

Slide26
DANE TLSA proposal
Leverage DNSSEC (To be covered later)
DNS request happens anyway!
DANE: publish crypto keys for domains in-band inside DNS instead of CA approach

Slide27
DANE TLSA dependencies
Domain owners control and manage their own verification
Remove CA from the equation
Manage lifecycle of their own keys
Stapling: maps domain name to certificates
Revocation is reportedly simpler

Slide28
Approach
Create process DAG for each proposal
P = set of processes, E = set of edges

Slide29
Is this enough?
No, these are at different granularities
Conceptually different resource types
Need to bring it to some other “atomic” unit
Introduce resource tiers
  Object, session, network delivery (somewhat handwavy)

Slide30
Resource graphs: CA vs DANE

Slide31
Measurement

Slide32
Limitations
Is this the right granularity of modeling processes and edges?
Is the quantified number a fair comparison?
Deployment costs?
Hidden dependencies?
Do they have a vested interest?

Slide33
Takeaways
Attack surface and attack graphs are great abstractions
  Useful to think when you design systems/protocols
Not too much traction in practice
  (My biased view)
  Way too much black art in modeling to get it right

Slide34
Next class!
Midterm
  In class
  SV/RW – we will email the admin the pdf
  Open notes/papers. No laptops or tablets or phones allowed
  May help to create a quick one page cheat sheet!
Good luck!