
JIGSAW – Attack Modeling Language


Presentation Transcript


  1. JIGSAW – Attack Modeling Language
     Steven J. Templeton
     U.C. Davis Security Lab
     Global Guard - U.C. Davis Security Lab

  2. JIGSAW – Origins
     • Language as a means of:
       • Organizing thinking about attacks
       • Expressing attack/security concepts in a convenient way to reason about
     • Language based on abstract attack concepts, program/protocol specifications, system configuration
     • Emphasis is not on detecting new, low-level vulnerabilities, but on how these plus system information could be combined into sophisticated multi-stage attacks.
     • Of particular interest is detecting new attacks.
     • Relies on sensor input detecting specific system events or known attacks, i.e. CIDF GIDOs.

  3. Concept Structure
     [Diagram of a concept's structure, using RSH Connection Spoofing as the example: Requires (DOS, SeqNumProbing, Spoofed Packet Send) -> Where -> Concept (RSH Connection Spoofing) -> Report (Transfer Channel, Remote Execution) -> Action (Send CIDF Report, Audit RSH packet data)]

  4. Concept Framework
        concept <concept_name>
           extends    #- list of concepts on which this concept is based
           requires   #- labeled list of reports or domain data used in concept
           where      #- correlate assertions on attributes
           report     #- expresses details of positive correlations seen
           action     #- external actions
        end.

  5. requires - events needed
     #- Specifies the reports or domain specifications required
     #- Specifies label bindings
     e.g.
        concept Propagate
           requires
              Push_Transfer_Channel: PUTC   #- subscribed report
              Remote_Execution: RE          #- subscribed report
              Pull_Transfer_Channel: PLTC   #- subscribed report
              …
     e.g.
        concept Buffer_Overflow
           requires
              Buffer_Overflow_Detected: BOD #- subscribed report
              …
     #- The requires section lists the types of reports the concept, as an agent, wishes to subscribe to.

  6. requires - (continued)
     e.g.
        concept Linux5.1-IMAP_buffer_overflow
           requires
              Host_Info: HI                            #- domain knowledge
              Linux_5.1_IMAP_attach_detected: L51IMAP  #- subscribed report
              …
     e.g.
        concept IIS_List_Overflow_Attack
           requires
              Host_Info: HI                            #- domain knowledge
              IIS_List_Overflow_Detected: IISLOD       #- subscribed report
              IIS_Access: IISA                         #- subscribed report
              …
     e.g.
        concept RSH_connection_spoof
           requires
              Trusted_Partner: TP                      #- subscribed report
              Network_DOS: ND                          #- subscribed report
              SeqNumProbe: SNP                         #- subscribed report
              SpoofedPacketSend: SPS                   #- subscribed report
              …

  7. report - changes in KB
     #- where values are bound to instantiations of a report and the report is published
     e.g.
        assert Linux5.1-IMAP_vulnerable        #- keyword assert is optional
           (host <- L51IMAPD.hostname)
        retract Linux5.1-IMAP_vulnerable (hostname)
     #- explanatory data is passed along by binding matching "required" reports to this report; by default all required reports are bound
     #- keyword unbind is used to limit growth of explanatory data
     e.g.
        assert SeqNumProbe (dest <- SNP.dest)
           unbind SNP                          #- all other unbound data is lost

  8. report - (continued)
     e.g.
        concept Linux5.1-IMAP_buffer_overflow
           requires
              Host_Info: HI                            #- domain knowledge
              Linux_5.1_IMAP_attach_detected: L51IMAP  #- subscribed report
              …
           report
              buffer_overflow_detected
                 (host <- HI.host)
           …
        end.

  9. report - (continued)
     e.g.
        concept RSH_Connection_Spoofing
           requires
              Trusted_Partner: TP           #- subscribed report
              Network_DOS: ND               #- subscribed report
              SeqNumProbe: SNP              #- subscribed report
              SpoofedPacketSend: SPS        #- subscribed report
              …
           report
              Remote_Execution
                 (dest <- SPS.target)       #- host we can execute on
                 (source <- SPS.source)
                 (true_src <- SPS.true_src) #- where remote code must come from
                 (start_time <- SPS.time)
                 (end_time <- SPS.time)

  10. report - (continued)
     e.g.
        concept NIS_Connection_Spoofing
           requires
              Trusted_Partner: TP           #- subscribed report
              Network_DOS: ND               #- subscribed report
              SeqNumProbe: SNP              #- subscribed report
              SpoofedPacketSend: SPS        #- subscribed report
              …
           report
              Remote_Execution
                 (dest <- SPS.target)       #- host we can execute on
                 (source <- SPS.source)
                 (true_src <- SPS.true_src) #- where remote code must come from
                 (start_time <- SPS.time)
                 (end_time <- SPS.time)

  11. where - Correlates assertions
     #- A list of expressions which must be true for the concept to hold
     #- Describes constraints on how reports are to be combined.
     e.g.
        DOS.host is SPS.source
        DOS.port_set includes SPS.source
        active(DOS) while active(SPS)
     #- Base library of functions can be extended either globally or locally to the particular construct.
     e.g.
        defpred is_mail_port(X) ( X in { SMTP, POP, POP2, POP3, IMAP } )
        deffunc number_of_ports(X) ( return card(X.port_set) )
     #- CBV only, no side-effects
     #- No external calls allowed

  12. Example: SynFlood
        concept SynFlood
           requires
              SynFlood: SF
              NetworkAccess: NA
           where
              network_access(NA.true_src, SF.target)
           report
              Denial_of_Network_Service
                 (target <- SF.target) update_on
                 (port_set <- port_set + SF.port)
                 (start_time <- SF.time)
                 (stop_time <- SF.time) update
        end.
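The SynFlood concept above publishes one Denial_of_Network_Service assertion per target and keeps updating it as further SF reports arrive. The following is an added example, not code from the slides or the JIGSAW project: a minimal JSA for this concept in Python. Report names and fields follow the slide; the update_on/update semantics (target is the key, port_set accumulates, start_time keeps its first value, stop_time is overwritten) and the NA.true_src argument are my reading of it.

```python
from dataclasses import dataclass, field

@dataclass
class SynFloodReport:            # sensor report bound to label SF
    target: str
    port: int
    time: float

@dataclass
class DenialOfNetworkService:    # report published by the concept
    target: str
    port_set: set = field(default_factory=set)
    start_time: float = 0.0
    stop_time: float = 0.0

class SynFloodConcept:
    """JSA for 'concept SynFlood': one assertion per target in the KB,
    asserted on the first matching SF report and updated afterwards."""
    def __init__(self, network_access):
        self.network_access = network_access   # where-clause predicate
        self.kb = {}                            # target -> assertion

    def on_report(self, sf, na_true_src):
        # where: network_access(NA.true_src, SF.target)
        if not self.network_access(na_true_src, sf.target):
            return None
        dnos = self.kb.get(sf.target)
        if dnos is None:                        # first report: assert
            dnos = DenialOfNetworkService(sf.target, {sf.port}, sf.time, sf.time)
            self.kb[sf.target] = dnos
        else:                                   # update_on target
            dnos.port_set.add(sf.port)          # port_set <- port_set + SF.port
            dnos.stop_time = sf.time            # stop_time <- SF.time (update)
        return dnos

def demo():
    # constructed input: three SYN-flood sensor reports against one host,
    # with a network_access predicate that always holds
    jsa = SynFloodConcept(lambda src, dst: True)
    reports = [SynFloodReport("10.0.0.5", 80, 100.0),
               SynFloodReport("10.0.0.5", 443, 105.0),
               SynFloodReport("10.0.0.5", 80, 110.0)]
    out = None
    for r in reports:
        out = jsa.on_report(r, "192.0.2.9")
    return out
```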

  13. More Examples
        concept FileHandleGuessing
           requires
           where
           report
        end.

        concept DNS_Cache_Poisoning
           requires
              DNS_Cache_Poison_Detected: DNSCP
           report
              Traffic_Redirection
                 forall ce in DNSCP.map_list {
                    (remap <- remap + [DNSCP.old_IPA, DNSCP.new_IPA])
                 }
        end.

  14. Example: Connection Spoofing
        concept Connection_Spoofing
           requires
              Trusted_Partner: TP
              Network_DOS: ND
              SeqNumProbe: SNP
              SpoofedPacketSend: SPS
           where
              ND.hosts includes TP.host
              SPS.source is SPS.target
              active(ND) while active(SPS)
              not ND.hosts includes SPS.true_src
              not ND.hosts includes SPS.target
           report
              assert Connection_Spoofing
                 (dest <- SPS.target)
                 (source <- SPS.source)
                 (true_src <- SPS.true_src)
                 (start_time <- SPS.time)
                 (end_time <- SPS.time)
        end.
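The where clause of Connection_Spoofing evaluated over constructed reports, as an added example that is not code from the slides or the JIGSAW project. Report types and attribute names follow the slide; the Report class, the start/end interval used to model active(X) while active(Y), and the reading of the second clause as "SPS.source is TP.host" (the spoofed source is the partner being denied service) are assumptions of mine.

```python
from dataclasses import dataclass, field

@dataclass
class Report:
    kind: str                 # e.g. "Trusted_Partner", "Network_DOS"
    start: float              # interval during which the report is active
    end: float
    attrs: dict = field(default_factory=dict)

def active_while(a, b):
    """active(a) while active(b): the two activity intervals overlap."""
    return a.start <= b.end and b.start <= a.end

def connection_spoofing(tp, nd, snp, sps):
    """Evaluate the where clause over one binding of the four required
    reports; return the asserted Connection_Spoofing report, or None."""
    hosts = nd.attrs["hosts"]
    checks = [
        tp.attrs["host"] in hosts,                 # ND.hosts includes TP.host
        sps.attrs["source"] == tp.attrs["host"],   # spoofed source is the DoS'd partner (assumption)
        active_while(nd, sps),                     # active(ND) while active(SPS)
        sps.attrs["true_src"] not in hosts,        # not ND.hosts includes SPS.true_src
        sps.attrs["target"] not in hosts,          # not ND.hosts includes SPS.target
    ]
    if not all(checks):
        return None
    # report: assert Connection_Spoofing with the bindings from the slide
    return Report("Connection_Spoofing", sps.start, sps.end, {
        "dest": sps.attrs["target"], "source": sps.attrs["source"],
        "true_src": sps.attrs["true_src"],
        "start_time": sps.attrs["time"], "end_time": sps.attrs["time"],
    })

def demo():
    # constructed reports: trusted partner 10.0.0.2 is under DoS from t=100
    # to t=200 while 198.51.100.7 sends packets to 10.0.0.9 that claim to
    # come from 10.0.0.2; SNP is required but not referenced in the where clause
    tp = Report("Trusted_Partner", 0, 999, {"host": "10.0.0.2"})
    nd = Report("Network_DOS", 100, 200, {"hosts": {"10.0.0.2"}})
    snp = Report("SeqNumProbe", 110, 120, {"dest": "10.0.0.9"})
    sps = Report("SpoofedPacketSend", 130, 130, {
        "source": "10.0.0.2", "true_src": "198.51.100.7",
        "target": "10.0.0.9", "time": 130})
    return connection_spoofing(tp, nd, snp, sps)
```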

  15. action - external effects
     #- used to
        * send alerts and other informational reports
        * send CIDF GIDOs to other A-boxes
        * dynamically change sensors
        * take response measures

  16. extends - basic inheritance
     #- convenient notation when useful reports are not asserted as needed (missing "binds")
     e.g.
        concept ThinWorm extends Worm

  17. Sensor Framework
     • Wraps sensor input to provide JIGSAW reports
        sensor <sensor_name>
           requires {
              extern <process>: <binding>     #- external process
              - or -
              gido <gido_src>: <gido_filter>  #- GIDO this wraps
                                              #- negotiated via IDIAN
           }
           report {                           #- messages to JSAs
              <assertion> ( <assertion_data>+ )
           }
        end.

  18. Concept Hierarchy
     [Diagram: hierarchy of DOS concepts with nodes DOS, Network DOS, DOS port, DOS Host, DOS all ports]

  19. Concept Hierarchy
     [Diagram: DOS Host, DOS Network, DOS all ports, DOS port; leaf concepts Halt Computer, SynFlood, PacketStorm, Unplug Cable]
        concept SynFlood
           requires
              SynFloodDetected: SFD
           report
              Denial_of_Service
                 (host <- SFD.host)
                 (port <- SFD.port_x)
        end.

  20. Concept Hierarchy
     [Diagram: DOS Host, DOS Network, DOS all ports, DOS port; leaf concepts Halt Computer, SynFlood, PacketStorm, Unplug Cable]
        concept UnpluggedCable
           requires
              UPCableDetected: UPC
           report
              Denial_of_Service
                 (host <- UPC.host)
                 (port <- *)
        end.

  21. Concept Hierarchy
     [Diagram: DOS Host, DOS Network, DOS all ports, DOS port; leaf concepts PingOfDeath, SynFlood, PacketStorm, Unplug Cable]
        concept PacketStorm
           requires
              PacketStormDetected: PS
           report
              forall h in LocalNet(PS.host, PS.adapter)
                 Denial_of_Service
                    (host <- PS.host)
                    (port <- *)
        end.

  22. Concept Hierarchy?
     [Diagram: DOS Host, DOS Network, DOS all ports, DOS port, DOS Process; leaf concepts PingOfDeath, SynFlood, PacketStorm, Unplug Cable]
        concept PingOfDeath
           requires
              PingOfDeath: POD
           report
              Denial_of_Service
                 (host <- POD.target)
                 (port <- *)
                 (proc <- *)
        end.

  23. Concept Hierarchy
     [Diagram: Denial-of-Service at the root; DOS Host, DOS Network, DOS all ports, DOS port; leaf concepts Halt Computer, SynFlood, PacketStorm, Unplug Cable]

  24. Report Specialization
     [Diagram: Denial-of-Service at the root, specialized into DOS Host (HTTP_DOS, Comm_DOS, SMTP_DOS, FTP_DOS, NIS_DOS), DOS Network (R&D_DOS, DMZ_DOS), DOS all ports and DOS port; leaf concepts PingOfDeath, SynFlood, PacketStorm, Unplug Cable]

  25. D.O.S. - Hierarchy of Specialization

  26. Conceptual Execution Model
     Communicating Agent Model
     • Each concept statement defines a JSA (JigSaw Agent)
     • JSAs execute concurrently on 1 or more hosts.
     • requires specifies the types of reports of interest to the JSA – what it subscribes to
     • reports are the messages an agent will publish
     • reports can be either broadcast to all agents, or sent only to subscribing agents
     • Remote groups of agents communicate via CIDF, using IDIAN to negotiate report requirements

  27. Uses
     • Forward direction as an ID system
     • In reverse to identify vulnerabilities
     • In reverse w/ sensors replaced with appropriate attack scripts as an attack system
       • Plans how to reach goal
       • Can find new combinations of attacks to reach goal, e.g.
         • Using DNS requests as a method for a worm to pull in its body.
         • Port DOS to spoof IIS authentication, then buffer overflow list command as a means of remote execution.

  28. Attack Requirements
        concept Propagate
           requires
              Remote_Execution: RE
              …
           where
              …
           …
        end.

        concept Linux5.1-IMAP_Vulnerable
           requires
              OS_Linux-5.1: OSL51
              Not_IMAP_Patched: NIMAPP
              …
           report
              Remote_Execution
                 (host <- OSL51.host)
              …
        end.

        concept OS_Linux-5.1_ID
           requires
              OS_Scan: OSS
           where
              OSS.OS is Linux_5.1
           report
              OS_Linux-5.1
                 (host_set <- OSL51.host)
        end.

  29. Challenges
     • Writing more specifications
     • Efficient implementation
     • Integration of anomaly detection components into JIGSAW
     • Appropriate time-to-live for assertions
     • Update reports of continuing events

  30. Summary
     • Simple conceptual framework for modeling attack concepts
     • Extensible to handle new attribute relationships
     • Utilizes new attack detectors to improve performance
     • Specifications use behavioral characteristics of attacks and/or critical resources to protect.
     • CIDF friendly.
     • While conceptually an agent approach, not tied to any execution method.
     • Well suited as an attack tool.