
SLG in MulVAL


Presentation Transcript


  1. SLG in MulVAL

     netAccess(H2, Protocol, Port) :-
         execCode(H1, User),
         reachable(H1, H2, Protocol, Port).

     (Figure: SLG tabling of this rule. The table for the first subgoal execCode(...) and the table for the goal netAccess(...) are filled from the possible instantiations; reachable(...) is matched against the input tuples.)

  2. SLG complexity for Datalog
     • Total time is dominated by the rule that has the maximum number of instantiations
     • Time for computing one table = computation of the subgoals + retrieving information from input tuples + matching results in the rules' bodies
     • Time for computing all tables = retrieving information from input tuples + matching results in the rules' bodies
     • See "On the Complexity of Tabled Datalog Programs", http://www.cs.sunysb.edu/~warren/xsbbook/node21.html

  3. MulVAL complexity in SLG

     execCode(Host, User) :-
         vulExists(Host, _, Program, remote, privilegeEscalation),
         networkService(Host, Program, Protocol, Port, User),
         netAccess(Host, Protocol, Port).

     Scales with network size: O(N) different instantiations.

  4. MulVAL complexity in SLG

     netAccess(H2, Protocol, Port) :-
         execCode(H1, _),
         reachable(H1, H2, Protocol, Port).

     Scales with network size: O(N²) different instantiations, which makes the overall complexity of MulVAL O(N²).

  5. Datalog proof generation
     • In security analysis we want to know not only what attacks could happen but also how they can happen
     • Thus we need more than a yes/no answer to queries
     • We need the proofs for the true queries, which in the case of security analysis are attack paths
     • We also want to know all possible attack paths; thus we need exhaustive proof generation

  6. An obvious approach

     Original rule:
     execCode(Host, PrivilegeLevel) :-
         vulExists(Host, Program, remote, privilegeEscalation),
         serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
         networkAccess(Host, Protocol, Port).

     Rule with the proof carried as an extra argument:
     execCode(Host, PrivilegeLevel, Pf) :-
         vulExists(Host, Program, remote, privilegeEscalation, Pf1),
         serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel, Pf2),
         networkAccess(Host, Protocol, Port, Pf3),
         Pf = (execCode(Host, PrivilegeLevel), [Pf1, Pf2, Pf3]).

     This breaks the bounded-term property: on a cyclic Datalog program the nested proof terms grow without bound, so the evaluation does not terminate.

  7. MulVAL Attack-Graph Toolkit (Ou, Boyer, and McQueen, ACM CCS 2006; joint work with Idaho National Laboratory)

     (Figure: toolkit pipeline. Security advisories, network configuration and machine configuration are turned into a Datalog representation; the Datalog rules are translated (translated rules) and evaluated together with it by the XSB reasoning engine, whose Datalog proof steps the Graph Builder assembles into the Datalog proof graph.)

  8. Stage 1: Rule Translation

     netAccess(H2, Protocol, Port, ProofStep) :-
         execCode(H1, User),
         reachable(H1, H2, Protocol, Port),
         ProofStep = because('multi-hop network access',
                             netAccess(H2, Protocol, Port),
                             [execCode(H1, User), reachable(H1, H2, Protocol, Port)]).

     The added ProofStep argument records one proof step: the rule name, the derived fact and the body facts it was derived from. The body subgoals keep their original arity, so proof steps do not nest and the bounded-term property is preserved.

  9. Stage 2: Build the Exhaustive Proof

     because('multi-hop network access',
             netAccess(fileServer, rpc, 100003),
             [execCode(webServer, apache), reachable(webServer, fileServer, rpc, 100003)])

     (Figure: graph fragment, nodes 0-3: netAccess(fileServer, rpc, 100003) is derived by the rule node "multi-hop network access" from execCode(webServer, apache) and reachable(webServer, fileServer, rpc, 100003).)

  10. Complexity of Proof Building
     • O(N²) to complete the Datalog evaluation, with the proof steps generated
     • O(N²) to build a proof graph from the proof steps: O(N²) graph components are needed, and building one component takes a table lookup to find the predecessor and a table lookup to find the successors
     • Total time: O(N²), if a table lookup is constant time
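The following is an added example in Python, not MulVAL's own code and not the XSB engine, tying slides 3-4 and 6-10 together. It runs a naive bottom-up fixpoint over the two rules on a constructed N-host network, counts the distinct instantiations per rule (O(N) for the exploit rule, O(N²) for the network-access rule), records every derivation as a ground because-style step so that the evaluation stays bounded, assembles the AND/OR proof graph from those steps, and contrasts this with the proof-carrying variant of slide 6, which on a two-host cycle keeps producing larger proof terms and never stabilises. The host names, the placeholder vulnerability id "vulnId", the user and service names and the rule labels are assumptions made here; a real MulVAL run uses XSB's SLG tabling rather than this re-evaluate-everything loop.

```python
# Added example (not MulVAL's code or the XSB engine): naive bottom-up fixpoint
# over the rules of slides 3-4 that records ground because(rule, head, body)
# steps (slide 8), builds the AND/OR graph from them (slides 9-10), and shows
# why proof-carrying facts (slide 6) never reach a fixpoint on a cycle.
from collections import Counter

def network_facts(n):
    """Constructed N-host network: every host runs the same remotely exploitable
    httpd as user apache and reaches every other host on tcp/80; the attacker has
    code execution on its own machine and reaches h0. "vulnId" is a placeholder."""
    hosts = [f"h{i}" for i in range(n)]
    facts = {("execCode", "attacker", "root"), ("reachable", "attacker", "h0", "tcp", 80)}
    for h in hosts:
        facts.add(("vulExists", h, "vulnId", "httpd", "remote", "privilegeEscalation"))
        facts.add(("networkService", h, "httpd", "tcp", 80, "apache"))
        facts.update(("reachable", h, o, "tcp", 80) for o in hosts if o != h)
    return facts

def evaluate(facts):
    """Fixpoint of the two MulVAL rules. Each derivation is recorded as a ground
    step (rule name, head, body atoms) rather than nested inside the derived fact,
    so the fact set is finite and evaluation terminates despite the recursion."""
    facts, steps = set(facts), set()
    while True:
        new, by = set(), {}
        for f in facts:                       # index the facts by predicate
            by.setdefault(f[0], []).append(f)
        # execCode(Host, User) :- vulExists(Host, _, Prog, remote, privilegeEscalation),
        #     networkService(Host, Prog, Protocol, Port, User), netAccess(Host, Protocol, Port).
        for v in by.get("vulExists", []):
            if v[4] != "remote" or v[5] != "privilegeEscalation":
                continue
            for s in by.get("networkService", []):
                if (s[1], s[2]) != (v[1], v[3]):
                    continue
                for a in by.get("netAccess", []):
                    if a[1:] == (s[1], s[3], s[4]):
                        head = ("execCode", s[1], s[5])
                        steps.add(("remote exploit", head, (v, s, a)))
                        new.add(head)
        # netAccess(H2, Protocol, Port) :- execCode(H1, _), reachable(H1, H2, Protocol, Port).
        for e in by.get("execCode", []):
            for r in by.get("reachable", []):
                if r[1] == e[1]:
                    head = ("netAccess", r[2], r[3], r[4])
                    steps.add(("multi-hop network access", head, (e, r)))
                    new.add(head)
        if new <= facts:                      # nothing new this round: fixpoint
            return facts, steps
        facts |= new

def instantiations(steps):
    """Distinct instantiations per rule: O(N) for the exploit rule and O(N^2)
    for the network-access rule, which therefore dominates (slides 2-4)."""
    return dict(Counter(name for name, _, _ in steps))

def build_graph(steps):
    """Stage 2 (slides 9-10): one OR node per derived fact, one AND node per proof
    step, one leaf per input fact. Each node costs a constant number of dictionary
    (table) lookups, so the build is linear in the number of steps."""
    ids, kinds, edges = {}, {}, []
    derived = {head for _, head, _ in steps}
    def node(key, kind):
        if key not in ids:
            ids[key] = len(ids)
            kinds[ids[key]] = kind
        return ids[key]
    for name, head, body in steps:
        and_node = node((name, head, body), "AND")
        edges.append((node(head, "OR"), and_node))
        for atom in body:
            edges.append((and_node, node(atom, "OR" if atom in derived else "LEAF")))
    return kinds, edges

def proof_carrying_rounds(max_rounds):
    """The 'obvious approach' of slide 6 on a two-host cycle (execCode(H) from
    netAccess(H); netAccess(H2) from execCode(H1) and reachability H1->H2): the
    proof is a term inside the fact, so every round adds a strictly larger proof
    of an atom already known. Returns the fact count after each round."""
    reach = {("a", "b"), ("b", "a")}
    facts = {(("execCode", "a"), ("fact",))}
    sizes = []
    for _ in range(max_rounds):
        new = set()
        for atom, pf in facts:
            if atom[0] == "execCode":
                new.update((("netAccess", h2), ("netAccess", h2, pf))
                           for h1, h2 in reach if h1 == atom[1])
            else:
                new.add((("execCode", atom[1]), ("execCode", atom[1], pf)))
        facts |= new
        sizes.append(len(facts))
    return sizes

if __name__ == "__main__":
    for n in (5, 10, 20):
        print(n, "hosts:", instantiations(evaluate(network_facts(n))[1]))
    print("proof-carrying facts per round:", proof_carrying_rounds(8))
```

For five hosts the exploit rule has 5 instantiations and the network-access rule 21 (one per execCode fact times the edges leaving that host); for ten hosts the counts are 10 and 91, i.e. linear versus quadratic growth. The proof-carrying variant adds exactly one new (atom, proof) pair per round and would loop forever, which is the non-termination slide 6 warns about.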

  11. Logical Attack Graphs

     (Figure: logical attack graph for the example network, nodes 0-6. Legend: OR node = derived fact, AND node = rule/exploit application, ground fact = input tuple.)
     Fact nodes shown: netAccess(attacker, webServer, tcp, 80); execCode(attacker, webServer, apache); accessFile(attacker, fileServer, write, /export); accessFile(attacker, workStation, write, /usr/local/share); execCode(attacker, workStation, root)
     Ground facts shown: vulExists(webServer, CAN-2002-0392, httpd, remoteExploit, privEscalation); networkService(webServer, httpd, tcp, 80, apache)
     Rule (AND) nodes shown: Remote exploit; NFS shell; NFS semantics; Trojan horse installation

  12. Performance and Scalability

  13. Related Work
     • Sheyner's attack graph tool (CMU): based on model checking
     • Cauldron attack graph tool (GMU): based on graph-search algorithms
     • NetSPA attack graph tool (MIT LL): graph search based on a simple attack model

  14. Advantages of the Logic-programming Approach
     • Publishing and incorporation of knowledge/information through well-understood logical semantics
     • Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems

  15. SAT-based Security Hardening
     • The MulVAL proof graph provides information on the potential consequences of vulnerabilities
     • How do we use this information to improve security?
     • The Datalog proof is turned into a Boolean formula
     • A SAT solver searches for the optimal solution
     Reference: John Homer and Xinming Ou, "SAT-Solving Approaches to Context-Aware Enterprise Network Security Management", IEEE Journal on Selected Areas in Communications (JSAC).

  16. Benefit of SAT
     • It is impossible for a human to understand all configuration options and their ramifications; computers can do it better
     • Balancing security and usability is essentially a constraint-solving process
     • SAT provides an automated, reliable approach to reasoning about conflicting requirements

  17. Vision for Network Security Management

     (Figure: workflow. Problematic Configuration → MulVAL → MulVAL Proof Graph → Graph to Boolean formula Φ → SAT Solver → Suggested Configuration Changes / Desirable Configuration, with Usability Requirement and Training Guidance as further inputs.)

  18. SAT-Solving Techniques
     • MinCostSAT: utilize user-provided discrete cost values to find the mitigation solution that minimizes cost
     • UNSAT Core Elimination: reduce the complexity of reconfiguration to simple choices between conflicting requirements; use a partial-ordering lattice to further reduce the scope of choices, based on past decisions

  19. Benefits
     • The human user only addresses "problem areas" in the network configuration
     • Reduces a complex problem to more manageable proportions

  20. Example

     (Figure: example network. The attacker reaches webServer through a remote exploit of a buffer overrun, and from there reaches fileServer through an NFS shell.)

  21. MulVAL Proof Graph

     (Figure: proof graph with configuration settings c1..c7, exploits e1..e3 and privileges p1, p2. Exploit e1 derives privilege p1 from configuration settings c1, c2, c3; e2 derives p2 from c4, c5 and p1; e3 derives p2 from c6, c7 and p1.)

  22. d (a + b) (a + b + d’) a d (a’ + d) b e (b’ + d) c e(c d) (c’ + d’ + e) (d + e’) (c + e’) Circuit to CNF Conversion From Sharad Malik’s slides • Tseitin Transformation • Can ‘e’ ever become true? Consistency conditions for circuit variables Is (e)(a + b + d’)(a’+d)(b’+d)(c’+d+e)(d+e’)(c+e’) satisfiable?

  23. Boolean Transformation

     Attack possibility constraints (one per exploit node of the proof graph):
       e1:  c1 ⋀ c2 ⋀ c3 ⇒ p1   ≡   ¬c1 ⋁ ¬c2 ⋁ ¬c3 ⋁ p1
       e2:  c4 ⋀ c5 ⋀ p1 ⇒ p2   ≡   ¬c4 ⋁ ¬c5 ⋁ ¬p1 ⋁ p2
       e3:  c6 ⋀ c7 ⋀ p1 ⇒ p2   ≡   ¬c6 ⋁ ¬c7 ⋁ ¬p1 ⋁ p2
       Φ = e1 ⋀ e2 ⋀ e3
     Policy requirement (keep configuration c3, deny privilege p2):
       ψ = Φ ⋀ c3 ⋀ ¬p2
     ψ is handed to the zChaff SAT solver.

  24. MinCostSAT

     Given ψ over n variables x1, x2, ..., xn, each with a cost ci ≥ 0, find an assignment X ∈ {0, 1}^n that satisfies ψ and minimizes C = Σ ci·xi.
     MinCostSAT in network reconfiguration:
     • Privilege variables incur cost when assigned true
     • Configuration variables incur cost when assigned false
     • Variables may be forced true or false

  25. MinCostSAT

     (Figure: the example network of slide 20 again: attacker → webServer via remote exploit of a buffer overrun → fileServer via NFS shell, now annotated with the MinCostSAT solution.)

  26. Scalability Testing

  27. Iterative UNSAT Core Elimination
     • UNSAT core: a subset of the original CNF clauses that is unsatisfiable by itself
     • For an unsatisfiable formula ψ and UNSAT core μ = {μ1, μ2, ..., μn} ⊆ ψ, ψ remains unsatisfiable as long as μ is left unchanged
     • To resolve the conflict, a user needs to decide the relative values of only a few network components

  28. Iterative UNSAT Core Elimination
     • Requires no up-front cost assignments; relies on human decisions as needed
     • Further reduces user decisions by keeping a partial-ordering lattice that stores the relative priorities established by prior decisions
     • When two variables with a known ordering appear in an UNSAT core, only the lower-priority variable is presented to the user
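The following is an added example in Python, not the paper's or MulVAL's code, working through slides 22-28 on the proof graph of slides 21 and 23: Tseitin gate clauses for the slide-22 circuit, the three exploit implications as CNF with ψ = Φ ⋀ c3 ⋀ ¬p2, a MinCostSAT search with constructed costs (configuration variables charged when false, privilege variables when true), and a deletion-based minimal UNSAT core for the case where every configuration is required and p2 is denied at the same time. The cost numbers, the literal encoding and the function names are assumptions made here; the exhaustive model enumeration stands in for zChaff and is only usable on toy-sized formulas.

```python
# Added example (not from the Homer/Ou paper or MulVAL): the slide-23 proof graph
# as CNF, Tseitin gate clauses from slide 22, a brute-force MinCostSAT and a
# deletion-based UNSAT core. All cost values below are made up for illustration.
from itertools import product

# A literal is (variable, polarity); a clause is a list of literals (a disjunction).
def implication(body, head):
    """c1 ∧ c2 ∧ c3 ⇒ p1 becomes ¬c1 ∨ ¬c2 ∨ ¬c3 ∨ p1 (slide 23)."""
    return [(v, False) for v in body] + [(head, True)]

def or_gate(out, a, b):
    """Tseitin clauses for out = a + b: (a + b + out')(a' + out)(b' + out)."""
    return [[(a, True), (b, True), (out, False)], [(a, False), (out, True)], [(b, False), (out, True)]]

def and_gate(out, a, b):
    """Tseitin clauses for out = a·b: (a' + b' + out)(a + out')(b + out')."""
    return [[(a, False), (b, False), (out, True)], [(a, True), (out, False)], [(b, True), (out, False)]]

def variables(clauses):
    return sorted({v for c in clauses for v, _ in c})

def models(clauses):
    """Every satisfying assignment by exhaustive search (toy sizes only; a real
    deployment hands the CNF to zChaff or another SAT solver)."""
    vs = variables(clauses)
    for bits in product((False, True), repeat=len(vs)):
        a = dict(zip(vs, bits))
        if all(any(a[v] == pol for v, pol in c) for c in clauses):
            yield a

def is_sat(clauses):
    return next(models(clauses), None) is not None

# Slide 23: three exploits, Φ = e1 ∧ e2 ∧ e3.
RULES = {"e1": (("c1", "c2", "c3"), "p1"),
         "e2": (("c4", "c5", "p1"), "p2"),
         "e3": (("c6", "c7", "p1"), "p2")}
PHI = [implication(body, head) for body, head in RULES.values()]

# Slide 24 costs (constructed): disabling a configuration costs, tolerating a
# privilege costs; p2 is priced so that it is never worth allowing.
CONFIG_COST = {"c1": 6, "c2": 8, "c3": 4, "c4": 2, "c5": 3, "c6": 2, "c7": 3}
PRIV_COST = {"p1": 1, "p2": 50}

def cost(a):
    """Configuration variables pay when false, privilege variables when true."""
    return (sum(c for v, c in CONFIG_COST.items() if not a.get(v, True)) +
            sum(c for v, c in PRIV_COST.items() if a.get(v, False)))

def min_cost_sat(clauses):
    """MinCostSAT: the cheapest model of ψ, or None if ψ is unsatisfiable."""
    return min(models(clauses), key=cost, default=None)

def unsat_core(clauses):
    """Deletion-based minimal UNSAT core (slide 27): drop a clause whenever the
    rest is still unsatisfiable; what remains is one conflict to show the user."""
    core = list(clauses)
    i = 0
    while i < len(core):
        rest = core[:i] + core[i + 1:]
        if is_sat(rest):
            i += 1            # clause i is needed for the conflict, keep it
        else:
            core = rest
    return core

def core_choices(core):
    """Configuration requirements inside the core: the user must relax one of
    them (or the security requirement) to make the formula satisfiable (slide 28)."""
    return sorted(v for c in core if len(c) == 1 for v, pol in c if pol and v in CONFIG_COST)

if __name__ == "__main__":
    # Slide 22: can e ever be true?  d = a + b, e = c·d, plus the unit clause (e).
    circuit = or_gate("d", "a", "b") + and_gate("e", "c", "d") + [[("e", True)]]
    print("circuit satisfiable:", is_sat(circuit))
    # ψ = Φ ∧ c3 ∧ ¬p2: keep c3, deny p2, minimise the cost of the fix.
    best = min_cost_sat(PHI + [[("c3", True)], [("p2", False)]])
    print("cheapest fix:", {v: best[v] for v in sorted(best)}, "cost", cost(best))
    # Usability keeps every configuration, security denies p2: unsatisfiable.
    strict = PHI + [[(v, True)] for v in CONFIG_COST] + [[("p2", False)]]
    print("strict satisfiable:", is_sat(strict), "choices:", core_choices(unsat_core(strict)))
```

With these costs the cheapest fix is to tolerate p1 and disable c4 and c6 (cost 5) rather than disable c1 (cost 6), which is the trade-off between security and usability the slides describe. In the strict case the deletion pass drops e2, c4 and c5 because the e3 path alone already conflicts with ¬p2, leaving c1, c2, c3, c6, c7 and the ¬p2 requirement as the choices to present; a different clause order can yield the other core (through e2, c4, c5), and the priority lattice of slide 28 would then hide the variables the user has already ranked higher.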

  29. Open Problems
     • How do we come up with the numbers? Monetary units? How do we estimate the costs?
     • How do we capture the difficulty level of attacks? Do more difficult exploits reduce the risk?
     • Can this be done inline?
     • What about zero-day vulnerabilities?
     • Scalability in production systems

  30. That’s it. Questions?
