1 / 25

Measuring a System’s Attack Surface

Measuring a System’s Attack Surface. Yin Shi. Overview. Introduction State Machine Model Definitions and Examples Attack Surface Measurement Method Linux Example Discussion Related Work Conclusions. Introduction. Questions faced by industry today

rtipton
Download Presentation

Measuring a System’s Attack Surface

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Measuring a System’s Attack Surface Yin Shi

  2. Overview • Introduction • State Machine Model • Definitions and Examples • Attack Surface Measurement Method • Linux Example • Discussion • Related Work • Conclusions

  3. Introduction • Questions faced by industry today • Two measurements are commonly used today by us • At the code level • At the system level (CERT) • A new security metric based on the notion of attack surface • Not all system resource should be treated equally • What is the attack surface? • What is the attack class?

  4. State Machine Model • Informal Overview • Differences from standard state machine • We explicitly represent an access matrix in the state of the state machine, allowing us to represent the set of principals explicitly • We represent the system itself as a separate entity in our model and not as a principal • We distinguish both the threat and the system administrator as system principals different from other system users

  5. State Machine Model • Formal Definition • M = <S, I, A, T> • S is the set of states • I  S is the set of initial states • A is the set of actions • T is the transition relation • Type State is defined as • State = Env x Store x Access_Matrix • Env = Name → Resource • Store = Resource → Value • Access_Matrix = Principal x Resource x Rights • Principal = {Threat, Administrator, User} • Access rights definitions are specific to the system being modeled. ie. Rights = {r, w, x}

  6. State Machine Model • Formal Definition • A = AS AT  AA AU • T  S x A x S • For any action a  A, if a.pre and a.post are the pre- and post-conditions of a a.T = {(x, a, x’): S x A x S | a.pre(x)  a.post(x, x’)} T is the union of all such sets, a.T, for each action a  A • A state transition <x, a, x’>, is the execution of action a in state x resulting in the new state x’

  7. Definitions and Examples • Definition 1 (Attack) • An attack is a finite sequence of action executions a1, …, ai, …, an such that: • 1 ≤ i ≤ n ai  A; • a1  AT; • 1 < i ≤ n ai  As; and • Goal is satisfied in the state reached by M after execution of an • Consider the specification of two actions: • SEND_STRINGTand PROCESS_STRINGS • A system state is a triple, <e, s, am> • x¯, to denote the resource itself • x’, to denote its value in the post-state

  8. Definitions and Examples

  9. Definitions and Examples • Give a hypothetical attack • The Threat exploits a buffer overrun in a process P running in the system by sending a string X through the channel C whose length exceeds 512. • Res(PROCESS_STRING) = (I, C, E, P) • P is the target of attack • The post-condition of PROCESS_STRING reflects the vulnerability of the system. • The intended behavior for PROCESS_STRING is to display the input string I, no matter what its length.

  10. Definitions and Examples

  11. Definitions and Examples • Definition 2 (Attack Surface) • The attack surface of the System is the pair, <As, U Res(a)> (aAs), where the first componentis the set of system actions and the second is the collective set of resource, Res(a), for each system action, a  As • Every system resource can potentially be part of an attack surface. • In reality, not all system resources have the same likelihood of being a target of an attack.

  12. Definitions and Examples • Definition 3 (Attack Class) • Given a set of properties, Prop, and a set of resource types, Type, let Type_Hierarchy be the subtype hierarchy induced by Prop on Type, ie., Induce (<Prop, Type>, <Type_Hierarchy, ≤ >). The attack classes of a system are all the types in Type_Hierarchy that are leaf nodes, which have no subtypes of their own. • Ensure that all attack classes are disjoint, will not double count resources • The set of properties specified by the user captures how likely resources of a given type will be attacked.

  13. Attack Surface Measurement Method • Impractical way • To enumerate the set of system actions of a given system and count the number of resources in each of the action’s resource set. • Practical way • Identify the resources that are potential targets, let Type be the set of types • Induce a type hierarchy over the set, Type. Every leaf node is an attack class (Attack_Class) • Define a payoff function, assign payoffs to each attack class • Choose some k attack classes • Compare the two versions of the system with respect to these k attack classes to obtain their relative attack surface exposure

  14. Attack Surface Measurement Method • Reducing the Attack Surface • Reduce the number of system actions • Remove a known or potential system vulnerability by strengthening the pre- and post-conditions of a system action a  As • Eliminate an entire attack class • Reduce the number of instances of an attack class

  15. Linux Example • Measuring the attack surface of four versions of the Linux operating system • Consider potential targets of attack (MITRE CVEs) • Induce a type hierarchy • assign payoffs to the attack classes • Assume a higher payoff for an attack class if the resources of that attack class appear a greater number of times in the CVEs • Chose 11 attack classes for attack surface measurement • Count the number of instances of each of the 11 attack classes for four versions

  16. Linux Example

  17. Linux Example • Different ways to compare the security of different versions of a system • Default comparison: Debian and RH Default • Relative security of different versions of system • Customized usage-based comparison: RH Default and RH Facilities • Changes in the security level based on its customization • Time-based comparison: RH Facilities and RH used • Security level of a system as it changes over time

  18. Linux Example

  19. Discussion • Some General Caveats • Measure the security of a running instance of a system • Unlike a count of the number bugs in the code, it is a dynamic, not static measure • Measure the security of a system in a given configuration. • Realize that system’s security level will change as its configuration changes over time.

  20. Discussion • Advantages using attack surface measurement • Our metric is a relative measure of security. • Our metric can be used to track the security level of the system over time by measuring the attack surface at regular intervals. • Our method of measuring the attack surface leverages our knowledge of and experience with the system.

  21. Related Work • The use of attack surface to measure the system relative security is a novel idea. • Michael Howard of Microsoft first introduced it for the Windows OS • Choose 10 out of 20 attack classes of Windows • Choose 10 out of 14 attack classes of Linux

  22. Related Work

  23. Related Work • Studies focus on vulnerabilities with respect to their discovery • Browne • Beattie • Works focus on the vulnerabilities of a system as a measure of its security • Brocklehurst • Alves-Foss • Voas (MTTI) • Ortalo

  24. Conclusions • Our state machine model is general enough to model the behavior of • The system, the threat, the administrator and the users on the system • Our attack surface measurement method can be applied to any system. • We view our work as a first step towards a meaningful and practical metric for security measurement. • We believe our understanding would lead us to more meaningful and useful quantitative metrics for security measurement.

  25. Questions • Discussion Questions

More Related