Threat Modeling Revisited: Improving Expressiveness of ... - CiteSeerX

Threat Modeling Revisited: Improving Expressiveness of Attack Drake Patrick Mirembe Faculty of Computing and IT Makerere University Kampala [email protected] Abstract Threat modeling plays an important role in the deployment of optimal security controls and a number of threat modeling techniques have been proposed. However, most of the existing techniques lack adequate semantics and expressiveness. This paper reviews the existing techniques and proposes threat net; a technique based on information and causality theory concepts which offers improved expressiveness and semantics of threat models. Threat Net is built on Petri nets and treats every node in the threat path as a random variable, whose values include time specific attacker profile and system defense capabilities. In theory, by computing the expected value of random events one can estimate the cost of achieving a given goal. We believe that the simplicity and richness of our technique will make it attractive to security experts. In future we hope to validate threat net using case-based analysis theory. Key Words: Threat Net, Expressiveness, Semantics, Petri Nets, Threat-Centric, Attack-Centric

1 Introduction Threat modeling plays a very important role in the development and deployment of optimal security controls [1, 8]. Despite the importance of threat modeling, little effort has been dedicated to it compared to other aspects of digital security. However, a number of threat modeling techniques have been proposed including, fault trees [2]; attack net [4], security patterns, and attack trees [9, 10]. We note that most of the existing techniques lack adequate expressiveness and semantics to enable reasoning about threats. Therefore, the lack of adequate semantics makes the development of automated threat derivation tools and threat model validation difficult.

Maybin Muyeba Intelligent and Distributed Systems Liverpool Hope University [email protected] The remainder of the paper is organized as follows. Section 1.1 discuses our general approach. Section 2 presents the current threat modeling techniques and threat visualization. Section 4 introduces threat net as an enhancement to attack nets. Section 4 provides concluding remarks and future research directions. Our desire to focus on threat modeling was guided by the limitations of the existing threat modeling techniques and the future potential applications of threat modeling theories as more and more critical services become available online. We observe that semantics in prominent techniques in literature do not adequately enable logical reasoning about threats and their eventual mitigation. Hence, the need to explore new ideas on optimal threat modeling.

1.1

Our Approach

We propose a technique that is based on ordinary Petri nets, since attack nets are also based on Petri nets, one can say our contribution is to improve the expressiveness of attack nets to facilitate logical reasoning about threats. While attack nets take a view of an attacker, in our approach we focus on a threat. We argue that the view of a threat is more than that of an attacker. Thus, we define threat nets instead of attack nets. Threat nets have rich semantics in structure and provide mechanisms for capturing both system vulnerabilities and attacker attributes (what we refer to as background knowledge). The semantics defined in threat nets are based on concepts from case-based reasoning, information and causality theory. Every node (goal) in the net is treated as a time specific event whose occurrence may or may not depend on the occurrence of prior events. Threat nets differ from attack trees [5, 9, 10] by providing semantics for reasoning with the tree in addition to capturing threat specific background knowledge. Also threat nets differ from attack suits proposed by Sjouke et al. [12] by capturing background knowledge and system specific

attributes. Besides, attack suites semantics are complicated to interpret hence, making them less attractive to security experts although they could be appealing to tool builders. Threat nets differ from attack nets in two distinct ways; 1.

2.

Threat nets incorporate knowledge about system defense capabilities in addition to attack profile while attack net takes a view of an adversary. Threat nets explicitly capture the influence of background knowledge to the overall threat which is not done in attack nets.

Research shows that techniques that have sound semantics tend to be complex but threat nets minimizes the complexity of threat models by incorporating semantics in the elegant structure of Petri net. Where as existing threat modeling techniques are attacker oriented (e.g. attack nets) or system-based (e.g. fault trees), the threat nets are a hybrid technique.

2 Threat Modeling Threat modeling involves the identification of entry point’s formal and informal, privilege boundary definition and threat visualizations [6], [7]. Entry point identification is a process of determining all possible access points to the system whether authorized or unauthorized. Privilege boundary mapping is the assignment of access rights to system objects and threat visualization is a formal presentation of threats using techniques like attack trees, security pattern description, and attack nets. Generally two approaches to threat modeling exist and these are; (1) AttackerCentric(AC) and (2) Systems-Centric or Threat-Centric (TC) based on probability.

2.1

Attacker-Centric (AC)

Attacker-Centric threat modeling focuses on the identification of all possible access points to the system and the possible adversary aims. In general the attacker aims can be one or more of the following; Spoofing, Tampering, Repudiation, Information disclosure, Denial of services and Elevation of privileges (STRIDE) [11]. STRIDE, as it is popularly known, captures only the intention of the adversary but not his capabilities and system defense attributes. By capabilities we mean, the potential tools, knowledge and techniques the attacker might use to compromise a system. Most AC-based threat models are mainly visualized as attack trees [9, 10] hence, they are simple

to interpret and understand. Thus, AC-based threat models are popular among security experts although they lack adequate semantics to allow reasoning about threats they represent. Because of lack of adequate semantics, security controls developed based on AC approach suffice instead of being utility maximizing [13] (i.e., mitigate trivial threats but not the logical threats facing the system).

2.2

Threat-Centric (TC)

A threat analyst employing Threat-Centric approach focuses on capturing system design and deployment flaws which can translate into vulnerabilities. Threat centric approach provides mechanism of examining system design principles and deployment configuration. In TC approach, a threat analyst must step through the system design and deployment looking for vulnerabilities against each component of the design. TC threat modeling approach is the oldest technique of identifying vulnerabilities of a system and it has been extensively employed by mechanical engineers in the development of safety critical systems. Unlike AC-based models which have some semantics, most TC-based threat visualizations lack adequate semantics to allow reasoning about threats and their eventual validation. Thus for TC-based models to have a meaningful value, the threat analyst must synthesize sufficient background information about the system. In cases where sufficient background information is not available the effectiveness of the threat models drastically decreases. Most TC-based threat models are visualized as fault trees [2] of the system. It is our considered opinion that a threat modeling technique must capture both system attributes and attacker specific profile and must have sufficient semantics to enable logical reasoning about threats. In Section 2.3 we analyze some of the prominent threat visualizations techniques.

2.3

Threat Visualizations

Good threat visualization (representation) must capture both system specific attributes and attacker time specific details. Therefore any threat model that is based only on either AC or TC is flawed because it based on incomplete knowledge. An ideal threat visualization technique must be dynamic allowing the visualization of new threats as they appear hence making the security control adaptive. Also the visualization must be able to capture atomic details of threats as generalizations often leave out critical information which results into flawed threat models. In addition, the representation should be simple, easy to

understand and interpret. Besides the simplicity, the visualizations should have sound semantics to facilitate logical reasoning about threats, e.g. z z z

z

When are two threat paths equal? What is the internal structure of threat? Which particular event might have a greater impact even though it might have a low probability of occurrence? What is the best way of synthesizing threats?

For example attack suites [12] have sound semantics but are complex to understand and because of their complexity, they have not attracted much attention from security experts. In the following paragraphs we analyze some of the prominent threat visualizations against the fore mentioned desired attributes.

2.4

Fault Trees

Fault trees are a graphical representation of interaction of system failures [2]. The failures represent system vulnerabilities which present threats to the system. Fault trees were first published in the 1960's and have since then been employed by mechanical engineers in the analysis of system faults in mission critical systems. A node in the fault tree represents an event and the edges represent a causaleffect relationship between events. Leaf nodes are linked to the higher nodes in the hierarchy via logic gates (logic gate represent transformations). None-leaf nodes represent identified hazards for which predicted reliability or availability of data is required. Just like attack trees, intermediate nodes and leaf nodes represent refinements of a given fault. We note that fault trees lack adequate semantics to facilitate reasoning about threat models in addition to lack of expressiveness. Their lack of expressiveness is due to their inability to capture atomic details about the threat like attacker tools, knowledge, experience, motivation and goals. It is the limitations of fault trees as a threat visualization technique that has inspired the development of variants of tree-like threat visualizations structures like attack trees and attack nets. 2.4.1

Attack Trees

The term attack tree was coined by Schneier [9, 10] and it describes a directed graph which presents the why and how the security of a system can be compromised. In an attack tree every node represents an adversary goal and the root node represents the overall goal. Intermediate nodes in the graph represent sub-goals called (refinement of the parent goal) the

adversary has to accomplish in order to achieve the main objective. Leaf nodes in the graph represent the atom of an attack i.e., sub-goals or goals that can not be refined any further. Attack trees have simple semantics to allow the propagation of costs an adversary must incur to achieve a given task. However, semantics for attack trees have limited internal structure and can not facilitate sufficient logical reasoning about the threats they represent. For example when are two attack paths equal? What is the internal structure of an attack? Which event can have more impact? How should combine attributes be synthesized among others. Thus as much as attack trees are appealing to the security research community at conceptual level, there is need to enhance their structure through sound formalism in order to addressed the fore mentioned concerns. In addition, the formalism must provide an avenue of incorporating system specific details while preserving the simplicity. The most pronounced advantage of attack tree is their simplicity of representation hence interpretation. 2.4.2

Attack Suites

In an attempt to improve the fundamental understanding of attack trees, Sjouke et al [12] proposes an enhancement to attack trees by defining algebraic semantics. The researchers defined a universal set N of component whose various combinations can result into different attacks. The set N is defined as

N = x0 , x1 ,.., x n −1 where x 0 < i < n − 1 denote a unique component. Thus, an attack is defined as a finite non-empty multiset of components Ai , e.g. Ai = x1, x 3, A2 = x0, x1 Hence, an attack suite is a finite set of attacks.

C = A1, A2 Indeed their work introduced elegant semantics for attack trees which they transformed into attack suites. However their work did not address other concerns about attack trees like their static characteristics and being attack goal oriented. In addition, the semantics defined do not provide mechanism of synthesizing background knowledge in a logical way. Although the semantics introduced in attack suites are elegant, they introduced more complexity in the visualizations making the threat model difficult to understand. In general the complexity of the attack suites seem to overshadow the benefits of elegant semantics. Perhaps

this explains why a few further studies on attack suites have been carried out. 2.4.3

Attack Nets

After analyzing the weakness in the ordinary hierarchical graphical approaches to threat representation like attack trees and fault trees, McDermott [4] shifted the threat modeling paradigm to Petri Nets. The shift was inspired by the rich internal structure of Petri Nets which offer more expressiveness by separating data and processes. McDermott defined an attack net as a Petri Net with a set P, P = p1, p2, ..., pn of places and a set T,

T = t 1,t 2,. ..,t n of transitions. Places represent state or known knowledge while transitions represent events or actions that might cause a change of state in one or more linked places. The places are linked to transitions by unidirectional arcs, which represent the causal effect relationship. An attack net has a set of tokens S held in places and the movement of tokens between places along a given direction represent the progress of an attack. Attack nets present a departure from fault based analysis and attack tree threat representation by separating events from goals. The separation of events from goals enhanced the descriptive power of the representation, hence allowing security analyst to investigated atomic components of attacks. Despite the expressiveness of attack nets, the semantics of synthesizing information captured in the structure are not well defined. For example, when are two attack paths equal? How is the contribution to the overall attack of a particular event or knowledge at a node measured? How is background knowledge synthesized in the structure? Besides, no comparison between attack nets and attack trees has been done to ascertain which one performs better than the other. 2.4.4

SPD visualization, SPD represent threats models in a simple way hence, making the model easy to interpret. However, SPD visualization lacks adequate semantics to aid the systemization of threat models. Because of lack of semantics, SPD are not ideal for automated tool builders, but they are very popular with security implementers. Therefore, there is need to define ways in which appropriate formal semantics can be incorporated into security patterns to enable logical reasoning about threats. Thus in Figure 1 we map the prominent threat modeling techniques onto the ideal properties. If a given technique exhibits an attribute positively the intersection cell is marked with (+) and if the attribute is absent the intersection cell is marked (-). In cases where an attribute is more pronounced, the cell is marked (++), similarly in a cell where the attribute is vividly absent it is marked (- -). From Figure 1, the ideal threat presentation technique would be Security Patterns Descriptions (SPD). SPD describe threats in natural language, thus offering more expressiveness, however they lack formal semantics to aid logical reasoning about threat models. Thus, there is need to formalize SPD to provide more internal structure in order to facilitate logical reasoning about a given threat model. On the other hand, Attack Nets and Attack Suites provide semantics to aid the logical synthesis of threat models but they do not capture the atomic details of threats besides, the semantics defined lack sufficient internal structure. Therefore there is a need to refine these representations in order to enhance the semantics, reduce the inherent complexity and improve user acceptance. It should be noted that threat representations with sound semantics tend to have low rates of false positives and negatives. False positives are incidents of threats captured in the threat model which either does not exist or their severity index is overestimated while false negatives are threat indices either not captured in the threat model yet they exist or their severity index is underestimated.

Security Patterns Descriptions

Security Pattern Descriptions (SPD’s) are documents which describe the threat of a system in natural language. Security pattern descriptions are more expressive than graphical representations because they are not bound by formalism constrains. SPD's enable the capturing of atomic attributes of threats and background knowledge. Besides the expressiveness of

3

Threat Nets

We propose a threat modeling technique that incorporates system design and deployment flaws, and attacker time specific attributes in the synthesis of threats.

n

E ( X )t = ∑ p ( xi )logp ( xi ) 1

Figure 1: Threat representation Comparisons Our model is built on foundations of Petri nets, because the inherent structure of Petri nets allows deposition of a node into three distinct components i.e., goal, background knowledge and events. We define a node (place) in the threat path as a random variable, X, which represents a specific security service that might be compromised if a set of event(s) Y, Y representing transition (s)) below the node occurs. Background knowledge is quantified and represented as tokens in places. Since nodes are random variables, the number of tokens per node in the tree hierarchy is nondeterministic. Arcs linking events to nodes reflect the progress of an attack in that direction. Now we define a formal mechanism of processing threat trees. DEFINITION:

(x

1,

Let X

be

a

x3,. .., xi ,..., x n )

node in the tree, and let be a set of independent knowledge

Figure 2: Threat Net Structure Nodes X, Y, Z in Figure 2 represents sub-goals an adversary must achieve in order to progress To the main goal represented by node W. Each goal can be meant if background knowledge and attack capabilities represented as ( x1 , x 2 ,.., xi ) at each node are known. The knowledge of each probability

xi occurs with a

p i , of course the initial probabilities can be

subjective, but overtime one builds a knowledge base which he can refer to during the modeling process. Thus, the threat index at node Y at time t i is given by n

E (Y )t = ∑ p ( yi )logp( yi ) i

that influences independently the out come of X. Also let each x i occur with the probability, p ( xi ) thus the

Since the

probability distribution of the random variable X is p1, p 2,. .., p n . We assume that xi might be

easily be computed. At node Z, the quantity

(

)

representing one of the following; 1. Existence of vulnerability. 2. Existence of a mitigation control. 3.

Knowledge of vulnerability exploitation (i.e., has the vulnerability be exploited before?).

4.

Likelihood of future re-launches.

5.

Capabilities of the adversary.

6.

Values from nodes below

r j for j nodes to

the current node. Therefore we compute the cost of attaining a given goal (node) as the expected value [14] of a node X at time t i , defined as;

1

Pi ' s are known, the quantity E (Y )t can i

E (Y )t is i

converted into a probability for onward processing along the threat path. With our technique, one can logically analyze the internal structure of a threat, which is made of (background knowledge, events and adversary goals). Since threat modeling is not a one off event, we assume that the threat analyst employing threat nets approach has sufficient background information about the system which he can use to estimate the initial probabilities. To better reason with the model, we translated it into an optimization problem. An optimization problem is a problem of finding the best solution from all feasible solutions, in our case all possible threats. More formally, our optimization problem, P, is a quadruple denoted as;

P = ( v , f , n, g )

where v is the set of all possible vulnerabilities (background knowledge). Given a vulnerability y in v, f(y) is the set of feasible threats. Given a threat x in f(y), n(y,x) is the probability that x will result in an attack t. Thus, n(x,y) is defined as n( x,t ) = p(t / x ) , where p(t/x) is computed using Pearl's inference algorithm [3]. We define a function, g, to determine the most probable attack, g is a ranking function. If M is a set of all probable attacks, then

g (n( x,t )) = n( x,t ), if

n( M ) = 1

Otherwise

g (n( x, t )) = Max( M ) Consider a person who uses a laptop both at home and at his university office. If his laptop has no antivirus and he has no internet connection at home, then the vulnerability caused by lack of anti-virus has a higher probability of resulting into an attack at office than at home. By running the model a couple of times, a particular vulnerability can generate a threat probability distribution as per above figure. The results generated can be used to model security controls in order to mitigate threats.

4

Conclusions

With the exception of security patterns descriptions, most threat modeling techniques lack expressiveness. The incorporation of background knowledge and its logical synthesis improves the quality of a threat model. We observe that most threat analysts have not clearly distinguished threat models from attack models nor have they differentiated threat models from threat visualizations. The lack of a clear distinction between threat models and visualizations often results into suboptima models. In this paper we propose threat nets, a technique built on ordinary Petri nets that enhances the expressiveness of attack nets. Threat nets provide a mechanism of incorporating background knowledge in the threat model in a logical manner. The semantics in threat net leverages the structure of Petri nets which allows the separation of knowledge, goals and events in the model. By visualizing a threat at micro levels, threat net improves the quality of models by minimizing propagation errors caused by high level abstraction.

In general there is no well defined technique of measuring the quality of threat models. Therefore, quality depends on rigorous analysis and experience of the analyst. Despite the current research efforts in threat modeling, concerns about optimal threat identification, representation, model testing and validation are yet to be fully investigated.

5

References

[1] D. Dolev and A. Yoa. On the security of public key protocols. In The Proceedings of IEEE 22nd annual Symposium on Foundations of Computer Science , 1981. [2] FaultTree Org. Fault tree analysis tool, Jan 2008. [3] H. Guo and W. Hsu. A survey on algorithms for real-time bayesian network inference. In In the joint AAAI-02/KDD-02/UAI02 workshop on Real-Time Decision Support and Diagnosis Systems, Edmonton, Alberta, Canada, 2002. [4] J. McDermott. Attack net penetration testing. In Proceedings of the 2000 workshop on New Security Paradigms, pages 15–21, Ballycotton, County Cork, Ireland, 2001. [5] C. Pfleeger and S. Pfleeger. Security in Computing. 0-13-0355488. Prentice Hall, third edition, 2003. [6] C. Phillips and P. Laura. A graph-based system for networkvulnerability analysis. In NSPW ’98: Proceedings of the 1998 workshop on New security paradigms, pages 71–79, Charlottesville, Virginia, United States, 1998. ACM. [7] OWS Project. Threat risk modeling, October 2007. [8] J. Saunders. A dynamic risk model for information technologysecurity in a critical infrastructure environment, October 2007. [9] B. Schneier. Modeling security threats: Attack trees. Dr.Dobb’s Journal, pages 1–9, December 1999. [10] B. Schneier. Secrets and Lies: Digital Security in a NetworkedWorld. Wiley, 2000. [11] H. Shwan, S. Lambart, T. Ostwald, and A. Shostack. Uncovering secuirty design flaws using the stride approach, October 2007. [12] M. Sjouke and O. Martijn. Foundations of attack trees. In D. Won and S. Kim, editors, 8th Annual International Conference on Information Security and Cryptology, ICISC’05, number 3935 in LNCS, pages 186–198. Springer, 2006. [13] J. Steffan and M. Schumacher. Collaborative attack modeling. In SAC ’02: Proceedings of the 2002 ACM symposium on Applied computing, pages 253–259, Madrid, Spain, 2002. ACM. [14] H. Tilborg. Fundamentals of cryptology,A Professional reference and interactive tutorial. 0-7923-8675-2. Kluwer academic publishers, third edition, 2003.