Vulnerability Take Grant - UAIC

computers & security 26 (2007) 349–360

available at www.sciencedirect.com

journal homepage: www.elsevier.com/locate/cose

Vulnerability Take Grant (VTG): An efficient approach to analyze network vulnerabilities Hamid Reza Shahriari*, Rasool Jalili Network Security Center, Department of Computer Engineering, Sharif University of Technology, Azadi Avenue, Tehran, Iran

article info

abstract

Article history:

Modeling and analyzing information system vulnerabilities help predict possible attacks to

Received 27 February 2006

computer networks using vulnerabilities information and the network configuration. In

Accepted 9 March 2007

this paper, we propose a comprehensive approach to analyze network vulnerabilities in order to answer the safety problem focusing on vulnerabilities. The approach which is called

Keywords:

Vulnerability Take Grant (VTG) is a graph-based model consists of subject/objects as nodes

Network security

and rights/relations as edges to represent the system protection state. Each node may have

Access control

properties including single vulnerabilities such as buffer overflow. We use the new concept

Vulnerability

of vulnerability rewriting rule to specify the requirements and consequences of exploiting

Vulnerability analysis

vulnerabilities. Analysis of the model is achieved using our bounded polynomial algorithm,

Safety problem

which generates the most permissive graph in order to verify whether a subject can obtain

Vulnerability Take-Grant model

an access right over an object. The algorithm also finds the likely attack scenarios. Appli-

Multiphase attack analysis

cability of the approach is investigated by modeling widespread vulnerabilities in their general patterns. A real network is modeled as a case study in order to examine how an attacker can gain unauthorized access via exploiting the chain of vulnerabilities. Our experience shows the efficiency, applicability, and expressiveness in modeling a broader range of vulnerabilities in our approach in comparison to the previous approaches. ª 2007 Elsevier Ltd. All rights reserved.

1.

Introduction

The goal of vulnerability analysis in computer and network systems is to analyze vulnerabilities’ dependencies to find the attack scenarios before malicious attackers find them. Currently, several tools exist which analyze the single host vulnerabilities in isolation. However, protecting networks against attacks requires considering all network vulnerabilities; vulnerabilities inter-dependencies; and the dependency among services. Considering individually, a service may provide an acceptable level of security, but a combination of such services may lead to subtle attack scenarios. For example, the file transfer protocol (ftp) and the hypertext transfer protocol (http),

provided simultaneously in the same host, may permit an attacker to write into a web directory using ftp. This causes the web server to execute a program written by the attacker. Accordingly, a comprehensive analysis of network vulnerabilities needs consideration of individual hosts as well as their relationships. The complexity of analyzing network vulnerabilities increases extremely as the number of hosts and services increases. Manual handling of such complexity is very difficult or even impossible in the case of current enormous networks. Accordingly, automated approaches are necessary for vulnerability analysis. Our vulnerability analysis problem is to determine whether an attacker can obtain unauthorized access to a particular

* Corresponding author. Tel.: þ98 21 66164020. E-mail addresses: [email protected] (H.R. Shahriari), [email protected] (R. Jalili). 0167-4048/$ – see front matter ª 2007 Elsevier Ltd. All rights reserved. doi:10.1016/j.cose.2007.03.002

350


resource. This is a specific form of the safety problem, which asks ‘‘Given an initial configuration of a protection system, can a subject s obtain some access right r over an object o?’’ (Shapiro, 2003). In other words, we focus on determining whether a set of known vulnerabilities allows a given subject to acquire some specific set of rights over an object representing a resource. Based on the authors’ knowledge, the previous literature has not explored the safety problem focusing on vulnerabilities. Approaches proposed in Zerkle and Levitt (1996), Dacier and Deswarte (1994), Ritchey and Ammann (2001), Ramakrishnan and Sekar (2002), Shahriari and Jalili (2004), Noel et al. (2003, 2004), and Noel and Jajodia (2004) analyze network vulnerabilities from the point of view of the relations among individual hosts and network configurations. These approaches mainly use model checking and graph-based techniques to generate and analyze an attack graph; the task has been done in exponential time. In Ammann et al. (2002) and Noel et al. (2003), polynomial time approaches have been suggested for the same problem without any specific upper bound on polynomial degree. In this paper, we propose a new access control based model to address the concept of vulnerabilities and their effects on the system protection state. The model has been motivated from the Take-Grant protection model; a graph-based access control model, where subjects and objects are considered as nodes of a graph, and access rights as well as administrative rights (Take and Grant) are considered as the edges (Jones et al., 1976). We also propose a framework to model vulnerabilities based on their pre-conditions and post-conditions as well as an algorithm to analyze the model with bounded polynomial time in the size of the protection system graph. The proposed algorithm can generate possible attack scenarios. The applicability of the framework has been shown through real examples of vulnerabilities. The examples cover a general form of widespread vulnerabilities such as buffer-overflow and cross-site scripting. The remainder of this paper is organized as follows. In Section 2, we review previous works on the Take-Grant protection model and network vulnerability analysis. The outline of our proposed approach has been presented in Section 3. The detail of our approach has been presented in Section 4. Section 5 discusses the applicability of the approach through modeling broad types of vulnerabilities and their rewriting rules. Section 6 presents an algorithm to analyze the model in order to answer the safety problem considering vulnerabilities. Section 7 provides a real case study. The conclusion and future works have been presented in Section 8.

2.

Related work

The Take-Grant protection model was first developed by Jones et al. (1976) where the safety problem could be solved in linear time. They provided the necessary and sufficient conditions under which rights and information could be transferred between two entities of the protection system and a linear time algorithm to test those conditions. Applications of the Take-Grant model to various systems have been explored separately (Bishop, 1981, 1996; Jones, 1978; Snyder, 1977;

Wu, 1981; Frank and Bishop, 1996). Extending the initial Take-Grant model also has been experienced by Frank and Bishop (1996). They proposed a method of extending the Take-Grant model to add the notion of information or right flow cost and to find the most likely path. In nearly all previous works, in addition to decidability, time complexity of the decision algorithm has been emphasized. Linear time complexity of the Take-Grant model for safety problem has made it more attractive than other formal access control models. Based on the authors’ knowledge, the Take-Grant protection model has not been used for host or network vulnerability analysis so far.1 Previous approaches to network vulnerability analysis mainly focused on model checking and graph-based techniques whose time complexity was either exponential or polynomial. Such approaches mainly depend on some offthe-shelf tools for scanning individual host vulnerabilities. Vulnerability scanner tools such as System Scanner (Internet Security Systems) scan hosts to discover vulnerabilities in the configuration. However, they do not investigate how a combination of configurations on the same host or among hosts on the same network can contribute to the vulnerabilities. The NetKuang system tries to assess beyond host vulnerabilities. It is an extension to a previous work on building a rulebased expert system, namely Kuang (Zerkle and Levitt, 1996). NetKuang extends the Kuang’s rule-set to include certain UNIX network security issues, which are undetectable when analyzing a single host. NetKuang uses a backtrack search algorithm to identify vulnerabilities. Dacier proposed the concept of privilege graphs. Privilege graphs are explored to construct an attack state graph, which represents different ways in which an intruder may reach a certain goal, such as root access on a host (Dacier and Deswarte, 1994). Ritchey and Ammann (2001) used model checking for vulnerability analysis of networks via the model checker SMV. They could obtain only one attack corresponding to an unsafe state. The experiment was restricted to only specific vulnerabilities. However, the model checking approach has been used in some other researches to analyze network vulnerabilities (Sheyner et al., 2002; Jha et al., 2002). The model checking has the scalability problem which some researchers tried to overcome (Jajodia et al., 2003). Ramakrishnan and Sekar (2002) used a model checker to analyze a single host system with respect to combinations of unknown vulnerabilities. The key issue in their research was checking infinite space model using model abstraction. Swiler et al. (2001) presented a method for generating attack graphs by forward exploration. In (Shahriari and Jalili, 2004), CSP was used to model and analyze TCP protocol vulnerabilities. In this approach, the model checker FDR2 was used to verify some simple security properties and find attack scenarios. CSP has been used widely in modeling and analyzing security protocols (Ryan and Schneider, 2001) and verifying intrusion detection systems (Rohrmair and Lowe, 2003). Noel et al. presented TVA in Jajodia et al. (2003), Noel et al. (2003) and investigated it more in Noel et al. (2004) and Noel and Jajodia (2004). In their approach, exploits are modeled as 1

Bishop has modeled security breach of SETUID programs in UNIX operating system in his Ph.D. thesis (Bishop, 1984).

351


pre/post-conditions and a specific tool has been used to construct the attack graph. Encoding each exploit individually resulted in a large and complex model. Logic-based approaches have been considered in Shahriari and Jalili (2005) and Ou et al. (2005). The more recent approach named MulVal (Ou et al., 2005) adopts Datalog (which is a subset of Prolog) as the modeling language of elements in the analysis. The reasoning engine consists of a collection of Datalog rules capturing the operating system behavior and the interactions of various components in the network. The main problem of MulVal is using a backward search algorithm for determining whether goals can be achieved from the initial state. In this kind of reasoning, users always need to define some goal and then the reasoner will check whether the goal is satisfiable or not. In our approach, which is based on the access control model, vulnerabilities of the same type are modeled in a general pattern. For example, all buffer overflow vulnerabilities are treated similarly and encoded in a single model. It reduces the size of the model and cost of analysis. Accordingly, we propose an efficient algorithm to analyze the vulnerabilities in a bounded polynomial time based on the size of protection graph.

3.

Outline of the approach

The proposed approach is composed of three steps. In the first step, the network configuration and known vulnerabilities are collected. In the second step, the gathered information is used to construct the initial model. The last step involves analyzing the model to capture all the ways through which the rights can be transferred. Fig. 1 depicts the schematic outline of our approach. To construct the model, we need to know the current host and network configuration of rights, and the set of host and network vulnerabilities. The former can be derived by examining the system and network. Many of the latter can be

Information Gathering

determined using vulnerabilities databases and host and network analysis tools. The OVAL scanner is a tool developed based on the Open Vulnerability Assessment Language (OVAL) (Wojcik et al., 2003), an XML-based language which is used to formally describe the host configuration vulnerabilities and the required tests to detect them. This standard has been proposed by MITRE Corporation on which some major operating system vendors have reached consensus. As of writing this paper, the OVAL definitions for Windows, Redhat Linux, and Sun Solaris operating systems vulnerabilities are available. The Nessus vulnerability scanner is a powerful tool which utilizes the NASL language to find the vulnerabilities of network services remotely (Derasion, 2000). The network topology can be captured using several tools, such as Cheops-ng. The initial model of the network, called VTG, will be constructed based on the vulnerabilities of the hosts and services, current configuration of rights, and network topology provided automatically by the abovementioned tools. At the core of our model are Vulnerability Rewriting Rules, which specify how exploiting vulnerabilities changes the system protection state and represents the requirements and consequences of exploiting a vulnerability. The Analysis engine takes the initial model and a database of vulnerability rewriting rules as input and generates transitive closure of accesses in which all the achievable access rights have been captured. Having the closured model, checking for unauthorized acquired rights based on the security policy will be straightforward. In case of security policy violation, generating the related attack scenario is also possible through our approach.

4.

Vulnerability Take-Grant model

In this section we present the generalized Vulnerability TakeGrant model. Our approach is based on extending the initial take-grant model. Some definitions are provided first and the formal model is presented later on.

Modeling

Analyzing

Host 1 Security Policy

OVAL Scanner

Secure Nessus Scanner Host n

Modeling Network

VTG Model

Analysis Checking for Closure Engine Violation

OVAL Scanner

Attack Scenario Vulnerability Rewriting Rules Database

Network Configuration

Fig. 1 – The outline of the approach.

352

4.1.


Basic definitions

Definition 1. The computing system can be defined as the state machine SYS ¼ ðS; S0 ; s; SA ; SU Þ, where S is the set of all states, S0 4S is the set of initial states, s4S S is the set of state transitions and SA 4S and SU 4S represent the set of authorized and unauthorized states, respectively. The authorized and unauthorized states are specified by the system security policy. Any security policy should satisfy some consistency constraints. As an example, each policy should disjointly partition the system states, i.e. SA WSU ¼ S; SA XSU ¼ f, and it should be a surjective function. Specification of the security policy and its constraints are beyond the scope of this paper. Bishop and Bailey (1996) provided a definition for vulnerable state: ‘‘A vulnerable state is an authorized state from which an unauthorized state can be reached using authorized state transitions.’’ In the definition, not only states but also transitions are classified into authorized and unauthorized ones. We can simplify this definition by excluding transitions as the authorized/unauthorized state transitions depend on the current state of the system. If the transition is unauthorized, the system is in a (presumably) disallowed state in which a prohibited action may be taken or would transition to an unauthorized state, and hence the system is in an unauthorized state. Accordingly, a vulnerable state can be defined as follows: Definition 2. The state s is vulnerable if it is an authorized state ðs0 ˛SA Þ and there is an unauthorized state s0 ðs0 ˛SU Þ and transisk s1 tions s1 ; s2 ; .; sk such that s / / / s0 . Accordingly, vulnerability is defined as characteristics of a vulnerable state that distinguishes it from all non-vulnerable states.

4.2.

The model

In this section, we define the core of our model to analyze vulnerabilities. Exploiting most vulnerabilities leads to a change in access rights of entities in the system protection state. This requires some conditions to be met, such as having access to a server or running a special version of a service on the server. In other words, the system must be in a vulnerable state to provide opportunity for the attacker to exploit the vulnerability and change the protection state of the system. For example, the attacker may acquire root access on the running server, or may stop a service. The new state may also enable the attacker to make subsequent state transitions leading to an unauthorized state. A general model should allow us to represent the preconditions and postconditions of all types of vulnerabilities in it. As stated earlier, exploiting most vulnerabilities involve the attacker having some access rights over entities of the system which in turn leads to acquiring additional access rights. But not all of the vulnerabilities are of the form ‘‘Requires some rights/Provides some other rights’’. For example, consider

the Ethernet LAN vulnerability that an attacker may sniff the transmitted data. To exploit this vulnerability, the attacker and the victim must be connected to the same LAN. The entities have no right over each other in the latter case. Therefore, we need a general type of relationship to address them. Moreover, there are a large number of vulnerabilities that require certain properties to be present for the individual entities. For example, running Apache server 1.3.12 is a precondition of the vulnerability CVE-2000-0868 (Mitre Corporation). Therefore, we should address three general categories of the preconditions: The set of rights of entities over other entities (E ), The set of general relations between entities (Er) (i.e. any relationships between entities other than access rights), The set of attributes of individual entities (Aa). The notions R and r are used for set of access rights and general relationships, respectively. Other notations are defined more formally as follows: Definition 3. The set E is the set of tuples fðu; v; SÞju; v˛V; S4Rg in which the vertex u has some set of rights (S ) over vertex v. Definition 4. The set Er is the set of tuples fðu; v; LÞju; v˛V; L4rg in which the vertex u has some set of relationships (L) with vertex v. Our proposed model, which is called Vulnerability TakeGrant (VTG), is a graph based model and is defined as follows: Definition 5. The Vulnerability Take-Grant (VTG) model is defined as a tuple VTG ¼ ðV; E; Er ; Aa Þ, where V is the set of vertices representing entities, E is the set of rights the source vertex has over the destination vertex, Er is the set of relationships between vertices, and Aa : V/2a is a function associating the attributes to each entity, where a is the set of all possible attributes of vertices including vulnerabilities. It is worth noting that, although we have changed the initial Take-Grant protection model, its original rewriting rules are just applicable to the rights (the set R). In other words, the set of relations between entities is not changed by the original rewriting rules.

4.3.

Rewriting rules

As the system executes operations and users interact with the system, the state of the protection system changes. The initial Take-Grant model has offered four rewriting rules as the executable operations: take, grant, create, and remove rules. As we have extended the initial Take-Grant model, we review the take and grant rules (t and g stands for special rights take and grant, respectively): 1. Take rule: Let x, y, and z be three distinct vertices in a protection graph G0 and let x be a subject. Also let there be an edge from x to y labeled g with t˛g and g4R, an edge from y

353


(a) y

t x

z

5.

y

t

z

x

(b) g y

x

g z

y

x z

Fig. 2 – (a) Take rewriting rule and (b) grant rewriting rule.

to z labeled b, and a4b4R. Then the take rule defines a new graph G1 by adding an edge to the protection graph from x to z labeled a. Fig. 2a shows the take rule graphically. 2. Grant rule: Let x, y, and z be three distinct vertices in a protection graph G0 and let x be a subject. Also, let there be an edge from x to y labeled g with g˛g and g4R, an edge from x to z labeled b, and a4b4R. Then the grant rule defines a new graph G1 by adding an edge to the protection graph from y to z labeled a. Fig. 2b shows the grant rule graphically. Exploiting vulnerabilities changes the system protection state. However, there is no rewriting rule to address exploiting the vulnerabilities. We address these changes through vulnerability rewriting rules. Each vulnerability rewriting rule checks the model for presence of the preconditions of a vulnerability and applies its postconditions to the model. We make an assumption which seems to be realistic when we are dealing with vulnerabilities in the real world. Each exploit involves only one active entity as an attacker, which acts to gain extra access rights. We call this entity the active vertex. Now we define the vulnerability rewriting rule: Definition 6. A vulnerability rewriting rule is defined as a tuple VRR ¼ ðGpre ; f ; vA Þ, where Gpre is the graph identifying the vulnerability precondition; f is a function mapping the vulnerable state to the destination state; and vA represents the active vertex which utilizes the vulnerability. In fact, the subgraph Gpre denotes the vulnerability pattern which is considered as the precondition of the vulnerability in our model. To be able to exploit the vulnerability, the graph G should contain an isomorph subgraph to Gpre. Accordingly, an exploit can be defined as an instance of the vulnerability rewriting rule which is applied to a specific subgraph of graph G. It is defined more formally as follows: Definition 7. Let G is a VTG graph representing the current protection state of the system. An exploit is defined as a tuple e ¼ ðG; VRRv ; uA Þ where VRRv is the vulnerability rewriting rule applying on G, and uA is the vertex representing the system entity which corresponds the active vertex of VRRv. In fact, an exploit is an instance of vulnerability rewriting rule in a vulnerable state.

Applicability of the model

Here we show how real-world vulnerabilities can be modeled using our approach. As stated before, exploiting most vulnerabilities causes the protection state of the system to be altered. Thus, exploiting vulnerabilities is addressed in our model by vulnerability rewriting rules. In fact the vulnerability rewriting rules represent the transitions which are caused by the vulnerability exploitation. We model some well-known and realistic vulnerabilities in operating systems and web applications as rewriting rules in order to demonstrate the applicability of our approach. First we present a model of program executions in UNIX, and then the common vulnerabilities in the program execution are modeled. Example 1. (SETUID programs in UNIX) In the UNIX environment, the commands or programs are normally executed with permissions of the user who invoked the command, but an SETUID program is executed with the privilege of the user who owns it. Fig. 3 shows two examples presenting the model of command execution in the UNIX operating system. Fig. 3a shows the execution of a regular program (copy) by the user u. The regular rights (E ) are shown by solid edges and the relationships (Er) are shown by dashed edges. Although the owner of the copy program is root, this program has access neither to file 1 nor to device1. In Fig. 3b mount is executed as an SETUID program by user u. The user u has no direct access to file1 and device1, but as the program mount is a SETUID program whose owner is the user root, it can access both file1 and device1. This fact is represented in the model by assigning a t (take) right from mount to root.

(a)

root ow

n

r,w r,w

u

file1

x t

device 1

copy

r,w file2 copy is regular program and user u executes it with its permissions

(b)

ow

root

n

r,w r,w file1

t x mount

device 1

u r,w file2 mount is a setuid program and user u executes it by root permissions. Fig. 3 – Modeling execution of programs in UNIX: (a) a regular program and (b) a SETUID program.

354


Applying the take rule enables the mount program to acquire r and w rights over file1 and device1, respectively. Example 2. (Buffer-overflow vulnerabilities) Buffer overflow vulnerabilities are reported to be the most exploited ones among network attacks (SANS Research Center). We model all vulnerabilities of this type by a single rewriting rule. CVE-2000-0128 is a buffer-overflow vulnerability in Linux mount and umount programs allowing local users to gain root privileges via a long relative pathname (Hansman and Hunt, 2005; Mitre Corporation). As Fig. 4 shows, if the mount program has this vulnerability, then the user u can gain the root privileges. The user u can access file1 only indirectly through mount. Nevertheless, the user u can exploit the buffer-overflow vulnerability in mount and gets the root privileges. This is shown by adding a take (t) edge from u to the root vertex. Applying the take rule, the user u obtains the rights read and write over file1. We can model the buffer-overflow vulnerability rewriting rule as following: VRRbof ¼ Gbof ; fbof ; vA ; where Gbof ¼ ðV; E; Er ; Aa Þ ¼ ðfðX; YÞg; fðX; Y; xÞg; B; fðY; fVULN ¼ BOFgÞgÞ; and fbof ðV; E; Er ; Aa Þ ¼ ðV; EWfðX; Y; tÞg; Er ; Aa Þ; and vA ¼ X

t

u

(a)

x mount {Vuln=BOF}

file1

root r, w

own

[Exploiting BOF vulnerability] u

(b)

t

t

x mount {Vuln=BOF}

file1

root

where X and Y are nodes representing the attacker and vulnerable process, respectively. This rule implies that if Y has a buffer-overflow vulnerability and X has x (execute) right over Y, then it can exploit and acquire t right over Y. Example 3. (Cross-site scripting vulnerabilities) Cross-site scripting vulnerabilities are a large group of vulnerabilities which have increasingly populated in web applications. A cross-site scripting vulnerability (CSS) comes from the failure of a web application to validate user input before returning it to the client’s web-browser. The essence of cross-site scripting is that an intruder causes a legitimate web server to send a page to a victim’s browser That page contains a malicious script or HTML codes of the intruder’s choice. The malicious script runs with the privileges of a legitimate script originating from the legitimate web server. Consequently, the attacker may access private data on the client such as cookies, data files, or may access restricted web sites on behalf of the victim (Hansman and Hunt, 2005; CERT Advisory; Isamil et al., 2004). We refer to this type of CSS as Server-CCS, as the vulnerability is due to a fault in the web server. For example, the vulnerabilities CVE-2002-0075 and CVE-2002-0682 are of this type (Mitre Corporation). In other cases, the client browser itself has a vulnerability, which allows attacker to run a script within the browser and access the private data. We refer to this type of CSS as Client-CSS. CVE-2002-1187 is an example of client-CSS vulnerability. Fig. 5 shows an example of the Server-CCS vulnerability, in which the malicious attacker Eve has changed certain web pages on the webserver to include malicious scripts. This can be easily done in sites allowing users to send feedback or take part in an auction. When user u browses a link referring to the malicious page, the malicious script is executed on the client, and Eve can access the information belonging to u. Because the cooperation of u is needed for this vulnerability to be exploited, we show its affect by adding an edge from u to Eve labeled g (stands for grant). Applying the grant rule, Eve can acquire u’s access rights, such as r and w, on the private file doc. We can model the cross-site scripting vulnerability rewriting rule as following: VRRcss ¼ Gcss ; fcss ; vA ;

r,w

where

own

Gcss ¼ ðV; E; Er ; Aa Þ ¼ ðfðX; Y; WÞg; fðX; W; xÞ; ðY; W; xÞg; B; fðW; fVULN ¼ CSSgÞgÞ;

[Applying Take rule two times] and

t

(c)

u

t

t x mount {Vuln=BOF}

file1

root r,w

own

r,w Fig. 4 – (a) Mount is a SETUID program and has the bufferoverflow vulnerability, (b) The user u gains the take right over root account by exploiting the buffer-overflow and (c) The user u gains the r and w rights over file1 by applying Take rule.

fcss ðV; E; Er ; Aa Þ ¼ ðV; EWfðY; X; gÞg; Er ; Aa Þ; and vA ¼ X where X, Y, and W are nodes representing attacker, legitimate client, and web server, respectively. This rule implies that if W has a CSS vulnerability, and X and Y have x right over W, then the right g is added from Y to X. Example 4. (Weak password vulnerability) The weak password vulnerability (which we refer to as WP hereafter) arises when a user account with a weak password is defined on

355


Webserver

M

{Vuln=CSS} hosts

doc r,w

Eve

A

u

(a)

sts

(a)

x

ho

x

P

x

U {Srv=Login}

[Exploiting CSS vulnerability]

{Vuln=WP}

Webserver [Cracking the password of account u]

{Vuln=CSS} x

x g

Eve

sts

r,w

hosts

doc

ho

(b)

M

u A

(b)

[Applying Grant rule] Webserver

x

(c)

x

doc r,w

{Vuln=WP} U

{Srv=Login}

{Vuln=CSS} x

P

g

Eve

u

t Fig. 6 – Exploiting the weak password vulnerability. (a) The account u has a weak password vulnerability and (b) the attacker A exploits the WP vulnerability and gains a take right over account u.

r,w Fig. 5 – Server cross-site scripting vulnerability (Server-CSS).

and fwp ðV; E; Er ; Aa Þ ¼ ðV; EWfðA; Y; tÞg; Er ; Aa Þ;

a host M and the host provides the login service to its users. Assume that a user has an account U on host M and he/she has chosen a weak password for the account. Also assume this host provides the login service through process P. Having access to the login service, the attacker A can guess U’s password and obtain all the privileges of user account U. Fig. 6 presents the password cracking rewriting rule which demonstrates how exploiting the WP vulnerability results in a change in access rights. The preconditions of this rule have been depicted in Fig. 6a. Fig. 6b shows how the attacker obtains the new access right t over user account a after exploiting WP vulnerability. We use the attribute {Vuln ¼ WP} to represent it. Also we add the attribute {Srv ¼ Login} to the attributes of vertex P to show the login service provided by process P. Based on above discussion, we can model the weak password vulnerability rewriting rule as following: VRRwp ¼ Gwp ; fwp ; vA ; where Gwp ¼ ðV; E; Er ; Aa Þ ¼ ðffðA; P; W; UÞg; fðA; P; xÞg; fðM; P; fhostsgÞ; ðM; U; fhostsgÞg; fðP; fSrv ¼ LogingÞ; ðU; fVuln ¼ WPgÞggÞ;

and va ¼ A

6.

Analysis

In this section we present our approach to analyzing the model. Our analysis is based on the following question: ‘‘Is it possible for attacker A to achieve access right r over y or not?’’ Rights in the Take-Grant protection model can be transferred either cooperatively or unilaterally. It is also the case in application of this model in vulnerability analysis. The attacker can exploit some vulnerabilities unilaterally; however, exploiting other vulnerabilities require cooperation of other subjects of the system which grant their rights either unknowingly or intentionally. In this section, we consider the capability of an attacker to acquire rights without cooperation of other entities. To be precise, we are interested in the following question: ‘‘Can attacker A achieve access right r over y unilaterally?’’ Grant rules are useless when we focus on unilateral transformation of rights. Our mean of unilateral transformation of rights can be defined more formally in VTG by the predicate can$access: Definition 8. The predicate can$access (a, x, y, VTG0) is true for the right a and two vertices x (as subject) and y, if there exist

356


protection graphs VTG1,., VTGn such that VTG0w*VTGn using only take and vulnerability rewriting rules, and in VTGn there is an edge from x to y labeled a. The definition allows the attacker to use only take and vulnerability rewriting rules which transfer the rights unilaterally. To answer can$access, we construct VTG’s closure regarding de jure and vulnerability rewriting rules. First we define the concept of closure: Definition 9. Let A be the set of rewriting rules. We define GA as the closure of graph G regarding A, if all possible rules of A have been applied in GA and no more rewriting rules can be applied in it. The initial state of VTG graph is changed by both de jure and vulnerability rewriting rules. Let Gdejure be the closure of G regarding de jure rewriting rules (which only contains the take rewriting rule based on the unilateral analysis) and GVRR be the closure of G regarding vulnerability rewriting rules. Only one set of rules has been applied in each of these closures. However, it maybe possible to apply the rewriting rules of the other closure after constructing one closure. Fig. 7 shows an example of how one can exploit a previously considered vulnerability through a vulnerability rewriting rule after applying a de jure rewriting rule. The closures include all the possible ways through which the rights could be transferred using the related vulnerability rewriting rules. The attacker may exploit some sequences of the vulnerabilities to reach its final goal. To capture all the possible attack paths, a complete closure is needed. The following algorithm constructs the complete closure of G:

Algorithm Gen_Complete_Closure (G) 1 Let list F initially contain all ordered pairs of the from (e, r) where e denotes edges labeled t, and r denotes its associated right 2 While (! IsEmpty(F )) //applying all possible de jure rules 3 While (!IsEmpty(F )) 4 Let (e, r) ¼ head(F ) 5 For each take rule applicable through e 6 Apply the rule on G and add the resulting edge and its associated right to F, if it has not been inserted yet. 7 Delete (e, r) from F //applying all possible VRRs 8 for all rw ˛ VRR 9 pattern ¼ FindPattern(G, rw, Gpre) // find Gpre-isomorph in G 10 Apply all exploits of the form exp¼ (G, rw, uA) where uA ˛ pattern 11 if exp involves addition of edges like e0 labeled r0 to G then 12 Add all such pairs ðe0 ; r0 Þ to F, If they haven’t been inserted yet.

The correctness and time complexity of Gen_Complete_ Closure algorithm is dealt in Theorem 1. Theorem 1. Gen_Complete_Closure constructs the complete closure of G correctly in Oðn2k þ nkþ3 Þ, where n is the number of vertices of G, and k is the maximum number of nodes in the vulnerabilities pregraphs.

Proof. At first, we prove that lines 2–7 construct Gdejure given i the input graph Gi at the beginning of the ith round of the algorithm. We should prove that the algorithm adds all possible edges and rights and also no multiple edges exist between vertices. Let L ¼ {(R1,r1), (R2,r2),.,(Rm,rm)} be a seclosure, quence of applied rules leading to a correct Gdejure i where R and r stand for a related set of rights and rules, respectively. Assume there are some pairs in L whose rights are not produced by our algorithm and let (Rk, rk), 1 k m, be the first such ordered pair appearing in L. We define rights t and a in Fig. 2a the basic rights of the take rule. The basic rights of rk should have been already added to graph by one of the rules r1 to rk1, if they were not present in the initial graph G. The similar conditions hold for our algorithm as well; thus, the basic rights of rk have been added to F (or they had been existed at first) and should be considered by the algorithm which leads in addition of Rk and contradicts the initial assumption that Rk has not been added by Gen_Complete_Closure algorithm. Moreover, the condition of line 6 in the algorithm ensures that no ordered pair will be added to F repeatedly. At each round of the algorithm, lines 8–12 consider all the vulnerability rewriting rules and apply all the possible ones and append all the newly added rights to list F. The algorithm terminates when no item has remained in list F. Let jVj be the maximum number of vulnerabilities and k represents the maximum number of vertices in graph Gpre of a vulnerability rewriting rule. We first prove that after at most 1 nð n k 1 Þðk 1Þ!jVj times of executing the external loop, all the possible rewriting rules have been applied and lines 8–12 do not change the graph anymore. This result is based on the fact that every active vertex of G participates only once in a given exploit of the form exp ¼ (G, rw, uA) because after that uA has achieved all the desired rights it could achieve by applying this rule. It is easy to see that the number of all possible vulnerability rewriting rules is no more than 1 nð n k 1 Þðk 1Þ!jVj, so if the algorithm applies only one vulnerability rewriting rule in each round of the loop at worst, 1 after at most nð n k 1 Þðk 1Þ!jVj times of loop execution all the rules of this type have been applied. Now we compute the time complexity of each internal loop. Lines 2–7 consider each edge of the list F for applying possible take rewriting rules. The test of line 5 takes O(n). At each moment, there are O(n2) elements in list F. Thus time complexity of the first internal loop is O(n3). Notice that checking the condition of line 6 can be done in O(1) by using the graph data structure instead of exploring the list F because the edges and their associated rights are added to G as well as F. Lines 8–12 consider all the applicable rewriting rules and apply these rules if possible. The time complexity k . of FindPattern and applying the rewriting rule in it is Oð n Þ k Therefore, the time complexity of the second loop is Oð n Þ considering that the number of vulnerabilities, jVj, and the maximum number of vertices in rewriting rule pattern graph, k, are constant. Thus, the time complexity of the whole algorithm , is Oðn2k þ n3 Þ Having a complete closure, it is clear that we can answer the safety problem introduced at the beginning of this section in O(1). Therefore the following theorem holds:

357


{Srv=Login} P

x

ho s ts

{Srv=Login}

*

V {Vuln=WP}

x

A

x

m sts ho

sts ho

ho sts

m

P t

V {Vuln=WP} x

x

Q {Vuln=BoF}

t

Q {Vuln=BoF}

Fig. 7 – Applying a de jure rule between two vulnerability rewriting rules. Initially, A cannot exploit BoF vulnerability of Q, because it has not the x right over Q, but after exploiting weak password vulnerability of V, and applying a take rule, it acquires the x right over Q, and it is now able to exploit BOF vulnerability of Q.

Theorem 2. Let A be the union of the de jure and vulnerability rewriting rules. We can construct GA in polynomial time and answer the safety problem in constant time. , It is worth of noting that the initial cost of constructing the complete closure will be paid once and the attacker’s capability to access the network resources can be verified in constant time afterwards. Moreover, the algorithm can be modified to generate attack path. The attack path can be tracked by assigning text labels to rights when applying rewriting rules. The assigned text describes how the vulnerabilities are exploited or the de jure rules are applied as well as the subjects and objects involved in the rules. Fig. 8 depicts how a new label can be generated from two previously generated ones. Assume that rights p and q have been already added by rewriting rules and text labels Label ( p) and Label (q) contain the attack scenarios which lead to the addition of these rights respectively. Also, assume we can now apply a new rewriting rule and obtain the new right r. The associated text label of r, Label (r), can be of the following form: n LabelðrÞ ¼ LabelðpÞ; LabelðqÞ; ‘‘having access rights p and q;

o

‘‘

we can apply rewriting rule x and achieve right r

Subsequently, Label(r) contains the complete attack scenario acquiring right r.

7.

Case study

In this section, we represent the application of Vulnerability Take-Grant model and the acquired results in vulnerability analysis of a typical network. Besides the previously introduced rewriting rules, we need some general rules to analyze the real world vulnerabilities. For example, each user’s access

Label(r) r

La

be q

l(q

)

)

l(p p

be

La

Fig. 8 – Generating attack scenario labels.

rights are a subset of the root’s access rights. This fact can be shown in the VTG model as a set of take edges drawn from the root user-account to other user accounts defined on the same host. Fig. 9 depicts a local network, where the attacker (Eve) is placed outside the network. The firewall configuration allows remote users to have access to web and mail services. Eve’s goal is to gain access to Bob’s files hosted on Saman. On the machine NSC, the HTTP and SMTP services are listening to the associated ports. These services are running with the user privileges apache and root, respectively. Moreover, SSH and RPC services are running on the machine FileServer with the user privilege root, and SMB service is running on Saman with the same user privilege. Using the Nessus and OVAL scanners, we found that the services HTTP on NSC, SMB on Saman and RPC on FileServer have buffer overflow vulnerability. Moreover, we found that the user account root on the machine FileServer suffers from weak password vulnerability and the user Bob has added the account manager from machine FileServer to its .rhosts file. The VTG model of network is represented in Fig. 10. To avoid congestion, unnecessary relations between hosts are ignored in the figure. By using the complete closure algorithm (Gen_Complete_ Closure) described in the previous section and applying the rewriting rules on the above VTG graph, GA is acquired. Some part of GA is depicted in Fig. 11. As mentioned above, the Eve’s goal is to access Bob’s file on the Saman. Eve is allowed to access Bob’s file if and only if there is an edge from Eve to Bob in GA including right r in its set of access rights. The attack path which brings the Eve to Bob’s file is shown in a dotted line in Fig. 11. We can obtain the attack path by using the previously described technique. One possible attack scenario is as follows: 1. Eve exploits the HTTP buffer overflow vulnerability on the machine NSC and gains the user privilege apache on this machine. 2. Now Eve has access to SSH service on machine FileServer and can try to guess root password. 3. After finding the root password, Eve has all the rights of user account manager on machine FileServer. 4. Pretending to be manager, Eve acquires Bob’s access rights on machine Saman. 5. Consequently, Eve reaches its final goal which is having access to file1 on machine Saman.

358


Fig. 9 – Case study network topology.

8.

and its analysis method, network designers and administrators can predict possible attacks to their network resources, just by providing the network configuration information. Such information consists of the hosts’ vulnerabilities and the network topology which can be detected using offthe-shelf scanning tools as described in Section 3. It is possible to use the model for more comprehensive analysis. Answering questions such as finding the critical vulnerable path, the shortest path to accessing a right and minimum cost path of accessing rights (considering the possibilities or difficulties of exploiting different vulnerabilities) can represent further applications of Vulnerability Take-Grant model in the vulnerability analysis. Reducing the time complexity of the analysis can be considered as well. The proposed algorithm constructs the complete closure in bounded polynomial time and answers to safety problem in constant time. Considering the similarity of de jure and vulnerability rewriting rules, it may be possible to analyze the vulnerabilities by an algorithm just like can$steal (Jones et al., 1976) in linear time. The nature of Take-Grant

Conclusions and future works

In this paper, we introduced a new method for network venerability analysis, which was motivated from Take-Grant protection model. This method affords the possibility of representing the protection state of a network with a formal model. We demonstrated how different types of vulnerabilities could be represented in our model if an appropriate level of abstraction is selected. The attacker’s capability to access the resources of network can be analyzed by the model. We also introduced the complete closure concept to address all the possible ways of exploiting vulnerabilities and presented an algorithm to construct the complete closure graph in Oðn2k þ nkþ3 Þ where k is a constant value representing the maximum number of nodes in a vulnerability pre-graph. Having complete closure, the safety problem could be answered in constant time. Besides analyzing vulnerabilities, the proposed method could generate possible attack scenarios. Using the model

t

Eve

x t

smtp

Bob

owns root x

g

x {Srv=Login}

x

{Vuln=WP} owns

ssh

owns

{Vuln=BoF}

s

st ho

ho st

s

sts ho

rpc

ho sts

manager

root t

hosts

http

t

r

apache

owns x

{Vuln=BoF}

{Vuln=rhost}

s

file1

st

{Vuln=BoF}

owns

ho

root

smb

Devil

sts ho

ho st s ho sts

NSC

sts ho

ho st s ho sts

Saman

FileServer

Fig. 10 – VTG model of NSC network and the Attacker on Devil machine.

359


ho st s ts s

s ts

ho

ho

s st

root

http

x

r

t

x owns

smtp

Bob

t root

t

t

t

t

g

x

r

x

owns root t

ssh

owns sts

ho

rpc

s

st

ho

ho

st

s

sts

ho

manager

t Eve

x

t

hosts

ho

s ts

hosts

apache

owns

owns file1

Devil

ho

ho

NSC

s ts

smb

r

ho

st s

Saman

FileServer

Fig. 11 – Part of GA for the case study network.

model makes it most suitable for analyzing the vulnerabilities based on changes in access rights. Moreover, it is interesting to generalize this method for analyzing vulnerabilities based on a proper high-level category of vulnerabilities and their preconditions and postconditions. Having the abstract category of vulnerabilities, it is possible to explore the safety problem regarding vulnerabilities more theoretically.

Acknowledgments The authors are grateful to Reza Sadoddin for his valuable comments and constant cooperation on finalizing this paper. The authors also acknowledge the comments of Matt Bishop on the draft version of this paper and his guides about future directions.

references

Ammann P, Wijesekera D, Kaushik S. Scalable, graph-based network vulnerability analysis. In: Proceedings of nineth ACM conference on computer and communications security, Washington, DC; November 2002. Bishop M. Hierarchical take-grant protection systems. In: Proceedings of 8th symposium on operating systems principals; December 1981. p. 107–23. Bishop M. Practical Take-Grant systems: do they exist? Ph.D. thesis, Department of Computer Sciences, Purdue University, West Lafayette, IN 47097; May 1984. Bishop M. Conspiracy and information flow in the Take-Grant protection model. Journal of Computer Security 1996;4(4): 331–60.

Bishop M, Bailey D. A critical analysis of vulnerability taxonomies. Technical report CSE-96-11. Department of Computer Science, University of California at Davis; September 1996. CERT Advisory CA-2000–02. Malicious HTML tags embedded in client web requests [online]. Available from: . Cheops-ng, the network swiss army knife [online]. Available from: . Dacier M, Deswarte Y. Privilege graph: an extension to the typed access matrix model. Proceedings of third European symposium on research in computer security (ESORICS 94), (Brighton, UK). Lecture Notes in Computer Science: Computer Security 1994;875:319–34 [Springer-Verlag]. Derasion R. The Nessus attack scripting language reference guide [online]. Available from: ; 2000. Frank J, Bishop M. Extending the Take-Grant protection system. Technical Report. Department of Computer Science, University of California at Davis; 1996. Hansman S, Hunt R. A taxonomy of network and computer attacks. Journal of Computer Security 2005;24(1):31–43. Internet Security Systems. System Scanner information [online]. Available from: . Isamil O, Etoh M, Kadobayashi Y. A proposal and implementation of automatic detection/collection system for cross-site scripting vulnerability. In: Proceedings of the 18th international conference on advanced information networking and application (AINA’04); 2004. Jones A, Lipton R, Snyder L. A linear time algorithm for deciding security. In: Proceedings of 17th annual symposium on the foundations of computer science; October 1976. p. 33–41. Jones A. Protection mechanism models: their usefulness, Foundations of secure computing. New York City, NY: Academic Press; 1978. p. 237–54. Jha S, Sheyner O, Wing J. Two formal analyses of attack graphs. In: Proceedings of 15th IEEE computer security foundations workshop, Nova Scotia, Canada; June 2002.

360


Jajodia S, Noel S, O’Berry B. Topological analysis of network attack vulnerability. In: Kumar V, Srivastava J, Lazarevic A, editors. Managing cyber threats: issues, approaches and challenges. Kluwer Academic Publisher; 2003. Mitre Corporation. Common vulnerabilities and exposure database [online]. Available from: . Noel S, Jajodia S, O’Berry B, Jacobs M. Efficient minimum-cost network hardening via exploit dependency graphs. In: Proceedings of the 19th annual computer security applications conference, Las Vegas, Nevada; December 2003. Noel S, Jajodia S. Managing attack graph complexity through visual hierarchical aggregation. In: Proceedings of the ACM CCS workshop on visualization and data mining for computer security, Fairfax, Virginia; October 2004. Noel S, Robertson E, Jajodia S. Correlating intrusion events and building attack scenarios through attack graph distances. In: Proceedings of the 20th annual computer security applications conference, Tucson, Arizona; December 2004. Ou X, Govindavajhala S, Appel AW. MulVal: a logic-based network security analyzer. In: Proceedings of 14th USENIX Security Symposium; 2005. p. 113–28. Ritchey RW, Ammann P. Using model checking to analyze network vulnerabilities. In: Proceedings of IEEE symposium on security and privacy; May 2001. p. 156–65. Ryan P, Schneider S. Modeling and analysis of Security protocols: a CSP approach. Addison-Wesley; 2001. Ramakrishnan CR, Sekar R. Model-based analysis of configuration vulnerabilities. Journal of Computer Security 2002;10(1/2): 189–209. Rohrmair G, Lowe G. Using data-independence in the analysis of intrusion detection systems. In: Workshop on issues in the theory of security (WITS’03), Warsaw, Poland; April 2003. Snyder L. On the synthesis and analysis of protection systems. In: Proceedings of sixth symposium on operating systems principals; November 1977. p. 141–50. Swiler L, Phillips C, Ellis D, Chakerian S. Computer attack graph generation tool. In: Proceedings of DARPA information survivability conference & exposition II; June 2001. Sheyner O, Haines J, Jha S, Lippmann R, Wing J. Automated generation and analysis of attack graphs. In: Proceedings of IEEE Symposium on Security and Privacy, Oakland, CA; 2002.

Shapiro JS. The practical application of a decidable access control model. Technical Report SRL-2003–04. John Hopkins University; 2003. SANS Research Center. The SANS top 20 Internet security vulnerabilities [online]. Available from: . Shahriari HR, Jalili R. Using CSP to model and analyze transmission control vulnerabilities within the broadcast network. In: Proceedings of the IEEE international networking and communication conference (INCC’2004); June 2004. p. 42–7. Shahriari HR, Jalili R. Modeling and analyzing network vulnerabilities via a logic-based approach. In: Proceedings of second international symposium of telecommunications (IST 2005), September 10–12; 2005. p. 13–8. Wu M. Hierarchical protection systems. In: Proceedings of 1981 symposium on security and privacy; April 1981. p. 113–23. Wojcik M, Bergeron T, Wittbold T, Roberge R. Introduction to OVAL: A new language to determine the presence of software vulnerabilities [online]. Available from: ; November 2003. Zerkle D, Levitt K. NetKuang – a multi-host configuration vulnerability checker. In: Proceedings of the sixth USENIX UNIX security symposium, San Jose, CA; 1996. Hamid Reza Shahriari received his M.Sc. in Computer Science from Amir-Kabir University of Technology, Tehran, Iran, in 2000. He is currently a Ph.D. student in Computer Science in Sharif University of Technology, working on his thesis on vulnerability analysis of computer networks. His research interests are Information Security and Formal Methods in Security.

Rasool Jalili received his Ph.D. in Computer Science from The University of Sydney, Australia in 1995. He then joined, as an assistant professor, the Department of Computer Engineering, Sharif University of Technology, Tehran, Iran, where he is doing research in the areas of Distributed Systems and Information Security.