Attack-based Domain Transition Analysis, Susan Hinrichs



SLIDE 1

SE Linux Symposium ’06, Attack-based DTA 1

Attack- based Domain Transition Analysis

Susan Hinrichs shinrich@uiuc.edu, Prasad Naldurg prasadn@microsoft.com

SLIDE 2

Outline

  • Motivation
    – Review of type enforcement transitions
    – Attack graphs
  • Domain transition graphs
    – Global transition graphs
    – Concentrated graphs
  • What’s next and conclusions

SLIDE 3

Problem: Understanding Policy

  • SE Linux TE policy is expressive but can be massive
    – Need to figure out if policy matches higher level security goals
  • Several approaches
    – Ensure that TE policy matches higher level goals
    – Determine what happens when things go wrong

SLIDE 4

Attack-based Approach

  • Assume a process running under a particular domain can be co-opted
    – What will happen?
    – Ideally compartmentalized, but leaks happen in real workable systems

SLIDE 5

TE Transitions

  • Information Flow
  • Domain Transition

[Figure: information flow graph and domain transition graph over domains A, B, C and D]

SLIDE 6

Information Spread on Attack

[Figure: spread of information from a compromised domain across the graph of domains]

SLIDE 7

Estimating Attack Impact

  • A single attacker is bound by the domain transitions it can make from the initial subverted domain
  • Good news and bad news
    – Domain transition graph is smaller than information flow graph, but
    – Global domain transition graph is still really big

SLIDE 8

Building Global Domain Transition Graph

  • Use Apol framework
    – Apol at the time calculated domain transitions that involve a single domain
  • Added algorithm to compute the graph of all domain transitions in the policy
    – Apol team has since independently added this calculation
  • Export graph in XML
    – Used yEd to display
    – Almost useful in classical hierarchical layout

SLIDE 9

Global Domain Transition Graph

297 nodes and 863 arcs

SLIDE 10

Concentrate Attention

  • Help user analyze scenarios
    – Suspect domains: where an attack is suspected
    – Sensitive domains: working with very sensitive information that must be protected at all cost
  • Create subgraph that includes the transitive closure of all domain transitions that start at suspect domains and end at sensitive domains

SLIDE 11

Using the DT SubGraph

  • If Suspect and Sensitive domains are disconnected
    – No problems!
  • Otherwise, look for edge or node cut sets
    – Separate suspect and sensitive domains
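Slides 10 and 11 describe the concentrated subgraph and the cut-set check. The following is an added example (not code from the talk or from apol): it builds a small constructed DT graph, extracts the suspect-to-sensitive subgraph as the intersection of forward and backward reachability, and lists the single transitions and single domains whose removal would separate the two sets. Only pppd_t comes from the slides; the other domain names and every edge are assumed for illustration.

```python
from collections import deque

# Constructed sample DT graph: each edge means a process in the source
# domain can transition into the target domain. Domain names follow the
# SELinux naming style but the edges are hypothetical, not from a real policy.
DT_EDGES = [
    ("pppd_t", "ifconfig_t"), ("pppd_t", "mount_t"),
    ("ifconfig_t", "init_t"), ("mount_t", "init_t"),
    ("init_t", "sshd_t"), ("init_t", "getty_t"),
    ("sshd_t", "user_t"), ("getty_t", "local_login_t"),
    ("local_login_t", "user_t"), ("user_t", "passwd_t"),
    ("cron_t", "logrotate_t"),  # unrelated to the scenario below
]

def reachable(edges, starts, reverse=False):
    """Transitive closure by BFS; reverse=True walks edges backwards."""
    adj = {}
    for src, dst in edges:
        if reverse:
            src, dst = dst, src
        adj.setdefault(src, set()).add(dst)
    seen, queue = set(starts), deque(starts)
    while queue:
        for nxt in adj.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen

def concentrated_subgraph(edges, suspect, sensitive):
    """Edges lying on some DT path from a suspect to a sensitive domain."""
    on_path = reachable(edges, suspect) & reachable(edges, sensitive, reverse=True)
    return sorted(e for e in edges if e[0] in on_path and e[1] in on_path)

def connected(edges, suspect, sensitive):
    """True if any sensitive domain is reachable from a suspect domain."""
    return bool(reachable(edges, suspect) & set(sensitive))

def single_edge_cuts(sub, suspect, sensitive):
    """Transitions whose removal alone separates suspect from sensitive."""
    return [e for e in sub
            if not connected([x for x in sub if x != e], suspect, sensitive)]

def single_node_cuts(sub, suspect, sensitive):
    """Intermediate domains whose removal alone separates the scenario."""
    middle = {n for e in sub for n in e} - set(suspect) - set(sensitive)
    return sorted(n for n in middle
                  if not connected([e for e in sub if n not in e], suspect, sensitive))
```

For the constructed graph with pppd_t suspect and passwd_t sensitive, the only single-edge cut is the user_t to passwd_t transition, and init_t and user_t are the single-domain cuts; the chain through init_t is the kind of node a proxy or domain split (slides 15 and 16) would address.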

SLIDE 12

pppd_t Domain Transition Subgraph

SLIDE 13

Breaking the Chains

  • Worry less about long paths in DT SubGraph
  • Mitigate edges (domain transitions)
    – Review programs and determine transition is not needed. Remove it.
    – Guard transition with boolean. Turn off when attacks seem likely.
    – Increase log analysis of worrisome transitions.
  • Mitigate nodes (domains)

SLIDE 14

Node Mitigations

[Figure: domain chain A → B → C, shown before and after analysis]

Analyze that programs running in B cannot be misused

SLIDE 15

Node Mitigations

[Figure: domain chain A → B → C, with a high assurance proxy domain inserted in front of B]

Insert High Assurance Proxy

SLIDE 16

Node Mitigations

[Figure: domain chain A → B → C, with domain B split into B1 and B2]

Split Domain

SLIDE 17

What’s Next

  • Integrate with information flow graph
  • Automate some of the resolution options
    – Systematically examine more policy scenarios
  • Update to integrate into new modular policy framework

SLIDE 18

In Closing

  • Understanding domain transitions aids in understanding attack impact
  • Visualization can greatly help the ISSO understand policy configuration
    – Ask the right questions to get the appropriate level of detail
  • Use the graph to systematically mitigate dangers