mulval a logic based network security analyzer
play

MulVAL: A logic-based network security analyzer Xinming Ou, - PowerPoint PPT Presentation

Nov 18, 2023 •38 likes •268 views

14th USENIX Security Symposium, August 2005 MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University Outline Introduction Representation Vulnerability

  1. 14th USENIX Security Symposium, August 2005 MulVAL: A logic-based network security analyzer Xinming Ou, Sudhakar Govindavajhala, and Andrew W. Appel Princeton University

  2. Outline  Introduction  Representation  Vulnerability Specification  The MulVAL Reasoning System  Examples  Hypothetical Analysis  Performance and Scalability  Related Work  Conclusion MulVAL: A logic-based network security analyzer 2

  3. Introduction  Two features are critical for vulnerability analysis tool  Can automatically integrate formal vulnerability spec  Be able to scale to networks with thousands of machine  MulVAL  An end-to-end framework and reasoning system  Conducts multi-host, multi-stage vulnerability analysis  Adopt Datalog as modeling language  Bug spec, configuration, reasoning rules, system permission, privilege  The authors can leverage existing vulnerability database and scanning tools by Datalog and feeding it into MulVAL reasoning engine to perform analysis in seconds.  for networks with thousands of machines MulVAL: A logic-based network security analyzer 3

  4. Introduction  One of a sysadmin’s daily chores is  to read bug reports from various sources  such as CERT, BugTraq etc  to understand which reported bugs are actually security vulnerabilities in the context of his own network  to assessment of their security impact on the network  patch and reboot, reconfigure a firewall, dismount a file-server partition, and so on  A vulnerability analysis tool can be useful,  if it can automatically do so,  and only if it is scalable. MulVAL: A logic-based network security analyzer 4

  5. The inputs to MulVAL’s analysis are  Advisories  What vulnerabilities have been reported and do they exist on my machines?  Host configuration  What software and services are running on my hosts, and how are they configured?  Network configuration  How are my network routers and firewalls configured?  Principals  Who are the users of my network?  Interaction  What is the model of how all these components interact?  Policy  What accesses do I want to permit? MulVAL: A logic-based network security analyzer 5

  6. Representation (1/2)  Advisories  vulExists(webServer, ’CAN-2002-0392’, httpd)  vulProperty(’CAN-2002-0392’, remoteExploit, privilegeEscalation)  Host configuration  networkService(webServer, httpd, TCP, 80, apache)  Network configuration  hacl(internet, webServer, TCP, 80) // host access control lists  Principals  hasAccount(user, projectPC, userAccount)  hasAccount(sysAdmin, webServer, root) MulVAL: A logic-based network security analyzer 6

  7. Representation (2/2)  Interaction  execCode(Attacker, Host, Priv) :- vulExists(Host, VulID, Program), vulProperty(VulID, remoteExploit, privEscalation), networkService(Host, Program, Protocol, Port, Priv), netAccess(Attacker, Host, Protocol, Port), malicious(Attacker).  Policy  allow(Everyone, read, webPages)  allow(systemAdmin, write, webPages) MulVAL: A logic-based network security analyzer 7

  8. Vulnerability Specification  A specification of a security bug consists of two parts  how to recognize the existence of the bug on a system  what is the effect of the bug on a system  Formal, machine-readable formats  OVAL (Open Vulnerability Assessment Language)  a formal specification language for recognizing vulnerabilities  http://oval.mitre.org/documents/docs-03/intro/intro.html  ICAT (or National Vulnerability Database)  a database that provides a vulnerability’s effect  http://icat.nist.gov/icat.cfm MulVAL: A logic-based network security analyzer 8

  9. The MulVAL framework MulVAL: A logic-based network security analyzer 9

  10. The OVAL language and scanner  XML-based language  an OVAL definition can specify how to check a machine for the existence of a new software vulnerability  an OVAL-compatible scanner will conduct the specified tests and report the result  networkService(Host, Program, Protocol, Port, Priv).  clientProgram(Host, Program, Priv).  setuidProgram(Host, Program, Owner).  filePath(H, Owner, Path).  nfsExport(Server, Path, Access, Client).  nfsMountTable(Client, ClientPath, Server, ServerPath). MulVAL: A logic-based network security analyzer 10

  11. Vulnerability effect (in ICAT)  exploitable range  Local: a local exploit requires that the attacker already have some local access on the host  Remote  consequence  confidentiality loss Example:  integrity loss vulProperty(’CVE-2004-00495’,  denial of service localExploit,  privilege escalation privEscalation). MulVAL: A logic-based network security analyzer 11

  12. The MulVAL Reasoning System  A literal , p(t 1 , . . . , t k ) is a predicate applied to its arguments, each of which is either a constant or a variable.  Let L 0 , . . . ,L n be literals, a sentence in MulVAL is represented as L 0 :- L 1 , . . . ,L n  Semantically, it means if L 1 , . . . ,L n are true then L 0 is also true.  A clause with an empty body (right-hand side) is called a fact .  A clause with a nonempty body is called a rule . MulVAL: A logic-based network security analyzer 12

  13. Exploit rules  execCode(P, H, UserPriv)  Principal P can execute arbitrary code with privilege UserPriv on machine H  netAccess(P, H, Protocol, Port)  Principal P can send packets to Port on machine H through Protocol Example: remote exploit of a client program execCode(Attacker, Host, Priv) :- vulExists(Host, VulID, Program), vulProperty(VulID, remoteExploit, privEscalation), clientProgram(Host, Program, Priv), malicious(Attacker). * 84% of vulnerabilities are labeled with privilege escalation or only labeled with DoS MulVAL: A logic-based network security analyzer 13

  14. Multistage attacks  if an attacker P can access machine H with Owner’s privilege, then he can have arbitrary access to files owned by Owner.  accessFile(P, H, Access, Path) :- execCode(P, H, Owner), filePath(H, Owner, Path).  if an attacker can modify files under Owner’s directory, he can gain privilege of Owner.  execCode(Attacker, H, Owner) :- accessFile(Attacker, H, write, Path), filePath(H, Owner, Path), malicious(Attacker). MulVAL: A logic-based network security analyzer 14

  15. Host Access Control List/ Policy spec  hacl(Source, Destination, Protocol, DestPort)  Multihop network access  netAccess(P, H2, Protocol, Port) :- execCode(P, H1, Priv), hacl(H1, H2, Protocol, Port).  allow(Principal, Access, Data)  allow(Everyone, read, webPages).  allow(user, Access, projectPlan).  allow(sysAdmin, Access, Data). MulVAL: A logic-based network security analyzer 15

  16. Binding information / Algorithm  hasAccount(user, projectPC, userAccount).  hasAccount(sysAdmin, webServer, root).  dataBind(projectPlan,workstation,’/home’).  dataBind(webPages, webServer, ’/www’).  access(P, Access, Data) :- dataBind(Data, H, Path), accessFile(P, H, Access, Path).  policyViolation(P, Access, Data) :- access(P, Access, Data), not allow(P, Access, Data). MulVAL: A logic-based network security analyzer 16

  17. Example Security policy: The administrators need to ensure that the confidentiality and the integrity of users’ files will not be compromised by an attacker. allow(Anyone, read, webPages). allow(user, AnyAccess, projectPlan). allow(sysAdmin, AnyAccess, Data). MulVAL: A logic-based network security analyzer 17

  18. Hypothetical analysis  One important usage of vulnerability reasoning tools is to conduct “what if” analysis.  The authors introduce a predicate bugHyp to represent hypothetical software vulnerabilities  vulExists(Host, VulID, Prog) :- bugHyp(Host, Prog, Range, Consequence).  vulProperty(VulID, Range, Consequence) :- bugHyp(Host, Prog, Range, Consequence). MulVAL: A logic-based network security analyzer 18

  19. Execution time for hypothetical analysis Since the hypothetical analysis goes through all combination of programs to inject bugs, the running time is dependent on both the number of programs and the number of hypothetical bugs. MulVAL: A logic-based network security analyzer 19

  20. Related Work  Old works did not how to automatically integrate vulnerability specifications from the bug-reporting community into the reasoning model.  The difference between Datalog and model-checking is that derivation in Datalog is a process of accumulating true facts.  Since the number of facts is polynomial in the size of the network, the process will terminate efficiently.  Model checking checks temporal properties of every possible state-change sequence.  The number of all possible states is exponential in the size of the network MulVAL: A logic-based network security analyzer 20

  21. Related Work (cont’d)  For network attacks, one can assume the monotonicity property—gaining privileges does not hurt an attacker’s ability to launch more attacks.  If at a certain stage an attacker has multiple choices for his next step, the order in which he carries out the next attack steps is irrelevant for vulnerability analysis under the monotonicity assumption.  While it is possible that a model checker can be tuned to utilize the monotonicity property and prune attack paths that do not need to be examined  model checking is intended to check rich temporal properties of a state-transition system. MulVAL: A logic-based network security analyzer 21

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

What is network security? Friends and enemies: Alice, Bob, Trudy What is network security?

Network security Network security Foundations: what is security? cryptography Network Security Network Security authentication message integrity key distribution and certification Security in practice: Srinidhi Varadarajan

332 views • 6 slides
Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security

Network Security Network Security Srinidhi Varadarajan Network security Network security Foundations: what is security? cryptography authentication message integrity key distribution and certification Security in practice:

634 views • 36 slides
valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to

valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to

valgrind code analyzer Valgrind is another injection-based profiler/analyzer Can be used to do analysis of run time based on counts of clock cycles or machine code instructions run Can also be used to do analysis of

1.42k views • 7 slides
Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug

Introduction to Network Security Chapter 4 Taxonomy of Network-Based Vulnerabilities Dr. Doug Jacobson - Introduction to 1 Network Security - 2009 Topics Network Security Model Header attacks Protocol Attacks

597 views • 25 slides
Preallocating Resources for Distributed Memory based FPGA Debug Robert Hale & Brad Hutchings

Preallocating Resources for Distributed Memory based FPGA Debug Robert Hale & Brad Hutchings

Preallocating Resources for Distributed Memory based FPGA Debug Robert Hale & Brad Hutchings FPGA Debug - Logic Analyzer 1. External? 2. Internal? Time Resources Xilinx Internal Logic Analyzer (ILA) FPGA with 94% of LUT

618 views • 30 slides
Modeling Electrons in an Electrostatic Analyzer Max Gibiansky Based on a clinic project

Modeling Electrons in an Electrostatic Analyzer Max Gibiansky Based on a clinic project

Modeling Electrons in an Electrostatic Analyzer Max Gibiansky Based on a clinic project sponsored by SwRI. JUNO Satellite Magnetic Field Sensor ESA 60 ESA 300 ESA 180 Electrostatic Analyzer Measures velocity distribution of electrons

754 views • 12 slides
Introducing USB Based T1 E1 Analyzer Unit 818 West Diamond Avenue - Third Floor, Gaithersburg,

Introducing USB Based T1 E1 Analyzer Unit 818 West Diamond Avenue - Third Floor, Gaithersburg,

Introducing USB Based T1 E1 Analyzer Unit 818 West Diamond Avenue - Third Floor, Gaithersburg, MD 20878 Phone: (301) 670-4784 Fax: (301) 670-9187 Email: info@gl.com 1 1 Website: http://www.gl.com Portable USB T1 E1 Analyzer Unit T1 and

337 views • 20 slides
Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University

Network Security Fundamentals Security Training Course Dr. Charles J. Antonelli The University of Michigan 2013 Network Security Fundamentals Module 7 Intrusion Detection Topics Fundamentals Network IDS Snort Host-based IDS

1.03k views • 72 slides
Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S

Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S

Summary-based inter-unit analysis for Clang Static Analyzer Aleksei Sidorin 2016-11-01 . S amsung R &D Institute, R ussia 1 . . . . . Clang Static Analyzer Source-based analysis of high-level programming languages (C, C++,

631 views • 27 slides
Skydive An analyzer for network topology and traffic Sylvain Baubeau Sylvain Afchain Skydive

Skydive An analyzer for network topology and traffic Sylvain Baubeau Sylvain Afchain Skydive

Skydive An analyzer for network topology and traffic Sylvain Baubeau Sylvain Afchain Skydive goals Topology exploration and visualization Network traffic capture Make network troubleshooting easier SDN agnostic Real-time

704 views • 10 slides
Economics of network security Harald Vranken 1 Economics of network security Note that

Economics of network security Harald Vranken 1 Economics of network security Note that

Advanced Network Security (2019-2020) Economics of network security Harald Vranken 1 Economics of network security Note that network in this lecture means Physical communication network (eg. Internet, telephony, fax, telegraph)

769 views • 49 slides
Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type:

Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type:

Arbitraryrangesettingisallowedwithinspecifiedrange. Stand-alone type Infrared Gas Analyzer - component analyzer - component analyzer Type: ZRJ Standard type Type: ZKJ High performance type Ideal for combustion

278 views • 4 slides
TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented ,

TCP/IP: TCP Network Security Lecture 6 TCP Based on IP Provides connection-oriented , reliable stream delivery service (handles loss, duplication, transmission errors, reordering) Provides port abstraction (like UDP) Establishes

559 views • 30 slides
Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able

Intro, history, hacking Network Security Lecture 1 Welcome to Network Security Should be able to Skills identify design and Ability to analyze the implementation security of networked vulnerabilities in network systems protocols

564 views • 33 slides
A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR

A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR

A static analyzer for PE executables RMLL 2016 Security Track Ivan Kwiatkowski, AMIR Consulting Project origins Started in Feb. 2014 Annoyance at AV softwares opaque decisions Needed to automate repetitive tasks Overview: A

567 views • 21 slides
Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn

Foundations of Network and Foundations of Network and Computer Security Computer Security J ohn Black J CSCI 6268/TLEN 5831, Fall 2004 Introduction UC Davis PhD in 2000 Cryptography Interested in broader security as well

492 views • 12 slides
CD- -ROM Networking ROM Networking CD Somchai Prasitjutrakul Somchai Prasitjutrakul Dept. .

CD- -ROM Networking ROM Networking CD Somchai Prasitjutrakul Somchai Prasitjutrakul Dept. .

CD- -ROM Networking ROM Networking CD Somchai Prasitjutrakul Somchai Prasitjutrakul Dept. . of Computer Engineering of Computer Engineering Dept Chulalongkorn Univ. . Chulalongkorn Univ CD- -ROM Networking ROM Networking : : Outline

303 views • 28 slides
Network FS / Access Control 1 last time two-phase commit consensus: workers + coordinator agree

Network FS / Access Control 1 last time two-phase commit consensus: workers + coordinator agree

Network FS / Access Control 1 last time two-phase commit consensus: workers + coordinator agree to commit no take-backs via redo-logging at each node blocking on failure idea of majority-vote consensus 2 logistics note last weeks

1.65k views • 132 slides
Introduction File System Design for an NFS File In general, appliance is device designed to

Introduction File System Design for an NFS File In general, appliance is device designed to

4/1/2014 Introduction File System Design for an NFS File In general, appliance is device designed to Server Appliance perform specific function Distributed systems trend has been to use Dave Hitz, James Lau, and Michael appliances instead

103 views • 8 slides
Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance

Remote File Access: Problems and Solutions Authentication and authorization Performance Synchronization Robustness Lecture 13 CS 111 Page 1 Summer 2013 Authorization and Authentication Authorization is determined if someone

886 views • 41 slides
N AMING THE G AME W ORLD I Server Region The game world is divided into map chunks. ...

N AMING THE G AME W ORLD I Server Region The game world is divided into map chunks. ...

I NTER -S ERVER G AME S TATE S YNCHRONIZATION USING N AMED D ATA N ETWORKING Philipp Moll, S. Theuermann, Jeff Burke N. Rauscher, H. Hellwagner ACM Conference on Information-Centric Networking 2019 Moll, Theuermann, Rauscher, Hellwagner, Burke

402 views • 12 slides
The Statistics Network The Statistics Network Statistics network Compute servers Desktop PCs

The Statistics Network The Statistics Network Statistics network Compute servers Desktop PCs

Where are my files? The Statistics Network The Statistics Network Statistics network Compute servers Desktop PCs fs0x: /homes Susan Hutchinson (Oxford) Computing in Statistics October 2018 1/1 Where are my files? Your local desktop

598 views • 16 slides
Todays Objec2ves Distributed File Systems Timing Nov 10, 2017 Sprenkle - CSCI325 1

Todays Objec2ves Distributed File Systems Timing Nov 10, 2017 Sprenkle - CSCI325 1

11/10/17 Todays Objec2ves Distributed File Systems Timing Nov 10, 2017 Sprenkle - CSCI325 1 Sakai Poll Which class would you prefer to use for the exam? Wednesday Friday Answer by 5:30 p.m. Nov 10, 2017 Sprenkle -

368 views • 24 slides
Network File System (NFS) Nima Honarmand Spring 2017 :: CSE 506 Idea A client/server system

Network File System (NFS) Nima Honarmand Spring 2017 :: CSE 506 Idea A client/server system

Spring 2017 :: CSE 506 Network File System (NFS) Nima Honarmand Spring 2017 :: CSE 506 Idea A client/server system to share the content of a file system over network NFS only specifies User the client/server Kernel protocol

508 views • 18 slides

More recommend