Presentation is loading. Please wait.

Presentation is loading. Please wait.

H.W. Chan, CSE Dept., CUHK1 Quantitative Evaluation for Operational Security - an Experiment [Ortalo et al., IEEE Transactions on Software Engineering,

Similar presentations


Presentation on theme: "H.W. Chan, CSE Dept., CUHK1 Quantitative Evaluation for Operational Security - an Experiment [Ortalo et al., IEEE Transactions on Software Engineering,"— Presentation transcript:

1 H.W. Chan, CSE Dept., CUHK1 Quantitative Evaluation for Operational Security - an Experiment [Ortalo et al., IEEE Transactions on Software Engineering, Sept/Oct 1999] Group Meeting, Mar 7, 2000

2 H.W. Chan, CSE Dept., CUHK2 Outline n Introduction n The Approach: – Privilege graphs – Attack state graphs – Mathematical model n The experiment – setup and results n Discussion

3 H.W. Chan, CSE Dept., CUHK3 Introduction n System security has been usually discussed in terms of security requirements and policy – requires cooperation of all users – difficult for ordinary users to comprehend n A quantitative measure for system security is easier to comprehend – a figure representing the ‘degree of security’ of the system can be useful

4 H.W. Chan, CSE Dept., CUHK4 Quantifying security n Borrowing software reliability theory: – In reliability, a piece of software fails upon time of usage; the Mean Time To Failure quantify the reliability of the software – Similar, in security, a system can be breached upon effort of attacks; the Mean Effort to Breach can quantify the security of the system

5 H.W. Chan, CSE Dept., CUHK5 The Approach n Privilege graph: – node: a set of privileges owned by a user or set of users (e.g., a group in Unix) – arc: a vulnerability that cause a user owning one privilege to obtain another, e.g., X Y There is a method allowing a user owning privilege X to obtain privilege Y.

6 H.W. Chan, CSE Dept., CUHK6 Examples of vulnerabilities n Privilege subsets directly issued from the protection scheme n Direct security flaws, e.g., Trojan horse n System features exploited for attack –.rhosts,.xinitrc, setuid programs hwchan1 gds

7 H.W. Chan, CSE Dept., CUHK7 Privilege graph - example A X admin B P Finsider Key 1: Y’s.rhosts is writable by X 2: X can guess Y’s password 3: X can modify Y’s.tcshrc 4: X is a member of Y 5: Y uses a program managed by X 6: X can modify a setuid program owned by Y 7: X is in Y’s.rhosts Key 1: Y’s.rhosts is writable by X 2: X can guess Y’s password 3: X can modify Y’s.tcshrc 4: X is a member of Y 5: Y uses a program managed by X 6: X can modify a setuid program owned by Y 7: X is in Y’s.rhosts

8 H.W. Chan, CSE Dept., CUHK8 Quantifying vulnerabilities n Each arc in the privilege graph should be assigned a weight to quantify the effort required for exploiting the vulnerability n Different factors should be considered, e.g., expertise, time and equipment n No good methods to do this yet!

9 H.W. Chan, CSE Dept., CUHK9 Attacker behavior n In an attack, an attacker begins with some minimal privileges, and wants to obtain some protected privileges. n In a privilege graph, the path from the attacker node to the target node describes the progress of attack: attacker target

10 H.W. Chan, CSE Dept., CUHK10 n There can be more than one paths from the attacker node to the target node – assumption: attacker does not know the shortest path n Two assumptions for attacker behavior – Total memory (TM): all possibilities of attack are considered at any stage of attack – Memoryless (ML): at each newly visited node, only attacks possible from that node are considered

11 H.W. Chan, CSE Dept., CUHK11 Attack state graphs (ML) IFI BFIX ABFIPX BFIPX FIX IP AIP AFIX

12 H.W. Chan, CSE Dept., CUHK12 Attack state graph (TM) IFI BFIX ABFIPX BFIPX FIX IP AIP AFIX FIP AFIP

13 H.W. Chan, CSE Dept., CUHK13 Mathematical Model n Assume the Markov model: – Probability of success in an attack before an amount of effort ‘e’ is spent is: P(e) = 1 - exp(-Le) – L is the rate of attack, and can be assigned as the weight of the vulnerability – thus, mean effort to succeed is 1/L

14 H.W. Chan, CSE Dept., CUHK14 – mean effort spent in state j is E j = 1/summation(L ji ), for all i belongs to out(j) – Mean Effort To security Failure (METF) from initial state k to state i is METF k = E k + summation(L ki *E k *METF i ), for all i belongs to out(k)

15 H.W. Chan, CSE Dept., CUHK15 The experiment n Setup: – Several hundred different workstations – 700 users sharing one global file system – privilege graphs, attacker state graph and METF computed every day from June 95 to Mar 97 (674 days) – vulnerabilities are classified into four levels and given rates 10^-1, 10^-2, 10^-3, 10^-4

16 H.W. Chan, CSE Dept., CUHK16 Results

17 H.W. Chan, CSE Dept., CUHK17 Conclusion and discussion n A preliminary investigation about the security evaluation of operational systems n The assignment of rates of the vulnerabilities is pretty arbitrary, but is key to the validity of the measurement


Download ppt "H.W. Chan, CSE Dept., CUHK1 Quantitative Evaluation for Operational Security - an Experiment [Ortalo et al., IEEE Transactions on Software Engineering,"

Similar presentations


Ads by Google