Presentation is loading. Please wait.

Presentation is loading. Please wait.

STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION Fyodor YarochkinMeder Kydyraliev HackInTheBox, Kuala Lumpur -

Published byJordan Kennedy Modified over 9 years ago

Similar presentations

Presentation on theme: "STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION Fyodor YarochkinMeder Kydyraliev HackInTheBox, Kuala Lumpur -"— Presentation transcript:

1 STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION Fyodor YarochkinMeder Kydyraliev fyodor@o0o.numeder@o0o.nu HackInTheBox, Kuala Lumpur - 2005

2 Agenda (best question gets an “Industry Slave” HITB T-shirt) Introduction to STIF-ware concepts First generation of STIF (automation, integration, unification) Demonstration Problems with the first generation of STIF STIF2 – wider coverage of knowledge representation format, functionality decoupling, distributed multi- agent system, open system architecture STIF2 prototype http://o0o.nu/

3 Introduction Security Tools Integration Framework (STIF) is aimed to provide a unified environment and data exchange platform for automated security assessments in heterogeneous environments. In simple words it is a platform for “hacking” automation, where STIF emulates the “brain” of a security analyst to perform repetitive tasks. http://o0o.nu/

4 Why automation? machine-based knowledge processing automate routine tasks, spend more time on tasks that require brain power create intrusion scenarios, and let machine probe them (nIDS testing) ‘human’ error mitigation reduce human labor involvement in modern corporate pen-testing sweatshop http://o0o.nu/

5 Why integration? Various security tools, written in different languages, are available, but no unified format for data exchange and representation; No machine data analysis, aggregation and correlation possibilities; Handling large-scale assessments w/ disintegrated tools is a nightmare; No possibilities to automate distributed attacks http://o0o.nu/

6 Typical scenario for security analyst http://o0o.nu/

7 Want to see what happened to Joe the analyst after one month? http://o0o.nu/

8 Look what repetitive and boring “hacking” has done to him… Poor Joe… http://o0o.nu/

9 Why not let machine do the boring part??? http://o0o.nu/

10 Of course, you can... script it: `ls –al ~/code/scripts/` (ab)use security scanners (nessus); (ab)use exploit toolkits (e.g metasploit); hire a full room of pen-testing monkeys, that will do the boring part (sweatshop production); http://o0o.nu/

11 Scanners vs. STIF Problems with scanners: hardcoded sequence of execution; vendor-specific integration (e.g. NASL, plug-in APIs), requires rewrite or code hacking; vendor-specific data representation/storage (hard to integrate into existing solutions, e.g. custom DBs); http://o0o.nu/

12 STIF solution STIF is designed to solve the problems outlined earlier, by introducing the common format for data representation and by providing a platform for data exchange among tools. http://o0o.nu/

13 First generation STIF provides: Highly customizable rule-based inference engine, which enables analyst to script out ANY scenario based on the data that was returned by tools; Unified data exchange and representation format; Generic database publishing module (save data from tools in DB w/ any scheme); IRC BOT interface: data publisher and importer http://o0o.nu/

14 STIF Features (continued) Distributed architecture ready to use DB schema STIF is written in Java the reason for that decision is simple: quicker development cycle, cross-platform compatibility; http://o0o.nu/

15 Data representation unification STIF encapsulates data in a set of XML messages (STIF-Message) Input data, provided in XML format, converted by Exec module into the form, which could be understood by the tool The results of tools execution are converted to STIF and are fed back into the Inference Engine. http://o0o.nu/

16 STIF-Message Sample STIF-Message: 192.168.1.1 HTTP Apache/1.3.27 (Unix) PHP/4.3.1 http://o0o.nu/

17 Inference engine responsible for data interflow between various tools; makes decisions on which tools to be executed, when new data appears provides data aggregation and correlation facilities (including regular expressions based matching to the knowledge base facts); maintains execution flow using rule-based scenarios; http://o0o.nu/

18 Data Publishing facility Publishing in STIF environment means providing the Publisher with newly arrived facts (STIF- Messages from tools). STIF is able to execute several data/fact publishing modules simultaneously (e.g. database publishing, IRC publishing). http://o0o.nu/

19 SQL Publisher STIF comes with SQL publishing module, which can publish/store data received from tools in a form of a STIF-Message, in databases of arbitrary scheme. INSERT INTO ip_address VALUES(NULL,'%h'); SELECT id FROM ip_address WHERE ip_address='%h'; INSERT INTO port VALUES(NULL, $1, '%n', '%P', '%S', '%p', '%a'); http://o0o.nu/

20 IRC Importer/Publisher STIF supports command input over IRC and can publish new facts to an IRC channel or using private messages. Other software tools can act as STIF “nodes” embedding the IRC importer/publisher functionality http://o0o.nu/

21 Your favorite tools integration to support STIF? STIF provides several means to import data into STIF inference engine: Generic2STIFConverter, extracts data from output using regular expressions to form STIF-Message; Tool-specific wrappers http://o0o.nu/

22 Integration using STIF Generic2STIF Converter Define rules in parser.xml: Interesting.*ports on.*\(([\d\.]+)\):.+ newline ^(\d+)/(?:tcp|udp).+ … http://o0o.nu/

23 ^\d+/(tcp|udp).+ ^\d+/(?:tcp|udp)\s+(open|closed|filtered).+ ^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+([\w-]+).* ^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+[\w-]+\s+(.+) http://o0o.nu/

24 How can you help? You can do several things to contribute to our efforts: Try it!!! Ask your favorite tool’s author to become STIF-compliant; Write regular expressions to parse output for Generic2STIFConverter; Patch you favorite tools to be STIF-compliant; or.. wait until STIF2 is out http://o0o.nu/ STIF-compliant?

25 First generation STIF Demonstation http://o0o.nu/

26 Problems with current STIF implementation Complexity: massive coupled piece of code Centralized system: limited support for task distribution Non-dynamic (fixed at startup) inference engine rules Knowledge interchange format needs to be extended http://o0o.nu/

27 STIF2 Concepts Functionality decoupling http://o0o.nu/

28 STIF2 Concepts Platform independent Composed of independent agents Agents communicate with each other using messaging protocol Agent capability service exists to provide agent capability lookup and matching facility http://o0o.nu/

29 STIF2 Multi-Agent Architecture Multi-agent architecture –Tool wrapper Agents Scanning, connection forwarding, attack launching –Logic Execution Agents –User Interface Agents –And more http://o0o.nu/

30 Message Exchange Framework Provides facilities for agent communication Provides facilities for communication channel selection (covert channels, tunneling, stenography) http://o0o.nu/

31 Goal-Driven execution Goal-driven execution flow –Each agent describes its functionality with a set of capabilities. Each capability can be executed on certain type of data object (network, host, user, URL) –Each agent is given task to execute the capability, which becomes agent goal. Agent may have different plans to execute the same capability. Plans are scored based on execution success rate http://o0o.nu/

32 Goal Driven execution Each also plan may be assigned with qualifiers: –Stealth-ness –Latency Which can be matched to current ‘environment’ settings http://o0o.nu/

33 Event-driven execution Event-driven execution flow –Each agent may subscribe to ‘interests’, expressing its interest to certain types of data objects, which agent is interested in (network, host, open port, URL, a valid user) –When an agent discovers a new data. The “interests” list is queried for the list of interested agents. The agent is responsible to forward the data to interested partners. http://o0o.nu/

34 Agent Data Cache (beliefs) Agent caches data locally (local data Cache, beliefs) Agent may query other agents or KB for missing data http://o0o.nu/

35 Current Implementation prototype Based on Java/JADE framework The communication protocol: in progress The knowledge interchange format: reviewing current standards (KIF, DAML) Once the communication framework is finalized, JADE messaging framework to be replaced with home-brewed implementations (ports for different languages) http://o0o.nu/

36 Questions (remember we give out T-shirt for best question)? Suggestions ? fyodor@o0o.nu meder@o0o.nu http://o0o.nu/sec/STIF/ http://o0o.nu/

37 Thanks!!!! http://o0o.nu/

Download ppt "STIF [Security Tools Integration Framework] STIF-WARE EVOLUTION Fyodor YarochkinMeder Kydyraliev HackInTheBox, Kuala Lumpur -"

Similar presentations

A Workflow Engine with Multi-Level Parallelism Supports Qifeng Huang and Yan Huang School of Computer Science Cardiff University 2005.9.

A Workflow Engine with Multi-Level Parallelism Supports Qifeng Huang and Yan Huang School of Computer Science Cardiff University
TSpaces Services Suite: Automating the Development and Management of Web Services Presenter: Kevin McCurley IBM Almaden Research Center Contact: Marcus.

TSpaces Services Suite: Automating the Development and Management of Web Services Presenter: Kevin McCurley IBM Almaden Research Center Contact: Marcus.
Mobile Agents Mouse House Creative Technologies Mike OBrien.

Mobile Agents Mouse House Creative Technologies Mike OBrien.
Database System Concepts and Architecture

Database System Concepts and Architecture
Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group

Web Service Ahmed Gamal Ahmed Nile University Bioinformatics Group
Key-word Driven Automation Framework Shiva Kumar Soumya Dalvi May 25, 2007.

Key-word Driven Automation Framework Shiva Kumar Soumya Dalvi May 25, 2007.
Snejina Lazarova Senior QA Engineer, Team Lead CRMTeam Dimo Mitev Senior QA Engineer, Team Lead SystemIntegrationTeam Telerik QA Academy SOAP-based Web.

Snejina Lazarova Senior QA Engineer, Team Lead CRMTeam Dimo Mitev Senior QA Engineer, Team Lead SystemIntegrationTeam Telerik QA Academy SOAP-based Web.
1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.

1 Introduction to XML. XML eXtensible implies that users define tag content Markup implies it is a coded document Language implies it is a metalanguage.
Distributed Heterogeneous Data Warehouse For Grid Analysis

Distributed Heterogeneous Data Warehouse For Grid Analysis
Presentation 7 part 2: SOAP & WSDL. Ingeniørhøjskolen i Århus Slide 2 Outline Building blocks in Web Services SOA SOAP WSDL (UDDI)

Presentation 7 part 2: SOAP & WSDL. Ingeniørhøjskolen i Århus Slide 2 Outline Building blocks in Web Services SOA SOAP WSDL (UDDI)
Technical Architectures

Technical Architectures
Rheeve: A Plug-n-Play Peer- to-Peer Computing Platform Wang-kee Poon and Jiannong Cao Department of Computing, The Hong Kong Polytechnic University ICDCSW.

Rheeve: A Plug-n-Play Peer- to-Peer Computing Platform Wang-kee Poon and Jiannong Cao Department of Computing, The Hong Kong Polytechnic University ICDCSW.
CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.

CS 290C: Formal Models for Web Software Lecture 10: Language Based Modeling and Analysis of Navigation Errors Instructor: Tevfik Bultan.
Software Frameworks for Acquisition and Control European PhD – 2009 Horácio Fernandes.

Software Frameworks for Acquisition and Control European PhD – 2009 Horácio Fernandes.
Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.

Input Validation For Free Text Fields ADD Project Members: Hagar Offer & Ran Mor Academic Advisor: Dr Gera Weiss Technical Advisors: Raffi Lipkin & Nadav.
Computers: Tools for an Information Age

Computers: Tools for an Information Age
Building Knowledge-Driven DSS and Mining Data

Building Knowledge-Driven DSS and Mining Data
Distributed Systems: Client/Server Computing

Distributed Systems: Client/Server Computing
Messaging Technologies Group: Yuzhou Xia Yi Tan Jianxiao Zhai.

Messaging Technologies Group: Yuzhou Xia Yi Tan Jianxiao Zhai.
Professional Informatics & Quality Assurance Software Lifecycle Manager „Tools that are more a help than a hindrance”

Professional Informatics & Quality Assurance Software Lifecycle Manager „Tools that are more a help than a hindrance”

Similar presentations

Ads by Google