
Carnegie Mellon University 10/23/2015 Survivability Analysis via Model Checking Oleg Sheyner Jeannette Wing Carnegie Mellon University.

Presentation transcript:

1 Survivability Analysis via Model Checking
Oleg Sheyner, Jeannette Wing
Carnegie Mellon University, 10/23/2015

2 Model Checking: Overview
Diagram: a finite model (states and transitions) and the property to be checked (written in a specification language: temporal logic or an abstract automaton) are fed to the model checker (explicit state or symbolic), which answers "Does the model satisfy the property?": Yes, or No together with a counterexample trace.

3 Survivability
A system is survivable if it can continue to provide an acceptable level of service despite the presence of faults.
Faults
–Accidental or malicious
–Not necessarily independent
Acceptable levels of service precisely defined
Cost must be included in the equation

4 Survivability Analysis: Overview
Diagram: in Phase 1 the system model and the survivability property go into the checker, which produces a scenario graph. In Phase 2 a scenario set is taken from that graph, annotated (e.g., probabilities, cost), and run through the analyzer to answer a reliability query, a cost query, etc.
Status: simple examples done; initial efforts under way.

5 Phase 1
Network Model = a set of concurrently executing Finite State Machines.
Survivability Property = a predicate in CTL.
Scenario Graph = a set of related examples.
Model Checker = (modified) NuSMV

6 Model
Network
–hosts
–services
–connectivity
–trust relationships
Adversary
–Knowledge about the network
–Privilege levels on hosts
Attacks
–Preconditions: Local (adversary), Global (network-wide)
–Traces
–Effects: Local (adversary), Global (network-wide)
–Different flavors
Intrusion detection system
–Network (inter-host)
–Host-based (local)

7 Phase 1 Example: Multistage Network Penetration
Diagram: the adversary's host ip a reaches the targets through a firewall/router watched by an IDS; host ip 1 runs ftp and sshd, host ip 2 runs ftp and the database.
Attack Arsenal (Number: Attack - effect; the slide also has a Detected column)
0: Sshd buffer overflow - remotely get root
1: Ftp.rhosts file - establish trust between hosts
2: Remote login - exploit trust between hosts
3: Local buffer overflow - locally get root
Goal: Root access to host ip 2

8 Scenario-Generating Properties
These define secure operation - we look for counterexamples.
Two cases:
1) Don’t care about detection
–AG (adversary.privilege[ip 2] < root)
–along all paths, it is always the case that the privilege of the adversary is less than root
2) Want stealth
–AG ((adversary.privilege[ip 2] < root) or (IDS.detected))
–As above, or the IDS detects the act that leads to privilege elevation

9 ...
Figure: the scenario graph for the example network (adversary host ip a, firewall/router, IDS, targets ip 1 and ip 2). Edge labels: Sshd buffer overflow on ip 1; Ftp.rhosts on ip 2; Rsh from ip 1 to ip 2; Rsh from ip a to ip 2; Local buffer overflow on ip 2. Each node records the adversary's privilege on each host (no access, user, root) and whether rsh trust has been established; the nodes where the adversary holds root on ip 2 are marked "Yeah!".

10 NuSMV Encoding
Network
–1 attack host, 2 target hosts with services
–3x3 connectivity matrix: existence of routing path; ability to connect to ftp and ssh services
–3x3 trust matrix
Adversary
–Privilege levels for each host
Attacks
–4 attacks
–some have multiple flavors
NuSMV Statistics
–82 bits of state (2^82 states)
–<40K representation nodes
–~7000 reachable states
–2 sec runtime on 1GHz Pentium III
–8MB of memory used
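The encoding of slides 5 to 10 can be reproduced without NuSMV by enumerating the reachable states directly, which is the explicit-state alternative slide 14 mentions. What follows is an added example written for this transcript, not the authors' model or tool: it builds the three-host network as one state machine (privilege per host, trust pairs, an IDS flag), searches it breadth-first, checks both AG properties from slide 8, and returns the shortest counterexample plus the scenario graph (every transition that lies on some path to a violating state). The connectivity matrix, the ordering none < user < root, and the rule that the IDS notices only remote logins that start at the adversary's host are constructed assumptions, and the attack flavors of slide 10 are left out.

```python
"""Explicit-state scenario-graph generation for the three-host example.
Added example; not the authors' NuSMV encoding. Connectivity, privilege
ordering and the IDS rule below are constructed assumptions."""
from collections import deque

HOSTS = ("ip_a", "ip_1", "ip_2")   # ip_a is the adversary's own host
NONE, USER, ROOT = 0, 1, 2         # privilege levels, ordered

# Services host dst accepts from host src (routing path + firewall folded in).
# Constructed: ip_a reaches ftp/ssh/rsh on ip_1 but only ftp/rsh on ip_2.
CONNECT = {
    ("ip_a", "ip_1"): {"ftp", "ssh", "rsh"},
    ("ip_a", "ip_2"): {"ftp", "rsh"},
    ("ip_1", "ip_2"): {"ftp", "rsh"},
}

# A state is (privilege per host, set of trust pairs (src, dst), IDS detected).
INIT = ((ROOT, NONE, NONE), frozenset(), False)


def ids_sees(attack, src):
    """Constructed IDS model: the network IDS flags a remote login that
    originates at the adversary's host, and nothing else."""
    return attack == "rsh" and src == "ip_a"


def with_priv(state, host, level, noticed):
    priv, trust, det = state
    i = HOSTS.index(host)
    priv = priv[:i] + (max(priv[i], level),) + priv[i + 1:]
    return (priv, trust, det or noticed)


def with_trust(state, src, dst, noticed):
    priv, trust, det = state
    return (priv, trust | {(src, dst)}, det or noticed)


def successors(state):
    """Every single-attack transition enabled in `state` (slide 7's arsenal)."""
    priv, trust, _ = state
    p = dict(zip(HOSTS, priv))
    for dst in HOSTS:
        if dst == "ip_a":
            continue
        if p[dst] == USER:  # local buffer overflow: user shell -> root
            yield f"local buffer overflow on {dst}", with_priv(state, dst, ROOT, ids_sees("local_bof", dst))
        for src in HOSTS:
            if src == dst or p[src] < USER:
                continue
            svc = CONNECT.get((src, dst), set())
            if "ssh" in svc and p[dst] < ROOT:  # sshd overflow: remote root
                yield f"sshd buffer overflow on {dst} from {src}", with_priv(state, dst, ROOT, ids_sees("sshd_bof", src))
            if "ftp" in svc and (src, dst) not in trust:  # .rhosts: plant trust
                yield f"ftp .rhosts on {dst} from {src}", with_trust(state, src, dst, ids_sees("ftp_rhosts", src))
            if "rsh" in svc and (src, dst) in trust and p[dst] < USER:  # login via trust
                yield f"rsh from {src} to {dst}", with_priv(state, dst, USER, ids_sees("rsh", src))


def check_ag(prop, init=INIT):
    """Check AG prop by breadth-first search. Returns (holds, shortest
    counterexample as attack labels, scenario graph as (state, label, state))."""
    parent, edges, queue = {init: None}, [], deque([init])
    while queue:
        s = queue.popleft()
        for label, t in successors(s):
            edges.append((s, label, t))
            if t not in parent:
                parent[t] = (s, label)
                queue.append(t)
    bad = [s for s in parent if not prop(s)]  # discovery order: shallowest first
    if not bad:
        return True, [], []
    trace, s = [], bad[0]
    while parent[s] is not None:
        s, label = parent[s]
        trace.append(label)
    trace.reverse()
    # Scenario graph: keep only states from which some violation is reachable.
    pred = {}
    for s, _, t in edges:
        pred.setdefault(t, set()).add(s)
    keep, stack = set(bad), list(bad)
    while stack:
        for s in pred.get(stack.pop(), ()):
            if s not in keep:
                keep.add(s)
                stack.append(s)
    return False, trace, [(s, lab, t) for s, lab, t in edges if s in keep and t in keep]


def no_root_on_ip2(state):                 # AG (adversary.privilege[ip_2] < root)
    return state[0][HOSTS.index("ip_2")] < ROOT


def root_on_ip2_is_detected(state):        # AG (... < root or IDS.detected)
    return state[0][HOSTS.index("ip_2")] < ROOT or state[2]


if __name__ == "__main__":
    for name, prop in (("no root on ip_2", no_root_on_ip2),
                       ("root on ip_2 only if detected", root_on_ip2_is_detected)):
        holds, trace, graph = check_ag(prop)
        print(name, "holds" if holds else f"violated; scenario graph has {len(graph)} edges")
        for step in trace:
            print("   ", step)
```

The first property is violated by a three-step path that the IDS notices; the stealth property is violated only by the longer path through ip_1, and its scenario graph is a strict subset of the first one because the detected flag never clears.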

11 Goal: Get Root, Avoiding Detection

12 Issues
Metrics and Reliability Analysis
–What is the worst case probability of failure?
–What is the worst case probability that a service will ‘work’?
Scalability
Integration in a Vigilant System

13 Online and Offline Responses
Online
–What is the least restrictive firewall configuration that thwarts the intruder?
Offline
–Where do we install an additional IDS to maximize chances of detection?
–What is the smallest set of vulnerabilities we need to fix to thwart the attacker?
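The Phase 2 queries of slides 4, 12 and 13 operate on the scenario set after it has been annotated. The block below is an added example, not the authors' analyzer: it takes a constructed scenario set for the slide 9 graph (each scenario an ordered list of (attack, location) steps), constructed per-attack success probabilities, constructed fix costs and constructed candidate IDS placements, and answers three of the questions: the worst-case probability of failure (the scenario most likely to succeed, treating steps as independent), the cheapest set of vulnerabilities whose removal breaks every scenario (a minimum-cost hitting set, brute-forced because the arsenal is small), and the IDS placement that catches the most scenarios, earliest.

```python
"""Phase 2 queries over an annotated scenario set. Added example; the
scenario set, probabilities, costs and sensor placements are constructed."""
from itertools import combinations
from math import prod

# Constructed scenarios: (attack, location), where the location is the link the
# attack crosses or the host it runs on. Attack names follow slide 7's arsenal.
SCENARIOS = [
    [("sshd_bof", "ip_a->ip_1"), ("ftp_rhosts", "ip_1->ip_2"),
     ("rsh", "ip_1->ip_2"), ("local_bof", "ip_2")],
    [("ftp_rhosts", "ip_a->ip_2"), ("rsh", "ip_a->ip_2"), ("local_bof", "ip_2")],
    [("ftp_rhosts", "ip_a->ip_1"), ("rsh", "ip_a->ip_1"),
     ("ftp_rhosts", "ip_1->ip_2"), ("rsh", "ip_1->ip_2"), ("local_bof", "ip_2")],
]
# Constructed annotations: probability that an attempted attack succeeds, and
# the cost of removing each vulnerability (patch, reconfigure, disable).
P_SUCCESS = {"sshd_bof": 0.6, "ftp_rhosts": 0.9, "rsh": 0.95, "local_bof": 0.7}
FIX_COST = {"sshd_bof": 3, "ftp_rhosts": 4, "rsh": 5, "local_bof": 2}
# Constructed candidate IDS placements and the locations each one observes.
SENSORS = {
    "network IDS at the router": {"ip_a->ip_1", "ip_a->ip_2"},
    "network IDS on ip_1's segment": {"ip_1->ip_2"},
    "host IDS on ip_2": {"ip_2"},
}


def worst_case_failure_probability(scenarios=SCENARIOS, p=P_SUCCESS):
    """Worst case = the scenario most likely to succeed (steps independent)."""
    return max(prod(p[a] for a, _ in s) for s in scenarios)


def worst_case_service_availability(scenarios=SCENARIOS, p=P_SUCCESS):
    """Worst-case probability that the service keeps 'working'."""
    return 1.0 - worst_case_failure_probability(scenarios, p)


def cheapest_fix_set(scenarios=SCENARIOS, cost=FIX_COST):
    """Cheapest set of vulnerabilities to remove so that every scenario loses
    at least one step (minimum-cost hitting set). Returns (set, total cost)."""
    attacks = sorted({a for s in scenarios for a, _ in s})
    best, best_cost = set(), float("inf")
    for k in range(1, len(attacks) + 1):
        for fix in combinations(attacks, k):
            c = sum(cost[a] for a in fix)
            if c < best_cost and all(any(a in fix for a, _ in s) for s in scenarios):
                best, best_cost = set(fix), c
    return best, best_cost


def best_sensor_placement(scenarios=SCENARIOS, sensors=SENSORS):
    """Placement that catches the most scenarios; ties go to the placement
    that raises the alert after the fewest completed attack steps."""
    def score(observed):
        caught, steps_before_alert = 0, 0
        for s in scenarios:
            hits = [i for i, (_, loc) in enumerate(s) if loc in observed]
            if hits:
                caught += 1
                steps_before_alert += hits[0]
        return (caught, -steps_before_alert)
    return max(sensors, key=lambda name: score(sensors[name]))


if __name__ == "__main__":
    print("worst-case P(failure):", round(worst_case_failure_probability(), 4))
    print("cheapest fix set:", cheapest_fix_set())
    print("smallest fix set:", cheapest_fix_set(cost={a: 1 for a in FIX_COST}))
    print("best IDS placement:", best_sensor_placement())
```

Passing unit costs to cheapest_fix_set gives the smallest set by count rather than by cost; with the constructed numbers the two answers differ, which is the point of slide 3's remark that cost has to be part of the equation.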

14 Scalability
Expanded case study
–5 hosts
–4 new attacks
–legitimate users
–background traffic: high priority, low priority
–multiple firewall configurations
NuSMV runtime: 4.5 hours
~6000 nodes in scenario graph
Scalability remains a problem
–Would like performance linear in size of the reachable state
–Alternative approach: explicit-state model checking

15 Tool Support
Diagram of the pipeline in three stages:
Modeling: High-Level Description (Network spec (XML), ...) -> Compiler -> NuSMV model, PRISM model, ...
Scenario Generation: Modified NuSMV, PRISM -> Raw Scenario Graph
Analysis: Decompile & Annotate -> Domain-Specific Scenario Set -> Analyze -> Worst-case reliability, Most effective fix, etc.

16 XML Fragment

17 Bottom Line
Model checking technology can contribute to online vigilance
–Complete graphs describing what can go wrong enable the system to analyze the threat and pick the appropriate response
Scale is a problem
–Model checking cannot do the job alone
–Should be part of an integrated system employing multiple techniques
