Posted on 01-Apr-2015
k-Zero Day Safety: Measuring the Security Risk of Networks against Unknown Attacks
Lingyu Wang (1), Sushil Jajodia (2), Anoop Singhal (3), and Steven Noel (2)
(1) Concordia University, (2) George Mason University, (3) National Institute of Standards and Technology
ESORICS 2010
Outline
  Introduction
  Related Work
  k-Zero Day Safety Model
  Algorithms for Computing k-Zero Day Safety
  Application and Instantiation
  Conclusion
The Need for Security Metric
  “Boss, we really need this new firewall, it will make our network much more secure!”
  “Much more secure”? How much more?
The Need for Security Metric
  “You cannot improve what you cannot measure”
  To justify the cost of a security solution, we need to know how much security the solution can bring
  A security metric will allow for a direct measurement of security before and after deploying the solution
  Such a capability will make network hardening a science rather than an art
The Need for Security Metric
  “Much more secure”? How much more?
  Security   Cost
  2          $5k
  3          $10k
  …          …
Can Security Be Measured?
  A security metric exists for known vulnerabilities (1)
  Knowledge about vulnerabilities allows us to measure their relative exploitability, likelihood, impact, etc.
  But what about unknown vulnerabilities? We are measuring the unmeasurable (2), because there is little ground for such a measurement:
    Vulnerability: No prior knowledge is available
    Software: Software flaws are much less predictable
    Attacker: Finding flaws/developing exploits is a chaotic process
(1) Common Vulnerability Scoring System (CVSS-SIG) v2, http://www.first.org/cvss/
(2) J. McHugh. Quality of protection: Measuring the unmeasurable? In Proceedings of the 2nd ACM workshop on Quality of protection (QoP’06), 2006.
The Curse on Security Metric
  What if we can’t measure unknown vulnerabilities? An attacker can simply step outside and do as he pleases (1)
  What’s the value of a “more secure” system that is equally susceptible to unknown attacks?
  Therefore, security is not quantifiable until we can fix all potential flaws. But by then we certainly don’t need a security metric!
(1) J. McHugh. Quality of protection: Measuring the unmeasurable? In Proceedings of the 2nd ACM workshop on Quality of protection (QoP’06), 2006.
The Curse on Security Metric: Our Solution
  What if we don’t measure unknown vulnerabilities? Instead, we simply count them
  We count how many unknown vulnerabilities can be resisted by a network
  A larger count means a more secure network, since more unknown vulnerabilities must all be
    Available at the same time,
    Applicable to the same network, and
    Exploitable by the same attacker,
  whose likelihood is lower
Our Contribution
  The k-zero day safety metric
    Formally defined based on an abstract network model
    Proved to satisfy the required algebraic properties
    Algorithms for computing the metric are proposed
    Application to network hardening is discussed
  The first known effort capable of quantifying the risk of unknown attacks
    It may open up new opportunities for the evaluation, hardening, and design of secure networks
Related Work
  NIST’s efforts on standardizing security metrics
    Special Publication 500-133 (1985), 800-55 (2003)
    CVSSv2 and NVD
  Efforts on measuring known vulnerabilities
    MTTF-based approach (Dacier et al., TSE’99)
    Minimum-effort approaches (Balzarotti et al., QoP’05 and Pamula et al., QoP’06)
    PageRank approach (Mehta et al., RAID’06)
    Our previous work (DBSec’07-08, QoP’07-08)
Related Work
  Attack surface (Howard et al., QoP’06)
    Measures the security of a single software system
    Focusing on interfaces instead of internal details
  k-anonymity (Samarati et al., TKDE’01)
    Measuring the amount of privacy using an integer regardless of specific application semantics
  Zero day attacks
    Total number of zero-day vulnerabilities (McQueen et al., HICSS’09)
    Ranking applications with consequences of having one zero-day vulnerability (Ingols et al., ACSAC’09)
Network
[Figure: example network. host 0 reaches host 1 (running http and ssh, with iptables) and, through the firewall F, host 2 (running ssh).]
The model
  H = {0, 1, 2, F}
  S = {http, ssh, iptables, firewall}
  P = {user, root}
  conn = {<0,F>, <0,1>, …}
  serv(1) = {http, ssh, iptables}
  serv(F) = {firewall}
  priv(1) = priv(2) = {user, root}
An example
  If all services are free of known vulnerabilities, a vulnerability scanner or attack graph will claim the network is secure, and no additional hardening effort (e.g., iptables) is necessary
  However, we shall reach a different conclusion by considering at least how many zero-day attacks are required to compromise the network
Assumptions
  We assume a zero day vulnerability
    1. Cannot be exploited unless
      a. A network connection exists between source/destination
      b. A remote service with the vulnerability exists on destination
      c. The attacker already has a privilege on the source host
    2. May lead to any privilege on the destination host
  (These essentially depict a worst-case scenario)
Zero Day Vulnerability
[Figure: the example network as above, with its zero-day attack graph: condition nodes <user,0>, <root,1>, <root,2>, <0,2> and exploit nodes <vhttp,0,1>, <vssh,0,1>, <vssh,0,2>, <vssh,1,2>, <vfirewall,0,F>.]
The model
  <vssh,0,1>: <0,1> ∈ conn, ssh ∈ serv(1)
  <vroot,1,1>: root ∈ priv(1)
  pre(<vssh,0,1>) = {<0,1>, <ssh,1>, <user,0>}
  post(<vssh,0,1>) = {<user,1>}
  pre(<vroot,1,1>) = {<user,1>}
  post(<vroot,1,1>) = {<root,1>}
An example
k-Zero Day Safety
[Figure: the example network and its zero-day attack graph, as on the previous slide.]
The model
  CI = {<user,0>}, A = {<root,2>}
  <vhttp,0,1> ∧ <vssh,1,2>
  <vssh,0,1> ∧ <vssh,1,2>
  <vssh,0,2> ∧ <vroot,2,2>
  k0d({<vhttp,0,1>, <vssh,1,2>}) = 2
  k0d({<vssh,0,1>, <vssh,1,2>}) = 1
  k0d({<vfirewall,0,F>, <vssh,0,2>, <vroot,2,2>}) = 3
An example
  At least one zero day vulnerability is required to compromise the network
Hardening the Network: k=k+1
[Figure: the example network with iptables enabled on host 1, and the resulting zero-day attack graph: condition nodes <user,0>, <ssh,1>, <root,1>, <root,2>, <0,2> and exploit nodes <viptables,0,1>, <vhttp,0,1>, <vssh,0,1>, <vssh,0,2>, <vssh,1,2>, <vfirewall,0,F>.]
The model
  <viptables,0,1> ∧ <vssh,0,1>
  <viptables,0,1> ∧ <vssh,1,2>
  k0d({<viptables,0,1>, <vssh,1,2>}) = 2
  k0d({<viptables,0,1>, <vssh,0,1>, <vssh,1,2>}) = 2
  k0d(<root,2>) = 2
An example
  With this hardening effort, at least two distinct zero day vulnerabilities are required to compromise the same network
In Summary
  Our metric can help to compare the relative security of “secure networks” that are otherwise indistinguishable by existing techniques
  (Notice: Many features of the model are not mentioned while discussing this simple example. More details can be found in the paper)
What’s the Value of k?
The algorithm
  <root,2>
  = <vssh,1,2> ∨ <vssh,0,2>
  = (<vssh,1,2> ∧ <root,1>) ∨ (<vssh,0,2> ∧ <0,2>)
  = … (DNF conversion)
  = (<vhttp,0,1> ∧ <vssh,1,2>) ∨ (<vssh,0,1> ∧ <vssh,1,2>) ∨ (<vfirewall,0,F> ∧ <vssh,0,2>)
  k = k0d({<vssh,0,1>, <vssh,1,2>}) = 1
An example
[Figure: the zero-day attack graph of the example network, as above.]
Complexity
  Exponential (in size of the attack graph)
  The problem is NP-hard
  Efficient algorithms still exist for practical variations
Is k>1 True?
The algorithm
  Starting from <user,0>:
  <vhttp,0,1> ∧ <vssh,1,2>: k>1
  <vssh,0,1> ∧ <vssh,1,2>: k=1
  (k>1) = FALSE!
An example
[Figure: the zero-day attack graph of the example network, as above.]
Complexity
  Polynomial if k is compared to a constant (in size of the attack graph)
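The following Python program is an added example, not code from the slides or the paper. It encodes a small zero-day attack graph in the style of the preceding slides (hosts 0, 1, 2 and firewall F; an exploit is written as (vulnerability, source, destination) with pre- and post-conditions) and runs both algorithms above on it: the exponential one, which enumerates the minimal attack sequences (the conjunctions of the DNF) and takes the minimum k0d, and the polynomial-for-constant-k check of whether the network is k-zero-day safe, i.e. whether every attack needs more than k distinct zero-day vulnerabilities. k0d counts distinct vulnerability names, so <vssh,0,1> and <vssh,1,2> count as one. The connectivity, services, pre/post-conditions and the way iptables is modelled (it hides the ssh service on host 1 until bypassed by its own zero-day) are my assumptions and differ in detail from the paper's figure.

```python
"""k-zero-day safety computed on a constructed model of the slides' example network."""
from itertools import combinations

# Conditions are tuples: ('conn', src, dst), ('svc', service, host), ('priv', privilege, host).
# A zero-day exploit is (vuln, src, dst, pre, post) with pre/post as frozensets of conditions.
GOAL = ('priv', 'root', 2)  # the asset A: root on host 2


def exploit(vuln, src, dst, pre, post):
    return (vuln, src, dst, frozenset(pre), frozenset(post))


def base_network():
    """Assumed instantiation (not the paper's exact figure): host 0 reaches host 1 (http, ssh) and
    the firewall F; host 2 (ssh) is reachable from host 1, and from host 0 only once F is bypassed."""
    initial = {('conn', 0, 1), ('conn', 0, 'F'), ('conn', 1, 2),
               ('svc', 'http', 1), ('svc', 'ssh', 1), ('svc', 'ssh', 2), ('svc', 'firewall', 'F'),
               ('priv', 'user', 0)}  # CI = {<user,0>} plus the network's connections and services
    exploits = [
        exploit('vhttp', 0, 1, {('conn', 0, 1), ('svc', 'http', 1), ('priv', 'user', 0)}, {('priv', 'user', 1)}),
        exploit('vssh', 0, 1, {('conn', 0, 1), ('svc', 'ssh', 1), ('priv', 'user', 0)}, {('priv', 'user', 1)}),
        exploit('vssh', 1, 2, {('conn', 1, 2), ('svc', 'ssh', 2), ('priv', 'user', 1)}, {('priv', 'root', 2)}),
        exploit('vfirewall', 0, 'F', {('conn', 0, 'F'), ('svc', 'firewall', 'F'), ('priv', 'user', 0)}, {('conn', 0, 2)}),
        exploit('vssh', 0, 2, {('conn', 0, 2), ('svc', 'ssh', 2), ('priv', 'user', 0)}, {('priv', 'user', 2)}),
        exploit('vroot', 2, 2, {('priv', 'user', 2)}, {('priv', 'root', 2)}),
    ]
    return initial, exploits


def hardened_network():
    """Assumed hardening: iptables on host 1 hides ssh, so <ssh,1> is no longer an initial
    condition and only becomes true after a zero-day bypass of iptables."""
    initial, exploits = base_network()
    initial = (initial - {('svc', 'ssh', 1)}) | {('svc', 'iptables', 1)}
    exploits = exploits + [
        exploit('viptables', 0, 1, {('conn', 0, 1), ('svc', 'iptables', 1), ('priv', 'user', 0)}, {('svc', 'ssh', 1)}),
    ]
    return initial, exploits


def closure(initial, exploits):
    """Forward reasoning: apply any exploit whose pre-conditions hold until nothing new is derived."""
    state = set(initial)
    changed = True
    while changed:
        changed = False
        for (_, _, _, pre, post) in exploits:
            if pre <= state and not post <= state:
                state |= post
                changed = True
    return state


def k0d(exploits):
    """Number of distinct zero-day vulnerabilities: the same vulnerability exploited on
    different hosts (e.g. <vssh,0,1> and <vssh,1,2>) is counted once."""
    return len({vuln for (vuln, _, _, _, _) in exploits})


def minimal_attacks(initial, exploits, goal):
    """Exponential algorithm: every minimal set of exploits that reaches the goal
    (one conjunction of the DNF per set). Subsets are visited by increasing size."""
    found = []
    for size in range(1, len(exploits) + 1):
        for subset in combinations(exploits, size):
            if goal in closure(initial, subset) and not any(set(f) <= set(subset) for f in found):
                found.append(subset)
    return found


def k_zero_day(initial, exploits, goal):
    """k = the minimum k0d over all attack sequences; None if the goal is unreachable."""
    attacks = minimal_attacks(initial, exploits, goal)
    return min(k0d(a) for a in attacks) if attacks else None


def is_k_zero_day_safe(initial, exploits, goal, k):
    """Polynomial for constant k: pick k vulnerability names, give the attacker every exploit
    of those vulnerabilities, and check reachability. Safe iff no such choice reaches the goal."""
    names = sorted({vuln for (vuln, _, _, _, _) in exploits})
    for chosen in combinations(names, min(k, len(names))):
        if goal in closure(initial, [e for e in exploits if e[0] in chosen]):
            return False
    return True


if __name__ == '__main__':
    for label, (initial, exploits) in (('original', base_network()), ('iptables on host 1', hardened_network())):
        print(f'{label}: k = {k_zero_day(initial, exploits, GOAL)}')
        for attack in minimal_attacks(initial, exploits, GOAL):
            print('  ', ' and '.join(f'<{v},{s},{d}>' for v, s, d, _, _ in attack), '-> k0d =', k0d(attack))
        print('   1-zero-day safe?', is_k_zero_day_safe(initial, exploits, GOAL, 1))
```

On the original model the program finds the three attack sequences from the slides with k0d 2, 1 and 3, so k = 1 and the answer to "is k > 1?" is false; with iptables modelled on host 1 the cheapest sequence now needs two distinct vulnerabilities, so k = 2. The k-safety check enumerates C(n, k) choices of vulnerability names rather than all exploit subsets, which is why it stays polynomial once k is a constant.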
Application to Network Hardening
  We can unfold k based on the model
  [Formula: k unfolded according to the model; not reproduced in the extracted slide]
  This (mess) tells us (in numbers) that k may be increased by:
    Increasing diversity of services
    Strengthening isolation around services
    Removing unnecessary services or connections
    Enforcing stricter access control policies
    Protecting assets via backups or IDSs
    Introducing more security services
    Patching known vulnerabilities
    ……
Application to Network Hardening
  We can unfold k based on the model
  Nothing new here? Right, these hardening options match existing practices (e.g., layered defense, security via virtualization, security through diversity, etc.), which shows the relevance of our metric
  But their effectiveness can now be quantified! And their cost can be justified, in a simple, intuitive way (so simple that even the boss can understand)
  k   Cost
  2   $5k
  3   $10k
  …   …
Instantiating the Model
  This paper focuses on model and algorithms
  Instantiating the model from a real world network is a different issue
  We discuss several key aspects in the paper
[Figure: Model → Instantiation → Algorithms: from the example network (host 0, host 1 with http/ssh/iptables, host 2 with ssh, firewall) to its zero-day attack graph (<user,0>, <root,1>, <root,2>, <0,2>, <vhttp,0,1>, <vssh,0,1>, <vssh,0,2>, <vssh,1,2>, <vfirewall,0,F>) to the value k=3.]
Conclusion
  We have proposed the k-zero day safety metric, discussed algorithms and complexity, and shown potential applications of the metric
  Future work includes
    extending the model to address various limitations
    further investigating instantiation of the model
    studying other applications of the metric
Q & A
Thank You!
Contact Author: Lingyu Wang (wang@ciise.concordia.ca)