Towards Unifying Vulnerability Information for Attack Graph Construction
Sebastian Roschke
Feng Cheng, Robert Schuppenies, Christoph Meinel
ISC2009 - 2009-09-08
Internet-Technologies and -Systems | Prof. Dr. Ch. Meinel
Sebastian Roschke | Unifying Vulnerability Information for AG Construction | 2009-09-08
Outline
■ Introduction
□ Attack Graph Workflow
■ Sources of Vulnerability Information
□ Source Comparison
□ CVE, CVSS, and OVAL
■ Implementation of an Extraction Tool
□ Data Model
□ Architecture
□ Proof of Concept
■ Summary & Conclusions
Attack Graph Workflow
■ Attack Graph Workflow Phases
□ Information Gathering, Attack Graph Construction, Analysis & Visualization
Vulnerability Information
Sources of Vulnerability Information
■ Existing databases are either commercial or community-based
□ Commercial: DragonSoft (D.Soft), Secunia, SecurityFocus (S.Focus), Securiteam, and X-Force
□ Community-based: Cooperative Vulnerability Database (CoopVDB), the Department of Energy Cyber Incident Response Capability (DoE-CIRC), the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), and the United States Computer Emergency Readiness Team (US-CERT)
■ Vulnerability standardization efforts
□ CVE – Common Vulnerabilities and Exposures
□ CVSS - Common Vulnerability Scoring System
□ OVAL - Open Vulnerability and Assessment Language
Vulnerability Standardization Efforts
■ CVE – Common Vulnerabilities and Exposures
□ Dictionary providing common names and references for vulnerabilities
■ CVSS - Common Vulnerability Scoring System
□ Metric indicating how critical a vulnerability is
□ Metric groups: base metrics, temporal metrics, and environmental metrics
□ Base metrics: access vector and complexity information, degree of Confidentiality, Integrity, and Availability (CIA) violations, and number of required authentication steps
■ OVAL - Open Vulnerability and Assessment Language
□ Detailed and structured description of configurations affected by vulnerabilities
□ Definition types: vulnerability definitions, compliance definitions, inventory definitions, patch definitions, miscellaneous type
Sources of Vulnerability Information
Comparison
Implementation – Data Model
Data Model
■ Description of vulnerabilities as a set of pre- and post-conditions
■ A condition consists of system properties
Implementation – Data Model
System Properties
Implementation – Data Model
Description Example
Automatic Vulnerability Extraction
Architecture
■ Plugin-enabled architecture of readers and writers
■ Reader plugins parse VDBs and create the internal vulnerability representation (according to the introduced data model)
■ Writer plugins use the data model to transform the internal representation, e.g., to create data compatible with an attack graph (AG) generator
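An added illustration of the data model (vulnerability = pre- and post-conditions over system properties) and of the reader/writer plugin architecture; this is example code written for this transcript, not the authors' extraction tool. The JSON-lines input format is hypothetical, the ids are placeholders, and the MulVAL fact schema is approximated from memory rather than taken from MulVAL's documentation.

```python
import json
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

Property = Tuple[str, str]  # a system property is a (name, value) pair; a condition is a set of them

@dataclass(frozen=True)
class Vulnerability:
    vuln_id: str
    preconditions: FrozenSet[Property]   # properties the target must have before exploitation
    postconditions: FrozenSet[Property]  # properties the attacker obtains afterwards
# Plugin registries: a reader parses one VDB format into Vulnerability objects,
# a writer serialises them for one consumer such as an attack graph generator.
READERS: Dict[str, Callable[[str], List[Vulnerability]]] = {}
WRITERS: Dict[str, Callable[[Iterable[Vulnerability]], str]] = {}

def plugin(registry: dict, fmt: str):
    """Decorator that registers a reader or writer under a format name."""
    def register(fn):
        registry[fmt] = fn
        return fn
    return register

@plugin(READERS, "jsonl")
def read_jsonl(text: str) -> List[Vulnerability]:
    """Reader for a constructed JSON-lines export (hypothetical VDB format)."""
    vulns = []
    for line in filter(str.strip, text.splitlines()):
        rec = json.loads(line)
        vulns.append(Vulnerability(rec["id"], frozenset(rec["pre"].items()),
                                   frozenset(rec["post"].items())))
    return vulns

@plugin(WRITERS, "mulval")
def write_mulval(vulns: Iterable[Vulnerability]) -> str:
    """Writer emitting MulVAL-style vulProperty/3 facts (schema approximated, an assumption)."""
    facts = []
    for v in sorted(vulns, key=lambda x: x.vuln_id):
        pre, post = dict(v.preconditions), dict(v.postconditions)
        rng = "remoteExploit" if pre.get("access") == "network" else "localExploit"
        facts.append(f"vulProperty('{v.vuln_id}', {rng}, {post.get('effect', 'privEscalation')}).")
    return "\n".join(facts)

def convert(src_fmt: str, text: str, dst_fmt: str) -> str:
    """Chain one reader plugin with one writer plugin."""
    return WRITERS[dst_fmt](READERS[src_fmt](text))

# Constructed sample input; the ids are placeholders, not real CVE entries.
SAMPLE = ('{"id": "VULN-EX-1", "pre": {"access": "network"}, "post": {"effect": "privEscalation"}}\n'
          '{"id": "VULN-EX-2", "pre": {"access": "local"}, "post": {"effect": "dos"}}\n')
```

Adding support for another VDB or another attack graph tool means registering one more function; the internal representation stays untouched.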
Automatic Vulnerability Extraction
Proof of Concept
■ PoC implemented in Python with a simple web-based front end
■ Reader plugins: NVD Reader, OVAL Reader, XML Reader, CVE Reader
■ Writer plugins: MulVAL Writer, XML Writer
Extraction Process
■ Main source: NVD
■ Utilization of CVSS: CIA impact, access vector
■ Utilization of OVAL: description of the environment
■ Extraction based on common patterns and phrases, e.g.:
□ “execute arbitrary code”
□ “Microsoft Windows 2000 SP4 or later is installed”
Correctness
Evaluation of Textual Extraction
■ NVD: comparison of the textual description with its CVSS counterpart
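An added example covering both the phrase-based extraction process and the correctness check above: pre- and post-conditions are derived from the free-text description and then compared with the CVSS v2 base vector of the same entry, so that inconsistent entries are flagged and a correctness ratio is computed. This is illustrative code written for this transcript, not the authors' tool; the phrase patterns, the rule that code execution should imply impact on C, I and A, and the NVD-like records (placeholder ids, constructed text) are all assumptions.

```python
import re
from typing import Dict, List, Tuple
# Phrase patterns as on the slide: attacker position, gained effect, and the OVAL-style "<product> or later is installed" phrase.
ACCESS_PATTERNS = [(r"\bremote attackers?\b", "network"), (r"\blocal users?\b", "local")]
EFFECT_PATTERNS = [(r"execute arbitrary code", "code_execution"), (r"denial of service", "dos")]
INSTALLED = re.compile(r"\b([A-Z][\w.]*(?: [A-Z0-9][\w.]*)*)(?: or later)? is installed")
def parse_cvss2(vector: str) -> Dict[str, str]:
    """Split a CVSS v2 base vector such as 'AV:N/AC:L/Au:N/C:C/I:C/A:C' into a dict."""
    return dict(part.split(":") for part in vector.split("/"))

def extract(description: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Derive pre- and postconditions from the free-text description by phrase matching."""
    pre, post = {}, {}
    for pattern, value in ACCESS_PATTERNS:
        if re.search(pattern, description, re.I):
            pre["access"] = value
    for pattern, value in EFFECT_PATTERNS:
        if re.search(pattern, description, re.I):
            post["effect"] = value
    match = INSTALLED.search(description)
    if match:
        pre["software"] = match.group(1)
    return pre, post

def inconsistencies(pre: Dict[str, str], post: Dict[str, str], cvss: Dict[str, str]) -> List[str]:
    """Compare the textual extraction with the CVSS base metrics of the same entry."""
    issues = []
    cvss_access = "local" if cvss["AV"] == "L" else "network"  # adjacent network counted as remote
    if "access" in pre and pre["access"] != cvss_access:
        issues.append(f"access vector: text says {pre['access']}, CVSS says {cvss_access}")
    # Assumption: arbitrary code execution should be scored with impact on all of C, I and A.
    if post.get("effect") == "code_execution" and "N" in (cvss["C"], cvss["I"], cvss["A"]):
        issues.append("code execution in text, but CVSS reports no impact on some of C/I/A")
    if post.get("effect") == "dos" and cvss["A"] == "N":
        issues.append("denial of service in text, but CVSS availability impact is None")
    return issues
def evaluate(records: List[dict]) -> Tuple[float, Dict[str, List[str]]]:
    """Fraction of entries whose extracted conditions agree with CVSS, plus per-entry findings."""
    report = {r["id"]: inconsistencies(*extract(r["description"]), parse_cvss2(r["cvss2"]))
              for r in records}
    return sum(not found for found in report.values()) / len(records), report

# Constructed NVD-like records with placeholder ids; they are not real CVE entries.
RECORDS = [
    {"id": "VULN-EX-1", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "description": "Buffer overflow in ExampleD 1.0 allows remote attackers to execute arbitrary code via a long request."},
    {"id": "VULN-EX-2", "cvss2": "AV:L/AC:L/Au:N/C:N/I:N/A:P", "description": "ExampleApp allows local users to cause a denial of service via a crafted file, when ExampleApp 2.1 or later is installed."},
    {"id": "VULN-EX-3", "cvss2": "AV:N/AC:M/Au:N/C:N/I:P/A:N", "description": "Cross-site scripting in ExampleWeb allows remote attackers to execute arbitrary code."},
    {"id": "VULN-EX-4", "cvss2": "AV:N/AC:L/Au:N/C:C/I:C/A:C", "description": "Unspecified vulnerability in ExampleSvc allows local users to gain privileges via unknown vectors."},
]
```

On these four constructed records two entries agree with their CVSS vector and two do not, which is the kind of disagreement the talk reports between textual descriptions and CVSS data.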
Summary
■ Main contributions
□ Comparison of vulnerability databases
□ Data model to unify vulnerabilities
□ Automatic extraction of vulnerability information
□ Transformation to different attack graph tools, e.g., MulVAL (Ou et al.)
■ Conclusions
□ Vulnerability information is often inconsistent, e.g., CVSS compared to the textual description
□ Extraction from textual descriptions is applicable (70%-90% correctness)
Open Issues
■ Improve the extraction process
■ Additional plugins to enrich functionality
□ Readers for new VDBs, e.g., ...
□ Writers for different attack graph tools
■ Universal vulnerability database providing unified vulnerability information (extracted from multiple databases) at runtime
■ Utilization of data model to describe system and network information
■ Attack Graph toolkit focusing on wide range of vulnerability information
Questions
Any Questions?