Upload
vandien
View
216
Download
0
Embed Size (px)
Citation preview
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
A Logical Framework for Anticipation of NetworkA Logical Framework for Anticipation of Network Incidents
Elie Bursztein and Jean Goubault‐LarrecqPhd Student LSV ENS‐CACHAN CNRS INRIA DGAPhd Student LSV ENS‐CACHAN CNRS INRIA DGA
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Outline
IntroductionNetwork EvolutionAttack Model Evolution
Anticipation game key featuresDependency relationsPlayer interactionTime
Model LogicPositional LogicgTemporal Logic
Conclusion
Outline: Introduction > Model > Strategy > Conclusion 2
Conclusion
28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
The Good Old Time
Outline: Introduction > Model > Strategy > Conclusion 328/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
The Current Internet
Outline: Introduction > Model > Strategy > Conclusion 4
Opte project
28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Attack Sophistication vs. Intruder Knowledge
Outline: Introduction > Model > Strategy > Conclusion 5
Cert/ Carnegie Mellon University
28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Attack Step‐stones
L t k ff lti l l bilitiLarge network may suffers multiples vulnerabilities
Patches and counter‐measures need to be prioritized
A minor vulnerability can turn into a major holeA minor vulnerability can turn into a major hole when used as a step‐stone
Attack graph allows to reasonAttack graph allows to reason
about attack sequences
Outline: Introduction > Model > Strategy > Conclusion 628/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Attack Graph Example
Sandia Red Team “White Board” attack graph from DARPA CC20008 I f ti b ttl ti i t
Outline: Introduction > Model > Strategy > Conclusion 7
Information battle space preparation experiment
28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Model Evolution
Anticipation
Attack graphs
Anticipation Games
g pmodel checker(Ritchey and Ammann
2000)
Attack trees(Schneier 1999)( )
8Outline: Introduction > Model > Strategy > Conclusion28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Related Work
Attack graphModel checker‐based (Ritchey et. al S&P’00, Sheyner( y , yet. al S&P’02)Graph‐based (Ammann et. al CCS’02, Ritchey et. alGraph based (Ammann et. al CCS 02, Ritchey et. al ACSAC’02, Noel et. al ACSAC’03, Wang et. al ESORICS’05, Wang et. al DBSEC’06)ESORICS 05, Wang et. al DBSEC 06)
Timed GameATL (Alur et al. 97)
The Element of Surprise in Timed Games (De Alfaro et al. CONCUR 2003)
TATL (Henzinger et al 2006 Formats)TATL (Henzinger et al 2006 Formats)
Outline: Introduction > Model > Strategy > Conclusion 928/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Model Key Features
• Collateral effectsD dD d Collateral effects• Trust relations
DependencyDependency
• AdministratorInteractionInteraction• Intruder
InteractionInteraction
• Action take timeTimeTime
10Outline: Introduction > Model > Strategy > Conclusion28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Dependency
User Database
6
54 Email serverWeb server 54 Email serverWeb server
1 2 3
Client 3Client 2Client 1
11Outline: Introduction > Model > Strategy > Conclusion28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Network interaction
Exploit vulnerabilities
Abuse trust relationsAbuse trust relations
Patch
Firewall
Restore
Outline: Introduction > Model > Strategy > Conclusion 1228/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Vulnerability cycle
Outline: Introduction > Model > Strategy > Conclusion 13
Cert/ Carnegie Mellon University
28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Network Information
U D t b
Fixed over the time Evolve over time
6
User Database
1 2 3 4 5 6
ρ(Public) ⊥ ⊥ ⊥ T T ⊥ρ(Public) ⊥ ⊥ ⊥ T T ⊥
ρ(Vuln) ⊥ ⊥ ⊥ T T ⊥
ρ(Compr) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥
54 Email serverWeb server ρ(NeedPub) ⊥ ⊥ ⊥ T T ⊥
1 2 31 2 3
Client 3Client 2Client 1
Outline: Introduction > Model > Strategy > Conclusion 1428/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Information Evolution
1 2 3 4 5 6 1 2 3 4 5 61 2 3 4 5 6ρ(Public) ⊥ ⊥ ⊥ T T ⊥ρ(Vuln) ⊥ ⊥ ⊥ T T ⊥ρ(Compr) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥
1 2 3 4 5 6ρ(Public) ⊥ ⊥ ⊥ T T ⊥ρ(Vuln) ⊥ ⊥ ⊥ T T ⊥ρ(Compr) ⊥ ⊥ ⊥ T ⊥ ⊥
Compr 4
ρ(Compr) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥ρ(NeedPu
b)⊥ ⊥ ⊥ T T ⊥
ρ(Compr) ⊥ ⊥ ⊥ T ⊥ ⊥ρ(NeedPu
b)⊥ ⊥ ⊥ T T ⊥
28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 15
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
A Incomplete Game Example
Exploit web server Patch Email serverExploit web server
E l it ilExploit email server
Patch web server Patch Email server
6
1 2 3
54
Outline: Introduction > Model > Strategy > Conclusion 16
1 2 3
28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Time
Each action requires a different amount of timeEach action requires a different amount of time Patching a service: Download, extract, apply, restart
E l it iExploit a service
Firewalling a service
In anticipation games as in TATL the fastest action winwin
Player can be taken by surprise
Outline: Introduction > Model > Strategy > Conclusion 1728/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
The element of surprise
NetworkExploit 4 in 3 unit Firewall 4 in 1 unit
Outline: Introduction > Model > Strategy > Conclusion 1828/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Type of attacks
Anticipation games allows to modelDenial of service
Buffer overflow execution
Permission abusePermission abuse
Cross‐scripting
Information leak
….
28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 19
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Rule Language
Outline: Introduction > Model > Strategy > Conclusion 2028/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Semantic
A successor node is compromisedA successor node is compromised
At least, one of the node the belongs to the equivalence is public
28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 21
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Rules example
Outline: Introduction > Model > Strategy > Conclusion 2228/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
A Play example
User Database
6
Email serverWeb server
54
1 2 31 2 3
Client 3Client 2Client 1
Pl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target SuccPlayer Action Rule Target SuccPlayer Action Rule Target SuccPlayer Action Rule Target SuccPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target SuccPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target SuccPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target Succ
Admin Choose Firewall 4
Intruder Choose Compromise 0day 4= 01248121620242832
Player Action Rule Target Succ
Admin Execute Firewall 4
Intruder Choose Compromise 0day 4
Player Action Rule Target Succ
Admin Choose Patch 4
Intruder Choose Compromise 0day 4
Player Action Rule Target Succ
Admin Choose Patch 4
Intruder Fail Compromise 0day 4
Player Action Rule Target Succ
Admin Choose Patch 4
Intruder Choose Compromise 0day 5
Player Action Rule Target Succ
Admin Choose Patch 4
Intruder Execute Compromise 0day 5
Player Action Rule Target Succ
Admin Choose Patch 4
Intruder Choose Compromise Forward 5 6
Player Action Rule Target Succ
Admin Execute Patch 4
Intruder Choose Compromise Forward 5 6
Player Action Rule Target Succ
Admin Choose Unfirewall 4
Intruder Choose Compromise Forward 5 65
Player Action Rule Target Succ
Admin Execute Unfirewall 4
Intruder Choose Compromise Forward 5 6
Player Action Rule Target Succ
Admin Choose Patch 5
Intruder Choose Compromise Forward 5 6
Player Action Rule Target Succ
Admin Choose Patch 5
Intruder Execute Compromise Forward 5 6
Player Action Rule Target Succ
Admin Choose Patch 5
Intruder Choose Compromise 2 5
Player Action Rule Target Succ
Admin Execute Patch 5
Intruder Choose Compromise 2 5
Player Action Rule Target Succ
Admin
Intruder Fail Compromise 2 5
Player Action Rule Target Succ
Admin
Intruder Choose Compromise 4 6
Player Action Rule Target Succ
Admin
Intruder Execute Compromise 4 6
Player Action Rule Target Succ
Admin
Intruder Choose Compromise 1 4
Player Action Rule Target Succ
Admin
Intruder Execute Compromise 1 4
Player Action Rule Target Succ
Admin
Intruder Choose Compromise 2 4
Player Action Rule Target Succ
Admin
Intruder Execute Compromise 2 4
Player Action Rule Target Succ
Admin
Intruder Choose Compromise Forward 2 5
Player Action Rule Target Succ
Admin
Intruder Execute Compromise Forward 2 5
Player Action Rule Target Succ
Admin
Intruder Choose Compromise 3 5
Player Action Rule Target Succ
Admin
Intruder Execute Compromise 3 5
Outline: Introduction > Model > Strategy > Conclusion 23
Intruder Choose Compromise 0day 4Intruder Choose Compromise 0day 4Intruder Choose Compromise 0day 4Intruder Fail Compromise 0day 4Intruder Choose Compromise 0day 5Intruder Execute Compromise 0day 5Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Execute Compromise Forward 5 6Intruder Choose CompromiseBackward
2 5Intruder Choose CompromiseBackward
2 5Intruder Fail CompromiseBackward
2 5Intruder Choose CompromiseBackward
4 6Intruder Execute CompromiseBackward
4 6Intruder Choose CompromiseBackward
1 4Intruder Execute CompromiseBackward
1 4Intruder Choose CompromiseBackward
2 4Intruder Execute CompromiseBackward
2 4Intruder Choose Compromise Forward 2 5Intruder Execute Compromise Forward 2 5Intruder Choose CompromiseBackward
3 5Intruder Execute CompromiseBackward
3 5
28/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Properties Semantic
Outline: Introduction > Model > Strategy > Conclusion 2428/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Semantic
The player A have a strategy to satisfy p y gy ythe property
In every future the node will be compromised
28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 25
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Property Illustration
Outline: Introduction > Model > Strategy > Conclusion 2628/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Decidability
TATL Formula model checking in Anticipation game is decidable andAnticipation game is decidable and EXPTIME‐complete
28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 27
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
One More Thing !
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
It Work!
Model and Strategies are fully implemented in C
The talk example cannot be analyzed by handThe talk example cannot be analyzed by hand 4011 plays
40825 t t40825 states
28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 29
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Analyzer Demo
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Future Work
CIA model
Abstraction
Non determinism
Outline: Introduction > Model > Strategy > Conclusion 3128/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Conclusion
Game and Time provide a richer model for i t i l iintrusion analysis
Many directions to explorey p
Outline: Introduction > Model > Strategy > Conclusion 3228/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Questions
During this work no network service was injured or tortured.
Outline: Introduction > Model > Strategy > Conclusion 3328/11/2007
Elie Bursztein [email protected]‐cachan.fr
A Logical Framework for Evaluating Network Resilience Against Faults and Attacks
Rule execution time
28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 34
Rule execution time