Upload
others
View
4
Download
0
Embed Size (px)
Citation preview
Attack trees: meaning, analysis, and correctness
Barbara Fila (Kordy)http://people.irisa.fr/Barbara.Kordy/
GdR Security, WG FM, January 2020
It’s been already 20 years!
Fila – GdR Security, WG FM’20 2
Outline
1 Attack trees
2 Repeated labels
3 State-based attack trees
4 There is much more going on
Fila – GdR Security, WG FM’20 3
Attack trees
Outline
1 Attack trees
2 Repeated labels
3 State-based attack trees
4 There is much more going on
Fila – GdR Security, WG FM’20 4
Attack trees The model
An attack tree
steal moneyvia online banking
obtainuser name
eavesdropguess
user name
obtainpassword
phishingguesspwd
log in &execute transfer
Fila – GdR Security, WG FM’20 5
Attack trees The model
Attacks
online banking
user name
eavesdrop guname
pwd
phish gpwd
log&trans
{eavesdrop, phish, log&trans}
{guname, phish, log&trans}
{eavesdrop, gpwd, log&trans}
{guname, gpwd, log&trans}
Fila – GdR Security, WG FM’20 6
Attack trees Quantitative analysis
Bottom-up for min time
online banking
user name
eavesdrop100
guname20
pwd
phish100
gpwd300
log&trans5
Fila – GdR Security, WG FM’20 7
Attack trees Quantitative analysis
Bottom-up for min time
online banking
user name20
eavesdrop100
guname20
pwd100
phish100
gpwd300
log&trans5
Fila – GdR Security, WG FM’20 7
Attack trees Quantitative analysis
Bottom-up for min time
online banking125
user name20
eavesdrop100
guname20
pwd100
phish100
gpwd300
log&trans5
Fila – GdR Security, WG FM’20 7
Attack trees Quantitative analysis
Bottom-up procedure formally
Basic assignmentValues assigned to the leaf nodes
Attribute domainAlgebraic structure defining the propagation rules A = (D,⊕,⊗)
⊕
x y
⊗
x y
Example (Minimal time of attacking)
Amin_time = (N,min,+)
min
x y
+
x y
Fila – GdR Security, WG FM’20 8
Repeated labels
Outline
1 Attack trees
2 Repeated labels
3 State-based attack trees
4 There is much more going on
Fila – GdR Security, WG FM’20 9
Repeated labels Contributors
Reference
Wojciech Wideł and Barbara Kordy (Fila)
On quantitative analysis of attack-defense trees with repeated labels
POST 2018
Fila – GdR Security, WG FM’20 10
Repeated labels Meaning
A well-known problem
online banking125
user name20
phish100
guname20
pwd100
phish100
gpwd300
log&trans5
Fila – GdR Security, WG FM’20 11
Repeated labels Meaning
A well-known problem
online banking125
user name20
phish100
guname20
pwd100
phish100
gpwd300
log&trans5
Overestimated!
Fila – GdR Security, WG FM’20 11
Repeated labels Meaning
Nodes with the same labels
ClonesNodes representing the same instance of an action
AND
OR
a b
OR
AND
d c
Attacks: {b, c}, {a, c, d}
c - necessary clone
b - optional clone
Fila – GdR Security, WG FM’20 12
Repeated labels Minimal time example
Neutralize necessary clones
AND
OR
a10
b16
OR
AND
d5
c0
Step0: time′(c) := 0
Fila – GdR Security, WG FM’20 13
Repeated labels Minimal time example
Play with the values of optional clones
AND15
OR10
a10
b+∞
OR5
AND5
d5
c0
Step0: time′(c) := 0
Step1: time′(b) := +∞res1 = 15
Fila – GdR Security, WG FM’20 14
Repeated labels Minimal time example
Play with the values of optional clones
AND0
OR0
a10
b0
OR0
AND5
d5
c0
Step0: time′(c) := 0
Step1: time′(b) := +∞res1 = 15
Step2: time′(b) := 0res2 = 0+ time(b) = 16
Fila – GdR Security, WG FM’20 15
Repeated labels Minimal time example
Combine the results
AND25
OR
a10
b16
OR
AND
d5
c10
Step0: time′(c) := 0
Step1: time′(b) := +∞res1 = 15
Step2: time′(b) := 0res2 = 16
Step3: res = min{15, 16}+ 10 = 25
Fila – GdR Security, WG FM’20 16
Repeated labels Minimal time example
Algorithm for minimal time
Input: Attack tree t, (R+,min,+), basic assignment of timeOutput: Minimal time of attacking1: CN ← necessary clones2: CO ← optional clones3: time′(b)← 0 for b ∈ CN4: for every subset C ⊆ CO do5: time′(b)← +∞ for every b ∈ C6: time′(b)← 0 for every b ∈ CO \ C7: rC ← timeB(t, time′) +
∑b∈CO\C time(b)
8: end for9: return min
C⊆COrC + (
∑b∈CN time(b))
Fila – GdR Security, WG FM’20 17
Repeated labels Minimal time example
Algorithm for minimal time
Input: Attack tree t, (R+,min,+), basic assignment of timeOutput: Minimal time of attacking1: CN ← necessary clones2: CO ← optional clones3: time′(b)← 0 for b ∈ CN //0 = e+4: for every subset C ⊆ CO do5: time′(b)← +∞ for every b ∈ C //+∞ = a+ = emin6: time′(b)← 0 for every b ∈ CO \ C7: rC ← timeB(t, time′) +
∑b∈CO\C time(b)
8: end for9: return min
C⊆COrC + (
∑b∈CN time(b))
Fila – GdR Security, WG FM’20 17
Repeated labels Semiring-based metrics
Algorithm in the general case
Input: Attack tree t, non-increasing attribute domain (D,⊕,⊗),basic assignment for attribute α
Output: A(t, α)1: CN ← necessary clones2: CO ← optional clones3: α′(b)← e⊗ for b ∈ CN4: for every subset C ⊆ CO do5: α′(b)← a⊗ for every b ∈ C6: α′(b)← e⊗ for every b ∈ CO \ C7: rC ← αB(t, α
′)⊗⊗
b∈CO\Cα(b)8: end for9: return
⊕C⊆CO
rC ⊗ (⊗
b∈CNα(b))
Fila – GdR Security, WG FM’20 18
Repeated labels Semiring-based metrics
Non-increasing attribute domain
Commutative idempotent semiringAn algebraic structure (D,⊕,⊗) where⊕ is idempotent⊕ and ⊗ are associative and commutative⊗ distributes over ⊕absorbing element wrt ⊗ is equal to the neutral element wrt ⊕a⊗ = e⊕
Canonical partial order � in an idempotent semiring: x � y iff x ⊕ y = y
Non-increasing attribute domainAn attribute domain (D,⊕,⊗) where
(D,⊕,⊗) is a commutative idempotent semiringx ⊗ y � y (doing less is better)
Fila – GdR Security, WG FM’20 19
Repeated labels Semiring-based metrics
Interesting attribute domains
Example (minimal time)
(N,min,+)
Example (maximal probability)
([0, 1],max, ·)
Example (satisfiability)
({T,F},∨,∧)
Example (required skills level)
(N,min,max)
Fila – GdR Security, WG FM’20 20
State-based attack trees
Outline
1 Attack trees
2 Repeated labels
3 State-based attack trees
4 There is much more going on
Fila – GdR Security, WG FM’20 21
State-based attack trees Contributors
Reference
Maxime Audinot, Sophie Pinchinat, and Barbara Kordy (Fila)
Is My Attack Tree Correct?
ESORICS 2017
Fila – GdR Security, WG FM’20 22
State-based attack trees Attack tree & system
Modeling the system
Fila – GdR Security, WG FM’20 23
State-based attack trees Attack tree & system
Modeling the system
Fila – GdR Security, WG FM’20 23
State-based attack trees Attack tree & system
Modeling the system
Fila – GdR Security, WG FM’20 23
State-based attack trees Attack tree & system
Modeling the system
Fila – GdR Security, WG FM’20 23
State-based attack trees Attack tree & system
State-based attack tree
Goal 〈ι, γ〉ι – preconditionγ – postcondition
State-based attack tree grammarτ ::= 〈ι, γ〉 | OP(τ1, . . . , τn)where OP ∈ {OR, AND, SAND}
〈true,has_briefcase ∧ is_outside ∧ ¬detected〉
〈true,has_key ∧ has_combi〉
〈true,¬cam_1_on〉
〈true,¬cam_2_on〉
〈has_key ∧ has_combi,has_briefcase〉
〈has_briefcase,has_briefcase ∧ is_outside ∧ ¬detected〉
Fila – GdR Security, WG FM’20 24
State-based attack trees Attack tree & system
Paths in transition systems
Paths in the system Sys
A path is a sequence of states π = s0 . . . sn with si → si+1 for all i .
Goal 〈ι, γ〉 over Propι – preconditionγ – postcondition
π = s0s1s2s3
s0 |= is_outside
s3 |= has_key
π achieves 〈is_outside, has_key〉
Fila – GdR Security, WG FM’20 25
State-based attack trees Attack tree & system
Paths in transition systems
Paths in the system Sys
A path is a sequence of states π = s0 . . . sn with si → si+1 for all i .
Goal 〈ι, γ〉 over Propι – preconditionγ – postcondition
π = s0s1s2s3
s0 |= is_outside
s3 |= has_key
π achieves 〈is_outside, has_key〉
Fila – GdR Security, WG FM’20 25
State-based attack trees Attack tree & system
Sequential composition of paths •
π = π1 • π2
Fila – GdR Security, WG FM’20 26
State-based attack trees Attack tree & system
Parallel composition of paths !
π = !(π1, π2, π3)
Fila – GdR Security, WG FM’20 27
State-based attack trees Attack tree & system
Path semantics [τ ]Sys
State-based attack trees formalized with sets of pathsLet Sys be a system.
The path semantics [·]Sys is a set of paths in Sys, constructed as follows
[〈ι, γ〉]Sys = {π | π achieves 〈ι, γ〉 in Sys}
[OR(τ1, . . . , τn)]Sys = [τ1]Sys ∪ · · · ∪ [τn]
Sys
[SAND(τ1, . . . , τn)]Sys = [τ1]Sys • · · · • [τn]Sys
[AND(τ1, . . . , τn)]Sys = !([τ1]Sys , . . . , [τn]
Sys)
Fila – GdR Security, WG FM’20 28
State-based attack trees Attack tree & system
Analysis of state-based attack trees
How can we exploit the path semanticsto analyze state-based attack trees?
Fila – GdR Security, WG FM’20 29
State-based attack trees Refinement correctness
Refinement quality problem
Labels of intermediate nodes represent the history of refinement
〈ι, γ〉
↓ refinement
OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)
ObjectiveHow well has a node been refined with respect to a given system?
Fila – GdR Security, WG FM’20 30
State-based attack trees Refinement correctness
Meet
∃π in Sys, such that
π ∈ [〈ι, γ〉]Sys
π ∈ [OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys
Meet propertyThere exists a common path achieving the node’s goal and its refinement
[〈ι, γ〉]Sys ∩ [OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys 6= ∅
Fila – GdR Security, WG FM’20 31
State-based attack trees Refinement correctness
Match
[〈ι, γ〉]Sys
= Match
[OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys
Match propertyIdeal situation – the node and its refinement model the same set of paths
[〈ι, γ〉]Sys = [OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys
Fila – GdR Security, WG FM’20 32
State-based attack trees Refinement correctness
Under-Match
[〈ι, γ〉]Sys
( Under-Match
[OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys
Under-Match propertyForgotten attack scenarios – refinement models less paths
[〈ι, γ〉]Sys ) [OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys
Fila – GdR Security, WG FM’20 33
State-based attack trees Refinement correctness
Over-Match
[〈ι, γ〉]Sys
) Over-Match
[OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys
Over-Match propertyExtra attack scenarios – refinement models more paths
[〈ι, γ〉]Sys ( [OP(〈ι1, γ1〉, 〈ι2, γ2〉, 〈ι3, γ3〉)]Sys
Fila – GdR Security, WG FM’20 34
State-based attack trees Refinement correctness
Complexity
Meet Under-Match Over-Match MatchOR P P P P
SAND P P P PAND NP-c co-NP-c co-NP co-NP
High complexity is induced by the AND refinement (due to !)
Witness of refinement property violationWitness path generation by reduction to CTL model checking
Fila – GdR Security, WG FM’20 35
State-based attack trees Refinement correctness
Support for attack tree design
ATSyRA: Attack tree synthesis and risk analysisATSyRA studio tool http://atsyra2.irisa.fr/
DSL for system specificationAutomated attack generationAttack tree refinement analysis
Fila – GdR Security, WG FM’20 36
There is much more going on
Outline
1 Attack trees
2 Repeated labels
3 State-based attack trees
4 There is much more going on
Fila – GdR Security, WG FM’20 37
There is much more going on Field overview
Surveys
Wojciech Wideł, Maxime Audinot, Barbara Fila, and Sophie Pinchinat.Beyond 2014: formal methods for attack tree-based security modeling.ACM Comput. Surv., 52(4):75:1–75:36, 2019.
Barbara Kordy, Ludovic Piètre-Cambacédès, and Patrick Schweitzer.Dag-based attack and defense modeling: Don’t miss the forest for theattack trees.Computer Science Review, 13–14:1–38, 2014.
Electronic versions available onhttp://people.irisa.fr/Barbara.Kordy/publications.php
Fila – GdR Security, WG FM’20 38
There is much more going on Field overview
Ph.D. theses on foundations for attack trees
THESE DE DOCTORAT DE
INSA RENNES COMUE UNIVERSITE BRETAGNE LOIRE ECOLE DOCTORALE N° 601 Mathématique et Sciences et Technologies de l'Information et de la Communication Spécialité : Informatique
Formal modeling and quantitative analysis of security using attack-defense trees Thèse présentée et soutenue à Rennes, le 3 décembre, 2019 Unité de recherche : Institut de Recherche en Informatique et Systèmes Aléatoires (IRISA), UMR 6074
Par Wojciech WIDE
Rapporteurs avant soutenance :
Mathias Ekstedt Professeur, KTH Royal Institute of Technology Sjouke Mauw Professeur, University of Luxembourg
Composition du Jury : Gildas Avoine Professeur, INSA Rennes Mathias Ekstedt Professeur, KTH Royal Institute of Technology Barbara Fila Maître de conférences, INSA Rennes Heiko Mantel Professeur, Technische Universität Darmstadt Sjouke Mauw Professeur, University of Luxembourg Sophie Pinchinat Professeur, Université de Rennes 1 Sa Senior Lecturer, University of Dundee Directeur de thèse Gildas Avoine Professeur, INSA Rennes
THÈSE DE DOCTORAT DE
L’UNIVERSITE DE RENNES 1COMUE UNIVERSITE BRETAGNE LOIRE
Ecole Doctorale N°601Mathématique et Sciences et Technologiesde l’Information et de la CommunicationSpécialité : Informatique
Par
Maxime AUDINOT« Assisted design and analysis of attack trees »
Thèse présentée et soutenue à RENNES , le 17 Décembre 2018Unité de recherche : IRISA, Équipe LogicA
Rapporteurs avant soutenance :Mariëlle Stoelinga, Professor at University of TwenteSjouke Mauw, Professeur à l’Université du LuxembourgComposition du jury :
Président : Stéphanie Delaune, Directeur de recherche CNRS, at IRISAExaminateurs : Barabara Kordy, Maître de conférences à l’INSA Rennes
Jan Kretínský, Tenure-track assistant professor at Technical University of MunichSjouke Mauw, Professeur à l’Université du LuxembourgMariëlle Stoelinga, Professor at University of TwenteYann Thierry-Mieg, Maître de conférences à l’Université Pierre et Marie Curie
Dir. de thèse : Sophie Pinchinat, Professeur à l’Université Rennes 1
Fila – GdR Security, WG FM’20 39
There is much more going on Interesting research questions
The most important open research problem
Automated generationof large attack trees
Fila – GdR Security, WG FM’20 40
There is much more going on Dedicated venue
GraMSec http://www.gramsec.uni.lu/
The unique dissemination event for researchers and practitioners designingand using graphical approaches for modeling and analysis of security
Co-located with CSF
Fila – GdR Security, WG FM’20 41
Thank you for your attention
Do you have any questions?
Thank you for your attention
Fila – GdR Security, WG FM’20 42