a logical framework for anticipation of network · a logical framework for anticipation of network...

Elie Bursztein [email protected]‐cachan.fr

A Logical Framework for Evaluating Network Resilience Against Faults and Attacks

A Logical Framework for Anticipation of NetworkA Logical Framework for Anticipation of Network Incidents

Elie Bursztein and Jean Goubault‐LarrecqPhd Student LSV ENS‐CACHAN CNRS INRIA DGAPhd Student LSV ENS‐CACHAN CNRS INRIA DGA



Outline

IntroductionNetwork EvolutionAttack Model Evolution

Anticipation game key featuresDependency relationsPlayer interactionTime

Model LogicPositional LogicgTemporal Logic

Conclusion

Outline: Introduction > Model > Strategy > Conclusion 2

Conclusion

28/11/2007



The Good Old Time

Outline: Introduction > Model > Strategy > Conclusion 328/11/2007



The Current Internet


Opte project

28/11/2007



Attack Sophistication vs. Intruder Knowledge


Cert/ Carnegie Mellon University

28/11/2007



Attack Step‐stones

L t k ff lti l l bilitiLarge network may suffers multiples vulnerabilities

Patches and counter‐measures need to be prioritized

A minor vulnerability can turn into a major holeA minor vulnerability can turn into a major hole when used as a step‐stone

Attack graph allows to reasonAttack graph allows to reason

about attack sequences




Attack Graph Example

Sandia Red Team “White Board” attack graph from DARPA CC20008 I f ti b ttl ti i t


Information battle space preparation experiment

28/11/2007



Model Evolution

Anticipation

Attack graphs

Anticipation Games

g pmodel checker(Ritchey and Ammann

2000)

Attack trees(Schneier 1999)( )

8Outline: Introduction > Model > Strategy > Conclusion28/11/2007



Related Work

Attack graphModel checker‐based (Ritchey et. al S&P’00, Sheyner( y , yet. al S&P’02)Graph‐based (Ammann et. al CCS’02, Ritchey et. alGraph based (Ammann et. al CCS 02, Ritchey et. al ACSAC’02, Noel et. al ACSAC’03, Wang et. al ESORICS’05, Wang et. al DBSEC’06)ESORICS 05, Wang et. al DBSEC 06)

Timed GameATL (Alur et al. 97)

The Element of Surprise in Timed Games (De Alfaro et al. CONCUR 2003)

TATL (Henzinger et al 2006 Formats)TATL (Henzinger et al 2006 Formats)




Model Key Features

• Collateral effectsD dD d Collateral effects• Trust relations

DependencyDependency

• AdministratorInteractionInteraction• Intruder

InteractionInteraction

• Action take timeTimeTime




Dependency

User Database

6

54 Email serverWeb server 54 Email serverWeb server

1 2 3

Client 3Client 2Client 1




Network interaction

Exploit vulnerabilities

Abuse trust relationsAbuse trust relations

Patch

Firewall

Restore




Vulnerability cycle


Cert/ Carnegie Mellon University

28/11/2007



Network Information

U D t b

Fixed over the time Evolve over time

6

User Database

1 2 3 4 5 6

ρ(Public) ⊥ ⊥ ⊥ T T ⊥ρ(Public) ⊥ ⊥ ⊥ T T ⊥

ρ(Vuln) ⊥ ⊥ ⊥ T T ⊥

ρ(Compr) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥

54 Email serverWeb server ρ(NeedPub) ⊥ ⊥ ⊥ T T ⊥

1 2 31 2 3





Information Evolution

1 2 3 4 5 6 1 2 3 4 5 61 2 3 4 5 6ρ(Public) ⊥ ⊥ ⊥ T T ⊥ρ(Vuln) ⊥ ⊥ ⊥ T T ⊥ρ(Compr) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥

1 2 3 4 5 6ρ(Public) ⊥ ⊥ ⊥ T T ⊥ρ(Vuln) ⊥ ⊥ ⊥ T T ⊥ρ(Compr) ⊥ ⊥ ⊥ T ⊥ ⊥

Compr 4

ρ(Compr) ⊥ ⊥ ⊥ ⊥ ⊥ ⊥ρ(NeedPu

b)⊥ ⊥ ⊥ T T ⊥

ρ(Compr) ⊥ ⊥ ⊥ T ⊥ ⊥ρ(NeedPu

b)⊥ ⊥ ⊥ T T ⊥

28/11/2007 Outline: Introduction > Model > Strategy > Conclusion 15



A Incomplete Game Example

Exploit web server Patch Email serverExploit web server

E l it ilExploit email server

Patch web server Patch Email server

6

1 2 3

54


1 2 3

28/11/2007



Time

Each action requires a different amount of timeEach action requires a different amount of time Patching a service: Download, extract, apply, restart

E l it iExploit a service

Firewalling a service

In anticipation games as in TATL the fastest action winwin

Player can be taken by surprise




The element of surprise

NetworkExploit 4 in 3 unit Firewall 4 in 1 unit




Type of attacks

Anticipation games allows to modelDenial of service

Buffer overflow execution

Permission abusePermission abuse

Cross‐scripting

Information leak

….




Rule Language




Semantic

A successor node is compromisedA successor node is compromised

At least, one of the node the belongs to the equivalence is public




Rules example




A Play example

User Database

6

Email serverWeb server

54

1 2 31 2 3


Pl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target SuccPlayer Action Rule Target SuccPlayer Action Rule Target SuccPlayer Action Rule Target SuccPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target SuccPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target SuccPl A ti R l T t SPl A ti R l T t SPl A ti R l T t SPlayer Action Rule Target Succ

Admin Choose Firewall 4

Intruder Choose Compromise 0day 4= 01248121620242832

Player Action Rule Target Succ

Admin Execute Firewall 4

Intruder Choose Compromise 0day 4


Admin Choose Patch 4




Intruder Fail Compromise 0day 4






Intruder Execute Compromise 0day 5



Intruder Choose Compromise Forward 5 6


Admin Execute Patch 4



Admin Choose Unfirewall 4



Admin Execute Unfirewall 4







Intruder Execute Compromise Forward 5 6



Intruder Choose Compromise 2 5


Admin Execute Patch 5



Admin

Intruder Fail Compromise 2 5


Admin



Admin

Intruder Execute Compromise 4 6


Admin



Admin



Admin



Admin



Admin



Admin

Intruder Execute Compromise Forward 2 5


Admin



Admin



Intruder Choose Compromise 0day 4Intruder Choose Compromise 0day 4Intruder Choose Compromise 0day 4Intruder Fail Compromise 0day 4Intruder Choose Compromise 0day 5Intruder Execute Compromise 0day 5Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Choose Compromise Forward 5 6Intruder Execute Compromise Forward 5 6Intruder Choose CompromiseBackward

2 5Intruder Choose CompromiseBackward

2 5Intruder Fail CompromiseBackward


4 6Intruder Execute CompromiseBackward





2 4Intruder Choose Compromise Forward 2 5Intruder Execute Compromise Forward 2 5Intruder Choose CompromiseBackward


3 5

28/11/2007



Properties Semantic




Semantic

The player A have a strategy to satisfy p y gy ythe property

In every future the node will be compromised




Property Illustration




Decidability

TATL Formula model checking in Anticipation game is decidable andAnticipation game is decidable and EXPTIME‐complete




One More Thing !



It Work!

Model and Strategies are fully implemented in C

The talk example cannot be analyzed by handThe talk example cannot be analyzed by hand 4011 plays

40825 t t40825 states




Analyzer Demo



Future Work

CIA model

Abstraction

Non determinism




Conclusion

Game and Time provide a richer model for i t i l iintrusion analysis

Many directions to explorey p




Questions

During this work no network service was injured or tortured.




Rule execution time


Rule execution time

a logical framework for anticipation of network · a logical framework for anticipation of network...

Documents