SLG in MulVAL

netAccess(H2, Protocol, Port) :-
    execCode(H1, User),
    reachable(H1, H2, Protocol, Port).

Slide annotations: netAccess(…) – possible instantiations, table for the goal; execCode(…) – possible instantiations, table for the first subgoal; reachable(…) – from input tuples.
SLG complexity for Datalog

• Total time dominated by the rule that has the maximum number of instantiations
  – Time for computing one table = computation of the subgoals + retrieving information from input tuples + matching results in the rules' bodies
  – Time for computing all tables = retrieving information from input tuples + matching results in the rules' bodies
• See "On the Complexity of Tabled Datalog Programs", http://www.cs.sunysb.edu/~warren/xsbbook/node21.html
MulVAL complexity in SLG

execCode(Host, User) :-
    vulExists(Host, _, Program, remote, privilegeEscalation),
    networkService(Host, Program, Protocol, Port, User),
    netAccess(Host, Protocol, Port).

Scale with network size: O(N) different instantiations
MulVAL complexity in SLG

netAccess(H2, Protocol, Port) :-
    execCode(H1, _),
    reachable(H1, H2, Protocol, Port).

Complexity of MulVAL: scale with network size, O(N²) different instantiations
Datalog proof generation

• In security analysis, not only do we want to know what attacks could happen, but also we want to know how attacks can happen
  – Thus, we need more than a yes/no answer for queries.
  – We need the proofs for the true queries, which in the case of security analysis will be attack paths.
  – We also want to know all possible attack paths; thus we need exhaustive proof generation.
An obvious approach

execCode(Host, PrivilegeLevel) :-
    vulExists(Host, Program, remote, privilegeEscalation),
    serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel),
    networkAccess(Host, Protocol, Port).

execCode(Host, PrivilegeLevel, Pf) :-
    vulExists(Host, Program, remote, privilegeEscalation, Pf1),
    serviceRunning(Host, Program, Protocol, Port, PrivilegeLevel, Pf2),
    networkAccess(Host, Protocol, Port, Pf3),
    Pf = (execCode(Host, PrivilegeLevel), [Pf1, Pf2, Pf3]).

This will break the bounded-term property and result in non-termination for cyclic Datalog programs: every recursive derivation nests a fresh proof term inside the answer, so the set of distinct answers to table is no longer finite.
MulVAL Attack-Graph Toolkit (architecture diagram)

Datalog representation: machine configuration, network configuration, security advisories
Datalog rules → translated rules → XSB reasoning engine → Datalog proof steps → graph builder → Datalog proof graph

Ou, Boyer, and McQueen. ACM CCS 2006
Joint work with Idaho National Laboratory
Stage 1: Rule Translation

netAccess(H2, Protocol, Port, ProofStep) :-
    execCode(H1, User),
    reachable(H1, H2, Protocol, Port),
    ProofStep = because('multi-hop network access',
                        netAccess(H2, Protocol, Port),
                        [execCode(H1, User), reachable(H1, H2, Protocol, Port)]).

The because(…) term is the proof step.
Stage 2: Build the Exhaustive Proof

netAccess(fileServer, rpc, 100003)

because('multi-hop network access',
        netAccess(fileServer, rpc, 100003),
        [execCode(webServer, apache), reachable(webServer, fileServer, rpc, 100003)])

Proof-graph fragment shown on the slide: node 0 netAccess(fileServer, rpc, 100003) is derived by node 1 "multi-hop network access" from node 2 execCode(webServer, apache) and node 3 reachable(webServer, fileServer, rpc, 100003).
Complexity of Proof Building

• O(N²) to complete Datalog evaluation
  – With proof steps generated
• O(N²) to build a proof graph from proof steps
  – Need to build O(N²) graph components
  – Building of one component
    • Find the predecessor: table lookup
    • Find the successors: table lookup

Total time: O(N²), if table lookup is constant time
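As an added example, not code from the slides or from the MulVAL project, the following Python script carries out what the preceding slides describe for the two MulVAL rules: a bottom-up Datalog fixpoint that counts the distinct instantiations of each rule over a constructed, fully connected network of N hosts (O(N) for the remote-exploit rule, O(N²) for multi-hop network access), records a because(...)-style proof step for every instantiation as Stage 1 does, and assembles the steps into an AND/OR proof graph by dictionary lookup as Stage 2 does. The host names, the service, port 8080 and the CVE placeholder are constructed; the bottom-up evaluator is a stand-in for XSB's top-down SLG tabling and enumerates the same rule groundings.

```python
from collections import Counter, defaultdict

# The two MulVAL rules from the slides.  A term starting with an upper-case
# letter is a variable, "_" is a wildcard, anything else is a constant.
RULES = [
    ("remote exploit", ("execCode", "Host", "User"),
     [("vulExists", "Host", "_", "Program", "remote", "privilegeEscalation"),
      ("networkService", "Host", "Program", "Protocol", "Port", "User"),
      ("netAccess", "Host", "Protocol", "Port")]),
    ("multi-hop network access", ("netAccess", "H2", "Protocol", "Port"),
     [("execCode", "H1", "_"),
      ("reachable", "H1", "H2", "Protocol", "Port")]),
]

def build_network(n_hosts):
    """Constructed input tuples (hypothetical names, not slide data): N fully
    connected hosts running one vulnerable service; the attacker starts on host0."""
    hosts = [f"host{i}" for i in range(n_hosts)]
    facts = {("execCode", "host0", "attacker")}
    for h in hosts:
        facts.add(("vulExists", h, "CVE-PLACEHOLDER", "svc", "remote", "privilegeEscalation"))
        facts.add(("networkService", h, "svc", "tcp", 8080, "svcuser"))
        facts.update(("reachable", h, o, "tcp", 8080) for o in hosts if o != h)
    return facts

def is_var(term):
    return isinstance(term, str) and (term == "_" or term[:1].isupper())

def match(pattern, fact, env):
    """Unify one body literal with a ground fact under the current bindings."""
    if len(pattern) != len(fact) or pattern[0] != fact[0]:
        return None
    env = dict(env)
    for p, f in zip(pattern[1:], fact[1:]):
        if p == "_":
            continue
        if is_var(p):
            if env.setdefault(p, f) != f:
                return None
        elif p != f:
            return None
    return env

def instantiate(body, index):
    """Yield every grounding of a rule body (nested-loop join over the
    per-predicate tables); each grounding is one rule instantiation."""
    def go(i, env, used):
        if i == len(body):
            yield env, tuple(used)
            return
        for fact in index[body[i][0]]:
            new_env = match(body[i], fact, env)
            if new_env is not None:
                yield from go(i + 1, new_env, used + [fact])
    yield from go(0, {}, [])

def evaluate(input_facts, rules=RULES):
    """Bottom-up fixpoint.  Each distinct grounding of a rule is recorded as a
    proof step (rule name, derived fact, body facts), like the Stage 1 because(...) term."""
    facts, proof_steps, changed = set(input_facts), set(), True
    while changed:
        changed = False
        index = defaultdict(set)             # per-predicate tables for this round
        for fact in facts:
            index[fact[0]].add(fact)
        for name, head, body in rules:
            for env, used in instantiate(body, index):
                derived = tuple(env.get(t, t) if is_var(t) else t for t in head)
                proof_steps.add((name, derived, used))
                if derived not in facts:
                    facts.add(derived)
                    changed = True
    return facts, proof_steps

def instantiation_counts(proof_steps):
    """Distinct groundings per rule: what the slides say dominates SLG time."""
    return dict(Counter(name for name, _, _ in proof_steps))

def because(step):
    """Render a proof step the way the translated rules do."""
    name, head, body = step
    fmt = lambda f: f"{f[0]}({', '.join(map(str, f[1:]))})"
    return f"because('{name}', {fmt(head)}, [{', '.join(fmt(b) for b in body)}])"

def build_proof_graph(input_facts, proof_steps):
    """Stage 2: AND/OR graph.  Derived facts are OR nodes (any one rule instance
    suffices), rule instances are AND nodes, input tuples are ground facts.  Nodes
    are keyed by fact or step, so predecessor/successor lookup is a dict access."""
    kind, edges = {}, []                     # edge = (supporter, supported)
    for step in proof_steps:
        _, head, body = step
        kind[head], kind[step] = "OR", "AND"
        edges.append((step, head))
        for b in body:
            kind.setdefault(b, "ground fact" if b in input_facts else "OR")
            edges.append((b, step))
    return kind, edges

if __name__ == "__main__":
    for n in (5, 10, 20):                    # remote exploit grows with N, multi-hop with N^2
        print(n, instantiation_counts(evaluate(build_network(n))[1]))
    inputs = build_network(5)
    kind, edges = build_proof_graph(inputs, evaluate(inputs)[1])
    print(len(kind), "nodes,", len(edges), "edges")
    print(because(next(iter(evaluate(inputs)[1]))))
```

With N hosts the remote-exploit rule has exactly one grounding per host, while the multi-hop rule has one grounding per (execCode fact, reachable edge) pair, (N+1)(N−1) in this fully connected network, which is the O(N) versus O(N²) contrast of the slides; the proof graph then has one AND node per grounding, so its size is bounded by the same count.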
Logical Attack Graphs (diagram)

Legend: OR node, AND node, ground fact

Attack chain shown: netAccess(attacker, webServer, tcp, 80), networkService(webServer, httpd, tcp, 80, apache) and vulExists(webServer, CAN-2002-0392, httpd, remoteExploit, privEscalation) → Remote exploit → execCode(attacker, webServer, apache) → NFS shell → accessFile(attacker, fileServer, write, /export) → NFS semantics → accessFile(attacker, workStation, write, /usr/local/share) → Trojan horse installation → execCode(attacker, workStation, root)
Performance and Scalability

(Plot: CPU time in seconds, log scale from 0.01 to 10000, against number of hosts, log scale from 1 to 1000; one curve each for fully connected, partitioned, ring and star topologies.)
Related Work

• Sheyner's attack graph tool (CMU)
  – Based on model-checking
• Cauldron attack graph tool (GMU)
  – Based on graph-search algorithms
• NetSPA attack graph tool (MIT LL)
  – Graph-search based on a simple attack model
Advantages of the Logic-programming Approach
• Publishing and incorporation of knowledge/information through well-understood logical semantics
• Efficient and sound analysis by leveraging the reasoning power of well-developed logic-deduction systems
SAT-based Security Hardening

SAT-Solving Approaches to Context-Aware Enterprise Network Security Management. John Homer, Xinming Ou. In IEEE Journal on Selected Areas in Communications (JSAC).

• MulVAL proof graph provides information on potential consequences of vulnerabilities.
• How do we use this information to improve security?
  – Datalog proof turned to Boolean formula
  – SAT solver searches for optimal solution
Benefit of SAT

• Impossible for a human to understand all configuration options and ramifications.
  – Computers can do it better
• Balance security and usability
  – Essentially a constraint solving process
• Provides an automated, reliable approach to reason about conflicting requirements
Vision for Network Security Management (diagram)

Problematic configuration → MulVAL → MulVAL proof graph → graph to Boolean formula Φ → SAT solver → suggested configuration changes → desirable configuration
Further inputs to the SAT solver: usability requirement, training, guidance
SAT-Solving Techniques

• MinCostSAT
  – Utilize user-provided discrete cost values to find a mitigation solution that minimizes cost
• UNSAT Core Elimination
  – Reduce complexity in reconfiguration to simple choices between conflicting requirements
  – Use a partial-ordering lattice to further reduce the scope of choices, based on past decisions
Benefits
• Human user only addresses “problem areas” in network configuration
• Reduces complex problem to more manageable proportions
Example (diagram)

webServer (buffer overrun, remote exploit) → fileServer (NFS shell)
MulVAL Proof Graph (diagram)

Node types: exploit (e1, e2, e3), privilege (p1, p2), configuration setting (c1 to c7)
Circuit to CNF Conversion

• Tseitin Transformation
• Can 'e' ever become true?

Circuit: d = a OR b, e = c AND d

d ≡ (a + b):   (a + b + d')(a' + d)(b' + d)
e ≡ (c d):     (c' + d' + e)(d + e')(c + e')

Is (e)(a + b + d')(a' + d)(b' + d)(c' + d' + e)(d + e')(c + e') satisfiable?

Consistency conditions for circuit variables
From Sharad Malik's slides
Boolean Transformation

(Same proof graph: privileges p1, p2; exploits e1, e2, e3; configuration settings c1 to c7.)

Attack possibility constraints:
  e1 : c1 ∧ c2 ∧ c3 ⇒ p1   i.e.  ¬c1 ∨ ¬c2 ∨ ¬c3 ∨ p1
  e2 : c4 ∧ c5 ∧ p1 ⇒ p2   i.e.  ¬c4 ∨ ¬c5 ∨ ¬p1 ∨ p2
  e3 : c6 ∧ c7 ∧ p1 ⇒ p2   i.e.  ¬c6 ∨ ¬c7 ∨ ¬p1 ∨ p2
  Φ = e1 ∧ e2 ∧ e3

Policy requirement:
  ψ = Φ ∧ c3 ∧ ¬p2

Solved with the zChaff SAT solver
MinCostSAT

Given ψ with n variables x1, x2, ..., xn with cost ci ≥ 0, find an assignment X ∈ {0, 1}^n that satisfies ψ and minimizes C = Σ ci xi

MinCostSAT in network reconfiguration:
• Privilege variables incur cost when assigned true
• Configuration variables incur cost when assigned false
• Allow variables to be forced true or false
MinCostSAT

(Diagram: webServer, buffer overrun, remote exploit → fileServer, NFS shell)

Privilege                        Variable   Cost
Execute code (file server)       p2         1000
Execute code (web server)        p1         50

Configuration setting            Variable   Cost
Access to web server             c1         100
Active service (web server)      c2         100
Active service (file server)     c4         50
Vulnerability (file server)      c5         20
File access on file server       c6         50
NFS table (file server)          c7         10

Minimal cost solution (total cost = 80)
Allow privileges on web server (p1)        50
Patch vulnerability on file server (c5)    20
Change NFS table settings (c7)             10
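As an added example, not code from the slides or from the JSAC paper, the following Python script performs the Boolean transformation and MinCostSAT on exactly the variables, constraints and costs given above: each exploit node becomes the clause ¬body ∨ ... ∨ head, the policy contributes unit clauses forcing c3 true and p2 false, and because there are only nine variables the minimum-cost satisfying assignment is found by enumerating all 512 assignments (the slides use a dedicated MinCostSAT solver; exhaustive search is only for illustration). It reproduces the minimal-cost solution of 80.

```python
import itertools

# Variables of the Boolean transformation on the slides: p1, p2 are privilege
# variables, c1..c7 configuration variables.
PRIVILEGES = ("p1", "p2")
CONFIGS = ("c1", "c2", "c3", "c4", "c5", "c6", "c7")

# Attack possibility constraints Φ, one implication per exploit node:
# body1 ∧ ... ∧ bodyk ⇒ head.
EXPLOITS = [
    ("e1", ("c1", "c2", "c3"), "p1"),
    ("e2", ("c4", "c5", "p1"), "p2"),
    ("e3", ("c6", "c7", "p1"), "p2"),
]

# Costs from the slide; c3 carries none because the policy forces it true.
COSTS = {"p2": 1000, "p1": 50, "c1": 100, "c2": 100, "c4": 50, "c5": 20, "c6": 50, "c7": 10}

def rule_to_clause(body, head):
    """(b1 ∧ ... ∧ bk ⇒ h) becomes the clause ¬b1 ∨ ... ∨ ¬bk ∨ h.
    A clause is a tuple of literals (variable, polarity)."""
    return tuple((v, False) for v in body) + ((head, True),)

def build_psi(exploits, forced):
    """ψ = Φ ∧ unit clauses for forced variables, e.g. {"c3": True, "p2": False}."""
    clauses = [rule_to_clause(body, head) for _, body, head in exploits]
    return clauses + [((v, val),) for v, val in forced.items()]

def satisfied(clauses, assignment):
    return all(any(assignment[v] == pol for v, pol in cl) for cl in clauses)

def cost_of(assignment, costs):
    """Privilege variables cost when true, configuration variables when false."""
    return sum(c for v, c in costs.items()
               if (v in PRIVILEGES and assignment[v]) or (v in CONFIGS and not assignment[v]))

def min_cost_sat(clauses, variables, costs):
    """Exhaustive MinCostSAT over 2^n assignments; fine for n = 9, whereas the
    slides' 70,000-variable instances need a real solver.  Returns (cost, assignment)."""
    best = None
    for bits in itertools.product((False, True), repeat=len(variables)):
        assignment = dict(zip(variables, bits))
        if satisfied(clauses, assignment):
            c = cost_of(assignment, costs)
            if best is None or c < best[0]:
                best = (c, assignment)
    return best

def mitigation_plan(best, costs):
    """The cost-bearing choices in the optimum: a privilege left reachable
    (true) or a configuration setting that has to change (false)."""
    _, assignment = best
    return {v: c for v, c in costs.items()
            if (v in PRIVILEGES and assignment[v]) or (v in CONFIGS and not assignment[v])}

if __name__ == "__main__":
    psi = build_psi(EXPLOITS, {"c3": True, "p2": False})
    best = min_cost_sat(psi, PRIVILEGES + CONFIGS, COSTS)
    print(best[0], mitigation_plan(best, COSTS))    # 80 {'p1': 50, 'c5': 20, 'c7': 10}
```

The two candidate strategies are visible in the cost table: cutting the first exploit by removing web-server access or its service costs 100, whereas tolerating p1 (50) and breaking both paths to p2 at their cheapest points (c5 at 20, c7 at 10) costs 80, which is why the solver keeps the web server exposed and hardens the file server instead.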
Scalability Testing

Size                      Cost func.   Num. of variables   Num. of clauses   Run time (sec)
100 hosts (10 subnets)    A            11,853              12,053            0.11
100 hosts (10 subnets)    B            11,853              12,053            0.21
250 hosts (25 subnets)    A            70,803              72,553            3.03
250 hosts (25 subnets)    B            70,803              72,553            6.49
Iterative UNSAT Core Elimination

• UNSAT core: a subset of the original CNF clauses that is unsatisfiable by itself
• For an unsatisfiable formula ψ and UNSAT core μ = {μ1, μ2, ..., μn} ⊆ ψ, ψ will remain unsatisfiable while μ remains unchanged
• To resolve, a user needs to decide the relative values of only a few network components
Iterative UNSAT Core Elimination

• Requires no up-front cost assignments, relies on human decisions as needed
• Further reduce user decisions by keeping a partial-ordering lattice to store relative priorities established by prior decisions
• When two variables with known ordering appear in an UNSAT core, only the lower-priority variable is presented to the user
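Added example, not the paper's or MulVAL's code: the same nine-variable formula, with a constructed starting point in which the operator wants to keep every configuration setting unchanged (one unit clause per setting), which makes ψ unsatisfiable. A deletion-based minimal UNSAT core exposes which requirements conflict; the operator gives one of them up; the partial order records that the other requirements in that core outrank it; and the loop repeats until ψ is satisfiable. The cheapest-first decision function and its costs are a constructed stand-in for the human answer, since the technique itself needs no up-front costs.

```python
import itertools

VARIABLES = ("p1", "p2", "c1", "c2", "c3", "c4", "c5", "c6", "c7")

# ψ as named clauses: the three attack possibility constraints from the slides,
# the policy (c3 must hold, p2 must not) and, as a constructed starting point,
# a "keep" requirement for every other configuration setting.
CLAUSES = {
    "e1": (("c1", False), ("c2", False), ("c3", False), ("p1", True)),
    "e2": (("c4", False), ("c5", False), ("p1", False), ("p2", True)),
    "e3": (("c6", False), ("c7", False), ("p1", False), ("p2", True)),
    "forbid p2": (("p2", False),),
    "require c3": (("c3", True),),
    **{f"keep {c}": ((c, True),) for c in ("c1", "c2", "c4", "c5", "c6", "c7")},
}

# Constructed costs used only by the stand-in decision function below.
COSTS = {"c1": 100, "c2": 100, "c4": 50, "c5": 20, "c6": 50, "c7": 10}

def satisfiable(clauses):
    """Exhaustive SAT check: 2^9 assignments here; real instances use a zChaff-style solver."""
    clauses = list(clauses)
    for bits in itertools.product((False, True), repeat=len(VARIABLES)):
        a = dict(zip(VARIABLES, bits))
        if all(any(a[v] == pol for v, pol in cl) for cl in clauses):
            return True
    return False

def unsat_core(named):
    """Deletion-based minimal core: drop each clause in turn and keep the drop
    if the remainder is still unsatisfiable.  Removing any clause of the result
    makes the rest satisfiable."""
    core = dict(named)
    for name in list(core):
        trial = {k: v for k, v in core.items() if k != name}
        if not satisfiable(trial.values()):
            core = trial
    return core

def present_choices(core, order):
    """Only 'keep' requirements are negotiable, and a requirement already known
    to outrank another one in the same core is not shown (order holds pairs
    (higher, lower))."""
    choices = [n for n in core if n.startswith("keep ")]
    return [n for n in choices if not any((n, m) in order for m in choices)]

def cheapest_first(choices):
    """Stand-in for the human answer: give up the requirement cheapest to change."""
    return min(choices, key=lambda n: COSTS[n.split()[1]])

def iterative_elimination(named, decide=cheapest_first, order=()):
    """Repeat core extraction and one human decision until ψ is satisfiable.
    Returns the relaxed requirements and the choice list shown in each round."""
    order, clauses = set(order), dict(named)
    relaxed, presented = [], []
    while not satisfiable(clauses.values()):
        core = unsat_core(clauses)
        choices = present_choices(core, order)
        presented.append(choices)
        give_up = decide(choices)
        # every other kept requirement in this core now outranks the one given up
        order.update((m, give_up) for m in core if m.startswith("keep ") and m != give_up)
        del clauses[give_up]
        relaxed.append(give_up)
    return relaxed, presented

if __name__ == "__main__":
    print(sorted(unsat_core(CLAUSES)))
    print(iterative_elimination(CLAUSES))   # (['keep c7', 'keep c5'], [...two short choice lists...])
```

The first core contains only one of the two exploit paths (e1, e3 and the four settings feeding them), so the operator is asked about four settings rather than all seven; after c7 is given up, the second core is the e1/e2 path and the operator is asked about c1, c2, c4 and c5. Seeding the order with a prior decision, for example that c1 outranks c2, hides c1 from the first list, as the last slide describes.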
Open Problems

• How to come up with the numbers?
  – Monetary units?
  – How to estimate the costs?
• How to capture the difficulty level of attacks?
  – Do more difficult exploits reduce the risk?
  – Can this be done inline?
  – How about zero-day vulnerabilities?
• Scalability in production systems.
That’s it.
Questions?