
Measuring Relative Attack Surfaces Jeannette Wing School of Computer - PowerPoint PPT Presentation



  1. Measuring Relative Attack Surfaces
     Jeannette Wing, School of Computer Science, Carnegie Mellon University
     Joint with Mike Howard and Jon Pincus, Microsoft Corporation

  2. Motivation
     • How do we measure progress?
       – What effect has Microsoft’s Trustworthy Computing Initiative had on the security of Windows? Has it paid off?
       – What metric can we use to say Windows Server 2003 is “more secure” than Windows 2000?
     • One approach: Howard’s Relative Attack Surface Quotient (RASQ)
     Attack Surface 2 Jeannette M. Wing

  3. Attackability
     [Figure: attacks directed at the system’s surface (e.g., API)]
     Intuition: reduce the ways attackers can penetrate the surface in order to increase the system’s security.

  4. Relative Attack Surface
     • Intermediate level of abstraction
       – Impartial to numbers or types of code-level bugs, e.g., #buffer overruns
       – More meaningful than counts of CVE/MSRC/CERT bulletins and advisories
     • Focus on attack vectors
       – Identify potential features to attack, based on past exploits
       – Features to Attack * Security Bugs = Exploits
       – Fewer features to attack implies fewer exploits
     • Focus on relative comparisons

  5. 20 RASQ Attack Vectors for Windows [Howard03]
     • Open sockets
     • Open RPC endpoints
     • Open named pipes
     • Services
     • Services running by default
     • Services running as SYSTEM
     • Active Web handlers
     • Active ISAPI Filters
     • Dynamic Web pages
     • Executable vdirs
     • Enabled accounts
     • Enabled accounts in admin group
     • Null Sessions to pipes and shares
     • Guest account enabled
     • Weak ACLs in FS
     • Weak ACLs in Registry
     • Weak ACLs on shares
     • VBScript enabled
     • Jscript enabled
     • ActiveX enabled

  6. Relative Attack Surface Quotient
     Simplistic count: |V|
     Weighted count: Σ_{v ∈ AV} ω_v
     where
       v    attack vector
       ω_v  weight for attack vector v
       AV   set of attack vectors
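As an added worked example (not part of the slides), the two quantities on this slide in Python: the simplistic count |V| and the weighted sum Σ ω_v over Howard’s 20 vectors from slide 5, plus the relative comparison that slide 4 motivates. The weights and the two configuration inventories are constructed for illustration; they are neither Howard’s published weights nor real Windows measurements.

```python
# Added example (not from the slides): the simplistic count |V| and the weighted
# RASQ sum over Howard's 20 attack vectors (slide 5).  WEIGHTS and the two
# inventories are constructed for illustration, not Howard's published values.
from collections import Counter

# Constructed weights ω_v (assumption): vectors that hand an attacker code
# execution or privilege weigh more than passive configuration exposures.
WEIGHTS = {
    "open sockets": 1.0, "open RPC endpoints": 1.0, "open named pipes": 0.9,
    "services": 0.8, "services running by default": 0.8,
    "services running as SYSTEM": 0.9, "active Web handlers": 1.0,
    "active ISAPI filters": 1.0, "dynamic Web pages": 0.6, "executable vdirs": 1.0,
    "enabled accounts": 0.7, "enabled accounts in admin group": 0.9,
    "null sessions to pipes and shares": 0.9, "guest account enabled": 0.9,
    "weak ACLs in FS": 0.7, "weak ACLs in Registry": 0.7, "weak ACLs on shares": 0.9,
    "VBScript enabled": 0.8, "Jscript enabled": 0.8, "ActiveX enabled": 0.9,
}


def simplistic_count(vectors):
    """|V|: number of attack-vector instances, regardless of their type."""
    return sum(vectors.values())


def rasq(vectors, weights=WEIGHTS):
    """Σ_{v ∈ AV} ω_v: every instance of vector v contributes its weight ω_v."""
    unknown = set(vectors) - set(weights)
    if unknown:
        raise KeyError(f"no weight for attack vector(s): {sorted(unknown)}")
    return sum(weights[v] * n for v, n in vectors.items())


def compare(before, after, weights=WEIGHTS):
    """Relative comparison (slide 4): RASQ ratio after/before together with the
    per-vector changes that drove it, so the single number stays explainable."""
    vectors = set(before) | set(after)
    deltas = {v: after.get(v, 0) - before.get(v, 0) for v in sorted(vectors)
              if after.get(v, 0) != before.get(v, 0)}
    return rasq(after, weights) / rasq(before, weights), deltas


# Constructed inventories (assumption) for two hypothetical server configurations.
DEFAULT_INSTALL = Counter({
    "open sockets": 6, "open RPC endpoints": 4, "services running by default": 10,
    "services running as SYSTEM": 5, "active ISAPI filters": 3,
    "guest account enabled": 1, "ActiveX enabled": 1, "weak ACLs on shares": 2,
})
HARDENED = Counter({
    "open sockets": 2, "open RPC endpoints": 1, "services running by default": 4,
    "services running as SYSTEM": 1, "ActiveX enabled": 1,
})

if __name__ == "__main__":
    for name, inv in (("default", DEFAULT_INSTALL), ("hardened", HARDENED)):
        print(f"{name:9s} |V| = {simplistic_count(inv):3d}  RASQ = {rasq(inv):.1f}")
    ratio, deltas = compare(DEFAULT_INSTALL, HARDENED)
    print(f"RASQ ratio hardened/default = {ratio:.2f}; changes: {deltas}")
```

The ratio is the only number the slides ask for, but `compare` also returns the per-vector deltas: a RASQ that drops because three ISAPI filters were removed says something different from one that drops because a socket was closed, and the weights are exactly where the analyst’s judgement enters the metric.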

  7. RASQ Computations for Three OS Releases
     [Bar chart: RASQ for Windows NT 4, Windows 2000 and Windows Server 2003; y-axis 0–700]
     Windows Server 2003 is “more secure” than previous versions.

  8. What’s Really Going On?

  9. Informal Definitions
     A vulnerability is an error or weakness in design, implementation, or operation.
       – “error” => actual behavior – intended behavior
     An attack is the means of exploiting a vulnerability.
       – “means” => sequence of actions
     A threat is an adversary motivated and capable of exploiting a vulnerability.
       – “motivated” => GOAL
       – “capable” => state entities (processes and data)
     [Schneider, editor, Trust in Cyberspace, National Academy Press, 1999]

  10. State Machines
     M = <S, I, A, T>
       S  set of states; s ∈ S, s: Entities → Values
       I ⊆ S  set of initial states
       A  set of actions
       T  transition relation
     Execution of action a in a state s resulting in state s’: <s, a, s’> ∈ T
     We will use a.pre and a.post for all actions a ∈ A to specify T.

  11. Behaviors
     An execution of M: s_0 a_1 s_1 a_2 … s_{i-1} a_i s_i …
       – s_0 ∈ I, ∀ i > 0: <s_{i-1}, a_i, s_i> ∈ T
       – infinite or finite, in which case it ends in a state.
     The behavior of state machine M, Beh(M), is the set of all its executions.
     The set of reachable states, Reach(M), …

  12. System-Under-Attack
     System = <S_sys, I_sys, A_sys, T_sys>
     Threat = <S_thr, I_thr, A_thr, T_thr>
     System-Under-Attack = (System || Threat) X GOAL
     • || denotes parallel composition of two state machines, interleaving semantics
     • GOAL
       – Predicate on state
       – Intuitively, adversary’s goal, i.e., “motivation”

  13. Vulnerabilities
     Actual = <S_act, I_act, A_act, T_act>
     Intend = <S_int, I_int, A_int, T_int>
     Vul = Beh(Actual) – Beh(Intend)
     [Figure: Beh(Actual) vs. Beh(Intend); the part of Actual outside Intend is bad (exploitable), the rest good]
     • I_act – I_int ≠ ∅
     • T_act – T_int ≠ ∅
     Informally, for some action a ∈ A_act ∩ A_int, we’ll say “a is a vulnerability” if
     • a_int.pre ⇒ a_act.pre, or
     • a_int.post ⇒ a_act.post

  14. System-Under-Attack (Revisited)
     Actual = <S_act, I_act, A_act, T_act>
     Intend = <S_int, I_int, A_int, T_int>
     Threat = <S_thr, I_thr, A_thr, T_thr>
     Adversary can achieve GOAL:    System-Under-Attack = (Actual || Threat) X GOAL
     Adversary cannot achieve GOAL: System-Under-Attack = (Intend || Threat) X GOAL

  15. Attacks in (Actual || Threat) X GOAL
     An attack is a sequence of action executions s_0 a_1 a_2 a_3 … a_i … a_n s_n such that
     • s_0 ∈ I
     • GOAL is true in s_n
     • There exists 1 < i < n such that a_i is a vulnerability.

  16. Elements of an Attack Surface: State Entities
     • Running processes, e.g., browsers, mailers, database servers
     • Data resources, e.g., files, directories, registries, access rights
       – carriers
         • extract_payload: carrier -> executable
         • E.g., viruses, worms, Trojan horses, email messages, web pages
       – executables
         • multiple eval functions, eval: executable -> unit
         – applications (Word, Excel, …)
         – browsers (IE, Netscape, …)
         – mailers (Outlook, Outlook Express, Eudora, …)
         – services (Web servers, databases, scripting engines, …)
         – application extensions (Web handlers, add-on dll’s, ActiveX controls, ISAPI filters, device drivers, …)
         – helper applications (dynamic web pages, …)

  17. Targets and Enablers
     [Figure: data target, process target]
     • Target – Any distinguished data resource or running process used or accessed in an attack.
       • “distinguished” is determined by the security analyst and is likely to be referred to in GOAL.
     • Enabler – Any state entity used or accessed in an attack that is not a data or process target.

  18. Channels and Protocols
     • Channels: means of communication
       – Message passing
         • Senders and receivers
         • E.g., sockets, RPC endpoints, named pipes
       – Shared memory
         • Writers and readers
         • E.g., files, directories, and registries
     • Protocols: rules for exchanging information
       – Message passing
         • E.g., ftp, RPC, http, streaming
       – Shared memory
         • E.g., single writer blocks all other readers and writers

  19. Access Rights
     Access Rights ⊆ Principals X Objects X Rights
     where
       Principals = Users ∪ Processes
       Objects = Processes ∪ Data
       Rights, e.g., {read, write, execute}
     • Derived relations
       – accounts, which represent principals
         • special accounts, e.g., guest, admin
       – trust relation or speaks-for relation [LABW92]
         • E.g., ip1 trusts ip2 or Alice speaks-for Bob
       – privilege level
         • E.g., none < user < root
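As an added example (not part of the slides), the relation on this slide and two of its derived relations in Python: a speaks-for relation closed transitively, so that Alice speaks-for Bob lets Alice exercise Bob’s rights, and the privilege ordering none < user < root. The “weak ACL” check at the end is one reading of slide 5’s weak-ACL vectors (objects a none-level principal such as guest can write or execute); that reading, and all principals, objects, triples and levels, are constructed sample data rather than any real system’s ACLs.

```python
# Added example (not from the slides): the access-rights relation of slide 19,
#   Access Rights ⊆ Principals X Objects X Rights,
# with two derived relations: a transitively closed speaks-for relation [LABW92]
# and the privilege ordering none < user < root.  Principals, objects, triples
# and levels below are constructed sample data, not a real system's ACLs.
PRIVILEGE = {"none": 0, "user": 1, "root": 2}   # none < user < root


class AccessRights:
    def __init__(self, triples, speaks_for=(), level=None):
        self.triples = set(triples)        # (principal, object, right)
        self.speaks_for = set(speaks_for)  # (a, b): a speaks for b, i.e. a may act as b
        self.level = dict(level or {})     # principal -> privilege level name

    def principals(self):
        ps = {p for p, _, _ in self.triples} | set(self.level)
        for a, b in self.speaks_for:
            ps.update((a, b))
        return ps

    def objects(self):
        return {o for _, o, _ in self.triples}

    def acts_as(self, principal):
        """Transitive closure of speaks-for from `principal`, including itself."""
        seen, frontier = {principal}, [principal]
        while frontier:
            a = frontier.pop()
            for x, y in self.speaks_for:
                if x == a and y not in seen:
                    seen.add(y)
                    frontier.append(y)
        return seen

    def can(self, principal, obj, right):
        """A right held directly, or by any principal this one speaks for."""
        return any((q, obj, right) in self.triples for q in self.acts_as(principal))

    def effective_level(self, principal):
        """Highest privilege level reachable through speaks-for."""
        return max((self.level.get(q, "none") for q in self.acts_as(principal)),
                   key=PRIVILEGE.__getitem__)

    def weak_acl_objects(self, dangerous=("write", "execute")):
        """Slide 5's 'weak ACLs' vectors, read as (assumption): objects on which a
        principal whose effective level is none (e.g. guest) can write or execute."""
        weak = set()
        for p in self.principals():
            if self.effective_level(p) == "none":
                weak |= {o for o in self.objects()
                         if any(self.can(p, o, r) for r in dangerous)}
        return weak


# Constructed sample (assumption): two users, a service process, guest and root.
SAMPLE = AccessRights(
    triples=[("alice", "/etc/shadow", "read"), ("root", "/etc/shadow", "write"),
             ("svc_web", "/var/www", "read"), ("svc_web", "/var/www", "write"),
             ("guest", "/tmp/share", "write"), ("bob", "/home/bob", "write")],
    speaks_for=[("alice", "root"), ("svc_web", "guest")],
    level={"root": "root", "alice": "user", "bob": "user",
           "svc_web": "user", "guest": "none"},
)

if __name__ == "__main__":
    print("alice may write /etc/shadow (via root):", SAMPLE.can("alice", "/etc/shadow", "write"))
    print("bob may read /etc/shadow:", SAMPLE.can("bob", "/etc/shadow", "read"))
    print("effective level of alice:", SAMPLE.effective_level("alice"))
    print("objects with weak ACLs:", SAMPLE.weak_acl_objects())
```

The point of closing the relation is that the attack surface is not the raw triples: `alice` never appears in a write triple for `/etc/shadow`, yet her effective rights and effective level are root’s, which is what an analyst enumerating “enabled accounts in admin group” needs to see.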

  20. Attack Surface Dimensions: Summary
     [Diagram of a web-browsing example annotated along the three dimensions]
     Targets & Enablers (Processes; Data – carriers, executables)
       • MSHTML (process target)
       • HTTPD web server W (process enabler)
       • Browser B (process enabler)
       • HTML document D (carrier, enabler)
       • Extracted payload E (executable, enabler)
       • Zone Z
     Channels x Protocols (message passing, shared memory; RPC, streaming, ftp, R/W, …)
       • server-client web connection C
     Access Rights
       Principals x Objects x Rights

  21. Reducing the Attack Surface
     Colloquial                            Formal
     Turn off macros                       Eliminate an eval function for one data type.
     Block attachments in Outlook          Avoid giving any executable as an arg to an eval.
     Secure by default                     Eliminate entire types of targets, enablers, channels; restrict access rights.
     Check for buffer overruns             Strengthen post-condition of actual to match intended.
     Validate your input.                  Strengthen pre-condition of actual to match intended.
     Change your password every 90 days.   Increase likelihood that the authentication mechanism’s pre-condition is met.

  22. Attack Surface Dimensions: Summary
     Channels x Protocols
       • message passing
       • shared memory
     Targets & Enablers
       • Processes
       • Data
         - carriers
         - executables
     Access Rights
       Principals x Objects x Rights

  23. Examples

  24. MS02-005 Cumulative Patch for Internet Explorer (vulnerability 1)
     http://www.microsoft.com/technet/security/bulletin/MS02-005.asp
     Informally:
     • An HTML document (a web page sent back from a server or HTML email) can embed another object using the EMBED tag
     • the processing for this tag involves a buffer overrun
     • so a well-crafted (valid, but long) tag can lead to arbitrary code execution within the security context of the user.
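As an added example (not part of the slides), the formal machinery of slides 10 through 15 and the “validate your input” row of slide 21, applied to the informal MS02-005 description above in Python. Actual and Intend share one action, `process_embed`; the Threat serves a page carrying an EMBED tag of any length; GOAL is that the adversary’s code runs in the user’s security context. The code decides whether `process_embed` is a vulnerability per slide 13, searches (Actual || Threat) for an attack per slide 15, and then shows that the attack disappears under Intend and under an Actual whose pre-condition has been strengthened to match Intend. The entities, their value domains, the buffer bound BUF and every action definition are a constructed abstraction and model nothing about the real MSHTML code; the requirement that the implication in slide 13 be strict is my reading, since an identical pre-condition trivially implies itself.

```python
# Added example (not from the slides): an executable reading of slides 10-15 and
# 21 applied to the MS02-005 description.  Entities, value domains, the buffer
# bound BUF and all action definitions are a constructed abstraction; nothing
# here models the real MSHTML code.
from collections import deque, namedtuple
from itertools import product

Action = namedtuple("Action", "name pre post")  # pre(s) -> bool; post(s, s2) -> bool

# State s: Entities -> Values, enumerated over small constructed domains.
ENTITIES = {
    "page_loaded": (False, True),       # adversary's HTML document reached the browser
    "tag_len": (0, 1, 2, 3),            # abstract length of the EMBED tag argument
    "rendered": (False, True),          # the embedded object was rendered
    "exec_ctx": ("user", "attacker"),   # who controls code in the user's security context
}
BUF = 2  # constructed bound: tag arguments longer than this overrun the buffer


def all_states():
    return [dict(zip(ENTITIES, vals)) for vals in product(*ENTITIES.values())]


def unchanged_except(s, s2, **changes):
    return s2 == {**s, **changes}


# Intend: process_embed is only specified for tags that fit the buffer.
intend_embed = Action(
    "process_embed",
    pre=lambda s: s["page_loaded"] and s["tag_len"] <= BUF,
    post=lambda s, s2: unchanged_except(s, s2, rendered=True))

# Actual: no length check (weaker pre); an overlong tag hands control to the attacker.
actual_embed = Action(
    "process_embed",
    pre=lambda s: s["page_loaded"],
    post=lambda s, s2: (unchanged_except(s, s2, rendered=True) if s["tag_len"] <= BUF
                        else unchanged_except(s, s2, exec_ctx="attacker")))

# Hardened Actual (slide 21, "validate your input"): pre strengthened to match Intend.
hardened_embed = actual_embed._replace(pre=intend_embed.pre)

# Threat: serves one page carrying an EMBED tag of any length (nondeterministic post).
serve_page = Action(
    "serve_page",
    pre=lambda s: not s["page_loaded"],
    post=lambda s, s2: (s2["page_loaded"] and s2["rendered"] == s["rendered"]
                        and s2["exec_ctx"] == s["exec_ctx"]))

INIT = {"page_loaded": False, "tag_len": 0, "rendered": False, "exec_ctx": "user"}


def GOAL(s):
    return s["exec_ctx"] == "attacker"   # adversary's code runs as the user


def is_vulnerability(a_int, a_act, states):
    """Slide 13: a_int.pre => a_act.pre or a_int.post => a_act.post, compared on
    the states Intend specifies.  The implication must be strict (assumption)."""
    dom = [s for s in states if a_int.pre(s)]
    pre_weaker = (all(a_act.pre(s) for s in dom)
                  and any(a_act.pre(s) and not a_int.pre(s) for s in states))
    pairs = [(s, s2) for s in dom for s2 in states]
    post_weaker = (all(a_act.post(s, s2) for s, s2 in pairs if a_int.post(s, s2))
                   and any(a_act.post(s, s2) and not a_int.post(s, s2) for s, s2 in pairs))
    return pre_weaker or post_weaker


def find_attack(system_actions, threat_actions, vulns, init=INIT, goal=GOAL):
    """Slide 15: shortest execution of (System || Threat), interleaving semantics,
    that reaches GOAL and executes at least one vulnerability.  Action names or None."""
    states = all_states()
    key = lambda s: tuple(s[e] for e in ENTITIES)
    queue = deque([(init, ())])
    seen = {(key(init), False)}
    while queue:
        s, path = queue.popleft()
        if goal(s) and any(a in vulns for a in path):
            return list(path)
        for a in system_actions + threat_actions:   # interleave both machines
            if not a.pre(s):
                continue
            for s2 in states:
                if a.post(s, s2):
                    used = any(n in vulns for n in path + (a.name,))
                    if (key(s2), used) not in seen:
                        seen.add((key(s2), used))
                        queue.append((s2, path + (a.name,)))
    return None


def analyse():
    states = all_states()
    vulns = {actual_embed.name} if is_vulnerability(intend_embed, actual_embed, states) else set()
    return {
        "vulnerable_actions": sorted(vulns),
        "attack_on_actual": find_attack([actual_embed], [serve_page], vulns),
        "attack_on_intend": find_attack([intend_embed], [serve_page], vulns),
        "attack_on_hardened": find_attack([hardened_embed], [serve_page], vulns),
    }


if __name__ == "__main__":
    for k, v in analyse().items():
        print(f"{k}: {v}")
```

Note what the model does and does not say: the vulnerability is located in the gap between `intend_embed.pre` and `actual_embed.pre`, the attack is an execution of the composed machine that passes through that action, and the fix that removes the attack is exactly the slide-21 move of strengthening the pre-condition. Nothing about the real tag syntax or the overrun mechanics is needed for that argument.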
