Vulnerability Chaining; it’s all connected
- 1. KB6 (You’re all connected) Or why history matters
- 2. Agenda • Problem Statement • Proposed Solution • Challenges • Results • Future work
- 3. Problem Statement • We evaluate new vulnerabilities constantly but only in isolation • When a new vulnerability is announced, we have no way of knowing whether it makes an older vulnerability more useable – Or Vise versa • It is impossible for a human to perform that analysis manually
- 4. Illustrated Example Attacker Target Goal: Compromise the target
- 5. Illustrated Example Attacker Target Vuln 1 Vuln 1 Requires: HTTP Provides: File Drop Priority Low Who Cares
- 6. Illustrated Example Attacker Target Vuln 2Vuln 2 Requires: HTTP + File Name Provides: Location for File Name Priority Low WhoCares
- 7. Illustrated Example Attacker Target Vuln 3 Vuln 3 Requires: HTTP + File Name + File Location Provides: File Execution Priority Low Who Cares
- 8. Illustrated Example Attacker Target Vuln 1 Vuln 2 Vuln 3 Goal Achieved: Compromise the target Compromise!
- 9. Proposed Solution • Create a standard taxonomy to describe all vulnerabilities in terms of “resources” – Allows automated matching of requirements and results for vulnerabilities • Use graphing algorithms to find pathways through the vulnerabilities – Think mapquest for vulnerabilities and systems
- 10. Taxonomy Examples • Major buckets: – Access, Authorization, Confidentiality, Availability, Encryption, Middleware and Defense • Access Resources – Direct access to Disk / network / output devices / input devices / memorory – Network Read / Network Write – Can send mail / Can recieve mail / Can send messages / Can receive messages – Configure application options – Macro Creation / Macro Deletion / Run macros – Configure Application – Create directory / Delete directory / Change permissions on directory – Create symbolic link / Delete symbolic link / Create hard link / Delete hard link – Create shortcut / Delete shortcut – Can write to file / Create file / Gain file location / Make file executable / Can read file / Delete files / Change permissions on file – Send Signal / Recieve Signal / Send Event / Recieve Event – Create user environment Variable / Change user environment Variable / Read user environment Variable / Delete user environment Variable – Cause user to execute remote commands / Causes application to execute arbitrary file / Cause application to execute code / Manipulate/Inject server commands – Gives Access to a Shell – Can Print – Can configure printer – can create cron job – create dump file
- 11. More Taxonomy Examples • Authorization Resources – Priv change – Bypass authorization – Silly default password – Spoof Credentials – Anonymously execute – Spoof Packets – Receives bad packets – Proxy Authorization – Gain printer rights – Login Granted
- 12. Our 3->6 Tier Architecture DJANGO ClusterDJANGO Cluster PGSQLPGSQL LibghttpdLibghttpd II NN TT EE RR NN EE TT Database CacheDatabase Cache MemCachedMemCached Squid WebCacheSquid WebCache
- 13. MGVT Model Graph View TemplateModel Graph View Template
- 14. Solution Workflow • Data gets inserted • Data gets described/”connected” by analyst • Graphs are generated by query
- 15. Example of how the solution works • Microsoft Excel Unspecified Remote Code Execution Vulnerability – If you can get someone to execute your excel file, then you can execute arbitrary commands. – Therefore its requirements are send a message or email – And its results are command execution Screen exampleScreen example
- 16. Example of Views and Graphing support • Focusing in on understanding a problem. Screen exampleScreen example
- 17. Challenges • Creating a taxonomy that is appropriately detailed • Graphing complexities • HCI (usability) issues • Loading/describing all the vulnerabilities into the system • We need a way of distinguishing between redundant paths and partial paths that must be combined • We need a way to distinguish between the primary path choice and alternate • How to add a new resource and apply it to all previously analyzed vulnerabilities efficiently • Handling application specific resources without spiraling into unmanageable complexity
- 18. Results • This allows us: – To better prioritize valuable IT resources – Asses the value of defensive technology Questions Answered by solution – Does this new vuln make any previously impossible attacks possible? – Do any previous vulns make this vuln more useful?
- 19. Future work • Deal with all the challenges • Try other algorithms – Graphing – Dynamic routing • Look at mapping onto AppArmor or SELinux privilege models • Integrate with assessment tools & vulnerability databases – CVSS – OVAL – OSVDB • Implement proper handling of mitigations • Integrate with vulnerability scanning tools/reports • Integrate with static analysis tools
Editor's Notes
- #13: Although we chose PGSQl MySQL can be used in a production environment Also Libghttpd can be replaced by apache in which case Django can also be run in mod_python instead of seperated tiers with FastCGI. For development One can use sqlite/apache+mod_python for a 1 tier architecture. We have a vmware development image available.
- #14: A modification to the MVC/MTV architecture. The interesting points are in the View and Graph side.