-
A Scalable Approach to Full Attack Graphs Generation
Feng Chen, Jinshu Su and Yi Zhang.
Show/hide abstract
Attack graphs are valuable vulnerabilities analysis tools to network
defenders and may be classified to two kinds by application. One is the partial
attack graphs which illustrate the potential interrelations among the known
vulnerabilities just related to the given attack goal in the targeted network, the
other is full attack graphs which evaluate the potential interrelations among all
the known vulnerabilities in the targeted network. The previous approaches to
generating full attack graphs are suffering from two issues. One is the effective
modeling language for full attack graphs generation and the other is the
scalability to large enterprise network. In this paper, we firstly present a novel
conceptual model for full attack graph generation that introduces attack pattern
simplifying the process of modeling the attacker and formally describe full
attack graphs to compactly represent all the attack paths. Secondly, a formal
modeling language VAML is proposed to describe the various elements in the
conceptual model. Thirdly, based on VAML, a scalable approach to generate
full attack graphs is put forward. The prototype system CAVS has been tested
on an operational network with over 150 hosts. We have explored the system?s
scalability by evaluating simulated networks with up to one thousand hosts and
various topologies. The experimental result shows the approach could be
applied to large networks.
-
Architectural Refinement and Notions of Intransitive Noninterference
Ron van der Meyden.
Show/hide abstract
Information flow security policies can be interpreted as architectural
designs. In the process of systems development, one
might refine such a design by viewing a component as being composed of
sub-components, and specifying permitted flows of information between
these components and others in the design. The paper studies the
soundness of such refinements with respect to a spectrum of different
semantics for information flow policies.
A notion of systems refinement in which the information
content of observations is reduced is also studied.
-
From Formal Access Control Policies to Runtime Enforcement Aspects
Slim Kallel, Anis Charfi, Mira Mezini, Mohamed Jmaiel and Karl Klose.
Show/hide abstract
We present an approach that addresses both formal specification and
verification as well as runtime enforcement of RBAC access control
policies including application specific constraints such as
separation of duties (SoD). We introduce TemporalZ, a formal
language based on Z and temporal logic, which provides domain
specific predicates for expressing RBAC and SoD constraints. An
aspect-oriented language with domain specific concepts for RBAC and
SoD constraints is used for the runtime enforcement of policies.
Enforcement aspects are automatically generated from TemporalZ
specifications hence avoiding the possibility of errors and
inconsistencies that may be introduced when enforcement code is
written manually. Furthermore, the use of aspects ensures the
modularity of the enforcement code and its separation from the
business logic.
-
MEDS: The Memory Error Detection System
Jason Hiser, Clark Coleman, Michele Co and Jack Davidson.
Show/hide abstract
Memory errors continue to be a major source of software failure. To address this issue, we present MEDS (Memory Error Detection System), a system for detecting memory errors within binary executables. The system can detect buffer overflow, uninitialized data reads, double-free, and deallocated memory access errors and vulnerabilities. It works by using static analysis to prove memory accesses safe. If a memory access cannot be proven safe, MEDS falls back to dynamic runtime analysis. The system exceeds previous work with dramatic reductions in false positives, as well as covering all memory segments (stack, static, heap).
-
Pattern-based Confidentiality-Preserving Refinement
Holger Schmidt.
Show/hide abstract
We present an approach to security requirements engineering, which makes use
of special kinds of problem frames that serve to structure, characterize,
analyze, and finally solve software development problems in the area of
software and system security.
In this paper, we focus on confidentiality problems. We enhance our approach
by formal behavioral descriptions of the frames, which enable software
engineers to unambigously specify security requirements. Consequently,
software engineers can prove that the envisaged solutions provide functional
correctness and that the solutions fulfill the specified security requirements.
-
Protection Poker: Structuring Software Security Risk Assessment and Knowledge Transfer
Laurie Williams, Michael Gegick and Andy Meneely.
Show/hide abstract
Discovery of security vulnerabilities is on the rise. As a result, software development teams must place a higher priority on preventing the injection of vulnerabilities in software as it is developed. Because the focus on software security has increased only recently, software development teams often do not have expertise in techniques for identifying security risk, understanding the impact of a vulnerability, or knowing the best mitigation strategy. We propose the Protection Poker activity as a collaborative and informal form of misuse case development and threat modeling that plays off the diversity of knowledge and perspective of the participants. An excellent outcome of Protection Poker is that security knowledge passed around the team. Students in an advanced undergraduate software engineering course at North Carolina State University participated in a Protection Poker session conducted as a laboratory exercise. Students actively shared misuse cases, threat models, and their limited software security expertise as they discussed vulnerabilities in their course project. We observed students relating vulnerabilities to the business impacts of the system. Protection Poker lead to a more effective software security learning experience than in prior semesters. A pilot of the use of Protection Poker with an industrial partner will begin in October 2008.
-
Systematically Eradicating Data Injection Attacks using Security-oriented Program Transformations
Munawar Hafiz, Paul Adamczyk and Ralph Johnson.
Show/hide abstract
Injection attacks and their defense require a lot of creativity from attackers and secure system developers. Unfortunately, as attackers rely increasingly on systematic approaches to find and exploit a vulnerability, developers rely on the traditional way of writing ad hoc checks in source code. This paper shows that security engineering to prevent injection attacks need not be ad hoc. It shows that protection can be introduced at different layers of a system by systematically applying general purpose security-oriented program transformations. These program transformations are automated so that they can be applied to new systems at design and implementation stages, and to existing ones during maintenance.
-
Toward Non-security Failures as a Predictor of Security Faults and Failures
Michael Gegick, Peter Rotella and Laurie Williams.
Show/hide abstract
In the search for metrics that can predict the presence of vulnerabilities early in the software life cycle, there may be some benefit to choosing metrics from the non-security realm. We analyzed non-security and security failure data reported for the year 2007 of a Cisco software system. We used non-security failure reports as input variables into a classification and regression tree (CART) model to determine the probability that a component will have at least one vulnerability. Using CART, we ranked all of the system components in descending order of their probabilities and found that 57% of the vulnerable components were in the top nine percent of the total component ranking, but with a 48% false positive rate. The results indicate that non-security failures can be used as one of the input variables for security-related prediction models.
-
Verification of Business Process Entailment Constraints Using SPIN
Christian Wolter, Philip Miseldine and Christoph Meinel.
Show/hide abstract
Access Control decisions are based on the authorisation policies
defined for a system as well as observed context and behaviour
when evaluating these constraints at runtime. Business Processes have been
recognised as a primary source for defining authorisation policies at
process designtime, as well as generating context at runtime.
The verification of access controls is essential for providing
secure systems. Model checking is an automated technique
used for verifying finite state machines. The properties to be
verified are usually expressed as formulae in temporal logic.
In this paper we present a formal specification of entailment constraints,
such as Seperation of Duty, in the context of business processes and a
technique to verify behavioural and security properties of a business process. To enhance the usability the complex and technical details are hidden from the process modeller by using an automatic translation of the process model into a process
meta language (Promela) based on Coloured Petri net (CPN) semantics.
The model checker SPIN is used for the verification of the
process model. The described translation methodology is implemented
as an extension for the free web-based Process modelling tool Oryx.
-
Application of Action Refinement theory for enforcing security properties
Fabio Martinelli and Ilaria Matteucci.
Show/hide abstract
In this paper we propose an application of action
refinement theory, developed in Gorrieri01, for enforcing security
policies at different levels of abstraction.
We assume to have a (high level) specification of a system in
which there is a possible untrusted component controlled by a
controller program in such a way the whole system results secure.
Here we show that it is possible to guarantee that the refinement
of this system at a lower level of abstraction is still secure,
regardless the behavior of the implementation of the untrusted
component. As a matter of fact, by exploiting the considered
action refinement theory, it is possible to refine the system, the
controller program and the possible untrusted component as three
independent entities, in such a way, their implementation does not
depend one each other. Hence the capability of the controller
operator to make the system secure regardless the behavior of the
untrusted component at high level is preserved also at low level.
-
Automatic Security Testing for Web Applications
Dao Thanh Binh and Etsuya Shibayama.
Show/hide abstract
With the increasingly important role of web applications for online services and business systems, vulnerabilities such as SQL Injection or Cross Site Scripting have become serious security threats to web applications. Manual test is time-consuming and error-prone that could miss some potential execution paths in case of large applications. In this paper, we describe an automatic security testing for web applications with the help of dynamic test data generation to improve the code coverage of the test. The test runs totally automatically except that testers only need to manually specify one or several entry points for the web applications. Other entry points are searched automatically during the test. Attack requests are generated using a small set of predefined attack codes and vulnerabilities are detected using dynamic tainting technique for finding dangerous contents in commands and output that came from untrustworthy sources. Constraint-based test data generation is considered in this case of web applications for automatically generating requests to cause the program to follow paths which are unexecuted in previous test executions. We developed a tool called Volcano that implemented our method to detect SQL injection vulnerability in web applications written in PHP. Experiment results on real web applications show that our automatic security testing improved by test data generation technique could effectively find many new vulnerabilities.
-
Information Flow Control as a Foundation for Security Design Engineering
Robert Dahlberg, John Rhodes, Joshua Snell, Joshua Bruch, David Roever and Hongjun Sun.
Show/hide abstract
Designing security for complex systems is a difficult process and takes the knowledge of a number of IT experts. The need for highly secure systems, combined with requirements for numerous certifications and accreditations of these systems compounds the challenges in designing security. The obvious solution is to build the certification and accreditation requirements into the design methodology. The information flow control methodology focuses on the identification of security requirements based on the risk sensitivity of information flows from the perspective of the business function. We take a common-sense approach that allows engineers to use techniques that fit their skill sets. Resulting designs are easy to reference and update, are optimized for building and certifying the system, and serve as useful tools for supporting the system in production.
-
Measuring the effect of code complexity on static analysis results
James Walden, Adam Messer and Alex Kuhl.
Show/hide abstract
To understand the effect of code complexity on static analysis, thirty-five format string vulnerabilities were selected from the National Vulnerability Database. We analyzed two sets of code for each vulnerability. The first set of code contained the vulnerability, while the second was a later version of the code in which the vulnerability had been fixed. We examined the effect of both code complexity and the year of discovery on the quality of static analysis results, including successful detection and false positive rates. The tool detected 63\% of the format string vulnerabilities, with detection rates decreasing with increasing code complexity. When the tool failed to detect a bug, it was for one of two reasons: the absence of security rules specifying the vulnerable function, or the presence of a bug in the static analysis tool. Complex code is more likely to contain complicated code constructs and obscure format string functions, resulting in lower detection rates. However, detection rates did not change substantially from 2000 to 2006, showing that reported format string vulnerabilities are not becoming more difficult to find over time.
-
Trusted Emergency Management
Tim Levin, Cynthia Irvine, Terry Benzel, Thuy Nguyen, Paul Clark and Ganesha Bhaskara.
Show/hide abstract
The ability for emergency first responsders to access sensitive information for which they have not been pre-vetted can save lives and property. We describe a trusted emergency management solution for ensuring that sensitive information is protected from unauthorized access, while allowing for extraordinary access to be authorized under the duress of an emergency. Our solution comprises an emergency access control policy, an operational model and a scalable system security architecture. The operational model involves end-users who are on call as first responders, providers of critical information, and a coordinating authority. Extraordinary access to information is allowed to occur only during emergencies, and only in a confined emergency partition, which is unavailable before the emergency and can be completely purged after the emergency. As all information remains within its assigned partition, after the emergency the system can meaningfully enforce its pre-emergency access control policy. A major component of the architecture is the end-user device, and we describe mechanisms on the device for secure storage of data, and for management of emergency state, to indicate feasibility.
-
CC-based Design of Secure Application Systems
Robin Sharp.
Show/hide abstract
This paper describes some experiences with using the Common
Criteria for Information Security Evaluation as the basis for a
design methodology when designing secure application systems. The
cases considered include a Point-of-Sale (POS) system, a wind
turbine park monitoring and control system and a secure workflow
system, all of them specified to achieve CC assurance level EAL3.
The methodology is described and strengths and weaknesses of using
the Common Criteria in this way are discussed. In general, the
systematic methodology was found to be a good support for the
designers, enabling them to produce an effective and secure design
starting with the formulation of a Protection Profile and ending
with an Implementation Representation, which describes the concrete
design, within the alloted timeframe of the various projects.
-
Functional Security Testing — closing the gap between software testing and security testing: A case from a Telecom provider
Albin Zuccato and Clemens Kögler.
Show/hide abstract
To offer successful products and services in the telecom business requires to show that the specified security is implemented as expected. Functional security testing is suitable for this purpose as it bridges the gap between software and security testing. In this paper we describe the static and dynamic aspects of such functional security testing approach. For the static parts we present the data schema which allows the storage of test cases, provide linking to requirements and enables documentation of test results. The dynamic aspects are covered in a process description for test planning, test execution and evaluation. We show in an evaluation that this approach supports the demands from common criteria in respect to testing. We also provide evidence for a practical application of our approach and show the benefits we found.
-
Measuring the Attack Surfaces of SAP Platforms and Business Applications
Pratyusa K. Manadhata, Yuecel Karabulut and Jeannette M. Wing.
Show/hide abstract
Software vendors are increasingly concerned about mitigating the
security risk of their software. Code quality improvement is a
traditional approach to mitigate security risk; measuring and
reducing the attack surface of software is a complementary
approach. In this paper, we introduce a method for measuring the
attack surfaces of SAP software systems, i.e., platforms and
business applications, implemented in Java. We implement a
tool as an Eclipse plugin to measure an SAP software system's attack
surface in an automated manner. We demonstrate the feasibility of
our approach by measuring the attack surfaces of three versions of
an SAP software system. We envision our measurement method and tool to
be useful to SAP's software developers for improving software security
and quality.
-
Thoughts on the .NET cryptographic API
Cédric Boon, Pieter Philippaerts and Frank Piessens.
Show/hide abstract
When a vulnerability is discovered in a cryptographic algorithm, or
in a specific implementation of that algorithm, it is important that
software using that algorithm or implementation is upgraded quickly.
Hence, modern cryptographic libraries such as the Java Cryptographic
Architecture and Extensions (JCA/JCE) and the .NET crypto libraries
are designed to be extensible with new algorithms and
implementations, and to support algorithm and implementation
independent use of the libraries. Software written against these
libraries can be implemented such that switching to a new crypto
algorithm or implementation requires very little effort.
This paper reports on our experiences with the implementation of a
number of extensions to the .NET cryptographic libraries. The
extensions we consider are smart card based implementations of
existing algorithms. We evaluate the extensibility of the libraries,
and the support for implementation independence. We identify several
problems with the libraries that have a negative impact on these
properties, and we propose solutions.
The main conclusion of the paper is that extensibility and
implementation independence can be substantially improved with only
minor changes that maintain backwards compatibility for client code.
