1 training intrusion-tolerance of web systems challenges and solutions
TRANSCRIPT
-
7/31/2019 1 Training Intrusion-Tolerance of Web Systems Challenges and Solutions
1/37
National Aerospace University Kharkiv Aviation Institute
Department of Computer Systems and Networks
Reporter:
MSc student Alexander Beloborodov
Scientific advisor: Dr.Sc. Anatoliy Gorbenko
Odesa 2012
-
VDB Analysis
Cloud Platform
Protect your PC
Conclusions
Definitions
Content
08.07.2012 O. Biloborodov "Intrusion-avoidance of Web systems: challenges and solutions"
Motivation
[Bar chart: Computer Crime and Security Survey Report 2010]
Malware infection (67,1%)
Denial of service (17%)
Web site defacement (7%)
Exploit of user's social network profile (5%)
System penetration by outsider (11%)
-
Training Content
The main definitions
Vulnerability database analysis
Vulnerability lifecycle analysis
Cloud platform to avoid intrusions
Common suggestions to protect our home systems
Conclusions
-
Dependability
Dependability is a complex characteristic of a system to provide the required services, which can be justifiably trusted. It includes reliability, availability, survivability, safety, security (integrity, confidentiality), high confidence, maintainability.
[Translated from E.S. Bakhmach, Fail-safe programmable logic in the I&CS / ed. V.S. Kharchenko, V.V. Sklyar, Kharkiv, 2008, p. 29]
-
Vulnerability
Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
[National Information Assurance (IA) Glossary. http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf]
-
Vulnerability Examples
Let us enumerate examples of vulnerabilities
-
Common Weakness Enumeration
Name | CWE-ID | Description
Permissions, Privileges, and Access Control | CWE-264 | Failure to enforce permissions or other access restrictions for resources, or a privilege management problem.
Buffer Errors | CWE-119 | Buffer overflows and other buffer boundary errors in which a program attempts to put more data in a buffer than the buffer can hold, or when a program attempts to put data in a memory area outside of the boundaries of the buffer.
Code Injection | CWE-94 | Causing a system to read an attacker-controlled file and execute arbitrary code within that file. Includes PHP remote file inclusion, uploading of files with executable extensions, insertion of code into executable files, and others.
Input Validation | CWE-20 | Failure to ensure that input contains well-formed, valid data that conforms to the application's specifications. Note: this overlaps other categories like XSS, Numeric Errors, and SQL Injection.
OS Command Injections | CWE-78 | Allowing user-controlled input to be injected into command lines that are created to invoke other programs, using system() or similar functions.
The full list: http://nvd.nist.gov/cwe.cfm
-
Fault
A fault is any nonconformance of a version to the specification requirements, the result of an error made during development. When it manifests while the system (an implementation version) is in use, it leads to an error in computation or in control of the process, a crash or a system failure, that is, a transition to a defective or inoperable state.
-
Vulnerability and fault
[Diagram: relationship between the sets "Fault" and "Vulnerability"]
All the faults are vulnerabilities
All the vulnerabilities are faults
Any case is possible
-
Vulnerability Data Sources
Data Source | Site | Access
National Vulnerability Database (NVD) | www.nvd.nist.gov/ | HTML, XML
Common Vulnerabilities and Exposures (CVE) | www.cve.mitre.org/ | HTML, XML
Open Source Vulnerability Database (OSVDB) | www.osvdb.org/ | HTML, XML, SQL Dump
Open Vulnerability and Assessment Language (OVAL) | www.oval.mitre.org/ | HTML
Computer Emergency Response Team (CERT) | www.cert.org/ | HTML
Secunia | www.secunia.com/ | HTML
Problems:
Completeness of the information
Timeliness
The presence of direct access and the ability to copy the entire database
Accuracy of the information
-
Analysis of XML file of National Vulnerability Database
[XML listing from the slide; only the element values survive]
cpe:/o:microsoft:windows_server_2008::sp2:x32
2010-02-10T13:30:00
2010-03-10T10:15:00
9.0 NETWORK LOW COMPLETE COMPLETE COMPLETE MS
-
Patch Data Sources
-
VulnerabilityTracker (1)
Main
Vulnerability Details
Graph
Edit Configuration
Products Tree
-
VulnerabilityTracker (2)
Viewing comparison results of similar dates (publication, modification, etc.) in various databases by calculating the day differences
In the picture, the date difference is shown between the dates of NVD (date1) and CVE (date2) concerning the RedHat Enterprise Linux 5, Apple MacOS Server 10.5.8 and Microsoft Windows Server 2008 products
-
Vulnerability Lifecycle
Let us draw the vulnerability lifecycle
-
Vulnerability Lifecycle
-
Service-Oriented Architecture
SOA is employed in:
e-banking
e-business
e-medicine (bioinformatics)
e-science
e-commerce
Geographic Information Systems
Enterprise Resource Planning Systems
SaaS (EaaS), Grid, Cloud Computing
-
SaaS Examples
-
The structure of intrusion-avoidance system
1. Vulnerability data sources
2. Patch data sources
3.
4. Employing diversity to obtain security gain
Anatoliy Gorbenko, Vyacheslav Kharchenko, Olga Tarasyuk, Alexander Romanovsky. Intrusion-Avoiding Architecture Making Use of Diversity in the Cloud-Based Deployment Environment
-
Vulnerability Data Sources
[Diagram: vulnerability data sources reached over the Internet]
CVE www.cve.mitre.org
NVD www.nvd.nist.gov
SECUNIA www.secunia.com
CERT www.cert.org
OSVDB www.osvdb.org
OVAL www.oval.mitre.org
They support exporting their own databases in the form of XML files
-
Collecting Information (1)
[Diagram: data collected from CVE, NVD and OSVDB into OUR Database]
Fields: CWE, SCORE, SUMMARY, REFERENCE, PUB DATE, MOD DATE, EXPLOIT DATE, FIX DATE, DISCOVER DATE, DISCLOSURE DATE, PRODUCT LIST, PHASE, STATUS
CVE: CVE-ID
NVD: CVE-ID, CWE, SCORE
OSVDB: CVE-ID, EXPLOIT DATE, DISCOVER DATE, DISCLOSURE DATE, FIX DATE, PHASE, STATUS, PRODUCT LIST
OUR Database: CVE-ID
-
Collecting Information (2)
[Diagram: data from CVE, NVD and OSVDB passes through the Format Converter into OUR Database]
OUR Database: CVE-ID, CWE, SCORE, EXPLOIT DATE, FIX DATE, DISCOVER DATE, DISCLOSURE DATE, PRODUCT LIST, PHASE, STATUS, SUMMARY, REFERENCE, PUB DATE, MOD DATE
CVE: CVE-ID
NVD: CVE-ID, CWE, SCORE
OSVDB: CVE-ID, EXPLOIT DATE, DISCOVER DATE, DISCLOSURE DATE, FIX DATE, PHASE, STATUS, PRODUCT LIST
Format Converter
-
Vulnerability Database Scheme
Vulnerabilities
Products and configurations
Users and policies
-
Deployment Diagram
-
Reconfiguration Example
Operating System: Linux, Windows
Web Server: Apache httpd
Application Server: Glassfish
Database Management System: MySQL, Oracle
Dynamic reconfiguration system chooses the less vulnerable configuration
-
Compatibility Graph
Graph was proposed by Aleksey Furmanov
-
Configuration Samples
[Figure: configuration samples 1 to 6]
Configurations were proposed by Aleksey Furmanov
-
Assumptions
The following conventions were accepted in the simulation:
Before January 1, 2010, operating systems didn't have vulnerabilities.
Eliminating vulnerabilities takes a particular time, which differs for each operating system. According to the article, it takes:
28.9 days for Microsoft Windows
46.12 days for Apple Mac OS
73.89 days for Novell Linux
106.83 days for Red Hat Linux
167.72 days for Sun Solaris
Jones, J. Days-of-risk in 2006: Linux, Mac OS X, Solaris and Windows. Electronic data. Access: http://blogs.csoonline.com/days_of_risk_in_2006 (2006)
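The sketch below is an added example, not code from the presentation or from the VulnerabilityTracker project: it replays the simulation conventions above, counting for each operating system the vulnerabilities that are disclosed but not yet eliminated and moving to a less vulnerable one. The disclosure dates are constructed for illustration; rounding the fix time up to whole days and switching only on a strict improvement are assumptions.

```python
import math
from datetime import date, timedelta

# Days needed to eliminate a vulnerability, per OS (values from the Assumptions slide).
DAYS_OF_RISK = {
    "Microsoft Windows": 28.9,
    "Apple Mac OS": 46.12,
    "Novell Linux": 73.89,
    "Red Hat Linux": 106.83,
    "Sun Solaris": 167.72,
}
EPOCH = date(2010, 1, 1)  # slide convention: no vulnerabilities exist before this date

# Constructed disclosure dates, for illustration only (not NVD/CVE/OSVDB data).
SAMPLE_DISCLOSURES = {
    "Microsoft Windows": [date(2009, 12, 20), date(2010, 1, 5),
                          date(2010, 1, 12), date(2010, 3, 1)],
    "Apple Mac OS": [date(2010, 1, 20), date(2010, 2, 10)],
    "Novell Linux": [date(2010, 2, 1)],
    "Red Hat Linux": [date(2010, 1, 3)],
    "Sun Solaris": [date(2010, 1, 2), date(2010, 1, 15)],
}

def open_vulns(os_name, day, disclosures=SAMPLE_DISCLOSURES):
    """Count vulnerabilities disclosed on or before `day` and not yet eliminated."""
    # Assumption: a fractional fix time is rounded up to whole days.
    window = timedelta(days=math.ceil(DAYS_OF_RISK[os_name]))
    return sum(1 for d in disclosures.get(os_name, [])
               if d >= EPOCH and d <= day < d + window)

def simulate(start, end, initial, disclosures=SAMPLE_DISCLOSURES):
    """Return [(day, os)]: the initial OS plus every later reconfiguration."""
    current, timeline = initial, [(start, initial)]
    day = start
    while day <= end:
        counts = {name: open_vulns(name, day, disclosures) for name in DAYS_OF_RISK}
        best = min(counts, key=counts.get)  # first OS with the fewest open vulnerabilities
        # Assumption: reconfigure only when another OS is strictly less vulnerable,
        # so a tie never causes a needless switch.
        if counts[best] < counts[current]:
            current = best
            timeline.append((day, current))
        day += timedelta(days=1)
    return timeline

if __name__ == "__main__":
    for day, os_name in simulate(date(2010, 1, 1), date(2010, 4, 30), "Microsoft Windows"):
        print(day.isoformat(), os_name)
```

With real feeds, the disclosure lists would come from the collected vulnerability database, keyed by product.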
-
Reconfiguration Simulation
[Plot: number of vulnerabilities (0 to 70) against day of the year (1 to 361) for Novell Linux 11, RedHat Linux 5, Apple MacOS Server 10.5.8, Sun/Oracle Solaris 10 and MS Windows Server 2008]
Now our system is managed by OS: MS Windows Server 2008, Novell Linux 11, Apple MacOS Server 10.5.8, RedHat Linux 5, MS Windows Server 2008, Novell Linux 11, RedHat Linux 5
-
Common vulnerabilities in different operating systems
-
Cloud platform to avoid intrusions
-
Our Team
Research Group: Vyacheslav Kharchenko, Anatoliy Gorbenko, Aleksey Furmanov, Anatoliy Shostak, Sofia Pokrova
System Analyst: Aleksey Furmanov
Development Group: Alexander Beloborodov, Alexander Lysenko, Sofia Pokrova
-
Protecting your systems (2)
Measures to prevent intrusions:
Use Secunia Software Personal Inspector to check your system for the presence of vulnerabilities
Install and configure firewalls
Configure the access policy on your PC and on the network equipment you use
Never share your user name, password or security questions with anyone
No one else should be able to guess your password
-
Protecting your systems (3)
Measures to protect private information:
Make an email account for registrations or use temporary email (www.shitmail.me, www.mailinator.com)
Be careful in social networks, keep your private information secret
Keep the passwords in your mind (or on paper)
After logging in, when you no longer need to use your account, don't forget to log out
Pay attention to the link you click
Check the address of the site you are on
-
Conclusions
We studied:
What vulnerability and fault mean
Vulnerability data sources
Patch data sources
We obtained experience in:
Analyzing information of XML files of vulnerability databases
Vulnerability lifecycle design
We discussed:
General suggestions to protect our home systems from intrusions
-
Alexander Beloborodov
Intrusion-avoidance of Web systems: challenges and solutions
E-mail: [email protected]