Towards Unifying Vulnerability Information for Attack Graph Construction
Sebastian Roschke
Feng Cheng, Robert Schuppenies, Christoph Meinel
ISC2009 - 2009-09-08
Internet-Technologies and -Systems | Prof. Dr. Ch. Meinel
Sebastian Roschke | Unifying Vulnerability Information for AG Construction | 2009-09-08
Outline
■ Introduction
□ Attack Graph Workflow
■ Sources of Vulnerability Information
□ Source Comparison
□ CVE, CVSS, and OVAL
■ Implementation of an Extraction Tool
□ Data Model
□ Architecture
□ Proof of Concept
■ Summary & Conclusions
Attack Graph Workflow
■ Attack Graph Workflow Phases
□ Information Gathering, Attack Graph Construction, Analysis & Visualization
Vulnerability Information
Sources of Vulnerability Information
■ Existing databases are either commercial or community-based
□ Commercial: DragonSoft (D.Soft), Secunia, SecurityFocus (S.Focus), Securiteam, and X-Force
□ Community-based: Cooperative Vulnerability Database (CoopVDB), the Department of Energy Cyber Incident Response Capability (DoE-CIRC), the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), and the United States Computer Emergency Readiness Team (US-CERT)
■ Vulnerability standardization efforts
□ CVE – Common Vulnerabilities and Exposures
□ CVSS - Common Vulnerability Scoring System
□ OVAL - Open Vulnerability and Assessment Language
Vulnerability Standardization Efforts
■ CVE – Common Vulnerabilities and Exposures
□ Dictionary providing common names and references for vulnerabilities
■ CVSS - Common Vulnerability Scoring System
□ Metric indicates how critical a vulnerability is
□ Metrics: base metrics, temporal metrics, and environmental metrics
□ Base metrics: access vector and complexity information, degree of Confidentiality, Integrity, and Availability (CIA) violations, and number of required authentication steps
■ OVAL - Open Vulnerability and Assessment Language
□ Detailed and structured description of configurations affected by vulnerabilities
□ Definition types: vulnerability definitions, compliance definitions, inventory definitions, patch definitions, miscellaneous type
Sources of Vulnerability Information
Comparison
Implementation – Data Model
Data Model
■ Description of vulnerabilities as a set of pre- and post-conditions
■ A condition consists of system properties
Implementation – Data Model
System Properties
Implementation – Data Model
Description Example
Automatic Vulnerability Extraction
Architecture
■ Plugin-enabled architecture of readers and writers
■ Reader plugins parse VDBs and create internal vulnerability representation (according to introduced data model)
■ Writer plugins use the data model to transform internal representation, e.g., to create AG creator compatible data
Automatic Vulnerability Extraction
Proof of Concept
■ PoC implemented in Python with a simple web-based front end
■ Reader plugins: NVD Reader, OVAL Reader, XML Reader, CVE Reader
■ Writer plugins: MulVAL Writer, XML Writer
Extraction Process
■ Main source NVD
■ Utilization of CVSS: CIA impact, access vector
■ Utilization of OVAL: description of environment
■ Extraction based on common patterns and phrases
□ “execute arbitrary code"
□ “Microsoft Windows 2000 SP4 or later is installed”
Correctness
Evaluation of Textual Extraction
■ NVD comparison of textual description with CVSS counterpart
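The data model, the phrase-based extraction and the correctness check from the preceding slides, as an added Python example that is not the authors' tool: it builds pre-/post-conditions from constructed NVD-like entries once from the phrases in the text and once from the CVSS base vector, reports where the two disagree, and emits MulVAL-style facts. The entries, phrase tables, impact mapping and host/program names are assumptions; the MulVAL predicate names follow the MulVAL paper.

```python
import re
from dataclasses import dataclass
# Constructed NVD-like records; ids, texts and vectors are made up for this example.
SAMPLE_ENTRIES = [
    {"id": "CVE-0000-0001", "cvss": "AV:N/AC:L/Au:N/C:C/I:C/A:C",
     "description": "Buffer overflow in exampled allows remote attackers to execute arbitrary code."},
    # Second entry is deliberately inconsistent: the text says local, the vector says network.
    {"id": "CVE-0000-0002", "cvss": "AV:N/AC:L/Au:N/C:N/I:N/A:P",
     "description": "examplesvc allows local users to cause a denial of service via a long string."},
]
# Common phrases mapped to system properties: access range (pre-condition)
# and what the attacker gains (post-condition). Assumed tables, not the tool's own.
RANGE_PATTERNS = {r"remote attackers?": "remote", r"local users?": "local"}
IMPACT_PATTERNS = {r"execute arbitrary code": "privEscalation", r"denial of service": "dos"}

@dataclass
class Vulnerability:
    cve: str
    pre: dict   # properties that must hold before exploitation, e.g. {"range": "remote"}
    post: dict  # properties that hold afterwards, e.g. {"impact": "privEscalation"}

def match_patterns(text, patterns):
    """Return the property of the first phrase pattern found in text, else None."""
    return next((prop for pat, prop in patterns.items() if re.search(pat, text, re.I)), None)

def from_text(entry):
    """Build pre-/post-conditions from the textual description only."""
    return Vulnerability(entry["id"], {"range": match_patterns(entry["description"], RANGE_PATTERNS)},
                         {"impact": match_patterns(entry["description"], IMPACT_PATTERNS)})

def from_cvss(entry):
    """Build pre-/post-conditions from the CVSS v2 base vector only."""
    m = dict(kv.split(":") for kv in entry["cvss"].split("/"))
    rng = "remote" if m["AV"] in ("N", "A") else "local"
    # Assumed mapping: complete C and I loss is read as code execution, otherwise any A loss as dos.
    impact = "privEscalation" if (m["C"], m["I"]) == ("C", "C") else ("dos" if m["A"] != "N" else None)
    return Vulnerability(entry["id"], {"range": rng}, {"impact": impact})

def inconsistencies(entry):
    """Properties where the textual extraction disagrees with the CVSS counterpart."""
    t, c = from_text(entry), from_cvss(entry)
    return [k for k in ("range", "impact") if {**t.pre, **t.post}[k] != {**c.pre, **c.post}[k]]

def to_mulval(v, host="webServer", program="exampled"):
    """Emit MulVAL-style Datalog facts (predicate names as in the MulVAL paper; host/program assumed)."""
    rng = "remoteExploit" if v.pre["range"] == "remote" else "localExploit"
    return (f"vulExists({host}, '{v.cve}', {program}).\n"
            f"vulProperty('{v.cve}', {rng}, {v.post['impact']}).")
```

Running `inconsistencies` over every entry gives the kind of text-versus-CVSS disagreement count the evaluation slide refers to.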
Summary
■ Main contributions
□ Comparison of vulnerability databases
□ Data model to unify vulnerabilities
□ Automatic extraction of vulnerability information
□ Transformation to different attack graph tools, e.g., MulVAL (Ou et al.)
■ Conclusions
□ Vulnerability information is often inconsistent, e.g., CVSS compared to the textual description
□ Extraction from textual descriptions is applicable (70%-90% correctness)
Open Issues
■ Improve the extraction process
■ Additional plugins to enrich functionality
□ Reader for new VDBs, e.g., ...
□ Writers for different Attack Graph tools
■ Universal vulnerability database providing unified vulnerability information (extracted from multiple databases) at runtime
■ Utilization of data model to describe system and network information
■ Attack Graph toolkit focusing on wide range of vulnerability information
Questions
Any Questions?