Towards Unifying Vulnerability Information for Attack Graph Construction Sebastian Roschke Feng Cheng, Robert Schuppenies, Christoph Meinel ISC2009 - 2009-09-08 Internet-Technologies and -Systems | Prof. Dr. Ch. Meinel


Towards Unifying Vulnerability Information for Attack Graph Construction

Sebastian Roschke

Feng Cheng, Robert Schuppenies, Christoph Meinel

ISC2009 - 2009-09-08

Internet-Technologies and -Systems | Prof. Dr. Ch. Meinel


Sebastian Roschke | Unifying Vulnerability Information for AG Construction | 2009-09-08


Outline

■ Introduction

□ Attack Graph Workflow

■ Sources of Vulnerability Information

□ Source Comparison

□ CVE, CVSS, and OVAL

■ Implementation of an Extraction Tool

□ Data Model

□ Architecture

□ Proof of Concept

■ Summary & Conclusions


Attack Graph Workflow

■ Attack Graph Workflow Phases

□ Information Gathering, Attack Graph Construction, Analysis & Visualization


Vulnerability Information


Sources of Vulnerability Information

■ Existing databases are either commercial or community-based

□ Commercial: DragonSoft (D.Soft), Secunia, SecurityFocus (S.Focus), Securiteam, and X-Force

□ Community-based: Cooperative Vulnerability Database (CoopVDB), the Department of Energy Cyber Incident Response Capability (DoE-CIRC), the National Vulnerability Database (NVD), the Open Source Vulnerability Database (OSVDB), and the United States Computer Emergency Readiness Team (US-CERT)

■ Vulnerability standardization efforts

□ CVE – Common Vulnerabilities and Exposures

□ CVSS – Common Vulnerability Scoring System

□ OVAL – Open Vulnerability and Assessment Language


Vulnerability Standardization Efforts

■ CVE – Common Vulnerabilities and Exposures

□ Dictionary providing common names and references for vulnerabilities

■ CVSS – Common Vulnerability Scoring System

□ Metric indicates how critical a vulnerability is

□ Metrics: base metrics, temporal metrics, and environmental metrics

□ Base metrics: access vector and access complexity, degree of Confidentiality, Integrity, and Availability (CIA) violation, and number of required authentication steps

■ OVAL – Open Vulnerability and Assessment Language

□ Detailed and structured description of configurations affected by vulnerabilities

□ Definition types: vulnerability definitions, compliance definitions, inventory definitions, patch definitions, and miscellaneous definitions


Sources of Vulnerability Information

Comparison


Implementation – Data Model

Data Model

■ Description of vulnerabilities as set of pre- and post-conditions

■ Condition consists of system properties


Implementation – Data Model

System Properties


Implementation – Data Model

Description Example


Automatic Vulnerability Extraction

Architecture

■ Plugin-enabled architecture of readers and writers

■ Reader plugins parse vulnerability databases (VDBs) and create the internal vulnerability representation according to the introduced data model

■ Writer plugins use the data model to transform the internal representation, e.g., into data compatible with an attack graph generator


Automatic Vulnerability Extraction

Proof of Concept

■ PoC implemented in Python with a simple web-based front end

■ Reader plugins: NVD Reader, OVAL Reader, XML Reader, CVE Reader

■ Writer plugins: MulVAL Writer, XML Writer

Extraction Process

■ Main source NVD

■ Utilization of CVSS: CIA impact, access vector

■ Utilization of OVAL: description of environment

■ Extraction based on common patterns and phrases

□ “execute arbitrary code”

□ “Microsoft Windows 2000 SP4 or later is installed”


Correctness

Evaluation of Textual Extraction

■ NVD comparison of textual description with CVSS counterpart
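The data model, the reader/writer architecture, the extraction process and the correctness check above describe one pipeline, so the following added example (not the authors' tool) shows them together in miniature in Python, the language of the PoC. A reader plugin turns an NVD-like record into the internal data model (pre- and post-conditions made of system properties), phrase patterns extract conditions from the textual description, the CVSS vector supplies access vector and CIA impact, and a writer plugin emits MulVAL-style facts. A final check compares what the text says about access with what the CVSS access vector says, which is the kind of text-versus-CVSS comparison the correctness slide refers to. The phrase patterns, the property names and the mapping onto MulVAL atoms are assumptions (vulExists, vulProperty, remoteExploit, localExploit and privEscalation are taken from Ou et al.'s MulVAL examples; otherConsequence is a placeholder); the two records are constructed and their CVE ids are placeholders.

```python
"""Added example, not the authors' tool: a miniature reader/writer pipeline."""
import re
from dataclasses import dataclass, field

@dataclass(frozen=True)
class SystemProperty:
    """One atomic fact about a system; a condition is a set of these."""
    name: str
    value: str

@dataclass
class Vulnerability:
    """Data model from the slides: a vulnerability as pre- and post-conditions."""
    vul_id: str
    preconditions: set = field(default_factory=set)
    postconditions: set = field(default_factory=set)

# Phrase patterns are assumptions; the slides show only two example phrases.
ACCESS_PATTERNS = [(re.compile(r"\bremote attackers?\b", re.I), "network"),
                   (re.compile(r"\blocal users?\b", re.I), "local")]
SOFTWARE_PATTERN = re.compile(r"\b([A-Z][\w ]*?) (?:or later )?is installed\b")
POSTCONDITION_PATTERNS = [
    (re.compile(r"execute arbitrary code", re.I), SystemProperty("privilege", "code_execution")),
    (re.compile(r"denial of service", re.I), SystemProperty("availability", "lost")),
    (re.compile(r"read arbitrary files", re.I), SystemProperty("confidentiality", "lost")),
]
CVSS_ACCESS = {"N": "network", "A": "adjacent", "L": "local"}
CIA_METRICS = (("C", "confidentiality"), ("I", "integrity"), ("A", "availability"))

def parse_cvss_v2(vector):
    """'AV:N/AC:L/Au:N/C:P/I:P/A:P' -> {'AV': 'N', 'AC': 'L', ...}."""
    return dict(part.split(":", 1) for part in vector.split("/"))

def text_access(description):
    """Access claims ('network'/'local') found in the free-text description."""
    return {value for pattern, value in ACCESS_PATTERNS if pattern.search(description)}

def nvd_reader(record):
    """Reader plugin: NVD-like record (dict) -> Vulnerability in the data model."""
    v, text = Vulnerability(record["id"]), record["description"]
    for value in text_access(text):
        v.preconditions.add(SystemProperty("access", value))
    for m in SOFTWARE_PATTERN.finditer(text):        # OVAL-style environment phrase
        v.preconditions.add(SystemProperty("software", m.group(1)))
    for pattern, prop in POSTCONDITION_PATTERNS:
        if pattern.search(text):
            v.postconditions.add(prop)
    cvss = parse_cvss_v2(record["cvss_v2"])          # CVSS: access vector and CIA impact
    v.preconditions.add(SystemProperty("access", CVSS_ACCESS[cvss["AV"]]))
    for metric, name in CIA_METRICS:
        if cvss[metric] in ("P", "C"):               # partial or complete impact
            v.postconditions.add(SystemProperty(name, "lost"))
    return v

def mulval_writer(v, host, program):
    """Writer plugin: MulVAL-style facts. vulExists/vulProperty and the atoms
    remoteExploit/localExploit/privEscalation follow Ou et al.'s MulVAL examples;
    'otherConsequence' is a placeholder for impacts this toy does not classify."""
    access = {p.value for p in v.preconditions if p.name == "access"}
    exploit_range = "remoteExploit" if "network" in access else "localExploit"
    code_exec = SystemProperty("privilege", "code_execution") in v.postconditions
    consequence = "privEscalation" if code_exec else "otherConsequence"
    return [f"vulExists({host}, '{v.vul_id}', {program}).",
            f"vulProperty('{v.vul_id}', {exploit_range}, {consequence})."]

def access_consistency(record):
    """Correctness check: does the text's access claim agree with the CVSS access vector?"""
    claimed = text_access(record["description"])
    if not claimed:
        return "undetermined"
    cvss_av = CVSS_ACCESS[parse_cvss_v2(record["cvss_v2"])["AV"]]
    return "consistent" if cvss_av in claimed else "inconsistent"

def consistency_rate(records):
    """Share of records with a determinable access claim that agree with CVSS."""
    decided = [access_consistency(r) for r in records]
    decided = [x for x in decided if x != "undetermined"]
    return decided.count("consistent") / len(decided) if decided else None

# Constructed records with placeholder ids (not real CVE entries).
RECORDS = [
    {"id": "CVE-0000-0001",
     "description": "Buffer overflow in ExampleD allows remote attackers to execute "
                    "arbitrary code. Microsoft Windows 2000 SP4 or later is installed.",
     "cvss_v2": "AV:N/AC:L/Au:N/C:C/I:C/A:C"},
    {"id": "CVE-0000-0002",   # text says local, CVSS says network: inconsistent
     "description": "ExampleTool allows local users to cause a denial of service.",
     "cvss_v2": "AV:N/AC:L/Au:N/C:N/I:N/A:P"},
]

if __name__ == "__main__":
    for rec in RECORDS:
        vul = nvd_reader(rec)
        print(vul, *mulval_writer(vul, "webServer", "exampleProgram"), sep="\n")
        print("text vs CVSS access:", access_consistency(rec))
    print("consistency rate:", consistency_rate(RECORDS))
```

The second record is the interesting one: the description and the CVSS vector disagree about the access vector, so the reader ends up with two contradictory access preconditions and the writer has to pick one. Counting such disagreements over a whole database is how a correctness figure like the 70%–90% quoted later is obtained, and it is also why a tool that unifies several sources needs a policy for which source wins.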


Summary

■ Main contributions

□ Comparison of vulnerability databases

□ Data model to unify vulnerabilities

□ Automatic extraction of vulnerability information

□ Transformation to different attack graph tools, e.g., MulVAL (Ou et al.)

■ Conclusions

□ Vulnerability information is often inconsistent, e.g., CVSS compared with the textual description

□ Extraction from textual descriptions is applicable (70%–90% correctness)


Open Issues

■ Improve the extraction process

■ Additional plugins to enrich functionality

□ Reader for new VDBs, e.g., ...

□ Writers for different Attack Graph tools

■ Universal vulnerability database providing unified vulnerability information (extracted from multiple databases) at runtime

■ Utilization of data model to describe system and network information

■ Attack Graph toolkit focusing on wide range of vulnerability information


Questions

Any Questions?
