Transcript Generating Trend Templates Through Vulnerability Analysis

Automatic Trust Management
for
Adaptive Survivable Systems
Howard Shrobe MIT AI Lab
Computational Vulnerability Analysis
for
Model Based Diagnosis
July 2001 PI Meeting Santa Fe
Outline
• Overall Framework
• Review of Diagnostic Process
• Computational Vulnerability Analysis
Adaptive Survivable Systems
• Techniques that enable self-monitoring and diagnosis
–
–
–
–
Driven by representations of structure and purpose
The application knows the purposes of its components
The application checks that these are achieved
If these purposes are not achieved, the application localizes and
characterize the failure
• Techniques that enable application adaptation
– The application achieve its purpose as well as possible within the
available infrastructure by choosing alternatives.
– Driven by models of Trust (informed by diagnosis and monitoring)
– Driven by models of computational alternatives
– It must have more than one way to effect each critical computation
– It should choose an alternative approach if the first one failed
– It should make its initial choices in light of the trust model
The Active Trust Management Architecture
Perpetual
Analytical
Monitoring
Trust Model:
Trustworthiness
Compromises
Attacks
Self Adaptive
Survivable Systems
Rational Decision
Making
Trend
Templates
Other Information
Sources:
Intrusion Detectors
System Models
&
Domain Architecture
Rational Resource Allocation
Motivating Example
Grammar
Center
Grammar
Performance
expectations
Speech
Processing
text
Voice
Capture
Display
Start
utterance
Gui
Directives
query
Omnibase
response
Integrity
Constraint
Dopey
Sleepy
Grumpy
Doc
Display
Generator
Diagnosis as Likely Mode Identification
• Single Level, Single Model Model Based Diagnosis
– Tells you which components aren’t working as expected
• Multi-Mode Diagnosis
– Tells you in what way they aren’t working as expected
• Multi-Level, Multi-Mode Diagnosis
– Tells you how the misbehaviors are coupled through commonmode failures (or compromises) and ranks the failures by their
probabilities.
• Attack Models
– Tells you how the common mode failures (or compromised modes
of the resources) are in turn coupled to common attacks exploiting
vulnerabilities of the resources.
Model Based Diagnosis with Multiple Faults
• Each component is modeled by multi-directional constraints
representing the normal behavior
• As a value is propagated through a component model, it is
labeled with the assumption that this component works
• A conflict is detected at any place to which inconsistent values
are propagated
• A conflict set is the set of all labels attached to the conflicting
values
• A diagnosis is a set of assumptions which form a covering set of
all Conflict set
• Goal is to find all minimum diagnoses
Model Based Troubleshooting
GDE
15
3
Times
40
Plus
40
5
5
25
Times
5
25
20
Plus
40
35
3
Times
15
Conflicts:
Blue or Violet Broken
Green Broken, Red with compensating fault
Green Broken, Yellow with masking fault
Diagnoses:
Multi-Mode Diagnosis
B
A
IN
L
Normal:3
Fast: -30
Slow: 7
0
H
6
2
30
MID
Low = 3
High = 6
P
.7
.1
.2
L H P
Normal:2 4 0.9
Fast: -30 1 .04
Slow: 5 30 .06
OUT1
L H P
Normal:5 10 0.8
Fast: -30 4 .03
Slow: 11 30 .07
OUT2
C
A
B
C
MID
Low
Normal Normal Slow
3
Slow
Fast
Normal 7
Fast
Normal Slow
1
Normal Fast
Slow
4
Fast
Slow Slow -30
Slow
Fast
Fast
13
Observed:
Predicted:
Observed:
Predicted:
5
Low = 5
High = 10
17
Low = 8
High =16
Consistent Diagnoses
MID
Prob
Explanation
High
3 .04410
C is delayed
12 .00640
A Slow, B Masks runs negative!
2 .00630
A Fast, C Slower
6 .00196
B not too fast, C slow
0 .00042
A Fast, B Masks, C slow
30 .00024
A Slow, B Masks, C not masking fast
Multi-Mode Multi-Tiered Diagnosis
• The model is augmented with another level of detail showing the
dependence of computations on underlying resources
• Each resource has models of its state of compromise
• The modes of the resource models are linked to the modes of the
computational models by conditional probabilities
• The model forms a bayesian network
Normal: Delay: 2,4
Delayed: Delay 4,+inf
Accelerated: Delay -inf,2
Conditional probability = .2
Conditional probability = .4
Conditional probability = .3
Normal: Probability 90%
Parasite: Probability 9%
Other: Probability 1%
Has models
Has models
Component 1
Node17
Located On
An Example System Description
N
Normal .6
Peak
.1
Off Peak .3
H
.15
.80
.05
N
Normal .8
Slow
.2
A
H
.3
.7
B
N
Normal .60
Slow
.25
Slower .15
Host1
Normal
Hacked
N
Normal .50
Fast
.25
Slow
.25
.9
.1
H
.05
.45
.50
C
N
Normal .50
Fast
.25
Slow
.25
D
E
Host2
Host3
Normal
Hacked
.85
.15
H
.05
.45
.50
Normal
Hacked
H
.05
.45
.50
Host4
.7
.3
Normal
Hacked
.8
.2
The System Description includes a Bayesian Network
• The Model can be viewed as a Two-Tiered Bayesian Network
– Resources with modes
– Computations with modes
– Conditional probabilities linking the modes
N
Normal .6
Peak
.1
Off Peak .3
H
.15
.80
.05
N
Normal .8
Slow
.2
A
B
N
Normal .60
Slow
.25
Slower .15
Host1
Normal
Hacked
N
Normal .50
Fast
.25
Slow
.25
H
.3
.7
.9
.1
H
.05
.45
.50
C
N
Normal .50
Fast
.25
Slow
.25
D
E
Host2
Host3
Normal
Hacked
.85
.15
H
.05
.45
.50
Normal
Hacked
H
.05
.45
.50
Host4
.7
.3
Normal
Hacked
.8
.2
The system description includes a behavioral model
• The Model can also be viewed as a behavioral model with
multiple modes per device
– Each model has behavioral description
• The modes have posterior probabilities linked by conditional
probabilities to the probabilities of the modes of the resources
N
Normal .6
Peak
.1
Off Peak .3
H
.15
.80
.05
N
Normal .8
Slow
.2
A
N
Normal .50
Fast
.25
Slow
.25
H
.3
.7
B
N
Normal .60
Slow
.25
Slower .15
D
H
.05
.45
.50
C
N
Normal .50
Fast
.25
Slow
.25
E
H
.05
.45
.50
H
.05
.45
.50
Integrating model based and Bayesian reasoning
• Start with each behavioral model in the “normal” state
• Repeat: Check for Consistency of the current model
• If inconsistent,
– Add a new node to the Bayesian network
• This node represents the logical-and of the nodes in the conflict.
• It’s truth-value is pinned at FALSE.
– Prune out all possible solutions which are a super-set of the conflict set.
– Pick another set of models from the remaining solutions
• If consistent, add to the set of possible diagnoses
• Continue until all inconsistent sets of models are found
• Solve the Bayesian network
N
Normal .6
Peak
.1
Off Peak .3
H
.15
.80
.05
N
Normal .8
Slow
.2
A
N
Normal .50
Fast
.25
Slow
.25
H
.3
.7
B
N
Normal .60
Slow
.25
Slower .15
D
H
.05
.45
.50
H
.05
.45
.50
Discrepancy Observed Here
C
N
Normal .50
Fast
.25
Slow
.25
E
H
.05
.45
.50
Conflict:
A = NORMAL
B = NORMAL
C = NORMAL
Least Likely Member of Conflict
Most Likely Alternative is SLOW
Adding Attack Models
• An Attack Model specifies the set of attacks that are
believed to be possible in the environment
• Each resource has a set of vulnerabilities
– Vulnerabilities enable attacks on that resource
• A successful attack exploits the vulnerability, putting the
resource into a non-normal behavioral mode
• This is given as a set of conditional probabilities
– If the attack succeeded on a resource of this type then the
likelihood that the resource is in mode-x is P
– This now forms a three tiered Bayesian network
Host1
Hasvulerability
Buffer-Overflow
Enables
Overflow-Attack
Resource-type
Unix-Family
Causes
.5
Normal
.7
Slow
Three Tiered Model
What the diagnostic process tells us
• All non-conflicting combination of models are possible
diagnoses
• The posterior probabilities tell you how likely each
diagnosis is.
• This guides recovery processing
• Each mode of each resource has a posterior probability
• This guides resource selection in the future
• The attack models couple the resource models, given a
system wide view.
• This informs the trust model
• This couples to long-term monitoring, that looks for
complex multi-stage attacks
Computational Vulnerability Analysis
• Grounding the attack model in systematic analysis
• Ontology of:
–
–
–
–
System Properties
System Types
System Structure
Control and Dependencies
Generating Attack Models
Through Vulnerability Analysis
• The problem: Where does the attack model and its
links to behavioral modes come from?
– So far, by hand crafting
• Vulnerability Analysis supplants this by a
systematic analysis:
– Forming an ontology of how computer systems are
structured
– Building models of the environment
• Network topology: nodes, routers, switches, filter, firewalls
• System types: hardware, operating systems
• Server and user suites: Which servers and users run where
– Analyzing how properties depend on resources
– Analyzing the vulnerabilities of the resources
Modeling System Structure
File
System
Operating
System
Hardware
Processor
Memory
Part-of
Part-of
Access
Controller
Logon
Controller
Job
Admitter
Device
Controllers
Scheduler
controls
Devices
Resides-In
controls
Device
Drivers
files
Part-of
resources
controls
User
Set
Input-to
controls
Input-to
Work
Load
Scheduler
Policy
Modeling the topology
Machine name: sleepy
OS Type: Windows-NT
Server Suite: IIS…..
User Authentication Pool: Dwarfs…
Switch:
subnet restrictions. ….
Switch:
subnet restrictions. ….
Router:
Enclave restrictions. ….
Topology tells you:
who can share (and sniff) which packets
who can affect what types of connections to whom
Modeling Dependencies
• Start with the desirable properties of systems:
– Reliable performance
– Privacy of communications
– Integrity and/or privacy of data
• Analyze which system components impact those
properties
– Performance - scheduler
– Privacy - access-controller
• To affect a desirable property control a component
that contributes to the delivery of that property
Controlling components (1)
• One way to gain control of a component is to
directly exploit a known vulnerability
– One way to control a Microsoft IIS web server is to use
a buffer overflow attack on it.
IIS Web Server
Is vulnerable to
Buffer-Overflow
Attack
IIS Web Server
Process
Takes control of
Buffer-Overflow
Attack
Controlling components (2)
• Another way to control a component is to find an
input to the component and then find a way to
modify the input
– Modify the scheduler policy parameters
Scheduler
Scheduler
Input to
control by
Scheduler
Policy
Parameters
Modificationaction
Scheduler
Policy
Parameters
Controlling components (3)
• Another way to control a component is to find one
of its components and then to find a way to gain
control the sub-component
Job-Admitter
Job-Admitter
Component-of
control by
User Job
Admitter
Controlaction
User Job
Admitter
Modifying Inputs (1)
• One way to modify an input is to find a
component which controls the input and then to
find a way to gain control component
Scheduler
Scheduler
Input-of
control by
Workload
Controls
Controls
Job Admitter
Controls
Job Admitter
Attack.
Workload
Modifying Inputs (2)
• One way to modify an input is to find a
component of the input and then to find a way to
modify the component
Scheduler
Scheduler
Input-of
control by
Workload
Component
User Workload
User
Workload
Modify
Component
Workload
Attack.
Access Rights
• Each object specifies a set of capabilities required
for each operation on that object
– Capabilities are organized in an DAG
– This generalizes the access mechanisms of all OS’s.
• Each actor (user or process) possesses certain
capabilities.
• An actor can perform an action on an object only
if it possesses a capability at least as strong as that
required for the operation
– This is a generalization of the access mechanisms in all
current OS’s.
• An access pool is a set of machines that shares
resources, password & access right descriptions
The AI Lab Topology (partial)
Netchex
Server
Switch
8thFloor-1
Server
Access
Pool
Kenmore
Maytag
Router Netchex
Filters out Telnet.
8thFloor-2
Dwarf
Access
Pool
Dopey
7thFloor-1
Sakharov
Doc
Life
Router
Access
pool
Lisp
Access
Pool
Wilson
Truman
Sleepy
Sneezy
General
Access
Pool
QuincyAdams
Jefferson
Creepy
Crawler
Obtaining Access (1)
• One way to gain access to an operation on an
object is to find a process with an adequate
capability and take control of the process
Typical User File
Typical User File
Required for
Read
To Read
User Read
Typical User Process
Posseses
Capability
User Read
Controlaction
Typical User
Process
Obtaining Access (2)
• Another way to gain access to an operation on an
object is to find a user with an adequate capability
and find a way to log in as that user and launch a
process with the user’s capabilities
Typical User File
Typical User File
Required for
Read
To Read
User Read
Typical User
Posseses
Capability
User Read
Logon as
Typical User
Launches
User
Process
Logging On
• Logging on requires obtaining knowledge of a
password
• To gain knowledge of a password
– Guess it, using guessing attacks
– Sniff it
• By placing a parasitic virus on the user’s machine
• By monitoring network traffic
– Hack the password file
Monitoring and Changing Network Traffic
• Network are broken down into subnet segments
• Segments are connected by Routers
– Routers can monitor traffic on any connected segment
• Each segment may be:
– Shared media
• Coaxial ethernet
• Wireless ethernet
• Any connected computer can monitor traffic
– Switched media
• 10 (100, 100) base-T
• Only the switch (or reflected ports) can monitor Traffic
• Switches and Routers are computers
– They can be controlled
– But they may be members of special access pools
• To gain knowledge of some information gain the
ability to monitor network traffic
Residences
• Components reside in several places
– Main memory
– Boot files
– Paging Files
• They migrate between residences
– Through local peripheral controllers
– Through networks
• To modify/observe a component find a residence
of the component and modify/observe it in the
residence
• To modify/observe a component find a migration
path and modify/observe it during the
transmission
Formats and Transformations
• Components live in several different formats
– Source code
– Compiled binary code
– Linked executable images
• Processes transform one format into another
– Compilation
– Linking
• To modify a component change an upstream
format and cause the transformations to happen
• To modify a component gain control of the
processes that perform the transformations
Modification during Transmission
• To control traffic on a network segment launch a
“man in the middle attack”
– Get control of a machine, redirect traffic to it
• To observe network traffic get control of a
switch/router and a user machine and then reflect
traffic to the user machine
• To modify network traffic launch an “inserted
packet” packet.
– Get control of a machine
– Send a packet from the controlled machine with the
correct serial number but wrong data before the sender
sends the real packet
An Example
• Affecting reliable performance:
– Control the scheduler • The scheduler is a component that impacts performance
– By modifying the scheduler’s policy parameters
• The policy parameters are inputs to the scheduler
– By gaining root access
• The policy parameters require root access for writing
– By using a buffer overflow attack on the web-server
• The web-server process possesses root capabilities
• The web-server process is vulnerable to a buffer-overflow
attack.
• For this attack to impact the performance all the
actions must succeed
– Each has an a priori probability based on its inherent
difficulty and current evidence suggesting that it
occurred.
Affecting Data Privacy (1)
Affecting Data Privacy (2)
Affecting Data Privacy (3)
Affecting Performance (1)
Affecting Performance (2)
Using Attack Scenarios
• This information is captured in an Object-Oriented
knowledge representation and rule-base system
that reasons with it.
• The inference process develops multi-stage attack
scenarios
• The scenarios are transformed into trend templates
for recognition purpose
• The scenarios are transformed into Bayesian
network fragment for diagnostic purposes
Integration Opportunities
• Projects that provide self-monitoring capabilities
– We depend on self-monitoring
– We typical assume coarse-grain (e.g. method wrapping)
– Could use lower-level tools as well
• Projects that provide policy enforcement
– Attempted violations of policies should trigger
diagnostic activity
• Projects that provide recovery capabilities
• Participation in framework development