Group_9_slide

Transcript Group_9_slide

Taxonomies of Attacks and
Vulnerabilities in Computer Systems
Igure, V.M.; Williams, R.D.
IEEE Communications Surveys & Tutorials,
Volume: 10 Issue: 1 (2008)
R96725034 林昕彥
R96725036 陳政彥
Why do we need taxonomy?
• The main goal of these taxonomies is to organize information about known vulnerabilities or attacks, so that designers can use that information to build more secure systems or defense systems
• If the classification is based on the actual vulnerability exploited by the attack, the dimension of classification can be considered the cause of the flaw
• A taxonomy provides useful information for finding unknown vulnerabilities as well as for avoiding similar vulnerabilities in future designs
• Taxonomies also allow a classification of testing techniques based on the vulnerability the test is meant to discover; each test class discovers all the vulnerabilities that have similar characteristics
(Figure: Attack sophistication vs. intruder technical knowledge)
INTRODUCTION
Introduction
• Security assessment of a system is the process of determining
the system’s capability to resist attacks
• This process typically involves probing the system to detect
the presence of known vulnerabilities
– most attacks typically exploit known vulnerabilities
• This process is limited because it only searches for known
vulnerabilities
• Security assessment is an objective process only as long as it is
limited to searching for known weaknesses
• Probing a system to detect previously unidentified flaws is still
a very subjective process
Introduction
• Prior work has attempted to gain an understanding of the
characteristics and nature of known vulnerabilities to support
the prediction of vulnerabilities in new systems
• The first step in understanding vulnerabilities is to classify
them into a taxonomy based on their characteristics
– A taxonomy classifies the large number of vulnerabilities into a few
well defined and easily understood categories
– Such classification can serve as a guiding framework for performing a
systematic security assessment of a system
• This article provides a state-of-the-art survey of existing
security related taxonomies
• The survey covers papers published between 1974 and 2006
TAXONOMIES AND SECURITY
ASSESSMENT
Taxonomies and Security Assessment
• A taxonomy is formally defined as “the study of the general
principles of scientific classification”
• This classification is done according to the relationships
between the characteristics of the objects
• A good taxonomy also provides a common language for the
study of the field
Taxonomies and Security Assessment
• Taxonomies of vulnerabilities and attacks might be useful in the security assessment process
– can also be useful for system designers
– can also provide a way to explore unknown attacks
• Many taxonomies of attacks and vulnerabilities have been
published over the years, but there is still no standard or
universally accepted taxonomy
• Our primary interest is in the development and use of attack
and vulnerability taxonomies in the security assessment
process
ATTACK TAXONOMIES
Survey of attack taxonomies (table columns: Attacks; Goals; Dimension of taxonomy; Comments)
• Types of Computer Crimes (Perry & Wallich 1984)
– Goals: Listing main types of crimes
– Dimension: Two-dimensional matrix: crime vs. users committing the crime
– Comments: Common characteristic: source of attack
• Replay Attacks in Crypto-Protocols (Syverson 1994)
– Goals: "consider which detection, representation, or prevention mechanisms are appropriate for a replay attack"
– Dimension: Source of attack is the primary dimension of classification
– Comments: Common characteristic: source of attack
• Types of Misuse (Brinkley & Schell 1995)
– Goals: Listing of types of misuse; not intended to be a taxonomy
– Dimension: Two-level hierarchy; classes are not properly defined
– Comments: Provides overview of types of misuse
• IDS Attack Signatures (Kumar 1995)
– Goals: Classified attack signatures to develop a comprehensive database for an IDS
– Dimension: Based on manifestation of attacks in network traffic and logs
– Comments: Applied in IDS development
• Types of Misuse (Attacks) (Lindquist & Jonsson 1997)
– Goals: "Makes systematic study possible"; "useful for reporting incidents to response teams"; "included a grading of the severity"
– Dimension: Extended Neumann and Parker's taxonomy
– Comments: Discusses the usefulness of selecting a good dimension of classification
• Attacks Against Information Systems (Cohen 1997)
– Goals: "Putting all of the methods of attack into a classification scheme and co-locating them with each other so that knowledgeable experts can … consider… possible attacks"
– Dimension: No classification, just a long list of known attacks
– Comments: An exhaustive list of attacks is static and needs to be constantly updated to keep it relevant
• Attacks (Lough 2001)
– Goals: Develop a taxonomy of attacks in wireless networks
– Dimension: Distilled the classes discussed in prior work on taxonomies into four common categories
– Comments: The categories are similar to the basic security properties
• Attacks against Mobile Agents (Man, Wei 2001)
– Dimension: Hierarchical taxonomy: 1. Intention; 2. Number of attackers; 3. Read vs. non-read
– Comments: Classification is not based on characteristics of attack
• DoS Attacks in WSNs (Wood, Stankovic 2002)
– Goals: Highlight the various threats faced by WSNs
– Dimension: Attacks classified under the various network layers of the communication protocol
– Comments: Dimension is similar to location of flaws
• Sybil Attacks in WSNs (Newsome et al. 2004)
– Goals: "Used in the analysis of existing protection schemes … useful for research developments"; "To better understand the implications of the Sybil attack and how to defend against it"
– Dimension: Multidimensional: 1. Mode of communication; 2. Type of identity; 3. Simultaneity
– Comments: Underscores the need for a taxonomy to study a new field
• DoS Attacks (Hussain et al. 2003)
– Goals: "Provide the classification component of a realtime attack analysis to aid network administrators"
– Dimension: Source of attack: single source vs. multiple sources
– Comments: Taxonomy can be used to develop tools for realtime defense
• Web Attacks (Alvarez, Petrovic 2003)
– Goals: "Help designers … build more secure application … a useful reference framework for security application"
– Dimension: Multidimensional taxonomy based on a "Web attack life cycle"
– Comments: Common classification types: vulnerability; service; target
• Attacks: Defense centric (Killourhy et al. 2004)
– Goals: "Organizes attacks by virtue of the way they manifest as anomalies in sensor data"
– Dimension: Anomaly seen in sensor data; four categories
– Comments: Mostly relevant only in IDS; low-level categories
• DDoS Attack and Defense Mechanisms (Mirkovic, Reiher 2004)
– Goals: "Structure the DDoS field and facilitate a global view of the problem and solution space"
– Dimension: Eight characteristics of an attack; three characteristics of defenses
– Comments: Common characteristic: exploited weakness; impact on victim; type of victim
• Internet Attacks (Mostow, Bott 2000; Delooze 2004)
– Goals: Build an attack simulator; taxonomy was used in the simulator model
– Dimension: Effects of the attack
– Comments: Common characteristic: DoS, Deception, Reconnaissance, Unauthorized access
• Attacks in VANETS (Golle et al. 2004)
– Goals: Taxonomy was not the main aim
– Dimension: 1. Nature; 2. Target; 3. Scope; 4. Impact
– Comments: Common characteristic: nature of attack; impact on victim; scope; target
• Shellcode Attacks (Arce 2004)
– Goals: "Understanding these programs' technical capabilities and their connection to those who develop and use them"
– Dimension: Functional perspective: 1. Attack vector; 2. Exploitation technique; 3. Payload
– Comments: Multiple ways to trigger a vulnerability
• Attacks (Hansman, Hunt 2005)
– Goals: Develop a "pragmatic taxonomy that is useful to those dealing with attacks on a regular basis."
– Dimension: Four taxonomies based on: 1. Attack vector; 2. Attack target; 3. Vulnerability; 4. Payload
– Comments: For application-specific taxonomies, it might be possible to combine all these into one taxonomy
Types of Computer Crimes [17]
(Figure: the matrix of users vs. computer crimes; note that the six classes of users are not distinct)
• Two-dimensional matrix
• First dimension: Users
– Operators, programmers, data entry, internal users, outside users, and
intruders
• Second dimension: Computer crimes
– Physical destruction, information destruction, data diddling, theft of
services, browsing, and theft of information
Types of Computer Misuse [18]
• Level One:
– Theft of computer resources
– Disruption of computer resources
– Unauthorized disclosure of information
– Unauthorized modification of information
• Level Two:
– Human error
– User abuse of authority
– Direct probing
– Probing with malicious software
– Direct penetration
– Subversion of security mechanism
Information System Attacks [19]
• First attempts at developing a taxonomy to help the security
assessment process
– put all possible attacks under a single taxonomy
– could be used to predict future attacks in existing systems
• The biggest drawback of [19] is that it is not a classification
– It is merely a long list of all known attacks
• The article lists 94 different attacks on information systems
Computer Attack [24]
• In [24] Neumann identified 26 different kinds of computer attacks and classified them into nine categories:
– External
– Hardware misuse
– Masquerading
– Pest programs
– Bypasses
– Active misuse
– Passive misuse
– Inactive misuse
– Indirect misuse
• This can be considered a hierarchical taxonomy because it has two levels of classification
Classify Computer Security Intrusions [7]
• Lindquist and Jonsson’s taxonomy [7, 26] is a very good
example of one that is suitable for a security assessment
process
– the first to introduce the notion of dimension of classification
• they extended three of Neumann and Parker’s categories into
multiple subdivisions:
– Bypass of intended controls
– Active misuse of resources
– Passive misuse of resources
IDS Related Taxonomies
• Two main types of IDSs:
– Signature-based system
– Anomaly-based system
• The primary motivation for this classification was to provide a
defense-centric taxonomy to help network defenders
Signature-based system
• Every attack manifests itself as some kind of event or
sequence of events in a network
– These unique events are called the signatures of the attack
• Every known attack is given a signature based on its
characteristics
• Attack taxonomy can ensure that all known attacks are
represented in the database
Signature-based system
• In [27] Kumar presents a taxonomy of signatures to help build an effective IDS
– Attack signatures are classified into five categories:
• Existence
• Sequence
• Partial order
• Duration
• Interval
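The five signature classes above, as an added example that is not part of the original slides and not Kumar's own code: one small matcher per class, run over a constructed audit trail. The slides give only the class names, so the event fields, the five hypothetical rules, and the readings of "duration" (a state held for at least some time) and "interval" (a second event within a time bound after a first) are my assumptions.

```python
"""Added example (not from the slides or from Kumar's work): one matcher per
signature class, run over a constructed audit trail. Event fields, rules and
the exact reading of "duration" and "interval" are assumptions."""

# Constructed audit trail, ordered by time (seconds). Not from a real system.
TRAIL = [
    {"t": 0,  "type": "login_fail", "user": "alice", "src": "10.0.0.7"},
    {"t": 2,  "type": "login_fail", "user": "alice", "src": "10.0.0.7"},
    {"t": 3,  "type": "login_fail", "user": "alice", "src": "10.0.0.7"},
    {"t": 5,  "type": "login_ok",   "user": "alice", "src": "10.0.0.7"},
    {"t": 6,  "type": "setuid",     "user": "alice", "path": "/tmp/sh"},
    {"t": 7,  "type": "chmod",      "user": "alice", "path": "/tmp/sh", "mode": "4755"},
    {"t": 9,  "type": "exec",       "user": "bob",   "path": "/tmp/sh"},
    {"t": 10, "type": "open",       "user": "bob",   "path": "/etc/shadow", "fd": 4},
    {"t": 70, "type": "close",      "user": "bob",   "fd": 4},
]


def by(**attrs):
    """Predicate: the event carries every given attribute with the given value."""
    return lambda e: all(e.get(k) == v for k, v in attrs.items())


def existence(trail, pred):
    """Existence: a single event with the property is the whole signature."""
    return any(pred(e) for e in trail)


def sequence(trail, preds):
    """Sequence: preds[0], preds[1], ... must be matched by strictly later events."""
    i = 0
    for e in trail:
        if i < len(preds) and preds[i](e):
            i += 1
    return i == len(preds)


def partial_order(trail, before, after):
    """Partial order: every 'before' predicate is satisfied, in any order among
    themselves, by events that precede some event satisfying 'after'."""
    seen = [False] * len(before)
    for e in trail:
        if all(seen) and after(e):
            return True
        for k, p in enumerate(before):
            if not seen[k] and p(e):
                seen[k] = True
    return False


def duration(trail, start, end, key, min_seconds):
    """Duration: a state opened by a 'start' event and closed by the 'end' event
    with the same key lasts at least min_seconds. A state still open at the end
    of the trail is measured up to the last event."""
    opened = {}
    for e in trail:
        if start(e):
            opened[key(e)] = e["t"]
        elif end(e) and key(e) in opened:
            if e["t"] - opened.pop(key(e)) >= min_seconds:
                return True
    last = trail[-1]["t"] if trail else 0
    return any(last - t0 >= min_seconds for t0 in opened.values())


def interval(trail, first, second, lo, hi):
    """Interval: a 'second' event occurs between lo and hi seconds after a 'first' event."""
    starts = [e["t"] for e in trail if first(e)]
    return any(lo <= e["t"] - t0 <= hi for e in trail if second(e) for t0 in starts)


def run_signatures(trail=TRAIL):
    """Evaluate one hypothetical rule of each class; returns {rule name: matched}."""
    return {
        # existence: a setuid bit set on a file under /tmp
        "setuid_file_in_tmp": existence(
            trail, lambda e: e["type"] == "chmod"
            and e.get("mode", "").startswith("4") and e["path"].startswith("/tmp/")),
        # sequence: three failed logins followed by a success for the same user
        "bruteforce_then_login": sequence(
            trail, [by(type="login_fail", user="alice")] * 3 + [by(type="login_ok", user="alice")]),
        # partial order: setuid and chmod of /tmp/sh (either order) before another user executes it
        "setuid_shell_used_by_other": partial_order(
            trail, [by(type="setuid", path="/tmp/sh"), by(type="chmod", path="/tmp/sh")],
            lambda e: e["type"] == "exec" and e["path"] == "/tmp/sh" and e["user"] != "alice"),
        # duration: /etc/shadow kept open for 60 s or more (open/close paired by user and fd)
        "shadow_held_open": duration(
            trail, by(type="open", path="/etc/shadow"), by(type="close"),
            lambda e: (e["user"], e["fd"]), 60),
        # interval: a successful login within 10 s of a failed one
        "login_ok_soon_after_fail": interval(
            trail, by(type="login_fail"), by(type="login_ok"), 0, 10),
    }


if __name__ == "__main__":
    for rule, hit in run_signatures().items():
        print(f"{rule:28s} {'MATCH' if hit else '-'}")
```

Running it over the full trail matches all five rules; over only the first four events (the login attempts) just the sequence and interval rules match, which is the point of the classification: each class needs a different amount of state to evaluate, from none (existence) to timed, keyed state (duration).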
Anomaly-based system
• Looking for any network activity that deviates from the norm
• Killourhy et al. [28] developed a taxonomy of attacks based on their manifestation as anomalies in IDS sensor data
– Every attack manifests itself as one of:
• Foreign symbol
• Minimal foreign sequence
• Dormant sequence
• Non-anomalous sequence
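Three of the four manifestations above, as an added example that is not part of the original slides and not Killourhy et al.'s code: a normal database of short system-call subsequences built from constructed traces, a fixed-window detector over it, and a classifier that reports whether a constructed attack trace shows up as a foreign symbol, a minimal foreign sequence (and how long a window a detector needs to catch it), or a non-anomalous sequence. The traces are invented, and the definitions of "foreign symbol" and "minimal foreign sequence" are my reading of the terms; the slides do not define "dormant sequence", so it is not handled.

```python
"""Added example (not from the slides or from Killourhy et al.): a normal
database of short system-call subsequences, a fixed-window detector over it,
and a classifier reporting how a constructed attack trace manifests. The
definitions used are assumptions; "dormant sequence" is not handled."""

# Constructed normal traces of a hypothetical program (not real data).
NORMAL_TRACES = [
    "open read read close".split(),
    "open read write close".split(),
    "open write write close".split(),
    "stat open read close".split(),
    "socket connect write read close".split(),
]
MAX_LEN = 6  # longest subsequence kept in the normal database


def build_db(traces, max_len=MAX_LEN):
    """Alphabet of symbols seen in normal data, and the set of every contiguous
    subsequence of length 1..max_len that occurs in it."""
    alphabet, db = set(), set()
    for tr in traces:
        alphabet.update(tr)
        for n in range(1, max_len + 1):
            for i in range(len(tr) - n + 1):
                db.add(tuple(tr[i:i + n]))
    return alphabet, db


def stide_alarm(trace, db, window):
    """Fixed-window detector: alarm if any window-length subsequence of the
    trace is absent from the normal database."""
    return any(tuple(trace[i:i + window]) not in db
               for i in range(len(trace) - window + 1))


def classify(trace, alphabet, db, max_len=MAX_LEN):
    """Report how the trace manifests against the normal data:
    - foreign symbol: a symbol never seen in normal data
    - minimal foreign sequence: a subsequence absent from normal data whose
      proper subsequences are all present; its length is the smallest window
      a detector needs in order to raise an alarm
    - non-anomalous sequence: every subsequence up to max_len is normal, so a
      sequence detector with window <= max_len cannot see the attack"""
    unknown = [s for s in trace if s not in alphabet]
    if unknown:
        return {"manifestation": "foreign symbol", "evidence": unknown[0]}
    for n in range(2, max_len + 1):            # shortest foreign subsequence first
        for i in range(len(trace) - n + 1):
            seq = tuple(trace[i:i + n])
            if seq not in db:
                # shortest foreign length => its proper subsequences are normal, i.e. minimal
                assert seq[1:] in db and seq[:-1] in db
                return {"manifestation": "minimal foreign sequence",
                        "evidence": seq, "window_needed": n}
    return {"manifestation": "non-anomalous sequence", "evidence": None}


# Constructed test traces; the label says what each is meant to show.
ATTACKS = {
    "unseen call":    "open read read mmap close".split(),
    "new 3-sequence": "open read write write close".split(),
    "new 4-sequence": "stat open read read close".split(),
    "looks normal":   "open read close".split(),
}


def analyze(traces=ATTACKS, normal=NORMAL_TRACES):
    """Classify every test trace against the normal database."""
    alphabet, db = build_db(normal)
    return {name: classify(tr, alphabet, db) for name, tr in traces.items()}


if __name__ == "__main__":
    alphabet, db = build_db(NORMAL_TRACES)
    for name, tr in ATTACKS.items():
        r = classify(tr, alphabet, db)
        print(f"{name:15s} {r['manifestation']:26s} evidence={r['evidence']}  "
              f"alarm@w3={stide_alarm(tr, db, 3)} alarm@w4={stide_alarm(tr, db, 4)}")
```

The "new 4-sequence" trace is the case the taxonomy is meant to expose: every 3-call window in it is normal, so a window-3 detector stays silent, while a window-4 detector alarms. The "looks normal" trace is invisible to any window length up to MAX_LEN, which is what a non-anomalous manifestation means for this kind of sensor.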
DoS Attack Related Taxonomies
• An attacker can carry out a successful DoS attack without penetrating the target network
• In [29] Neumann lists three types of DoS attacks based on the source of the attack:
– attacks that require no network penetration and can be carried out remotely over the Internet
– attacks in which the attacker exploits some known vulnerability to penetrate the network and then carries out resource exhaustion attacks
– distributed DoS (DDoS) attacks, in which attackers penetrate or compromise many third-party computers and use them to launch a DoS attack against the target network
DoS Attack Related Taxonomies
• Mirkovic and Reiher [8] intended to build a taxonomy that
would provide a complete overview of the field of DDoS
attacks and defenses
• Each attack has multiple characteristics, and Mirkovic and
Reiher classify attacks along multiple dimensions
– This classification is not mutually exclusive
• Eight dimensions:
– Degree of automation
– Exploited weakness
– Source address validity
– Attack rate dynamics
– Possibility of characterization (based on packet content)
– Persistence of agent set
– Victim type
– Impact on the victim
DoS Attack Related Taxonomies
• In [35] Campbell uses a novel dance metaphor to characterize
DoS attacks
– He characterizes a DoS attacker as a third person interrupting two
dancing partners
• He groups all DoS attacks under four classes that represent the attacker's strategy for success:
– Partner -> spoofing
– Flood -> flooding
– Trip -> shutting down
– Intervene -> interception
Web Attack Taxonomies
• Alvarez and Petrovic [34] analyzed and classified Web attacks; their goal was to extract useful information for application developers to build more secure systems
Specialized Attack Taxonomies
• There are many attack taxonomies that cover only certain
specific applications
• Man and Wei [42] developed a taxonomy of attacks against
mobile agents
– The goal of the work was to understand all possible attacks against
mobile agents and then use this understanding to develop appropriate
protection mechanisms
• The first level of classification in [42] divides attacks into two categories based on the intentions of the attack
– The taxonomy is hierarchical, and this characteristic is useful for security assessment
Taxonomies for Security Assessment
• Lough presents an exhaustive survey of computer attack and
vulnerability taxonomies in [15]
• Classifies all attacks under four categories:
– Incorrect validation
– Incorrect exposure
– Incorrect randomness
– Incorrect deallocation
• This classification is made on the cause of attack dimension
• Lough’s taxonomy is not application-specific
Taxonomies for Security Assessment
• In [25] Hansman and Hunt aim to develop a “pragmatic
taxonomy that is useful to those dealing with attacks on a
regular basis.”
• They conclude that it is difficult to develop an effective tree-structure taxonomy of attacks
• Four dimensions:
– Attack vector
– Attack target
– Vulnerabilities and exploits
– Attacks with payloads
• If the taxonomy were application-specific instead of trying to
incorporate all possible kinds of attacks, it might not be very
difficult to develop a single tree-structure taxonomy of attacks
VULNERABILITY TAXONOMIES
Vulnerability Taxonomy
• One of the earliest works on this topic was done by McPhee.
• McPhee’s paper was published in 1974, and since then there has been
much research done on computer security.
• McPhee lists seven classes of integrity flaws in operating systems:
System data in user area
Non-unique identification of system resource
System violation of storage protection
User data passed as system data
User-supplied address of protected control blocks
Concurrent use of serial resources
Uncontrolled sensitive system resource
Vulnerability Taxonomy
• Attanasio et al. described the methodology and results of penetration testing experiments.
• The penetration analysts had three goals:
  To obtain information to which they were not entitled
  To launch a DoS attack by exhausting resources
  To obtain resources while bypassing the accountability mechanisms
• The paper does not provide a taxonomy, as that was not their goal, but it makes the important contribution of listing operating system characteristics that are likely to have flaws.
Vulnerability Taxonomy
• After the penetration testing experiment, Attanasio et al. listed 16 OS features that are likely to have flaws:
  Implicit or explicit resource sharing mechanisms
  Man-machine interfaces administered by the OS
  Configuration management problem
  Add-on features
  Design modifications and design extensions
  Parameter checking
  Control of security descriptors
  Error handling
  Side effects
  Parallelism
  Access to microprogramming
  Complex interfaces
  Duplication of function
  Limits and prohibitions
  Access to residual information
  Violation of design principles
TAXONOMY OF SOFTWARE
PROGRAM FLAWS
Taxonomy of Software Program Flaws
• The Research in Secured Operating Systems (RISOS)
project and the Protection Analysis (PA) project were
two of the earliest efforts at producing taxonomies of
vulnerabilities in computer software.
• Both of the projects examined the vulnerabilities in
different operating systems.
Taxonomy of Software Program Flaws
• The seven classes of vulnerabilities in the RISOS project were:
  Incomplete parameter validation
  Inconsistent parameter validation
  Implicit sharing of privileged/confidential data
  Asynchronous validation or inadequate serialization
  Inadequate identification, authentication, or authorization
  Violable prohibition or limit
  Exploitable logic error
Taxonomy of Software Program Flaws
• The ten classes from the PA project were:
Consistency of data over time
Validation of operands
Validation of residuals
Validation of naming
Validation of domain
Serialization
Interrupted atomic operations
Exposed misrepresentations
Queue management dependencies
Critical operator selection error
Taxonomy of Software Program Flaws
• The categories of both the RISOS and PA
classifications indicate that the dimension of
classification was by operations.
• This means that the categories represent operations
of the OS which can be misused to cause attacks.
• The RISOS and PA categories would be greatly
beneficial in a larger taxonomy.
Taxonomy of Software Program Flaws
• Bishop analyzed the RISOS and PA taxonomies, and showed
that these classes could be mapped onto each other.
• Bishop classified each vulnerability along six axes:
Nature of the flaw
Time of introduction
Exploitation domain of the vulnerability
The effect domain
The minimum number of components needed to exploit the
vulnerability
The source of the identification of the vulnerability
Taxonomy of Software Program Flaws
• After the PA project, the most influential work on
taxonomies of flaws was done by Landwehr et al.
• They did not limit their taxonomy to operating
systems but provided a more general taxonomy of
flaws in computer programs.
• They classified their flaws in three different
dimensions:
– Genesis
– Time of introduction
– Location
Taxonomy of Software Program Flaws
• Jiwnani et al. used Landwehr’s taxonomy to aid security
testing.
• They adapted Landwehr's three dimensions to build a matrix relating the cause of a vulnerability to the other dimensions.
• To be effective, the taxonomy must be used in conjunction
with all the dimensions of the classification.
• The assessment process can be more systematic if these
dimensions are arranged hierarchically.
Taxonomy of Software Program Flaws
• All the work we have seen so far classified attacks or
vulnerabilities based on some inherent characteristic of the
attack or vulnerability itself.
• Krsul departed from this norm.
• He developed a taxonomy based on the observation that most
of the vulnerabilities were introduced into programs because
of mistaken assumptions by the programmer.
• He classified flaws according to the assumption that led to
their introduction into the software.
Taxonomy of Software Program Flaws
• Aslam focused only on the UNIX operating system.
• Aslam’s taxonomy is hierarchical, and the first level
had three main categories:
– Configuration flaws
– Environment flaws
– Coding flaws
• The dimension of classification for these three classes
is the cause of the flaw.
Taxonomy of Software Program Flaws
• Du and Mathur described each flaw with multiple attributes.
They classify flaws along three axes:
– Cause
– Impact
– Fix
• Landwehr’s original genesis class had two main subclasses:
intentional and inadvertent flaws.
• Du and Mathur ignore the intentional flaws. Instead, they
focused on the inadvertent flaws in the software.
• Since the taxonomy provides details about the flaws, it could
be effective in a security assessment process.
Taxonomy of Software Program Flaws
• Kamara et al. successfully use Du and Mathur’s taxonomy for analyzing
vulnerabilities in Internet firewalls.
• They break down a firewall into its constituent components, and its
operations and data flow.
• They analyze some of the well-known firewall vulnerabilities, and map
them to both Du and Mathur’s taxonomy and the specific operations and
parts of the firewalls.
• The result is a matrix that identifies which operations and parts of a
firewall are likely to produce flaws.
• This is very useful in future security assessments of other firewalls as well
as in preventing the same kinds of flaws in new products.
Taxonomy of Software Program Flaws
• Gray’s aim was to develop a taxonomy of
vulnerabilities that would be useful to people
in various positions in a software development
organization.
• Gray combined the work of Landwehr, Bishop,
and Wang into an extended and multiperspective taxonomy.
Taxonomy of Software Program Flaws
• The taxonomy had ten classes of program flaws:
Genesis
Time of introduction
Location
Execution environment
Quality impact
Method of discovery
Threat and exploitation scenarios
Monitoring and exploitation scenarios
Limitation and remediation scenarios
Elimination methods
Taxonomy of Software Program Flaws
• Gray’s approach of combining all the perspectives within one
taxonomy is not very efficient.
• Gray does not offer any subclasses for any of these classes.
• Such a single-level taxonomy does not provide adequate
information about the flaws.
• This ineffectiveness shows that taxonomies are most useful
when they are developed for a particular application from a
specific perspective.
Taxonomy of Software Program Flaws
• Tsipenyuk et al. seek to simplify the existing
software vulnerabilities taxonomies.
• They claim that most of the existing
taxonomies are too complex.
Taxonomy of Software Program Flaws
• In order to help software developers and security practitioners, they group all software security flaws under eight classes:
  Input validation and representation
  API abuse
  Security features
  Time and state
  Errors
  Code quality
  Encapsulation
  Environment
Taxonomy of Software Program Flaws
• Yu et al. provide a framework for analyzing
the security of Web software service.
• The unique contribution is that they relate all
the attacks with the software vulnerabilities
each attack exploits.
Taxonomy of Software Program Flaws
• Yongzheng and Xiochen develop a taxonomy of vulnerabilities to aid the
security risk assessment process.
• They base it on the concepts of "privilege sets" and "privilege escalation."
• A vulnerability can be viewed as a feature that gives additional privileges
to the attacker.
• The paper ranks the privilege sets of nine user classes, ranging from
common user to root.
• The paper provides a ranking of the impacts of each privilege level, with
the root level causing the greatest damage and the user level causing the
least.
Taxonomy of Software Program Flaws
• Wang's work also explored the link between a flaw and the risk posed by that flaw.
• A flaw that can be exploited in multiple ways can be considered more risky than one that can be exploited in only one way.
Taxonomy of Software Program Flaws
• Alhazmi et al. test the efficacy of vulnerability
discovery models to predict the number of
vulnerabilities in a software product.
• Having a target number of vulnerabilities could help
the security analyst, but traditional taxonomy–based
classifications would have to be used to find the
actual vulnerabilities.
NETWORK VULNERABILITY
TAXONOMIES
Network Vulnerability Taxonomies
• Ristenbatt describes a methodology named Network Communications Vulnerability Assessment (NCVA), which was developed to perform network vulnerability assessment.
• The first taxonomy classified the various types of networks according to their design.
Network Vulnerability Taxonomies
• The objective of this taxonomy was to provide the analyst
with a high-level overview of the network. The top-level
categories were:
The transfer strategy
The network transfer control method
The transfer link structure
Link access method or protocol
System topology architecture
Network Vulnerability Taxonomies
• The second taxonomy outlined the typical network
susceptibilities.
• He defines susceptibilities as system features that might be
targeted by attackers. Susceptibilities are potential
vulnerabilities.
• The network susceptibilities taxonomy has five classes:
Topology
Physical layer
Data link layer
Network layer
Management and control
Network Vulnerability Taxonomies
• Jayaram and Morse provide a taxonomy of security threats
to networks. Their taxonomy has five categories:
Physical threats
System weak spots
Malign problems
Access rights
Communication-based threats
Network Vulnerability Taxonomies
• A more elaborate taxonomy of threats to networks is provided
by Welch and Lathrop.
• The taxonomy was developed to build a security architecture
for a wireless network.
• The taxonomy is hierarchical and provides a systematic approach for analyzing all the security threats faced by a network.
• They begin by considering threats to each of the basic security
properties: confidentiality and integrity.
Network Vulnerability Taxonomies
• The taxonomy lists seven attacks that pose a threat to
security properties:
Traffic analysis
Passive eavesdropping
Active eavesdropping
Unauthorized access
Man-in-the-middle
Session hijacking
Replay attacks
Network Vulnerability Taxonomies
• Pothamsetty and Akyol made an effort at producing a taxonomy of
network protocol vulnerabilities.
• Their main goal was to organize information about known vulnerabilities.
• They classify the vulnerabilities into seven categories:
Clear text communication
Non-robust protocol message parsing
Insecure protocol state handling
Inability to handle abnormal packet rates
Replay and reuse
Protocol field authentication
Entropy problems
PROPERTIES OF A TAXONOMY FOR SECURITY
ASSESSMENT
Properties of a Taxonomy for Security Assessment
• The goal is to identify a set of characteristics for a very specific taxonomy: one that can be used effectively in a security assessment process.
• The taxonomy must be tailored to the viewpoint of an assessment professional. It should also help make the process as objective as possible.
• The basic properties of such a taxonomy would be:
– Application- or system-specific taxonomy
– Taxonomy must be layered or hierarchical
– First level of classification: attack impact
– Second level of classification: system-specific attack types
– Third level of classification: system components (attack targets)
– Fourth level of classification: system features (source of vulnerability)
– Classes need not be mutually exclusive
Properties of a Taxonomy for Security Assessment
• The efficacy of a security assessment process should be
measured by its objectivity and vulnerability coverage.
• A process with good vulnerability coverage explores all
relevant system features that are likely to have vulnerabilities.
• Although there are no metrics for measuring objectivity and
vulnerability coverage, we believe that a taxonomy with the
above properties greatly aids a security assessment process.
Conclusion
• This article presents a survey of all taxonomies
related to computer and network security.
• The survey analyzes existing work on security taxonomies and assesses their usefulness in terms of security assessment.
• The analysis helps identify specific properties of
taxonomies that aid security assessment.