This presentation summarises a quantitative approach to evaluating operational security. It introduces a framework using privilege graphs and attack state graphs to model security vulnerabilities quantitatively. The study proposes the Mean Effort To security Failure (METF) metric, analogous to mean time to failure in software reliability, to give the security of a system a figure that is easy to comprehend. An extensive experiment involving several hundred workstations and about 700 users applied the methodology daily over 674 days. Results indicate that while the rates assigned to vulnerabilities are essential to the measure, their assignment remains subjective, underscoring the need for continued research in security evaluation.
Quantitative Evaluation for Operational Security - an Experiment
[Ortalo et al., IEEE Transactions on Software Engineering, Sept/Oct 1999]
Group Meeting, Mar 7, 2000
H.W. Chan, CSE Dept., CUHK
Outline
• Introduction
• The approach: privilege graphs, attack state graphs, mathematical model
• The experiment: setup and results
• Discussion
Introduction
• System security has usually been discussed in terms of security requirements and policy
  • this requires the cooperation of all users
  • it is difficult for ordinary users to comprehend
• A quantitative measure of system security is easier to comprehend
  • a figure representing the 'degree of security' of the system can be useful
Quantifying security
• Borrowing from software reliability theory:
  • In reliability, a piece of software fails after some time of usage; the Mean Time To Failure quantifies the reliability of the software
  • Similarly, in security, a system is breached after some effort of attack; the Mean Effort To Breach can quantify the security of the system
The Approach
• Privilege graph:
  • node: a set of privileges owned by a user or a set of users (e.g., a group in Unix)
  • arc: a vulnerability that lets a user owning one privilege obtain another; an arc X → Y means there is a method allowing a user owning privilege X to obtain privilege Y
Examples of vulnerabilities
• Privilege subsets directly issued from the protection scheme
• Direct security flaws, e.g., Trojan horse
• System features exploited for attack: .rhosts, .xinitrc, setuid programs
Privilege graph - example
[Figure: privilege graph with nodes insider, A, B, F, P and X (admin); arcs labelled 1 to 7 according to the key below, each arc X → Y reading as:]
Key
1: Y's .rhosts is writable by X
2: X can guess Y's password
3: X can modify Y's .tcshrc
4: X is a member of Y
5: Y uses a program managed by X
6: X can modify a setuid program owned by Y
7: X is in Y's .rhosts
Quantifying vulnerabilities
• Each arc in the privilege graph is assigned a weight that quantifies the effort required to exploit the vulnerability
• Different factors should be considered, e.g., expertise, time and equipment
• No good method to do this yet!
Attacker behavior
• In an attack, an attacker begins with some minimal privileges and wants to obtain some protected privileges
• In a privilege graph, a path from the attacker node to the target node describes the progress of the attack [figure: path attacker → ... → target]
• There can be more than one path from the attacker node to the target node
  • assumption: the attacker does not know the shortest path
• Two assumptions for attacker behavior:
  • Total memory (TM): at any stage of the attack, all attacks possible from any privilege already acquired are considered
  • Memoryless (ML): at each newly visited node, only attacks possible from that node are considered
Attack state graph (ML)
[Figure: attack state graph under the ML assumption; each state is labelled by the set of privileges acquired so far: I, FI, IP, FIX, AIP, BFIX, AFIX, BFIPX, ABFIPX]
Attack state graph (TM)
[Figure: attack state graph under the TM assumption; same states as above plus FIP and AFIP, since the attacker may also use arcs leaving privileges acquired earlier]
Mathematical Model
• Assume a Markov model:
  • the probability that an attack succeeds before an amount of effort $e$ is spent is $P(e) = 1 - e^{-\lambda e}$
  • $\lambda$ is the rate of the attack, and is assigned as the weight of the vulnerability
  • thus the mean effort to succeed is $1/\lambda$
• Mean effort spent in state $j$ of the attack state graph: $E_j = 1 \big/ \sum_{i \in out(j)} \lambda_{ji}$, where $\lambda_{ji}$ is the rate of the transition from state $j$ to state $i$
• Mean Effort To security Failure (METF) from state $k$ to the target: $METF_k = E_k + \sum_{i \in out(k)} \lambda_{ki} E_k \, METF_i$, with $METF_i = 0$ for every state $i$ in which the target privilege is already held
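As an added worked example (not code from the paper or from these slides), the following Python builds a small constructed privilege graph, expands it into attack state graphs under the ML and TM assumptions, and evaluates the METF recursion above with exact rational arithmetic. The graph, its node names, the rate level chosen for each arc, and the rule that an ML attacker never steps into a dead end from which the target can no longer be reached are all assumptions made here for illustration; the slides do not state that rule.

```python
"""Added example (not code from Ortalo et al. or from these slides): a small
privilege graph, its attack state graph under the memoryless (ML) and
total-memory (TM) attacker assumptions, and METF computed with the slides'
Markov formulas. Exact rational arithmetic keeps the numbers auditable."""
from fractions import Fraction

# Constructed privilege graph (not the figure from the slides). One arc per
# vulnerability: (from_privilege, to_privilege, rate, description). Rates use
# the four levels of the experiment (10^-1 .. 10^-4); which level each arc
# gets is an illustrative assumption. F is a deliberate dead end.
ARCS = [
    ("insider", "A",     Fraction(1, 10),    "A's .rhosts is writable by insider"),
    ("insider", "B",     Fraction(1, 100),   "insider can guess B's password"),
    ("insider", "F",     Fraction(1, 10),    "F's .tcshrc is writable by insider (dead end)"),
    ("A",       "B",     Fraction(1, 10),    "A can modify B's .tcshrc"),
    ("A",       "admin", Fraction(1, 10000), "A can modify a setuid program owned by admin"),
    ("B",       "admin", Fraction(1, 1000),  "admin uses a program managed by B"),
]
ATTACKER, TARGET = "insider", "admin"

def out_arcs(node):
    """(to_privilege, rate) for every vulnerability exploitable from `node`."""
    return [(y, rate) for x, y, rate, _ in ARCS if x == node]

# ML state: (acquired privileges, most recently acquired privilege).
# TM state: acquired privileges only.
ML_START = (frozenset([ATTACKER]), ATTACKER)
TM_START = frozenset([ATTACKER])

def ml_can_reach_target(state):
    """True if some sequence of ML moves from `state` still reaches TARGET."""
    acquired, current = state
    if current == TARGET:
        return True
    return any(ml_can_reach_target((acquired | {y}, y))
               for y, _ in out_arcs(current) if y not in acquired)

def ml_successors(state):
    """Memoryless attacker: only arcs leaving the most recently acquired
    privilege compete. Moves into dead ends (target no longer reachable) are
    dropped so every non-target state keeps an exit; that pruning is an
    assumption made here, not a rule stated on the slides."""
    acquired, current = state
    succ = {}
    if TARGET in acquired:
        return succ                      # attack is over: absorbing state
    for y, rate in out_arcs(current):
        nxt = (acquired | {y}, y)
        if y not in acquired and ml_can_reach_target(nxt):
            succ[nxt] = succ.get(nxt, 0) + rate
    return succ

def tm_successors(state):
    """Total-memory attacker: every arc leaving any acquired privilege towards
    a not-yet-acquired one competes. Arcs landing in the same successor state
    have their rates summed (this sum is lambda_ki in the slides)."""
    succ = {}
    if TARGET in state:
        return succ
    for x in state:
        for y, rate in out_arcs(x):
            if y not in state:
                succ[state | {y}] = succ.get(state | {y}, 0) + rate
    return succ

def attack_states(successors, start):
    """Every state of the attack state graph reachable from `start`."""
    seen, todo = {start}, [start]
    while todo:
        for nxt in successors(todo.pop()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def metf(state, successors, memo=None):
    """METF_k = E_k + sum_i lambda_ki * E_k * METF_i with E_k = 1 / sum_i lambda_ki,
    and METF = 0 once TARGET is held. Acquired sets only grow, so the attack
    state graph is acyclic and the recursion terminates."""
    memo = {} if memo is None else memo
    acquired = state[0] if isinstance(state, tuple) else state
    if TARGET in acquired:
        return Fraction(0)
    if state not in memo:
        succ = successors(state)
        e_k = 1 / sum(succ.values())     # mean effort spent in this state
        memo[state] = e_k + sum(rate * e_k * metf(nxt, successors, memo)
                                for nxt, rate in succ.items())
    return memo[state]

def metf_memoryless():
    return metf(ML_START, ml_successors)

def metf_total_memory():
    return metf(TM_START, tm_successors)

if __name__ == "__main__":
    for name, succ, start in (("ML", ml_successors, ML_START),
                              ("TM", tm_successors, TM_START)):
        print(f"{name}: {len(attack_states(succ, start))} states, "
              f"METF = {float(metf(start, succ)):.2f} effort units")
```

Running it gives 7 states and METF ≈ 1017.26 under ML against 14 states and METF ≈ 925.77 under TM: the total-memory attacker, who keeps every acquired privilege in play, needs less mean effort. The detour into the dead end F inflates the TM state count but leaves its METF untouched, because the state reached after the detour has exactly the same exits as the state before it and the exponential race restarts afresh; under ML the same arc would strand the attacker, which is why the pruning assumption is needed there.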
The experiment
• Setup:
  • several hundred different workstations
  • 700 users sharing one global file system
  • privilege graphs, attack state graphs and METF computed every day from June 95 to Mar 97 (674 days)
  • vulnerabilities classified into four levels and given the rates 10^-1, 10^-2, 10^-3 and 10^-4
Results
[Figures not reproduced in this extraction]
Conclusion and discussion
• A preliminary investigation into the security evaluation of operational systems
• The assignment of rates to vulnerabilities is fairly arbitrary, yet it is key to the validity of the measurement