Click here to load reader

Taxonomies of Attacks and Vulnerabilities in Computer Systems

  • View
    20

  • Download
    0

Embed Size (px)

DESCRIPTION

Taxonomies of Attacks and Vulnerabilities in Computer Systems. Igure, V.M.; Williams, R.D. IEEE Communications Surveys & Tutorials, Volume: 10  Issue: 1 (2008). R96725034 林昕彥 R96725036 陳政彥. Why do we need taxonomy?. - PowerPoint PPT Presentation

Text of Taxonomies of Attacks and Vulnerabilities in Computer Systems

  • Taxonomies of Attacks and Vulnerabilities in Computer SystemsIgure, V.M.; Williams, R.D.

    IEEE Communications Surveys & Tutorials, Volume: 10 Issue: 1 (2008)R96725034 R96725036

  • Why do we need taxonomy?Their main goal was to organize information about known vulnerabilities or attacks, so that designers could use that information to build more secure systems or defense systemsIf the classification is based on the actual vulnerability exploited by the attack, the dimension of classification can be considered as the cause of flawThe taxonomy provides useful information to find unknown vulnerabilities as well as to avoid introducing similar vulnerabilities in future designs.They provide a classification of testing techniques based on the vulnerability the test is meant to discover. Each test class discovers all the vulnerabilities that have similar characteristics

  • Attack sophistication vs. intruder technical knowledge

  • INTRODUCTION

  • IntroductionSecurity assessment of a system is the process of determining the systems capability to resist attacksThis process typically involves probing the system to detect the presence of known vulnerabilities most attacks typically exploit known vulnerabilitiesThis process is limited because it only searches for known vulnerabilitiesSecurity assessment is an objective process only as long as it is limited to searching for known weaknessesProbing a system to detect previously unidentified flaws is still a very subjective process

  • IntroductionPrior work has attempted to gain an understanding of the characteristics and nature of known vulnerabilities to support the prediction of vulnerabilities in new systemsThe first step in understanding vulnerabilities is to classify them into a taxonomy based on their characteristicsA taxonomy classifies the large number of vulnerabilities into a few well defined and easily understood categoriesSuch classification can serve as a guiding framework for performing a systematic security assessment of a systemThis article provides a state-of-the-art survey of existing security related taxonomiesThe survey covers papers published between 1974 and 2006

  • TAXONOMIES AND SECURITY ASSESSMENT

  • Taxonomies and Security AssessmentA taxonomy is formally defined as the study of the general principles of scientific classificationThis classification is done according to the relationships between the characteristics of the objectsA good taxonomy also provides a common language for the study of the field

  • Taxonomies and Security Assessmenttaxonomies of vulnerabilities and attacks might be useful in the security assessment processcan also be useful for system designerscan also provide a way to explore unknown attacksMany taxonomies of attacks and vulnerabilities have been published over the years, but there is still no standard or universally accepted taxonomyOur primary interest is in the development and use of attack and vulnerability taxonomies in the security assessment process

  • ATTACK TAXONOMIES

  • AttacksGoalsDimension of taxonomyCommentsTypes of Computer Crimes (Perry & Wallich 1984)Listing main types of crimesTwo-dimensional matrix: crime vs. users committing the crimeCommon characteristics: source of attackReplay Attacks in Crypto-Protocols (Syverson 1994)consider which detection, representation, or preventionmechanisms are appropriate for a replayattackSource of attack is the primary dimensionof classificationCommon characteristic: source of attackTypes of Misuse (Brinkley& Schell 1995)Listing of types of misuse; Not intended to be a taxonomyTwo-level hierarchy; classes are notproperly definedProvides overview of types of misuseIDS Attack Signatures(Kumar 1995)Classified attack signatures to develop comprehensivedatabase for an IDSBased on manifestation of attacks innetwork traffic and logsApplied in IDS developmentTypes of Misuse(Attacks) (Lindquist &Jonsson 1997)Makes systematic study possible useful forreporting incidents to response teams included agrading of the severityExtended Neumann and Parkers taxonomyDiscuss usefulness of selecting agood dimension of classification

  • AttacksGoalsDimension of taxonomyCommentsAttacks AgainstInformation Systems(Cohen 1997)Putting all of the methods of attack into a classificationscheme and co-locating them with each other so that knowledgeable experts can consider possible attacksNo classification, just a long list ofknown attacksAn exhaustive list of attacks is static and needs to be constantlyupdated to keep it relevantAttacks (Lough 2001)Develop a taxonomy of attacks in wireless networksDistilled the classes discussed in priorwork on taxonomies into four common categoriesThe categories are similar to thebasic security propertiesAttacks against MobileAgents (Man, Wei 2001)Used in the analysis of existing protectionschemes useful for research developmentsHierarchical taxonomy:1. Intention2. Number of attackers3. Read vs. non-readClassification is not based oncharacteristics of attackDoS Attacks in WSNs(Wood, Stankovic 2002)Highlight the various threats faced by WSNsAttacks classified under the various networklayers of the communication protocolDimension is similar to locationof flawsSybil Attacks in WSNs(Newsome et al. 2004)To better understand the implications of the Sybilattack and how to defend against itMultidimensional:1. Mode of communication2. Type of identity3. SimultaneityUnderscores the need for a taxonomyto study a new field

  • AttacksGoalsDimension of taxonomyCommentsDoS Attacks (Hussain etal. 2003)Provide the classification component of a realtimeattack analysis to aid network administratorsSource of attack: single source vs. multiplesourcesTaxonomy can be used todevelop tools for real-timedefenseWeb Attacks (Alvarez,Petrovic 2003)Help designers build more secure application a useful reference framework for security applicationMultidimensional taxonomy based on aWeb attack life cycleCommon classification types:vulnerability; service; targetAttacks: Defense centric(Killourhy et al. 2004)Organizes attacks by virtue of the way they manifestas anomalies in sensor dataAnomaly seen in sensor data; four categoriesMostly relevant only in IDS; lowlevelcategoriesDDoS Attack andDefense Mechanisms(Mirkovic, Reiher 2004)Structure the DDoS field and facilitate a globalview of the problem and solution spaceEight characteristics of an attack; threecharacteristics of defensesCommon characteristic: exploitedweakness; impact on victim;type of victimInternet Attacks(Mostow, Bott 2000);(Delooze 2004)Build an attack simulator; Taxonomy was used inthe simulator modelEffects of the attackCommon characteristic: DoS,Deception, Reconnaissance,Unauthorized access

  • AttacksGoalsDimension of taxonomyCommentsAttacks in VANETS (Golleet al. 2004)Taxonomy was not the main aim1. Nature2. Target3. Scope4. ImpactCommon characteristic natureof attack; impact on victim;scope; target;Shellcode Attacks (Arce2004)Understanding these programs technical capabilitiesand their connection to those who developand use themFunctional perspective:1. Attack vector2. Exploitation technique3. PayloadMultiple ways to trigger a vulnerabilityAttacks (Hansman, Hunt 2005)Develop a pragmatic taxonomy that is useful tothose dealing with attacks on a regular basis.Four taxonomies based on:1. Attack vector2. Attack target3. Vulnerability4. PayloadFor application-specifictaxonomies, it might be possibleto combine all these intoone taxonomy

  • Types of Computer Crimes [17]Two-dimensional matrix of computer attacksFirst dimension: UsersOperators, programmers, data entry, internal users, outside users, and intrudersSecond dimension: Computer crimesPhysical destruction, information destruction, data diddling, theft of services, browsing, and theft of informationThe six classes of users are not distinct

  • Types of Computer Misuse [18]Level One:Theft of computer resourcesDisruption of computer resourcesUnauthorized disclosure of informationUnauthorized modification of informationLevel Two:Human errorUser abuse of authorityDirect probingProbing with malicious softwareDirect penetrationSubversion of security mechanism

  • Information System Attacks [19]First attempts at developing a taxonomy to help the security assessment processput all possible attacks under a single taxonomycould be used to predict future attacks in existing systemsThe biggest drawback of [19] is that it is not a classificationIt is merely a long list of all known attacksThe article lists 94 different attacks on information systems

  • Computer Attack [24]In [24] Neumann identified 26 different kinds of computer attacks and classified them into nine categories:ExternalHardware misuseMasqueradingPest programsBypassesActive misusePassive misuseInactive misuseIndirect misuseThis can be considered a hierarchical taxonomy because it has two levels of classification

  • Classify Computer Security Intrusions [7]Lindquist and Jonssons taxonomy [7, 26] is a very good example of one that is suitable for a security assessment processthe first to introduce the notion of dimension of classificationthey extended three of Neumann and Parkers categories into multiple subdivisions:Bypass of intended controlsActive misuse of resourcesPassive misuse of resources

  • IDS Related TaxonomiesTwo main types of IDSs:Signature-based systemAnomaly-based systemThe primary motivation for this classification was to provide a defense-centric taxonomy to help network defenders

  • Signature-based systemEvery attack manifests itself as some kind of event or sequence of events in a networkThese unique events are called the signatures of the attackEvery known attack is given a signature based on its characteristicsAttack taxonomy can ensure that all known attacks are represented in the database

  • Signature-based systemIn [27] Kumar presents a taxonomy signatures to help build an effective IDSAttack signatures are classified into five categories:ExistenceSequencePartial orderDurationInterval

  • Anomaly-based systemLooking for any network activity that deviates from the normKillourhy et al. [28] developed a taxonomy of attacks based on their manifestation as anomalies in IDS sensor dataEvery attack manifests itself either as a:Foreign symbolMinimal foreign sequenceDormant sequenceNon-anomalous sequence

  • DoS Attack Related TaxonomiesAttacker can carry out a successful attack without penetrating the target networkIn [29] Neumann lists three types of DoS attacks based on the source of the attackno network penetration and can be carried out remotely over the Internetattacker exploits some known vulnerability to penetrate the network and then carries out resource exhaustion attacksdistributed DoS (DDoS) attacks, attackers penetrate or compromise many third party computers and use them to launch a DoS attack against the target network

  • DoS Attack Related TaxonomiesMirkovic and Reiher [8] intended to build a taxonomy that would provide a complete overview of the field of DDoS attacks and defensesEach attack has multiple characteristics, and Mirkovic and Reiher classify attacks along multiple dimensionsThis classification is not mutually exclusiveEight dimensions:Degree of automationExploited weaknessSource address validityAttack rate dynamicsPossibility of characterization (based on packet content)Persistence of agent setVictim typeImpact on the victim

  • DoS Attack Related TaxonomiesIn [35] Campbell uses a novel dance metaphor to characterize DoS attacksHe characterizes a DoS attacker as a third person interrupting two dancing partnersHe groups all DoS attacks under four classes that represent the attackers strategy for success:Partner -> spoofingFlood -> floodingTrip -> shutting downIntervene -> interception

  • Web Attack TaxonomiesAlvarez and Petrovic [34] analyzed and classified Web attacks, their goal was to extract useful information for application developers to build more secure systems

  • Specialized Attack TaxonomiesThere are many attack taxonomies that cover only certain specific applicationsMan and Wei [42] developed a taxonomy of attacks against mobile agentsThe goal of the work was to understand all possible attacks against mobile agents and then use this understanding to develop appropriate protection mechanismsThe first level of classification in [42] divides attacks into two categories based on the intentions of the attackhierarchical, and this characteristic is useful for security assessment

  • Taxonomies for Security AssessmentLough presents an exhaustive survey of computer attack and vulnerability taxonomies in [15]Classifies all attacks under four categories:Incorrect validationIncorrect exposureIncorrect randomnessIncorrect deallocationThis classification is made on the cause of attack dimensionLoughs taxonomy is not application-specific

  • Taxonomies for Security AssessmentIn [25] Hansman and Hunt aim to develop a pragmatic taxonomy that is useful to those dealing with attacks on a regular basis.They conclude that it is difficult to develop an effective tree-structure taxonomy of attacksFour dimension:Attack vectorAttack targetVulnerabilities and exploitsAttacks with payloadsIf the taxonomy were application-specific instead of trying to incorporate all possible kinds of attacks, it might not be very difficult to develop a single tree-structure taxonomy of attacks

  • VULNERABILITY TAXONOMIES

  • Vulnerability TaxonomyOne of the earliest works on this topic was done by McPhee.

    McPhees paper was published in 1974, and since then there has been much research done on computer security.

    McPhee lists seven class of integrity flaws in operating systems:

    System data in user areaNon-unique identification of system resourceSystem violation of storage protectionUser data passed as system dataUser-supplied address of protected control blocksConcurrent use of serial resourcesUncontrolled sensitive system resource

  • Vulnerability TaxonomyAttanasio described the methodology and results of penetration testing experiments. The penetration analysts had three goals:

    The paper does not provide a taxonomy, as that was not their goal, but it makes the important contribution of listing operations system characteristics that are likely to have flaws.

    To obtain information to which they were not entitledTo launch a DoS attack by exhausting resourcesTo obtain resources bypassing the accountability mechanisms

  • Vulnerability TaxonomyAfter the penetration testing experiment, Attanasio et al. Listed 16 OS features that are likely to have flaws:

    Implicit or explicit resource sharing mechanismsMan-machine interfaces administered by the OSConfiguration management problem Add-on featuresDesign modifications and design extensionsParameter checkingControl of security descriptors

  • Vulnerability Taxonomy

    Error handlingSide effectsParallelismAccess to microprogrammingComplex interfacesDuplication of functionLimits and prohibitionsAccess to residual informationViolation of design principles

  • TAXONOMY OF SOFTWARE PROGRAM FLAWS

  • Taxonomy of Software Program FlawsThe Research in Secured Operating Systems (RISOS) project and the Protection Analysis (PA) project were two of the earliest efforts at producing taxonomies of vulnerabilities in computer software.

    Both of the projects examined the vulnerabilities in different operating systems.

  • Taxonomy of Software Program FlawsThe seven classes of vulnerabilities in the RISOS project were:

    Incomplete parameter validationInconsistent parameter validationImplicit sharing of privileged/confidential dataInadequate identificationAuthentication or authorizationAsynchronous validation or inadequate serializationViolable prohibition or limiting and exploitable logic error

  • Taxonomy of Software Program FlawsThe ten classes from the PA project were:

    Consistency of data over timeValidation of operandsValidation of residualsValidation of namingValidation of domainSerializationInterrupted atomic operationsExposed misrepresentationsQueue management dependenciesCritical operator selection error

  • Taxonomy of Software Program FlawsThe categories of both the RISOS and PA classifications indicate that the dimension of classification was by operations.

    This means that the categories represent operations of the OS which can be misused to cause attacks.

    The RISOS and PA categories would be greatly beneficial in a larger taxonomy.

  • Taxonomy of Software Program FlawsBishop analyzed the RISOS and PA taxonomies, and showed that these classes could be mapped onto each other.

    Bishop classified each vulnerability along six axes:

    Nature of the flawTime of introductionExploitation domain of the vulnerabilityThe effect domainThe minimum number of components needed to exploit the vulnerabilityThe source of the identification of the vulnerability

  • Taxonomy of Software Program FlawsAfter the PA project, the most influential work on taxonomies of flaws was done by Landwehr et al.

    They did not limit their taxonomy to operating systems but provided a more general taxonomy of flaws in computer programs.

    They classified their flaws in three different dimensions:GenesisTime of introductionlocation

  • Taxonomy of Software Program FlawsJiwnani et al. used Landwehrs taxonomy to aid security testing.

    They adapted Landwehrs three dimensions to build a matrix that related the cause of the vulnerability.

    To be effective, the taxonomy must be used in conjunction with all the dimensions of the classification.

    The assessment process can be more systematic if these dimensions are arranged hierarchically.

  • Taxonomy of Software Program FlawsAll the work we have seen so far classified attacks or vulnerabilities based on some inherent characteristic of the attack or vulnerability itself.

    Krsul departed from this norm.

    He developed a taxonomy based on the observation that most of the vulnerabilities were introduced into programs because of mistaken assumptions by the programmer.

    He classified flaws according to the assumption that led to their introduction into the software.

  • Taxonomy of Software Program FlawsAslam focused only on the UNIX operating system.

    Aslams taxonomy is hierarchical, and the first level had three main categories:Configuration flawsEnvironment flawsCoding flaws

    The dimension of classification for these three classes is the cause of the flaw.

  • Taxonomy of Software Program FlawsDu and Mathur described each flaw with multiple attributes. They classify flaws along three axes:Cause ImpactFix

    Landwehrs original genesis class had two main subclasses: intentional and inadvertent flaws.

    Du and Mathur ignore the intentional flaws. Instead, they focused on the inadvertent flaws in the software.

    Since the taxonomy provides details about the flaws, it could be effective in a security assessment process.

  • Taxonomy of Software Program FlawsKamara et al. successfully use Du and Mathurs taxonomy for analyzing vulnerabilities in Internet firewalls.

    They break down a firewall into its constituent components, and its operations and data flow.

    They analyze some of the well-known firewall vulnerabilities, and map them to both Du and Mathurs taxonomy and the specific operations and parts of the firewalls.

    The result is a matrix that identifies which operations and parts of a firewall are likely to produce flaws.

    This is very useful in future security assessments of other firewalls as well as in preventing the same kinds of flaws in new products.

  • Taxonomy of Software Program FlawsGrays aim was to develop a taxonomy of vulnerabilities that would be useful to people in various positions in a software development organization.

    Gray combined the work of Landwehr, Bishop, and Wang into an extended and multi-perspective taxonomy.

  • Taxonomy of Software Program FlawsThe taxonomy had ten classes of program flaws:

    GenesisTime of introductionLocationExecution environmentQuality impactMethod of discoveryThread and exploitation scenariosMonitoring and exploitation scenariosLimitation and remediation scenariosElimination methods

  • Taxonomy of Software Program FlawsGrays approach of combining all the perspectives within one taxonomy is not very efficient.

    Gray does not offer any subclasses for any of these classes.

    Such a single-level taxonomy does not provide adequate information about the flaws.

    This ineffectiveness shows that taxonomies are most useful when they are developed for a particular application from a specific perspective.

  • Taxonomy of Software Program FlawsTsipenyuk et al. seek to simplify the existing software vulnerabilities taxonomies.

    They claim that most of the existing taxonomies are too complex.

  • Taxonomy of Software Program FlawsIn order to help software developers and security practitioners, they group all software security flaws under eight classes:

    Input validation and representationAPI abuse security features time and stateErrorsCode qualityEncapsulationEnvironment

  • Taxonomy of Software Program FlawsYu et al. provide a framework for analyzing the security of Web software service.

    The unique contribution is that they relate all the attacks with the software vulnerabilities each attack exploits.

  • Taxonomy of Software Program FlawsYongzheng and Xiochen develop a taxonomy of vulnerabilities to aid the security risk assessment process.

    They base on the concept of privilege sets and privilege escalation.

    A vulnerability can be viewed as a feature that gives additional privileges to the attacker.

    The paper ranks the privilege sets of nine user classes, ranging from common user to root.

    The paper provides a ranking of the impacts of each privilege level, with the root level causing the greatest damage and the user level causing the least.

  • Taxonomy of Software Program FlawsWangs work also explored the link between a flaw and the risk posed by that flaw.

    A flaw that could be exploited in multiple ways can be considered more risky.Than one that can be exploited only in one way.

  • Taxonomy of Software Program FlawsAlhazmi et al. test the efficacy of vulnerability discovery models to predict the number of vulnerabilities in a software product.

    Having a target number of vulnerabilities could help the security analyst, but traditional taxonomybased classifications would have to be used to find the actual vulnerabilities.

  • NETWORK VULNERABILITY TAXONOMIES

  • Network Vulnerability TaxonomiesRistenbatt describes a methodology name Network Communications Vulnerability Assessment (NCVA)which was developed to perform network vulnerability assessment.

    The first taxonomy classified the various types of networks according to their design.

  • Network Vulnerability TaxonomiesThe objective of this taxonomy was to provide the analyst with a high-level overview of the network. The top-level categories were:

    The transfer strategyThe network transfer control methodThe transfer link structureLink access method or protocolSystem topology architecture

  • Network Vulnerability TaxonomiesThe second taxonomy outlined the typical network susceptibilities.

    He defines susceptibilities as system features that might be targeted by attackers. Susceptibilities are potential vulnerabilities.

    The network susceptibilities taxonomy has five classes:

    TopologyPhysical layerData link layerNetwork layerManagement and control

  • Network Vulnerability TaxonomiesJayaram and Morse provide a taxonomy of security threats to networks. Their taxonomy has five categories:

    Physical threatsSystem weak spotsMalign problemsAccess rightsCommunication-based threats

  • Network Vulnerability TaxonomiesA more elaborate taxonomy of threats to networks is provided by Welch and Lathrop.

    The taxonomy was developed to build a security architecture for a wireless network.

    The taxonomy is hierarchical and provides a systematic approach for analyzing al the security threats faced by a network.

    They begin by considering threats to each of the basic security properties: confidentiality and integrity.

  • Network Vulnerability TaxonomiesThe taxonomy lists seven attacks that pose a threat to security properties:

    Traffic analysisPassive eavesdroppingActive eavesdroppingUnauthorized accessMan-in-the-middleSession highjackingReplay attacks

  • Network Vulnerability TaxonomiesPothamsetty and Akyol made an effort at producing a taxonomy of network protocol vulnerabilities.

    Their main goal was to organize information about known vulnerabilities.

    They classify the vulnerabilities into seven categories:

    Clear text communicationNon-robust protocol message parsingInsecure protocol state handlingInability to handle abnormal packet ratesReplay and reuseProtocol field authenticationEntropy problems

  • PROPERTIES OF A TAXONOMY FOR SECURITY ASSESSMENT

  • Properties of a Taxonomy for Security AssessmentThe goal is to identify a set of characteristics for a very specific taxonomy: one that can be used effectively in a security assessment process.

    The taxonomy must be tailored to the viewpoint of an assessment professional. It should also help make the process as objective as possible.

    The basic properties of such a taxonomy would be:

    Application- or system-specific taxonomyTaxonomy must be layered or hierarchicalFirst level of classification attack impactSecond level of classification system-specific attack typesThird level of classification system components (attack targets)Fourth level of classification system features (source of vulnerability)Classes need not be mutually exclusive

  • Properties of a Taxonomy for Security AssessmentThe efficacy of a security assessment process should be measured by its objectivity and vulnerability coverage.

    A process with good vulnerability coverage explores all relevant system features that are likely to have vulnerabilities.

    Although there are no metrics for measuring objectivity and vulnerability coverage, we believe that a taxonomy with the above properties greatly aids a security assessment process.

  • ConclusionThis article presents a survey of all taxonomies related to computer and network security.

    The survey analyzes existing work on security taxonomies and assess their usefulness in terms of security assessment.

    The analysis helps identify specific properties of taxonomies that aid security assessment.

    ********************************************************************