GRAFOS

GRAFOSArtigo: “Generating attack scenarios for thevalidation of security protocolimplementations”E. Martins, A. Morais, A. Cavalli. Generating attack scenarios for the validationof security protocol implementations. 2nd. Brazilian workshop on Systematicand Automated Software Testing (SAST), Brazil, 2008.MARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações

MotivationThis paper is intended to present how to model attack scenarios to be injectedduring runtime.Abstract - In this paper we consider the validation of security protocols,whose aim to ensure some security properties when the communicationmedium is not reliable. The goal is to uncover protocol vulnerabilities that anattacker can exploit and cause security failures. Our approach uses a faultinjector to inject attacks into a communication system and observe wheterthe security properties are violated. One of the key problems is: how togenerate successful attacks that will indicate the existence ofvulnerabilities? We propose an approach tht is similar to model-based testing,as we derive attack scenarios from an attack model representing knownattacks to the protocol under test. The approach can be completelysupported by tools, , as is shown in the paper.MARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações

MotivationContextTwo categories of faults: malicious (attacks) and accidental ones.Attacks are malicious external activities aimed to intentionally violate one ormore security properties of the system.A vulnerability ismalicious or non-malicious faults introduced duringdevelopment phases of the system or in the way it is used, that could beexploited to create intrusion.Security propertiesThe basic security availability(3).properties areconfidentiality(1),integrity(2)and(1)Prevention of unauthorized disclosure of information;(2)Absence of improper system state alteration, that is, the prevention ofunauthorized modification or deletion of information;(3)Prevention of unnecessary witholding of information.MARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações

MotivationSome attacksTraffic analysis, Active eavesdropping, Unauthorized Service(DoSDoS),Man-in-the-Middle(MITM),Smurf, Syn Floodaccess, Denial-of-Modelling attacks and vulnerabilities(1)Formal models: petri nets or UML(2)Attacks trees-they focus on goals that can be transformed on attacks against protocolimplementation;-they allow to describe the actions that should be performed for a successfulattack;-the model is easy to understand;-they allow a hierarchical representation in which high level goals are brokendown in sub-goals, until the desired refinement level is achieved;-is possible to define attack patterns based on most common attacks to a givenprotocol.MARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações

Attacks TreesRoot node represents the achievement of the ultimate goal of the attackEach child node represents sub-goals that have to be accomplished for theparent goal to succeedThe leaves of the tree represent attacker actions.Parent nodes can be related to their children by an OR or an AND relationship.Individual intrusion scenarios are generated by traversing the tree in adepth-first manner.MARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações

Attacks TreesNó raiz = objetivo principalNós filhos = sub-objetivosNó OR = um dos sub-objetivosprecisa ser atingidoNó AND = todos os subobjetivosdevem seratingidosNós folhaMARCO ANTONIO GARCIA DE CARVALHOMarço de 2010AtributosGrafos e Aplicações

ScenariosMARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações

DoS attackMARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações

DoS attackA* search - scenariosMATLAB - computational tool used by graduate student at 2009SecureITree - to model attack trees (computational tool - $$)MARCO ANTONIO GARCIA DE CARVALHOMarço de 2010Grafos e Aplicações