Page 1

Defining a Model for Defense in Depth

James Sullivan, Michael Locasto

University of Calgary

LAW 2015

Sullivan / Locasto Modelling Defense in Depth LAW 2015 1 / 33

Page 2

Introduction — Key Problem

Problem: What is the ideal way to arrange and configure a set of security mechanisms?

What security mechanisms should be included?

What should their layout be?

How fail-safe is the arrangement?

Cost-benefit analysis — budgets are finite

Page 3

Introduction — Challenges

Why is this hard? There are many different flavors of security products, and most of them claim to be better than the rest.

“Protect your devices with the best free antivirus on the market.” – Avast Antivirus, 2015

“...award-winning FREE antivirus, spyware, & malware protection...” – AVG, 2015

“Buy now the best antivirus program for all your devices.” – Panda Security, 2015

“...award-winning security technologies that protect against the very latest threats...” – Kaspersky Security, 2015

“Protects better and faster than the competition.” – Symantec, 2015

Page 4

Introduction — Challenges

Why is this hard? Systems can be arranged in many ways.

Page 5

Introduction — Challenges

Why is this hard?

Some mechanisms may negatively interfere with one another, and this is hard to predict.

“. . . it is possible to connect two systems, both of which are judged to be secure, such that the composite system is not secure.” — D. McCullough, 1988 [1]

[1] D. McCullough. “Noninterference and the composability of security properties”. In: Proceedings of the 1988 IEEE Symposium on Security and Privacy, 1988, pp. 177–186. doi: 10.1109/SECPRI.1988.8110.

Page 6

Motivation — Antivirus Composition Study

Even if security mechanisms work well by themselves, there is no guarantee that they won’t interfere with each other. A case study demonstrated this:

Pairs of commodity Antiviruses installed on a single host

Standard set of AMTSO [2] tests performed on the system

Expected: Both Antiviruses pass the AMTSO tests (identifying and quarantining the malicious files), despite the other’s presence.

Actual: Some Antiviruses prevented the other from passing the EICAR tests. In some cases, both products failed the test simultaneously.

[2] AMTSO Feature Settings Check. http://www.amtso.org/feature-settings-check.html. AMTSO.

Page 7

Motivation — Antivirus Composition Study

Structure of Study

Five of the most popular commodity AVs installed pairwise in each order of installation

AMTSO tests performed multiple times on the system with each pair

Normalize by eliminating AVs that did not pass a given test in isolation (i.e. non-AMTSO-compliant AVs)

Results

Frequency of one AV failing to identify a file: 5.3%

Frequency of both AVs failing to quarantine a file: 10.7%

Page 8

Approaches to System Design

What techniques do we have to aid secure system design?

1. Trial and Error (Live testing)

2. Simulation

3. Modelling

Page 9

Approaches — Trial and Error

Set up a security configuration and measure its effectiveness.

Gives the most accurate view of the effectiveness of the configuration

“Reactive” security. Find a mistake, fix mistake, goto 1.

Mistakes are expensive: Ideally, holes are found before the system is live

Page 10

Approaches — Simulation

Perform simulations of the system to measure its effectiveness.

Simulation results can be close enough to actual results to make informed decisions

How accurate does the simulation need to be? How to balance cost and accuracy?

Where does input to the simulation come from?

Canned traffic

Live traffic (honeypots)

Page 11

Approaches — Modelling

Construct a simplified model of the system to analyze.

Often the cheapest way to get information about a system

A good model will both predict system properties and explain system behavior.

Details are lost: How much information loss is acceptable?

Page 12

Approaches

Ideally, some combination of these approaches is used to make informed decisions.

Modeling: Quickly analyze many configurations

Simulation: Test a select number of configurations

Live Testing: Get live results about the chosen configuration

The sooner we find system flaws, the cheaper they are to fix.

Page 13

Approaches — Our Contribution

Defense Graphs: a modelling technique to aid secure system design.

Complementary to simulation and live testing

Provides quick analytical results about system behaviour

Formalizes intuitions and best practices about system design

Page 14

Model — Definitions

Defense Graph: A directed, acyclic graph D representing a system of composed security mechanisms.

Vertices: Security Mechanisms or Policy Selectors.

Edges: Data path between vertices.

A Defense Graph has a unique entry point α and a unique target β. α is connected to all vertices and β is reachable from all vertices.

Page 15

Model — Definitions

Security Mechanism: An automaton that interprets some input language I and enforces a policy on it, emitting an output language O.

We say that a mechanism accepts an input i ∈ I when i ∈ O.

Conversely, a mechanism rejects an input i ∈ I if i ∉ O.

Page 16

Model — Definitions

Policy Selector: A point at which:

Data is redirected or multiplexed (e.g. a switch)

[Figure: network diagram with Host A, Switch, Internal GW, External GW, Firewall and Server]

A number of independent data streams are combined and some decision is made based on their contents (e.g. all-or-nothing)

[Figure: several Reject/Accept streams combined into a single decision]

Page 17

Model — Definitions

Composition: Two mechanisms are composed if there is a direct data path from one to the other. Two types of composition:

Deterministic: Consistent order of operation on data stream.

Non-Deterministic: Inconsistent order of operation. Treated as one mechanism $n_{ij}$ with a known input language $I_i \cup I_j$ but unknown output language.

[Figure: Deterministic Composition and Non-Deterministic Composition, each drawn with two Mechanism vertices]

Page 18

Model — Examples of Composition

Deterministic Composition

The typical case for a well-structured network

E.g. An external firewall filters traffic before the internal IDS audits it

Non-Deterministic Composition

More commonly seen on single-host systems

Race conditions on data access

AV case study – these constructs are unreliable and can cause strange failures in the mechanisms.

Either can cause incorrect policy enforcement.

Page 19

Properties of Defense Graphs

We define several properties which can be used to reason about Defense Graphs.

Coverage: What type of input is instrumented?

Redundancy: What proportion of that input is instrumented multiple times?

Independence: Do mechanisms depend on each other to work properly? Are compositions present?

Cost: What does the whole configuration cost? (Performance, budget, etc.)

Page 20

Properties — Coverage

Coverage refers to the types of inputs which the system can make policy decisions about.

Each mechanism m has coverage C(m) = I. The entire system’s coverage is:

$$C(D) = \bigcup_{i=0}^{|M|} C(m_i)$$

or the union of all of the mechanisms’ coverage.

Page 21

Properties — Redundancy

Redundancy between two mechanisms is the proportion of the overlap in their coverage sets.

Mechanisms $m_1, m_2$ have redundancy $R(m_1, m_2) = \frac{|C(m_1) \cap C(m_2)|}{|C(m_1) \cup C(m_2)|}$.

The entire system’s redundancy is the total overlap between all pairs:

$$R(D) = \frac{2 \sum_{i=0}^{|M|} \sum_{j \ne i}^{|M|} R(m_i, m_j)}{|M|^2 - |M|}$$

Page 22

Properties — Independence

Independence means that a mechanism does not rely on the correct output of another mechanism.

If there is a walk from one mechanism to another, then the output of the first mechanism decides the input to the next – thus, there is dependency.

$$I(m_1, m_2) = \begin{cases} 0 & \exists\, w = (\alpha, \ldots, m_1) \text{ with } m_2 \in w \\ 1 & \text{otherwise} \end{cases}$$

The independence of the system is the proportion of independent pairs to the total number of pairs:

$$I(D) = \frac{2 \sum_{i=0}^{|M|} \sum_{j=0,\, j \ne i}^{|M|} I(m_i, m_j)}{|M|^2 - |M|}$$

Page 23

Intuition about Independence

Independence is a desirable property of a system.

Prevents mechanism composition

$m_i, m_j$ are composed $\implies I(m_i, m_j) = 0$ or $I(m_j, m_i) = 0$

$I(m_i, m_j) = 1$ or $I(m_j, m_i) = 1 \implies m_i, m_j$ are not composed.

Incorrect decisions by one mechanism don’t affect the other

However, dependence is a natural property of linear data processing, and of layering security mechanisms “in sequence”.

Page 24

Dependency Hurts

    ...
    if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
        goto fail;
    if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
        goto fail;
        goto fail;   /* duplicated and unconditional: the remaining checks are never reached */
    if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
        goto fail;
    ...

[Figure: defense graph of the snippet above, with vertices Entry, the if checks, an Empty vertex and fail; all input flows to fail]

Page 25

Properties — Cost

Cost is some measurement of the expense of a set of mechanisms and their arrangement. A number of possible metrics:

Performance of the system (packet throughput)

Resource Consumption of the system

Financial Cost

For example, if J is a set of computational tasks and T(D, J) is the total time taken to run the task by a system with defense graph D, then cost is given by:

$$P(D) = \sum_{i=0}^{|J|} \frac{T(D, j_i)}{T(D_0, j_i)}$$

where $D_0$ is the unprotected system.

Page 26

The “Optimal” Configuration

We can derive a configuration that maximizes the C, R, I properties:

[Figure: Entry → Selector → Mechanism 1, Mechanism 2, ..., Mechanism n (in parallel) → AND → Target]

Clearly, this isn’t what our systems look like. But this configuration prevents any interference between policy decisions.
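As an added example (not code from the talk or its authors), the coverage, redundancy and independence metrics defined on the Properties slides, computed over two constructed layouts: the sequential firewall → IDS → AV deterministic composition and the parallel selector/AND layout above. Mechanism names, vertex names and coverage sets are constructed for illustration; the pair averages divide by the number of ordered pairs and drop the leading factor 2 written on the slides, so each result stays a proportion in [0, 1].

```python
from itertools import permutations

ALPHA, BETA = "alpha", "beta"   # unique entry point alpha and unique target beta

class DefenseGraph:
    """mechanisms: vertex -> coverage set C(m) = I (its input language);
    selectors: policy-selector vertices; edges: directed data paths (acyclic)."""

    def __init__(self, mechanisms, selectors, edges):
        self.mechanisms = dict(mechanisms)
        self.succ = {v: set() for v in {ALPHA, BETA, *mechanisms, *selectors}}
        for u, v in edges:
            self.succ[u].add(v)

    def walks_from_alpha(self, target):
        # Every walk (alpha, ..., target); finite because D is acyclic.
        def extend(path):
            if path[-1] == target:
                yield tuple(path)
                return
            for nxt in sorted(self.succ[path[-1]]):
                yield from extend(path + [nxt])
        return list(extend([ALPHA]))

    def coverage(self):
        # C(D): the union of every mechanism's coverage C(m_i)
        return set().union(*self.mechanisms.values())

    def pair_redundancy(self, m1, m2):
        # R(m1, m2) = |C(m1) ∩ C(m2)| / |C(m1) ∪ C(m2)|
        c1, c2 = self.mechanisms[m1], self.mechanisms[m2]
        return len(c1 & c2) / len(c1 | c2) if c1 | c2 else 0.0

    def pair_independence(self, m1, m2):
        # I(m1, m2) = 0 if some walk alpha -> ... -> m1 passes through m2, else 1
        return 0 if any(m2 in w for w in self.walks_from_alpha(m1)) else 1

    def _mean_over_ordered_pairs(self, f):
        # Sum over ordered pairs i != j, divided by |M|^2 - |M|. The slides write
        # a leading factor 2; it is dropped here so the result stays within [0, 1].
        pairs = list(permutations(self.mechanisms, 2))
        return sum(f(a, b) for a, b in pairs) / len(pairs) if pairs else 1.0

    def redundancy(self):
        return self._mean_over_ordered_pairs(self.pair_redundancy)

    def independence(self):
        return self._mean_over_ordered_pairs(self.pair_independence)


# Constructed coverage sets: the input classes each mechanism can decide on.
COVER = {"firewall": {"tcp", "udp", "icmp"}, "ids": {"tcp", "udp", "http"},
         "av": {"http", "smtp", "file"}}

# Layout 1: deterministic composition in sequence (firewall -> IDS -> AV).
SEQUENTIAL = DefenseGraph(COVER, selectors=(), edges=[
    (ALPHA, "firewall"), ("firewall", "ids"), ("ids", "av"), ("av", BETA)])

# Layout 2: the slides' "optimal" shape, a selector fanning input out to every
# mechanism in parallel and an AND vertex combining their decisions.
PARALLEL = DefenseGraph(COVER, selectors=("selector", "AND"), edges=[
    (ALPHA, "selector"), ("AND", BETA),
    *[("selector", m) for m in COVER], *[(m, "AND") for m in COVER]])

if __name__ == "__main__":
    print(SEQUENTIAL.independence(), PARALLEL.independence())  # 0.5 1.0
```

Both layouts share the same coverage and redundancy, since those depend only on the coverage sets; only the independence differs, which is exactly the property the parallel layout is built to maximize.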

Page 27

Applying Defense Graphs

A model should be able to satisfy two requirements:

Explanatory: The model should be able to explain phenomena and observations about a system within its own language.

Predictive: The model should also be able to predict some properties about an underlying system.

We demonstrate the explanatory abilities of our model – showing its predictive abilities requires further work.

Page 28

Saltzer & Schroeder’s Principles

Saltzer and Schroeder defined well-known security principles in 1975 [3]. We can express these security principles in the Defense Graph model.

Economy of Mechanism: Keep the design as simple and small as possible.

Complex structures (such as non-deterministic compositions) should be avoided in a Defense Graph in favour of simple and reliable constructs.

More mechanisms may not give more security (and can increase the dependencies in the system).

[3] Jerome H. Saltzer and Michael D. Schroeder. “The protection of information in computer systems”. In: Proceedings of the IEEE 63.9 (1975), pp. 1278–1308.

Page 29

Saltzer & Schroeder’s Principles

Complete Mediation: Every access to every object must be checked for authority.

If the coverage of the system is low, there will be many inputs to the system that have no policies enforced on them, exposing the target to arbitrary data.

Page 30

Contributions of Defense Graphs

Defense Graphs are:

A tool to identify regions of complexity and composition in a system

A tool to make dependency relationships explicit in a system

A tool to analyze and predict basic properties of a system arising from its layout

Defense Graphs are not:

A tool to determine what will happen when two mechanisms compose

Instead, they tell us which mechanisms are at risk of composition

A tool to determine the “Optimal” layout of a system

But we can eliminate anti-patterns or encourage stronger patterns

A replacement for other analysis techniques

Complementary to testing, static analysis, simulation, etc.

Page 31

Conclusion

Defense Graphs are a formal modelling tool which put the focus on the layout of security mechanisms.

Makes anti-patterns and points of composition apparent in the system

Allows for simple analysis of properties of a system

Can be used to re-define intuitions about security, and some known principles

Page 32

Future Work

Model building is iterative, and there are many areas to expand on.

Capture other types of security mechanisms

Analyze the ability of the model to predict properties of systems

Identify some common anti-patterns in insecure systems

Develop tools to automate the generation and analysis of Defense Graphs

Page 33

Questions?
