Defining a Model for Defense in Depth
James Sullivan, Michael Locasto
University of Calgary
LAW 2015
Sullivan / Locasto Modelling Defense in Depth LAW 2015 1 / 33
Introduction — Key Problem
Problem: What is the ideal way to arrange and configure a set of security mechanisms?
What security mechanisms should be included?
What should their layout be?
How fail-safe is the arrangement?
Cost-benefit analysis — budgets are finite
Introduction — Challenges
Why is this hard?
There are many different flavors of security products, and most of them claim to be better than the rest:
“Protect your devices with the best free antivirus on the market.” – Avast Antivirus, 2015
“...award-winning FREE antivirus, spyware, & malware protection...” – AVG, 2015
“Buy now the best antivirus program for all your devices.” – Panda Security, 2015
“...award-winning security technologies that protect against the very latest threats...” – Kaspersky Security, 2015
“Protects better and faster than the competition.” – Symantec, 2015
Introduction — Challenges
Why is this hard?
Systems can be arranged in many ways.
Introduction — Challenges
Why is this hard?
Some mechanisms may negatively interfere with one another, and this is hard to predict.
. . . it is possible to connect two systems, both of which are judged to be secure, such that the composite system is not secure. — D. McCullough, 1988 [1]
[1] D. McCullough. “Noninterference and the composability of security properties”. In: Proceedings of the 1988 IEEE Symposium on Security and Privacy. 1988, pp. 177–186. doi: 10.1109/SECPRI.1988.8110.
Motivation — Antivirus Composition Study
Even if security mechanisms work well by themselves, there is no guarantee that they won’t interfere with each other. A case study demonstrated this:
Pairs of commodity Antiviruses installed on a single host
Standard set of AMTSO [2] tests performed on the system
Expected: Both Antiviruses pass the AMTSO tests (identifying and quarantining the malicious files), despite the other’s presence.
Actual: Some Antiviruses prevented the other from passing the EICAR tests. In some cases, both products failed the test simultaneously.
[2] AMTSO Feature Settings Check. http://www.amtso.org/feature-settings-check.html. AMTSO.
Motivation — Antivirus Composition Study
Structure of Study
Five of the most popular commodity AVs installed pairwise in each order of installation
AMTSO tests performed multiple times on the system with each pair
Normalize by eliminating AVs that did not pass a given test in isolation (i.e. non-AMTSO-compliant AVs)
Results
Frequency of one AV failing to identify a file: 5.3%
Frequency of both AVs failing to quarantine a file: 10.7%
Approaches to System Design
What techniques do we have to aid secure system design?
1 Trial and Error (Live testing)
2 Simulation
3 Modelling
Approaches — Trial and Error
Set up a security configuration and measure its effectiveness.
Gives the most accurate view of the effectiveness of the configuration
“Reactive” security. Find a mistake, fix mistake, goto 1.
Mistakes are expensive: Ideally, holes are found before the system is live
Approaches — Simulation
Perform simulations of the system to measure its effectiveness.
Simulation results can be close enough to actual results to make informed decisions
How accurate does the simulation need to be? How to balance cost and accuracy?
Where does input to the simulation come from?
Canned traffic
Live traffic (honeypots)
Approaches — Modelling
Construct a simplified model of the system to analyze.
Often the cheapest way to get information about a system
A good model will both predict system properties and explain system behavior.
Details are lost: How much information loss is acceptable?
Approaches
Ideally, some combination of these approaches is used to make informed decisions.
Modeling: Quickly analyze many configurations
Simulation: Test a select number of configurations
Live Testing: Get live results about the chosen configuration
The sooner we find system flaws, the cheaper they are to fix.
Approaches — Our Contribution
Defense Graphs: a modelling technique to aid secure system design.
Complementary to simulation and live testing
Provides quick analytical results about system behaviour
Formalizes intuitions and best practices about system design
Model — Definitions
Defense Graph: A directed, acyclic graph D representing a system of composed security mechanisms.
Vertices: Security Mechanisms or Policy Selectors.
Edges: Data path between vertices.
A Defense Graph has a unique entry point α and a unique target β. α is connected to all vertices and β is reachable from all vertices.
Model — Definitions
Security Mechanism: An automaton that interprets some input language I and enforces a policy on it, emitting an output language O.
We say that a mechanism accepts an input i ∈ I when i ∈ O.
Conversely, a mechanism rejects an input i ∈ I if i ∉ O.
Model — Definitions
Policy Selector: A point at which:
Data is redirected or multiplexed (e.g. a switch)
[Figure: network with Host A, Switch, Internal GW, External GW, Firewall and Server]
A number of independent data streams are combined and some decision is made based on their contents (e.g. all-or-nothing)
[Figure: streams labelled Reject, Reject, Accept, Accept combined into one decision]
Model — Definitions
Composition: Two mechanisms are composed if there is a direct data path from one to the other. Two types of composition:
Deterministic: Consistent order of operation on data stream.
Non-Deterministic: Inconsistent order of operation. Treated as one mechanism n_ij with a known input language I_i ∪ I_j but unknown output language.
[Figure: Deterministic Composition and Non-Deterministic Composition, each drawn with two Mechanism vertices]
Model — Examples of Composition
Deterministic Composition
The typical case for a well-structured network
E.g. An external firewall filters traffic before the internal IDS audits it
Non-Deterministic Composition
More commonly seen on single-host systems
Race conditions on data access
AV case study – these constructs are unreliable and can cause strange failures in the mechanisms.
Either can cause incorrect policy enforcement.
Properties of Defense Graphs
We define several properties which can be used to reason about Defense Graphs.
Coverage: What type of input is instrumented?
Redundancy: What proportion of that input is instrumented multiple times?
Independence: Do mechanisms depend on each other to work properly? Are compositions present?
Cost: What does the whole configuration cost? (Performance, budget, etc.)
Properties — Coverage
Coverage refers to the types of inputs which the system can make policy decisions about.
Each mechanism m has coverage C(m) = I. The entire system’s coverage is:
$C(D) = \bigcup_{i=0}^{|M|} C(m_i)$
That is, the union of all of the mechanisms’ coverage.
Properties — Redundancy
Redundancy between two mechanisms is the proportion of the overlap in their coverage sets.
Mechanisms $m_1, m_2$ have redundancy $R(m_1, m_2) = \frac{|C(m_1) \cap C(m_2)|}{|C(m_1) \cup C(m_2)|}$.
The entire system’s redundancy is the total overlap between all pairs:
$R(D) = \frac{2}{|M|^2 - |M|} \sum_{i=0}^{|M|} \sum_{j \neq i}^{|M|} R(m_i, m_j)$
Properties — Independence
Independence means that a mechanism does not rely on the correct output of another mechanism.
If there is a walk from one mechanism to another, then the output of the first mechanism decides the input to the next – thus, there is dependency.
$I(m_1, m_2) = \begin{cases} 0 & : \exists\, w = (\alpha, \ldots, m_1) \text{ with } m_2 \in w \\ 1 & : \text{otherwise} \end{cases}$
The independence of the system is the proportion of independent pairs to the total number of pairs:
$I(D) = \frac{2}{|M|^2 - |M|} \sum_{i=0}^{|M|} \sum_{j=0,\, j \neq i}^{|M|} I(m_i, m_j)$
Intuition about Independence
Independence is a desirable property of a system.
Prevents mechanism composition
m_i, m_j are composed ⇒ I(m_i, m_j) = 0 or I(m_j, m_i) = 0
I(m_i, m_j) = 1 or I(m_j, m_i) = 1 ⇒ m_i, m_j are not composed.
Incorrect decisions by one mechanism don’t affect the other
However, dependence is a natural property of linear data processing, and of layering security mechanisms “in sequence”.
Dependency Hurts
...
if ((err = SSLHashSHA1.update(&hashCtx, &serverRandom)) != 0)
    goto fail;
if ((err = SSLHashSHA1.update(&hashCtx, &signedParams)) != 0)
    goto fail;
    goto fail;   /* duplicated, unconditional: every input now jumps to fail, so the check below is dead */
if ((err = SSLHashSHA1.final(&hashCtx, &hashOut)) != 0)
    goto fail;
...
[Figure: Defense graph of the code above with vertices Entry, if, if, if (empty) and fail; an edge labelled “All input” leads to fail]
Properties — Cost
Cost is some measurement of the expense of a set of mechanisms and their arrangement. A number of possible metrics:
Performance of the system (packet throughput)
Resource Consumption of the system
Financial Cost
For example, if J is a set of computational tasks and T(D, J) is the total time taken to run the task by a system with defense graph D, then cost is given by:
$P(D) = \sum_{i=0}^{|J|} \frac{T(D, j_i)}{T(D_0, j_i)}$
Where $D_0$ is the unprotected system.
The “Optimal” Configuration
We can derive a configuration that maximizes the C, R, I properties:
[Figure: Entry → Selector → Mechanism 1, Mechanism 2, ..., Mechanism n (in parallel) → AND → Target]
Clearly, this isn’t what our systems look like. But this configuration prevents any interference between policy decisions.
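As an added example (not the authors' code), the coverage, redundancy and independence definitions from the earlier slides and the parallel configuration on this one worked in Python: a small defense-graph class over a constructed three-mechanism sample, built once "in sequence" and once in the Selector/AND layout. The mechanism names and coverage sets are invented, and reading the factor 2/(|M|²−|M|) as a mean over unordered pairs (with a pair independent only when neither direction depends) is an assumption of this example.

```python
from itertools import combinations

ALPHA, BETA = "alpha", "beta"  # the unique entry point and target of every defense graph
class DefenseGraph:
    """DAG of mechanisms (carrying coverage sets) and policy selectors (no coverage)."""
    def __init__(self):
        self.coverage = {}                       # mechanism -> set of input types it instruments
        self.succ = {ALPHA: set(), BETA: set()}  # vertex -> successor vertices (data paths)
    def mechanism(self, name, covers):
        self.coverage[name] = set(covers)
    def path(self, *vertices):  # deterministic data path v0 -> v1 -> ..., one edge per step
        for a, b in zip(vertices, vertices[1:]):
            self.succ.setdefault(a, set()).add(b)
            self.succ.setdefault(b, set())
    def reachable(self, src):
        seen, todo = set(), [src]
        while todo:
            new = self.succ.get(todo.pop(), set()) - seen
            seen |= new
            todo += new
        return seen
    def C(self):
        """C(D): union of every mechanism's coverage."""
        return set().union(*self.coverage.values())
    def R_pair(self, m1, m2):
        """R(m1,m2) = |C(m1) ∩ C(m2)| / |C(m1) ∪ C(m2)|."""
        a, b = self.coverage[m1], self.coverage[m2]
        return len(a & b) / len(a | b) if a | b else 0.0
    def I_pair(self, m1, m2):
        """I(m1,m2) = 0 if a walk alpha -> ... -> m1 passes through m2 (iff m2 reaches m1), else 1."""
        return 0 if m1 in self.reachable(m2) else 1
    def _mean_over_pairs(self, f):
        # The slides' factor 2/(|M|^2 - |M|) is 1/C(|M|,2): a mean over unordered pairs.
        pairs = list(combinations(self.coverage, 2))
        return sum(f(a, b) for a, b in pairs) / len(pairs) if pairs else 0.0
    def R(self): return self._mean_over_pairs(self.R_pair)
    def I(self):  # assumption: a pair is independent only if neither direction depends
        return self._mean_over_pairs(lambda a, b: min(self.I_pair(a, b), self.I_pair(b, a)))

# Constructed sample: three mechanisms, laid out either "in sequence" or in parallel.
MECHS = {"firewall": {"tcp", "udp"}, "ids": {"tcp", "http"}, "av": {"file"}}
def build(layout):
    d = DefenseGraph()
    for name, cov in MECHS.items():
        d.mechanism(name, cov)
        if layout == "parallel":  # selector fans out to each mechanism, AND recombines
            d.path(ALPHA, "selector", name, "AND", BETA)
    if layout == "sequence":      # each mechanism's output feeds the next
        d.path(ALPHA, *MECHS, BETA)
    return d
```

Both layouts have the same coverage and redundancy; only the sequential one shows dependency, and only in the direction the definition predicts (I(firewall, ids) = 1 but I(ids, firewall) = 0).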
Applying Defense Graphs
A model should be able to satisfy two requirements:
Explanatory: The model should be able to explain phenomena and observations about a system within its own language.
Predictive: The model should also be able to predict some properties about an underlying system.
We demonstrate the explanatory abilities of our model – showing its predictive abilities requires further work.
Saltzer & Schroeder’s Principles
Saltzer and Schroeder defined well-known security principles in 1975 [3]. We can express these security principles in the Defense Graph model.
Economy of Mechanism: Keep the design as simple and small as possible.
Complex structures (such as non-deterministic compositions) should be avoided in a Defense Graph in favour of simple and reliable constructs.
More mechanisms may not give more security (and can increase the dependencies in the system).
[3] Jerome H. Saltzer and Michael D. Schroeder. “The protection of information in computer systems”. In: Proceedings of the IEEE 63.9 (1975), pp. 1278–1308.
Saltzer & Schroeder’s Principles
Complete Mediation: Every access to every object must be checked for authority.
If the coverage of the system is low, there will be many inputs to the system that have no policies enforced on them, exposing the target to arbitrary data.
Contributions of Defense Graphs
Defense Graphs are:
A tool to identify regions of complexity and composition in a system
A tool to make dependency relationships explicit in a system
A tool to analyze and predict basic properties of a system arising from its layout
Defense Graphs are not:
A tool to determine what will happen when two mechanisms compose
Instead, they tell us which mechanisms are at risk of composition
A tool to determine the “Optimal” layout of a system
But we can eliminate anti-patterns or encourage stronger patterns
A replacement for other analysis techniques
Complementary to testing, static analysis, simulation, etc.
Conclusion
Defense Graphs are a formal modelling tool which put the focus on the layout of security mechanisms.
Makes anti-patterns and points of composition apparent in the system
Allows for simple analysis of properties of a system
Can be used to re-define intuitions about security, and some known principles
Future Work
Model building is iterative, and there are many areas to expand on.
Capture other types of security mechanisms
Analyze the ability of the model to predict properties of systems
Identify some common anti-patterns in insecure systems
Develop tools to automate the generation and analysis of Defense Graphs
Questions?