jigsaw – attack modeling language


Page 1: JIGSAW – Attack Modeling Language

8/2/99 Global Guard - U.C. Davis Security Lab 1

JIGSAW – Attack Modeling Language

Steven J. Templeton, U.C. Davis Security Lab

Page 2: JIGSAW – Attack Modeling Language


JIGSAW – Origins

• Language as a means of:
  – Organizing thinking about attacks
  – Expressing attack/security concepts in a convenient way to reason about

• Language based on abstract attack concepts, program/protocol specifications, system configuration

• Emphasis not on detecting new, low-level vulnerabilities, but on how these plus system information could be combined into sophisticated multi-stage attacks.

• Of particular interest is detecting new attacks.

• Relies on sensor input detecting specific system events or known attacks, i.e. CIDF GIDOs.

Page 3: JIGSAW – Attack Modeling Language


Concept Structure

[Diagram: structure of a concept, using RSH Connection Spoofing as the example. Requires: DOS, SeqNumProbing, Spoofed Packet Send. Where: the correlation conditions over those reports. Report: TransferChannel, RemoteExecution. Action: Send CIDF Report; Audit RSH packet data.]

Page 4: JIGSAW – Attack Modeling Language


Concept Framework

    concept <concept_name>
        extends    #- list of concepts on which this concept is based
        requires   #- labeled list of reports or domain data used in concept
        where      #- correlate assertions on attributes
        report     #- expresses details of positive correlations seen
        action     #- external actions
    end.

Page 5: JIGSAW – Attack Modeling Language


requires - events needed

    #- Specifies the reports or domain specifications required
    #- Specifies label bindings

e.g.

    concept Propagate
        requires
            Push_Transfer_Channel: PUTC    #- subscribed report
            Remote_Execution: RE           #- subscribed report
            Pull_Transfer_Channel: PLTC    #- subscribed report
            …

e.g.

    concept Buffer_Overflow
        requires
            Buffer_Overflow_Detected: BOD  #- subscribed report
            …

#- The requires section lists the types of reports the concept, acting as an agent, wishes to subscribe to.

Page 6: JIGSAW – Attack Modeling Language


requires - (continued)

e.g.

    concept Linux5.1-IMAP_buffer_overflow
        requires
            Host_Info: HI                              #- domain knowledge
            Linux_5.1_IMAP_attach_detected: L51IMAP    #- subscribed report
            …

e.g.

    concept IIS_List_Overflow_Attack
        requires
            Host_Info: HI                        #- domain knowledge
            IIS_List_Overflow_Detected: IISLOD   #- subscribed report
            IIS_Access: IISA                     #- subscribed report
            …

e.g.

    concept RSH_connection_spoof
        requires
            Trusted_Partner: TP        #- subscribed report
            Network_DOS: ND            #- subscribed report
            SeqNumProbe: SNP           #- subscribed report
            SpoofedPacketSend: SPS     #- subscribed report
            …

Page 7: JIGSAW – Attack Modeling Language


report - changes in KB

    #- where values are bound to instantiations of a report and the report is published

e.g.

    assert Linux5.1-IMAP_vulnerable        #- keyword assert is optional
        (host <- L51IMAPD.hostname)

    retract Linux5.1-IMAP_vulnerable (hostname)

    #- explanatory data passed along by binding matching "required" reports to this report;
    #- by default all required reports are bound
    #- keyword unbind is used to limit growth of explanatory data

e.g.

    assert SeqNumProbe
        (dest <- SNP.dest)
        unbind SNP                         #- all other unbound data is lost

Page 8: JIGSAW – Attack Modeling Language


report - (continued)

e.g.

    concept Linux5.1-IMAP_buffer_overflow
        requires
            Host_Info: HI                              #- domain knowledge
            Linux_5.1_IMAP_attach_detected: L51IMAP    #- subscribed report
            …
        report buffer_overflow_detected
            (host <- HI.host)
        …
    end.

Page 9: JIGSAW – Attack Modeling Language


report - (continued)

e.g.

    concept RSH_Connection_Spoofing
        requires
            Trusted_Partner: TP        #- subscribed report
            Network_DOS: ND            #- subscribed report
            SeqNumProbe: SNP           #- subscribed report
            SpoofedPacketSend: SPS     #- subscribed report
            …
        report Remote_Execution
            (dest <- SPS.target)           #- host we can execute on
            (source <- SPS.source)
            (true_src <- SPS.true_src)     #- where remote code must come from
            (start_time <- SPS.time)
            (end_time <- SPS.time)

Page 10: JIGSAW – Attack Modeling Language


report - (continued)

e.g.

    concept NIS_Connection_Spoofing
        requires
            Trusted_Partner: TP        #- subscribed report
            Network_DOS: ND            #- subscribed report
            SeqNumProbe: SNP           #- subscribed report
            SpoofedPacketSend: SPS     #- subscribed report
            …
        report Remote_Execution
            (dest <- SPS.target)           #- host we can execute on
            (source <- SPS.source)
            (true_src <- SPS.true_src)     #- where remote code must come from
            (start_time <- SPS.time)
            (end_time <- SPS.time)

Page 11: JIGSAW – Attack Modeling Language


where - Correlates assertions

    #- A list of expressions which must be true for the concept to hold
    #- Describes constraints on how reports are to be combined.

e.g.

    DOS.host is SPS.source
    DOS.port_set includes SPS.source
    active(DOS) while active(SPS)

    #- Base library of functions can be extended either globally or local to the particular construct.

e.g.

    defpred is_mail_port(X) (
        X in { SMTP, POP, POP2, POP3, IMAP })
    deffunc number_of_ports(X) (
        return card(X.port_set))

    #- CBV only, no side-effects
    #- No external calls allowed

Page 12: JIGSAW – Attack Modeling Language


Example: SynFlood

    concept SynFlood
        requires
            SynFlood: SF
            NetworkAccess: NA
        where
            network_access(NA.true_src, SF.target)
        report Denial_of_Network_Service
            (target <- SF.target)
            update_on(port_set <- port_set + SF.port)
            (start_time <- SF.time)
            (stop_time <- SF.time) update
    end.
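An added example (not from the slides) of what the SynFlood concept's update_on and update clauses do at run time: a stream of per-port SynFlood sensor reports is folded into one Denial_of_Network_Service report per target, with port_set growing and stop_time advancing. The network_access() predicate and the reachability table behind it are assumptions of this example.

```python
# Added example, not from the JIGSAW slides: folding a stream of SynFlood
# sensor reports into one Denial_of_Network_Service report per target, the
# way the slide's update_on(...) and "update" clauses describe.

def network_access(true_src, target, reachable):
    """Stand-in for the slide's network_access() predicate (assumed here):
    `reachable` is a constructed table of {source: set(targets it can reach)}."""
    return target in reachable.get(true_src, set())

def synflood_concept(sf_reports, na_report, reachable):
    """Run the SynFlood concept over SF reports already ordered by time.
    Returns {target: Denial_of_Network_Service report}."""
    published = {}
    for sf in sf_reports:
        # where: network_access(NA.true_src, SF.target)
        if not network_access(na_report["true_src"], sf["target"], reachable):
            continue
        rep = published.get(sf["target"])
        if rep is None:
            # first positive correlation: assert the report
            published[sf["target"]] = {
                "target": sf["target"],
                "port_set": {sf["port"]},      # port_set <- port_set + SF.port
                "start_time": sf["time"],
                "stop_time": sf["time"],
            }
        else:
            # update_on: grow port_set and push stop_time forward; start_time stays
            rep["port_set"].add(sf["port"])
            rep["stop_time"] = max(rep["stop_time"], sf["time"])
    return published

# Constructed sample input: three SYN floods against one host, plus one against
# a host the flooding source cannot reach (so the where clause rejects it).
SAMPLE_SF = [
    {"target": "10.0.0.9", "port": 80, "time": 100},
    {"target": "10.0.0.9", "port": 443, "time": 104},
    {"target": "10.0.0.9", "port": 80, "time": 109},
    {"target": "10.0.0.40", "port": 25, "time": 111},
]
SAMPLE_NA = {"true_src": "192.0.2.7"}
REACHABLE = {"192.0.2.7": {"10.0.0.9"}}

if __name__ == "__main__":
    for target, rep in synflood_concept(SAMPLE_SF, SAMPLE_NA, REACHABLE).items():
        print(target, sorted(rep["port_set"]), rep["start_time"], rep["stop_time"])
```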

Page 13: JIGSAW – Attack Modeling Language


More Examples

    concept FileHandleGuessing
        requires
        where
        report
    end.

    concept DNS_Cache_Poisoning
        requires
            DNS_Cache_Poison_Detected: DNSCP
        report Traffic_Redirection
            forall ce in DNSCP.map_list {
                (remap <- remap + [DNSCP.old_IPA, DNSCP.new_IPA])
            }
    end.

Page 14: JIGSAW – Attack Modeling Language


Example: Connection Spoofing

    concept Connection_Spoofing
        requires
            Trusted_Partner: TP
            Network_DOS: ND
            SeqNumProbe: SNP
            SpoofedPacketSend: SPS
        where
            ND.hosts includes TP.host
            SPS.source is SPS.target
            active(ND) while active(SPS)
            not ND.hosts includes SPS.true_src
            not ND.hosts includes SPS.target
        report assert Connection_Spoofing
            (dest <- SPS.target)
            (source <- SPS.source)
            (true_src <- SPS.true_src)
            (start_time <- SPS.time)
            (end_time <- SPS.time)
    end.
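An added example (not from the slides) of how a JSA could evaluate the where section: a small evaluator for the four clause forms the slides use (is, includes, not ... includes, active(A) while active(B)) run over constructed reports for the Connection_Spoofing concept. The start/end fields used for active() and the decision to check the spoofed source against the trusted partner's host are assumptions of this example.

```python
# Added example, not from the JIGSAW slides: a small evaluator for the `where`
# clause forms shown on the slides, applied to the Connection_Spoofing concept.

def active_while(a, b):
    """active(a) while active(b): the two reports' lifetimes overlap.
    The start/end fields on each report are assumed, not on the slides."""
    return a["start"] <= b["end"] and b["start"] <= a["end"]

def resolve(path, reports):
    label, attr = path.split(".")     # e.g. "SPS.target" -> reports["SPS"]["target"]
    return reports[label][attr]

def holds(clause, reports):
    """Evaluate one where clause against the bound reports."""
    if clause.startswith("not "):
        return not holds(clause[4:], reports)
    if clause.startswith("active("):
        a, b = clause[len("active("):].split(") while active(")
        return active_while(reports[a], reports[b.rstrip(")")])
    lhs, op, rhs = clause.split(" ")
    left, right = resolve(lhs, reports), resolve(rhs, reports)
    return left == right if op == "is" else right in left   # "is" / "includes"

# Clause list from the Connection_Spoofing slide, except that the spoofed
# source is checked against the trusted partner's host (an assumption here).
CONNECTION_SPOOFING_WHERE = [
    "ND.hosts includes TP.host",
    "SPS.source is TP.host",
    "active(ND) while active(SPS)",
    "not ND.hosts includes SPS.true_src",
    "not ND.hosts includes SPS.target",
]

def connection_spoofing(reports):
    """Return the Connection_Spoofing report when every clause holds, else None."""
    if not all(holds(c, reports) for c in CONNECTION_SPOOFING_WHERE):
        return None
    sps = reports["SPS"]
    return {"dest": sps["target"], "source": sps["source"],
            "true_src": sps["true_src"],
            "start_time": sps["time"], "end_time": sps["time"]}

# Constructed sample reports, labelled as in the concept's requires section.
SAMPLE = {
    "TP":  {"host": "10.0.0.5"},
    "ND":  {"hosts": {"10.0.0.5"}, "start": 100, "end": 160},
    "SNP": {"dest": "10.0.0.9", "start": 110, "end": 120},
    "SPS": {"source": "10.0.0.5", "target": "10.0.0.9",
            "true_src": "192.0.2.7", "time": 130, "start": 130, "end": 131},
}
```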

Page 15: JIGSAW – Attack Modeling Language


action - external effects

    #- used to
    * send alerts and other informational reports
    * send CIDF GIDOs to other A-boxes
    * dynamically change sensors
    * take response measures

Page 16: JIGSAW – Attack Modeling Language


extends - basic inheritance

    #- convenient notation when useful reports are not asserted as needed (missing "binds")

e.g.

    concept ThinWorm
        extends Worm

Page 17: JIGSAW – Attack Modeling Language


Sensor Framework

• Wraps sensor input to provide JIGSAW reports

    sensor <sensor_name>
        requires {
            extern <process>: <binding>        #- external process
            - or -
            gido <gido_src>: <gido_filter>     #- GIDO this wraps
                                               #- negotiated via IDIAN
        }
        report {                               #- messages to JSAs
            <assertion> ( <assertion_data>+ )
        }
    end.

Page 18: JIGSAW – Attack Modeling Language


Concept Hierarchy

[Diagram: Concept Hierarchy with the nodes DOS port, DOS Host, DOS Network, DOS all ports.]

Page 19: JIGSAW – Attack Modeling Language


Concept Hierarchy

[Diagram: Concept Hierarchy – SynFlood (DOS port), Halt Computer (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports).]

    concept SynFlood
        requires
            SynFloodDetected: SFD
        report Denial_of_Service
            (host <- SFD.host)
            (port <- SFD.port_x)
    end.

Page 20: JIGSAW – Attack Modeling Language


Concept Hierarchy

[Diagram: Concept Hierarchy – SynFlood (DOS port), Halt Computer (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports).]

    concept UnpluggedCable
        requires
            UPCableDetected: UPC
        report Denial_of_Service
            (host <- UPC.host)
            (port <- *)
    end.

Page 21: JIGSAW – Attack Modeling Language


Concept Hierarchy

[Diagram: Concept Hierarchy – SynFlood (DOS port), PingOfDeath (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports).]

    concept PacketStorm
        requires
            PacketStormDetected: PS
        report
            forall h in LocalNet(PS.host, PS.adapter)
                Denial_of_Service
                    (host <- PS.host)
                    (port <- *)
    end.

Page 22: JIGSAW – Attack Modeling Language


Concept Hierarchy?

[Diagram: Concept Hierarchy? – SynFlood (DOS port), PingOfDeath (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports), with a new DOS Process node whose place in the hierarchy is left open.]

    concept PingOfDeath
        requires
            PingOfDeath: POD
        report Denial_of_Service
            (host <- POD.target)
            (port <- *)
            (proc <- *)
    end.

Page 23: JIGSAW – Attack Modeling Language


Concept Hierarchy

[Diagram: Concept Hierarchy – SynFlood (DOS port), Halt Computer (DOS Host), PacketStorm (DOS Network), Unplug Cable (DOS all ports), all generalized to Denial-of-Service.]

Page 24: JIGSAW – Attack Modeling Language


Report Specialization

[Diagram: Report Specialization – SynFlood (DOS port), PingOfDeath (DOS Host), PacketStorm (DOS Network) and Unplug Cable (DOS all ports) generalize to Denial-of-Service, which is specialized into FTP_DOS, NIS_DOS, SMTP_DOS, HTTP_DOS, Comm_DOS, DMZ_DOS and R&D_DOS.]
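An added example (not from the slides) covering the DOS concept hierarchy above and the report specialization it feeds: the SynFlood, UnpluggedCable and PacketStorm concepts publish Denial_of_Service reports, and a subscriber for a specialization such as FTP_DOS (the FTP port on a given host) is satisfied by any report that names that host and either that port or the wildcard. Reading `*` as "every value", the LocalNet() topology table, and binding the per-host report to the loop variable h are assumptions of this example.

```python
# Added example, not from the JIGSAW slides: Denial_of_Service reports from the
# DOS concepts, and how a more specific subscriber (e.g. FTP_DOS) matches them.
# Assumption: the slides' `*` means "every value" of that attribute.

WILDCARD = "*"

def local_net(host, adapter, topology):
    """Stand-in for the slide's LocalNet(): constructed topology table
    {(host, adapter): set of hosts on that segment}."""
    return topology.get((host, adapter), {host})

def synflood(sfd):                     # concept SynFlood
    return [{"host": sfd["host"], "port": sfd["port_x"], "proc": WILDCARD}]

def unplugged_cable(upc):              # concept UnpluggedCable
    return [{"host": upc["host"], "port": WILDCARD, "proc": WILDCARD}]

def packet_storm(ps, topology):        # concept PacketStorm
    # forall h in LocalNet(PS.host, PS.adapter): one report per host on the
    # segment (assumes the report binds h, not PS.host as the slide prints)
    return [{"host": h, "port": WILDCARD, "proc": WILDCARD}
            for h in local_net(ps["host"], ps["adapter"], topology)]

def subsumes(report, wanted):
    """A Denial_of_Service report satisfies a specialization when every
    attribute the subscriber asks for is equal or carried as the wildcard."""
    return all(report[k] in (WILDCARD, v) for k, v in wanted.items())

def matching_reports(reports, wanted):
    return [r for r in reports if subsumes(r, wanted)]

# Constructed sample topology and sensor reports.
TOPOLOGY = {("10.0.0.1", "eth0"): {"10.0.0.1", "10.0.0.2", "10.0.0.21"}}
REPORTS = (synflood({"host": "10.0.0.21", "port_x": 21})
           + synflood({"host": "10.0.0.21", "port_x": 80})
           + unplugged_cable({"host": "10.0.0.2"})
           + packet_storm({"host": "10.0.0.1", "adapter": "eth0"}, TOPOLOGY))

# FTP_DOS specialization: denial of the FTP service port on a given host.
FTP_DOS_21 = {"host": "10.0.0.21", "port": 21}

if __name__ == "__main__":
    for r in matching_reports(REPORTS, FTP_DOS_21):
        print(r)
```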

Page 25: JIGSAW – Attack Modeling Language


D.O.S. - Hierarchy of Specialization

Page 26: JIGSAW – Attack Modeling Language


Conceptual Execution Model

Communicating Agent Model

• Each concept statement defines a JSA (JigSaw Agent)
• JSAs execute concurrently on 1 or more hosts.
• requires specifies the types of reports of interest to the JSA – what it subscribes to
• reports are the messages an agent will publish
• reports can be either broadcast to all agents, or sent only to subscribing agents
• Remote groups of agents communicate via CIDF, using IDIAN to negotiate report requirements

Page 27: JIGSAW – Attack Modeling Language


Uses

• Forward direction as an ID system
• In reverse to identify vulnerabilities
• In reverse w/ sensors replaced with appropriate attack scripts as an attack system
  – Plans how to reach goal
  – Can find new combinations of attacks to reach goal, e.g.
    • Using DNS requests as a method for a worm to pull in its body.
    • Port DOS to spoof IIS authentication, then buffer overflow list command as a means of remote execution.

Page 28: JIGSAW – Attack Modeling Language


Attack Requirements

    concept Propagate
        requires
            Remote_Execution: RE
            …
        where
            …
        …
    end.

    concept Linux5.1-IMAP_Vulnerable
        requires
            OS_Linux-5.1: OSL51
            Not_IMAP_Patched: NIMAPP
            …
        report Remote_Execution
            (host <- OSL51.host)
        …
    end.

    concept OS_Linux-5.1_ID
        requires
            OS_Scan: OSS
        where
            OSS.OS is Linux_5.1
        report OS_Linux-5.1
            (host_set <- OSL51.host)
    end.

Page 29: JIGSAW – Attack Modeling Language


Challenges

• Writing more specifications
• Efficient implementation
• Integration of anomaly detection components into JIGSAW
• Appropriate time-to-live for assertions
• Update reports of continuing events

Page 30: JIGSAW – Attack Modeling Language


Summary

• Simple conceptual framework for modeling attack concepts
• Extensible to handle new attribute relationships
• Utilizes new attack detectors to improve performance
• Specifications use behavioral characteristics of attack and/or critical resources to protect.
• CIDF friendly.
• While conceptually an agent approach, not tied to any execution method.
• Well suited as an attack tool.