8/2/99 Global Guard - U.C. Davis Security Lab 1
JIGSAW – Attack Modeling Language
Steven J. Templeton, U.C. Davis Security Lab
JIGSAW – Origins
• Language as a means of:
  – Organizing thinking about attacks
  – Expressing attack/security concepts in a convenient way to reason about
• Language based on abstract attack concepts, program/protocol specifications, system configuration
• Emphasis not on detecting new, low-level vulnerabilities, but on how these plus system information could be combined into sophisticated multi-stage attacks.
• Of particular interest is detecting new attacks.
• Relies on sensor input detecting specific system events or known attacks, i.e. CIDF GIDOs.
Concept Structure (diagram): a Concept, here RSH Connection Spoofing, Requires the reports DOS, SeqNumProbing and Spoofed Packet Send; its Where clause correlates them; its Report section publishes Transfer Channel and Remote Execution; its Action section sends a CIDF report and audits RSH packet data.
Concept Framework
concept <concept_name>
  extends    #- list of concepts on which this concept is based
  requires   #- labeled list of reports or domain data used in concept
  where      #- correlate assertions on attributes
  report     #- expresses details of positive correlations seen
  action     #- external actions
end.
requires - events needed
#- Specifies the reports or domain specifications required
#- Specifies label bindings
e.g.
concept Propagate
  requires
    Push_Transfer_Channel: PUTC   #- subscribed report
    Remote_Execution: RE          #- subscribed report
    Pull_Transfer_Channel: PLTC   #- subscribed report
    …
e.g.
concept Buffer_Overflow
  requires
    Buffer_Overflow_Detected: BOD   #- subscribed report
    …
#- The requires section lists the types of reports the concept, as agent, wishes to subscribe to.
requires - (continued)
e.g.
concept Linux5.1-IMAP_buffer_overflow
  requires
    Host_Info: HI                              #- domain knowledge
    Linux_5.1_IMAP_attach_detected: L51IMAP    #- subscribed report
    …
e.g.
concept IIS_List_Overflow_Attack
  requires
    Host_Info: HI                         #- domain knowledge
    IIS_List_Overflow_Detected: IISLOD    #- subscribed report
    IIS_Access: IISA                      #- subscribed report
    …
e.g.
concept RSH_connection_spoof
  requires
    Trusted_Partner: TP       #- subscribed report
    Network_DOS: ND           #- subscribed report
    SeqNumProbe: SNP          #- subscribed report
    SpoofedPacketSend: SPS    #- subscribed report
    …
report - changes in KB
#- where values are bound to instantiations of a report and the report is published
e.g.
  assert Linux5.1-IMAP_vulnerable    #- keyword assert is optional
    (host <- L51IMAPD.hostname)
  retract Linux5.1-IMAP_vulnerable (hostname)
#- explanatory data is passed along by binding matching "required" reports to this report; by default all required reports are bound
#- keyword unbind is used to limit growth of explanatory data
e.g.
  assert SeqNumProbe
    (dest <- SNP.dest)
  unbind SNP    #- all other unbound data is lost
report - (continued)
e.g.
concept Linux5.1-IMAP_buffer_overflow
  requires
    Host_Info: HI                              #- domain knowledge
    Linux_5.1_IMAP_attach_detected: L51IMAP    #- subscribed report
    …
  report
    buffer_overflow_detected (host <- HI.host)
    …
end.
report - (continued)
e.g.
concept RSH_Connection_Spoofing
  requires
    Trusted_Partner: TP       #- subscribed report
    Network_DOS: ND           #- subscribed report
    SeqNumProbe: SNP          #- subscribed report
    SpoofedPacketSend: SPS    #- subscribed report
    …
  report
    Remote_Execution
      (dest <- SPS.target)          #- host we can execute on
      (source <- SPS.source)
      (true_src <- SPS.true_src)    #- where remote code must come from
      (start_time <- SPS.time)
      (end_time <- SPS.time)
report - (continued)
e.g.
concept NIS_Connection_Spoofing
  requires
    Trusted_Partner: TP       #- subscribed report
    Network_DOS: ND           #- subscribed report
    SeqNumProbe: SNP          #- subscribed report
    SpoofedPacketSend: SPS    #- subscribed report
    …
  report
    Remote_Execution
      (dest <- SPS.target)          #- host we can execute on
      (source <- SPS.source)
      (true_src <- SPS.true_src)    #- where remote code must come from
      (start_time <- SPS.time)
      (end_time <- SPS.time)
where - Correlates assertions
#- A list of expressions which must be true for the concept to hold
#- Describes constraints on how reports are to be combined.
e.g.
  DOS.host is SPS.source
  DOS.port_set includes SPS.source
  active(DOS) while active(SPS)
#- The base library of functions can be extended either globally or locally to the particular construct.
e.g.
  defpred is_mail_port(X) ( X in { SMTP, POP, POP2, POP3, IMAP } )
  deffunc number_of_ports(X) ( return card(X.port_set) )
#- CBV only, no side-effects
#- No external calls allowed
Example: SynFlood
concept SynFlood
  requires
    SynFlood: SF
    NetworkAccess: NA
  where
    network_access(NA.true_src, SF.target)
  report
    Denial_of_Network_Service
      (target <- SF.target)
      update_on (port_set <- port_set + SF.port)
      (start_time <- SF.time)
      (stop_time <- SF.time) update
end.
More Examples
concept FileHandleGuessing
  requires
  where
  report
end.

concept DNS_Cache_Poisoning
  requires
    DNS_Cache_Poison_Detected: DNSCP
  report
    Traffic_Redirection
      forall ce in DNSCP.map_list {
        (remap <- remap + [DNSCP.old_IPA, DNSCP.new_IPA])
      }
end.
Example: Connection Spoofing
concept Connection_Spoofing
  requires
    Trusted_Partner: TP
    Network_DOS: ND
    SeqNumProbe: SNP
    SpoofedPacketSend: SPS
  where
    ND.hosts includes TP.host
    SPS.source is SPS.target
    active(ND) while active(SPS)
    not ND.hosts includes SPS.true_src
    not ND.hosts includes SPS.target
  report
    assert Connection_Spoofing
      (dest <- SPS.target)
      (source <- SPS.source)
      (true_src <- SPS.true_src)
      (start_time <- SPS.time)
      (end_time <- SPS.time)
end.
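As an added example (not from the slides), the where clause of Connection_Spoofing above, and the is / includes / active-while operators introduced on the where slide, are evaluated in Python over constructed sensor reports: each where line is interpreted exactly as the slide lists it, and the report attributes are bound from the matched labels. Report, holds, evaluate and the sample addresses are names and values chosen here.

```python
import re
from dataclasses import dataclass

@dataclass
class Report:
    kind: str     # report type, e.g. "Network_DOS"
    attrs: dict   # attribute bindings published by a sensor or JSA
    start: float  # activity interval, used by 'active(X) while active(Y)'
    end: float

# 'where' and 'report' of concept Connection_Spoofing, as listed on the slide.
WHERE = ["ND.hosts includes TP.host", "SPS.source is SPS.target",
         "active(ND) while active(SPS)",
         "not ND.hosts includes SPS.true_src", "not ND.hosts includes SPS.target"]
REPORT = ("Connection_Spoofing", [("dest", "SPS.target"), ("source", "SPS.source"),
          ("true_src", "SPS.true_src"), ("start_time", "SPS.time"), ("end_time", "SPS.time")])

def value(env, ref):
    # Resolve 'LABEL.attr' through the label -> Report bindings made by 'requires'.
    label, attr = ref.split(".", 1)
    return env[label].attrs[attr]

def holds(expr, env):
    # 'X.a is Y.b', 'X.a includes Y.b', optional leading 'not', or 'active(X) while active(Y)'.
    m = re.fullmatch(r"active\((\w+)\) while active\((\w+)\)", expr)
    if m:
        a, b = env[m.group(1)], env[m.group(2)]
        return a.start <= b.end and b.start <= a.end   # activity intervals overlap
    neg = expr.startswith("not ")
    lhs, op, rhs = (expr[4:] if neg else expr).split()
    left, right = value(env, lhs), value(env, rhs)
    result = right in left if op == "includes" else left == right
    return result != neg   # 'not' inverts the outcome

def evaluate(where, report, env):
    # Fire only when every 'where' line holds; then bind the report from the inputs.
    if not all(holds(e, env) for e in where):
        return None
    name, binds = report
    return Report(name, {f: value(env, r) for f, r in binds},
                  min(r.start for r in env.values()), max(r.end for r in env.values()))

# Constructed sample reports (not real sensor output); times are seconds.
SAMPLE = {
    "TP": Report("Trusted_Partner", {"host": "10.0.0.5"}, 0, 999),
    "ND": Report("Network_DOS", {"hosts": {"10.0.0.5"}}, 100, 160),
    "SNP": Report("SeqNumProbe", {"dest": "10.0.0.20"}, 110, 120),
    "SPS": Report("SpoofedPacketSend", {"source": "10.0.0.20", "target": "10.0.0.20",
                                        "true_src": "198.51.100.7", "time": 130}, 130, 130),
}
```

Calling evaluate(WHERE, REPORT, SAMPLE) publishes a Connection_Spoofing report; moving SPS outside the DOS interval, or placing its true source inside ND.hosts, makes the concept fail to fire.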
action - external effects
#- used to
  * send alerts and other informational reports
  * send CIDF GIDOs to other A-boxes
  * dynamically change sensors
  * take response measures
extends - basic inheritance
#- convenient notation when useful reports are not asserted as needed (missing "binds")
e.g.
concept ThinWorm
  extends Worm
Sensor Framework
• Wraps sensor input to provide JIGSAW reports
sensor <sensor_name>
  requires {
    extern <process>: <binding>       #- external process
    - or -
    gido <gido_src>: <gido_filter>    #- GIDO this wraps
                                      #- negotiated via IDIAN
  }
  report {                            #- messages to JSAs
    <assertion> ( <assertion_data>+ )
  }
end.
Concept Hierarchy (diagram): DOS port, DOS Host, DOS Network, DOS all ports.
Concept Hierarchy (diagram): SynFlood – DOS port; Halt Computer – DOS Host; PacketStorm – DOS Network; Unplug Cable – DOS all ports.
concept SynFlood
  requires
    SynFloodDetected: SFD
  report
    Denial_of_Service (host <- SFD.host) (port <- SFD.port_x)
end.
Concept Hierarchy (diagram): SynFlood – DOS port; Halt Computer – DOS Host; PacketStorm – DOS Network; Unplug Cable – DOS all ports.
concept UnpluggedCable
  requires
    UPCableDetected: UPC
  report
    Denial_of_Service (host <- UPC.host) (port <- *)
end.
Concept Hierarchy (diagram): SynFlood – DOS port; PingOfDeath – DOS Host; PacketStorm – DOS Network; Unplug Cable – DOS all ports.
concept PacketStorm
  requires
    PacketStormDetected: PS
  report
    forall h in LocalNet(PS.host, PS.adapter)
      Denial_of_Service (host <- PS.host) (port <- *)
end.
Concept Hierarchy? (diagram): adds a DOS Process level to SynFlood – DOS port; PingOfDeath – DOS Host; PacketStorm – DOS Network; Unplug Cable – DOS all ports.
concept PingOfDeath
  requires
    PingOfDeath: POD
  report
    Denial_of_Service (host <- POD.target) (port <- *) (proc <- *)
end.
Concept Hierarchy (diagram): Denial-of-Service at the root, specialized as DOS port (SynFlood), DOS Host (Halt Computer), DOS Network (PacketStorm) and DOS all ports (Unplug Cable).
Report Specialization (diagram): Denial-of-Service at the root, specialized by level (DOS port – SynFlood; DOS Host – PingOfDeath; DOS Network – PacketStorm; DOS all ports – Unplug Cable) and by service or zone (FTP_DOS, NIS_DOS, SMTP_DOS, HTTP_DOS, Comm_DOS, DMZ_DOS, R&D_DOS).
D.O.S. - Hierarchy of Specialization
Conceptual Execution Model
Communicating Agent Model
• Each concept statement defines a JSA (JigSaw Agent)
• JSAs execute concurrently on 1 or more hosts.
• requires specifies the types of reports of interest to the JSA – what it subscribes to
• reports are the messages an agent will publish
• reports can be either broadcast to all agents, or sent only to subscribing agents
• Remote groups of agents communicate via CIDF, using IDIAN to negotiate report requirements
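As an added Python example (not part of the slides), the communicating-agent model above combined with the Denial_of_Service specialization from the Concept Hierarchy slides: JSAs subscribe to the report types named in their requires, publish what their report section asserts, and a report carrying port <- * satisfies a subscriber interested in one specific port. Bus, matches, dos_consumer and the host and port values are constructed here; NIS_DOS stands in for one of the specializations on the Report Specialization slide.

```python
from collections import defaultdict

WILDCARD = "*"   # the slides' '( port <- * )': the report covers every value

class Bus:
    # Delivery to subscribers only: a JSA subscribes to the report types named
    # in its 'requires' and publishes the reports its 'report' section asserts.
    def __init__(self):
        self.subs = defaultdict(list)
        self.log = []                      # every report published, in order
    def subscribe(self, kind, jsa):
        self.subs[kind].append(jsa)
    def publish(self, kind, attrs):
        self.log.append((kind, attrs))
        for jsa in self.subs[kind]:
            jsa(self, attrs)

def matches(report, wanted):
    # A specialized interest is satisfied by a more general report: every
    # wanted attribute is either equal or covered by '*' in the report.
    return all(report.get(k) in (WILDCARD, v) for k, v in wanted.items())

def syn_flood(bus, sfd):        # concept SynFlood: DOS of a single port
    bus.publish("Denial_of_Service", {"host": sfd["host"], "port": sfd["port_x"]})

def unplugged_cable(bus, upc):  # concept UnpluggedCable: DOS of all ports
    bus.publish("Denial_of_Service", {"host": upc["host"], "port": WILDCARD})

def dos_consumer(wanted):
    # A JSA requiring Denial_of_Service that re-reports each match as the
    # specialization NIS_DOS (one leaf of the Report Specialization slide).
    hits = []
    def jsa(bus, attrs):
        if matches(attrs, wanted):
            hits.append(attrs)
            bus.publish("NIS_DOS", {"host": wanted["host"], "port": wanted["port"]})
    return jsa, hits

def run():
    # Constructed scenario: port 111 is assumed to be the NIS port of interest.
    bus = Bus()
    jsa, hits = dos_consumer({"host": "10.0.0.5", "port": 111})
    bus.subscribe("Denial_of_Service", jsa)
    syn_flood(bus, {"host": "10.0.0.5", "port_x": 80})     # other port: no match
    syn_flood(bus, {"host": "10.0.0.5", "port_x": 111})    # exact match
    unplugged_cable(bus, {"host": "10.0.0.5"})             # '*' covers port 111
    unplugged_cable(bus, {"host": "10.0.0.7"})             # other host: no match
    return len(hits), sum(1 for kind, _ in bus.log if kind == "NIS_DOS")
```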
Uses
• Forward direction as an ID system
• In reverse to identify vulnerabilities
• In reverse w/ sensors replaced with appropriate attack scripts as an attack system
  – Plans how to reach goal
  – Can find new combinations of attacks to reach goal, e.g.
    • Using DNS requests as a method for a worm to pull in its body.
    • Port DOS to spoof IIS authentication, then buffer overflow list command as a means of remote execution.
Attack Requirements
concept Propagate
  requires
    Remote_Execution: RE
    …
  where
    … …
end.

concept Linux5.1-IMAP_Vulnerable
  requires
    OS_Linux-5.1: OSL51
    Not_IMAP_Patched: NIMAPP
    …
  report
    Remote_Execution (host <- OSL51.host)
    …
end.

concept OS_Linux-5.1_ID
  requires
    OS_Scan: OSS
  where
    OSS.OS is Linux_5.1
  report
    OS_Linux-5.1 (host_set <- OSL51.host)
end.
Challenges
• Writing more specifications
• Efficient implementation
• Integration of anomaly detection components into JIGSAW
• Appropriate time-to-live for assertions
• Update reports of continuing events
Summary
• Simple conceptual framework for modeling attack concepts
• Extensible to handle new attribute relationships
• Utilizes new attack detectors to improve performance
• Specifications use behavioral characteristics of attack and/or critical resources to protect.
• CIDF friendly.
• While conceptually an agent approach, not tied to any execution method.
• Well suited as an attack tool.