the rare glitch project: scenario graph generation and mdp-based analysis computer science...

The Rare Glitch Project:Scenario Graph Generation andMDP-Based Analysis

The Rare Glitch Project:Scenario Graph Generation andMDP-Based Analysis

Computer Science DepartmentCarnegie Mellon University

Pittsburgh, PA

Jeannette M. Wing

The work on survivability analysis is funded by DARPA. It is done jointly with Somesh Jha (University of Wisconsin) and Oleg Sheyner (CMU graduate student).

Carnegie Mellon: The Rare Glitch Project 2 Jeannette M. Wing

Overview of Our MethodOverview of Our Method

Checker

(Network) Model

(Survivability) Property

Phase 1

Scenario Graph

Analyzer

Reliability Query,Cost Query, etc.Phase

2

Scenario Set


Relation to ARO ProposalRelation to ARO Proposal

Hypothesis: Our two-phase method and tool suite are applicable to analyzing embedded systems.

Rationale Network model is simpler (bus-based, not end-to-end). Reliability and cost are important factors in embedded

systems design.

Our plan Enrich and make current tool suite robust. Apply method to embedded systems examples. Pursue foundational issues wrt models for reliability

and cost analyses.


Survivable SystemsSurvivable Systems

What if a terrorist hacker brings down the nation’s power grid? an act of Mother Nature causes the international

financial network to fail?

Critical infrastructures Utilities: gas, electricity, nuclear, water, … Communications: telephone, networks, … Transportation: airlines, railways, highways, … Medical: emergency services, hospitals, … Financial: banking, trading, …


SurvivabilitySurvivability

A system is survivable if it can continue to provide end services despite the presence of faults.


Modeling for Survivability AnalysisModeling for Survivability Analysis

Our starting point Handle both benign and malicious faults.

Throw out independence assumption. Incorporate semantics of end service in model.

Do not necessarily treat nodes and links the same. Include cost in the model from the start.

Steps in our approach Model general network topology (nodes and links) Analyze in two phases for

Functional behavior Reliability, cost, etc.


Phase 1Phase 1

Network Model =

Survivability Property =

Scenario Graph =

Model Checker = (modified) NuSMV

A set of concurrently executing Finite State Machines.

A predicate in CTL.

A set of related examples.


Simple Example: A Banking SystemSimple Example: A Banking System

FRB 1

FRB 3FRB 2

MC 1 MC 3MC 2

Bank A Bank CBank B

a1a2

b1 b2 c1


Network ModelNetwork Model

Processes Nodes and links are processes (i.e., FSMs)

banks, money centers, federal reserve banks, and links Communication via shared variables (i.e., finite

queues) representing channels, and hence interconnections.

Failures Faults represented by special state variable

fault:{normal, failed, intruded} Links and banks can fail at any time

Failed link blocks all traffic. Failed bank routes all checks to an arbitrarily chosen

money center. Money centers and federal reserve banks do not fail.


Survivability PropertiesSurvivability Properties

Fault-related Money never deposited into wrong account.

AG(error)

Service-related A check issued eventually clears.

AG(checkIssued AF(checkCleared))


Scenario GraphsScenario Graphs

Given a state machine, M, and a property, P, a scenario graph is a concise representation of the set of traces of M with respect to P. P = fault property

A fault scenario graph represents all system traces that end in a state that does not satisfy P.

P = service property A service success (fail) scenario graph represents all

system traces in which an issued service successfully finishes (fails to finish).


Fault Scenario GraphFault Scenario Graph

Intuition:

• Each “counterexample” spit out by the model checker is a scenario.

• Survivability property gives a slice of the model.

Each path is a scenario of how a fault can occur.


Survivability PropertiesSurvivability Properties

Fault-related Money never deposited into wrong account.

AG(error)

Service-related A check issued eventually clears.

AG(checkIssued AF(checkCleared))


A Service Success Scenario GraphA Service Success Scenario Graph

issueCheck(A, C)

send(A, MC-2)

send(MC-2, FRB-1)

send(FRB-1, FRB-3)

send(FRB-3, MC-3)

send(MC-3, C)

debitAccount

send(FRB-2, FRB-3)

send(MC-1, FRB-2)

send(A, MC-1)

up(a2)

up(c1)

down(a2) & up(a1)


A Service Fail Scenario GraphA Service Fail Scenario Graph

issueCheck(A, C)

FAIL

down(A)

up(a2)

up(A)

pick(MC-2)

down(c1)

down(a2)

pick(MC-1)

down(a1)

down(c1)

down(c1)

up(a1)

send(A, MC-2) send(A, MC-1)

FAIL

FAIL

FAIL


Overview of MethodOverview of Method

Network Model

Reliability Query,Cost Query, etc.Analyzer

Scenario Set

Survivability Property

Phase 2

Phase 1

Scenario Graph

Checker

Annotations(e.g., probabilities, cost)


Phase 2: Reliability Analysis (in a Nutshell)Phase 2: Reliability Analysis (in a Nutshell)

Annotations = Probabilities Use Bayesian Networks to model dependence of

events.

Symbolic Use symbolic probabilities

high, medium, low Use NDFA theory to compute scenario set.

Continuous Use numeric probabilities

[0.0, 1.0] Use Markov Decision Processes to model both

nondeterministic and probabilistic transitions.


Phase 2: Continuous AnalysisPhase 2: Continuous Analysis

Use real values for probabilities.

May leave probabilities of some events unspecified.

Markov Decision Processes Mix of nondeterministic and probabilistic transitions

Why? System is not closed. Hard to assign probabilities to some faults (e.g.,

intrusions). Environment makes choice (i.e., decision) and can be

demonic!


Reliability AnalysisReliability Analysis

Goal of (malicious) environment: Devise an optimal policy to minimize reliability.

Assign to each state, s, a value, V(s), computed using a standard policy iteration algorithm from MDP literature.

Let V* be the value function after convergence. Then, for initial state of scenario graph, s0, V*(s0) computes worst-case probability of service eventually finishing.


A Typical ExampleA Typical Example

V(Bad) = 0.0V(Good) = 1.0

0.6

0.7

0.6

BadGood

0.40.

60.3

0.7

0.65


Bayesian Network for Bank ExampleBayesian Network for Bank Example

P(a2 | a1) = 1/2

P(a2 | a1) = 1/4

P(a1) = 1/2 a1

a2

c1

P(c1) = 1/2

b2

P(b2) = 1/2

b1

P(b1) = 1/2


A Service Success Scenario GraphA Service Success Scenario Graph

issueCheck(A, C)

send(A, MC-2)

send(MC-2, FRB-1)

send(FRB-1, FRB-3)

send(FRB-3, MC-3)

send(MC-3, C)

debitAccount

send(FRB-2, FRB-3)

send(MC-1, FRB-2)

send(A, MC-1)

up(a2)

up(c1)

down(a2) & up(a1)3/8 1/4

1/2The worst case probability that a check issued by Bank A on Bank C is

(1/2 * 3/8) + (1/2 * 1/4) = 5/16


Cost-Benefit AnalysisCost-Benefit Analysis

Goal: Choose a set of links to upgrade to achieve higher reliability, given my cost constraints (e.g., fixed budget).

Identify new actions that correspond to decisions an architect needs to make (e.g., upgrade a1).

Associate a cost with each action.

Define constraints on costs.


Upgrade Links in Banking SystemUpgrade Links in Banking System

FRB 1

FRB 3FRB 2

MC 1 MC 3MC 2

Bank A Bank CBank B

a1a2

b1 b2 c1??

?


Cost Constraint ExampleCost Constraint Example Assume:

If we upgrade a1 and c1 then P(a1) and P(c1) both increase to 3/4 .

If a2 is upgraded, then P(a2) is: P(a2|a1) = 3/4 P(a2| a1) = 3/8

Aim: Maximize the worst-case reliability subject to the constraint that at most two links can be upgraded. Solve this non-linear integer programming problem:

xa1 + xa2 + xc1 < 2

Best option: Upgrade a1 and c1. xa1 = 1 and xa2 = 1 7/16

xa1 = 1 and xc1 = 1 39/64xa2 = 1 and xc3 = 1 9/16


Constrained Markov Decision ProcessesConstrained Markov Decision Processes

<S, A, P, c, d>

S is a finite state space.

A is a finite set of actions.

P are transition probabilities. Psas’ is the probability of moving from state s to s’ if action a is chosen.

c: (S x A) is the immediate cost. c(s, a) is the cost of choosing action a at state s.

d: (S x A) k is a k-dimensional vector of immediate costs, captures additional cost constraints.


Survivability Case StudiesSurvivability Case Studies

Somesh Jha Trading floor model of major investment bank (being

“sanitized”) 10K lines of NuSMV half-million nodes in scenario graph 50 threat scenarios 45 found by system 5 new threat scenarios found With independence assumption, too many misses.

B2B e-commerce NYC start-up (Jha) 50K lines of Statecharts 2 million NuSMV beyond capability of tool

Oleg Sheyner Intrusion detection (ongoing)


Intrusion Detection System Case StudyIntrusion Detection System Case Study Done by Oleg Sheyner and Lincoln Labs.

Motivated by hand drawn poster of attack scenarios.

Illustrates only first part of method.


Example of Attack Tree Developed by a Professional Red TeamExample of Attack Tree Developed by a Professional Red Team

Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment


Phase 1 Example:Multistage Network Penetration

database

adversary

ftp

sshd

firewall router

IDSip1

ip2

ipaftp

Goal: Root access to host ip2

Attack Arsenal

• Sshd buffer overflow - remotely get root• Ftp .rhosts file - establish trust between hosts• Remote login - exploit trust between hosts• Local buffer overflow - locally get root

Detected


NuSMV EncodingNuSMV Encoding

Network 1 attack host, 2 target hosts

with services 3x3 connectivity matrix

existence of routing path ability to connect to ftp and

ssh services 3x3 trust matrix

Adversary Privilege levels for each

host

Attacks 4 attacks some have multiple flavors

NuSMV Statistics 82 bits of state (282 states)

<40K representation nodes~7000 reachable states

2 sec runtime on 1GHz Pentium III

8MB of memory used


Scenario-Generating PropertiesScenario-Generating Properties

Don’t care about detection

AG (adversary.privilege[2] < root)

Want stealth

AG ((adversary.privilege[2] < root) or (IDS.detected))


The Rare Glitch Tool SuiteThe Rare Glitch Tool Suite

…

Prism

Checkmate

PVS

Symp

nuSMV

Specification

Model

Counter-examples

Checkers and Provers

Specification and Modeling Languages

Analysis Engines

Reliability and Cost Analyzers

Explanation Generator

Abstraction/Refinement Processor

…

XMLScenario graphXML2nuSMV


Plan in Relationship to The Rare Glitch ProjectPlan in Relationship to The Rare Glitch Project Enrich and make current tool suite robust.

Integrate with other existing project tools.

Apply method to embedded systems examples. Work with Clarke to add reliability analysis to

automotive example.

Pursue foundational issues wrt models for reliability and cost analyses. Understand relationship to other probabilistic models,

hybrid models, etc.

the rare glitch project: scenario graph generation and mdp-based analysis computer science...

Documents

rare glitch project9jeannette

rare glitch project3jeannette

rare glitch project6jeannette

rare glitch project7jeannette

rare glitch project8jeannette

rare glitch project2jeannette

rare glitch project4jeannette

rare glitch project5jeannette