Model-Based Analysis of Configuration Vulnerabilities
- JOURNAL OF COMPUTER SECURITY
Cited by 40 (2 self)
Vulnerability analysis is concerned with the problem of identifying weaknesses in computer systems that can be exploited to compromise their security. In this paper we describe a new approach to vulnerability analysis based on model checking. Our approach involves: Formal specification of desired security properties. An example of such a property is "no ordinary user can overwrite system log files." An abstract model of the system that captures its security-related behaviors. This model is obtained by composing models of system components such as the file system, privileged processes, etc.
Analysis of Vulnerabilities in Internet Firewalls
Cited by 18 (0 self)
Firewalls protect a trusted network from an untrusted network by filtering traffic according to a specified security policy. A diverse set of firewalls is being used today. As it is infeasible to examine and test each firewall for all possible potential problems, a taxonomy is needed to understand firewall vulnerabilities in the context of firewall operations. This paper describes a novel methodology for analyzing vulnerabilities in Internet firewalls. A firewall vulnerability is defined as an error made during firewall design, implementation, or configuration, that can be exploited to attack the trusted network that the firewall is supposed to protect. We examine firewall internals, and cross reference each firewall operation with causes and effects of weaknesses in that operation, analyzing twenty reported problems with available firewalls. The result of our analysis is a set of matrices that illustrate the distribution of firewall vulnerability causes and effects over firewall operations. These matrices are useful in avoiding and detecting unforeseen problems during both firewall implementation and firewall testing. Two case studies of Firewall-1 and Raptor illustrate our methodology.
Model-Based Vulnerability Analysis of Computer Systems
- IN PROCEEDINGS OF THE 2ND INTERNATIONAL WORKSHOP ON VERIFICATION, MODEL CHECKING AND ABSTRACT INTERPRETATION
, 1998
Cited by 14 (1 self)
Vulnerability analysis is concerned with the problem of identifying weaknesses in computer systems that can be exploited to compromise their security. Most vulnerabilities arise from unexpected interactions between different system components such as server processes, filesystem permissions and content, and other operating system services. Existing vulnerability techniques (such as those used in COPS and SATAN) are based on enumerating the known causes of vulnerabilities in the system and capturing these causes in the form of rules, e.g., a world- or group-writable .login file is a well known vulnerability that enables one user to gain all access privileges of another user. However, the generation of the rules relies on expert knowledge about interactions among many components of the system. Issues such as system complexity, race conditions, many possible interleavings, hidden assumptions etc. make it very hard even for experts to come up with all such rules. In contrast, we propose a new model-based approach where the security-related behavior of each system component is modeled in a high-level specification language such as CSP or CCS. These component models can then be composed to obtain all possible behaviors of the entire system. Finding system vulnerabilities can now be accomplished by analyzing these behaviors using automated verification techniques (model checking in particular) to identify scenarios where security-related properties (such as maintaining integrity of password files) are violated. In contrast to previous approaches that mainly address well-known vulnerabilities, our model-based approach has the potential to automatically seek out and identify known and as-yet-unknown vulnerabilities.
A Data-Driven Finite State Machine Model for Analyzing Security Vulnerabilities
- In IEEE International Conference on Dependable Systems and Networks
, 2003
Cited by 10 (3 self)
This paper combines an analysis of data on security vulnerabilities (published in Bugtraq database) and a focused source-code examination to develop a finite state machine (FSM) model to depict and reason about security vulnerabilities. An in-depth analysis of the vulnerability reports and the corresponding source code of the applications leads to three observations: (i) exploits must pass through multiple elementary activities, (ii) multiple vulnerable operations on several objects are involved in exploiting a vulnerability, and (iii) the vulnerability data and corresponding code inspections allow us to derive a predicate for each elementary activity. Each predicate is represented as a primitive FSM (pFSM). Multiple pFSMs are then combined to create an FSM model of vulnerable operations and possible exploits. The proposed FSM methodology is exemplified by analyzing several types of vulnerabilities reported in the data: stack buffer overflow, integer overflow, heap overflow, input validation vulnerabilities, and format string vulnerabilities. For the studied vulnerabilities, we identify three types of pFSMs, which can be used to analyze operations involved in exploiting vulnerabilities and to identify the security checks to be performed at the elementary activity level. A demonstration of the practical usefulness of the FSM modeling approach was the discovery of a new heap overflow vulnerability now published in Bugtraq. Key words: security vulnerabilities, data analysis, finite state machine modeling.
A Building Block Approach to Intrusion Detection
- In Recent Advances in Intrusion Detection (RAID 2001)
, 2001
Cited by 5 (1 self)
This paper details the design and implementation of a host-based intrusion detection system (Hewlett-Packard's Praesidium IDS/9000) and a specialized kernel data source which supplies customized data to the IDS. Instead of the common attack-signature matching used in most other intrusion detection systems, IDS/9000 performs real-time monitoring of the system looking for misuse actions that are indicative of either attack or system policy violations. These misuse actions are called building blocks.
A Physiological Decomposition Of Virus And Worm Programs
, 2002
Cited by 1 (0 self)
LIST OF FIGURES
Figure 1-1: Melissa time line [From the Congressional testimony of Richard Pethia]
Figure 2-1: Picture of the formal definition [Cohen 94]
Figure 2-2: The figure represents the two integrity states a system can have and the transitions that can occur
Figure 3-1: An abstract model for an organ of virus or worm program
Figure 3-2: The functional organs of virus and worm programs shown as grayed nodes
Figure 3-3: A representation of the replication cycle for a worm program
Figure 3-4: A representation of the infection cycle for a virus program
Figure 3-5: Flow of installation and injection operations in a MS Word macro environment
Figure 3-6: Installing in recently used files
Figure 3-7: Updating the registry during installation
Figure 3-8: The flow chart showing a frequently used method of installation and injection in macro viruses
Figure 3-9: Encrypted virus code with the decryptor routine attached at the beginning
Figure 3-10: The intermediate virus code obtained after the decryp...
A Security Incident Sharing and Classification System for Building Trust in Cross Media Enterprises
- Presented at International Conference on Cross-Media Service Delivery (CMSD-2003)
, 2003
Cited by 1 (1 self)
Abstract: Trust in cross-media applications is essential to successful collaboration. Cross media service delivery encompasses different types of security incidents and assumes a level of trust on the part of the participants of any one transaction. As enterprises and participants of cross media transactions become more susceptible to security risks facilitated by the heterogeneity of data being exchanged, it is important to develop protective infrastructures. Such infrastructures should enable reporting of security violations or misconduct on a regular basis with effortless incident submission, automatic classification of reported incidents, searching and collective knowledge extraction from similar incidents and sharing of information by authorized users. We report on such a system currently being developed. The Security Incident Sharing and Classification system (SISC) collects incidents in a database, through its incident submission interface, and classifies them according to different parameters. We demonstrate an automatic classification scheme based on the level of incident severity, where severe incidents are processed faster. The system builds trust through its monitoring and recommendation capabilities, thus preparing enterprises to encounter new security incidents that may arise. This is an open, customizable, self-standing risk monitoring system which can be built into any enterprise. The recommendation component of SISC extracts solution scenarios from the gathered knowledge of classified incidents and makes them available to SISC users.
E-Commerce Security Resource
- ECOMRISK Data Center. Grant Report
, 2002
Cited by 1 (1 self)
As the Internet continues to play an increasingly important role in supporting business-to-business and business-to-customer transactions, it is crucial for the participants in these transactions to be informed about and to understand the involved risks and how to guard against them. Most websites presenting Internet and e-commerce security issues provide only specific, technical information aimed at system specialists, leaving out a more interdisciplinary audience of business professionals and entrepreneurs. The EcomRISK.org resource was created to fill this need, by providing an educational background for a more general audience, as well as the means of communicating concerns, problems, and solutions between users and experts, and research tools for future development.

