
Computers & Security

Volume 26, Issue 5, August 2007, Pages 349-360

Vulnerability Take Grant (VTG): An efficient approach to analyze network vulnerabilities

https://doi.org/10.1016/j.cose.2007.03.002

Abstract

Modeling and analyzing information system vulnerabilities helps predict possible attacks on computer networks using vulnerability information and the network configuration. In this paper, we propose a comprehensive approach to analyzing network vulnerabilities in order to answer the safety problem with a focus on vulnerabilities. The approach, called Vulnerability Take Grant (VTG), is a graph-based model consisting of subjects/objects as nodes and rights/relations as edges, which together represent the system protection state. Each node may have properties, including single vulnerabilities such as a buffer overflow. We use the new concept of a vulnerability rewriting rule to specify the requirements and consequences of exploiting a vulnerability. Analysis of the model is achieved using our bounded polynomial algorithm, which generates the most permissive graph in order to verify whether a subject can obtain an access right over an object. The algorithm also finds the likely attack scenarios. Applicability of the approach is investigated by modeling widespread vulnerabilities in their general patterns. A real network is modeled as a case study in order to examine how an attacker can gain unauthorized access by exploiting a chain of vulnerabilities. Our experience shows the efficiency, applicability, and expressiveness of our approach in modeling a broader range of vulnerabilities than the previous approaches.

Introduction

The goal of vulnerability analysis in computer and network systems is to analyze the dependencies among vulnerabilities in order to find attack scenarios before malicious attackers find them. Currently, several tools exist that analyze the vulnerabilities of a single host in isolation. However, protecting networks against attacks requires considering all network vulnerabilities, their inter-dependencies, and the dependencies among services.

Considered individually, a service may provide an acceptable level of security, but a combination of such services may lead to subtle attack scenarios. For example, the file transfer protocol (ftp) and the hypertext transfer protocol (http), provided simultaneously on the same host, may permit an attacker to write into a web directory using ftp. This causes the web server to execute a program written by the attacker. Accordingly, a comprehensive analysis of network vulnerabilities must consider individual hosts as well as their relationships.

The complexity of analyzing network vulnerabilities grows rapidly as the number of hosts and services increases. Manual handling of such complexity is very difficult or even impossible for today's large networks. Accordingly, automated approaches are necessary for vulnerability analysis.

Our vulnerability analysis problem is to determine whether an attacker can obtain unauthorized access to a particular resource. This is a specific form of the safety problem, which asks “Given an initial configuration of a protection system, can a subject s obtain some access right r over an object o?” (Shapiro, 2003). In other words, we focus on determining whether a set of known vulnerabilities allows a given subject to acquire some specific set of rights over an object representing a resource.

To the authors' knowledge, the previous literature has not explored the safety problem with a focus on vulnerabilities. The approaches proposed in Zerkle and Levitt, 1996, Dacier and Deswarte, 1994, Ritchey and Ammann, 2001, Ramakrishnan and Sekar, 2002, Shahriari and Jalili, 2004, Noel et al., 2003, Noel et al., 2004, and Noel and Jajodia (2004) analyze network vulnerabilities from the point of view of the relations among individual hosts and network configurations. These approaches mainly use model checking and graph-based techniques to generate and analyze an attack graph, and they take exponential time. In Ammann et al. (2002) and Noel et al. (2003), polynomial time approaches have been suggested for the same problem, without any specific upper bound on the polynomial degree.

In this paper, we propose a new access-control-based model to address the concept of vulnerabilities and their effects on the system protection state. The model is motivated by the Take-Grant protection model, a graph-based access control model in which subjects and objects are the nodes of a graph, and access rights as well as administrative rights (Take and Grant) are the edges (Jones et al., 1976). We also propose a framework to model vulnerabilities based on their pre-conditions and post-conditions, as well as an algorithm to analyze the model in polynomial time bounded by the size of the protection system graph. The proposed algorithm can generate possible attack scenarios. The applicability of the framework is shown through real examples of vulnerabilities. The examples cover the general form of widespread vulnerabilities such as buffer overflow and cross-site scripting.

The remainder of this paper is organized as follows. In Section 2, we review previous work on the Take-Grant protection model and network vulnerability analysis. The outline of our proposed approach is presented in Section 3, and its details in Section 4. Section 5 discusses the applicability of the approach by modeling broad types of vulnerabilities and their rewriting rules. Section 6 presents an algorithm to analyze the model in order to answer the safety problem in the presence of vulnerabilities. Section 7 provides a real case study. Conclusions and future work are presented in Section 8.

Related work

The Take-Grant protection model was first developed by Jones et al. (1976) where the safety problem could be solved in linear time. They provided the necessary and sufficient conditions under which rights and information could be transferred between two entities of the protection system and a linear time algorithm to test those conditions. Applications of the Take-Grant model to various systems have been explored separately (Bishop, 1981, Bishop, 1996, Jones, 1978, Snyder, 1977, Wu, 1981, Frank

Outline of the approach

The proposed approach is composed of three steps. In the first step, the network configuration and known vulnerabilities are collected. In the second step, the gathered information is used to construct the initial model. The last step involves analyzing the model to capture all the ways through which the rights can be transferred. Fig. 1 depicts the schematic outline of our approach.

To construct the model, we need to know the current host and network configuration of rights, and the set of host

Vulnerability Take-Grant model

In this section we present the generalized Vulnerability Take-Grant model. Our approach is based on extending the original Take-Grant model. Some definitions are provided first, and the formal model is presented afterwards.

Applicability of the model

Here we show how real-world vulnerabilities can be modeled using our approach. As stated before, exploiting most vulnerabilities causes the protection state of the system to be altered. Thus, exploiting vulnerabilities is addressed in our model by vulnerability rewriting rules. In fact, the vulnerability rewriting rules represent the transitions caused by the vulnerability exploitation. We model some well-known and realistic vulnerabilities in operating systems and web applications as

Analysis

In this section we present our approach to analyzing the model. Our analysis is based on the following question:

“Is it possible for attacker A to achieve access right r over y or not?”

Rights in the Take-Grant protection model can be transferred either cooperatively or unilaterally. The same holds when the model is applied to vulnerability analysis. The attacker can exploit some vulnerabilities unilaterally; however, exploiting other vulnerabilities requires the cooperation of other subjects

Case study

In this section, we present the application of the Vulnerability Take-Grant model and the results acquired in the vulnerability analysis of a typical network. Besides the previously introduced rewriting rules, we need some general rules to analyze real-world vulnerabilities. For example, each user's access rights are a subset of the root's access rights. This fact is shown in the VTG model as a set of take edges drawn from the root user account to the other user accounts defined on the same host.
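As an added illustration of the model summarized in the abstract, the analysis question ("can attacker A obtain right r over y?") and the root-take convention of this case study, here is a small Python closure over a VTG-style graph. This is example code, not the authors' implementation; the rule syntax `(name, pre_edges, post_edges)`, the node names and the two rewriting rules are assumptions, and the protection state is constructed from the ftp/http example in the introduction.

```python
# Added example (not the authors' code): a toy Vulnerability Take-Grant closure.
# A state is a set of edges (source, right, target); "r"/"w"/"x" are ordinary
# rights, "t"/"g" the take/grant rights. A vulnerability rewriting rule is
# assumed to be (name, pre_edges, post_edges); the paper's syntax is not shown here.
def closure(edges, vuln_rules):
    """Most permissive state reachable from `edges`, plus a derivation map
    {derived_edge: (rule_name, supporting_edges)} for every added edge."""
    state, why = set(edges), {}
    while True:
        derived = []
        for (x, a, y) in state:
            if a == "t":   # take: x -t-> y and y -r-> z  =>  x -r-> z
                derived += [((x, r, z), "take", [(x, a, y), (y, r, z)])
                            for (y2, r, z) in state if y2 == y]
            if a == "g":   # grant: x -g-> y and x -r-> z  =>  y -r-> z
                derived += [((y, r, z), "grant", [(x, a, y), (x, r, z)])
                            for (x2, r, z) in state if x2 == x]
        for name, pre, post in vuln_rules:  # every pre-condition edge present?
            if all(e in state for e in pre):
                derived += [(e, name, list(pre)) for e in post]
        new = [d for d in derived if d[0] not in state]
        if not new:                         # fixpoint: the most permissive graph
            return state, why
        for edge, name, support in new:
            state.add(edge)
            why.setdefault(edge, (name, support))

def attack_scenario(edges, vuln_rules, subject, right, obj):
    """Safety question 'can subject obtain right over obj?': returns the ordered
    rule applications that yield the edge, [] if initial, None if unreachable."""
    state, why = closure(edges, vuln_rules)
    goal, steps, seen = (subject, right, obj), [], set()
    if goal not in state:
        return None
    def explain(e):                         # post-order walk of the derivation
        if e in seen or e not in why:       # already explained, or initial edge
            return
        seen.add(e)
        name, support = why[e]
        for s in support:
            explain(s)
        steps.append((name, e))
    explain(goal)
    return steps
# Constructed state: ftp/http host from the introduction; root takes every account's rights.
EDGES = [("attacker", "w", "webdir"), ("httpd", "x", "webdir"),
         ("httpd", "r", "config"), ("root", "t", "httpd"), ("root", "r", "shadow")]
RULES = [("write_then_execute",  # constructed rule names and effects
          [("attacker", "w", "webdir"), ("httpd", "x", "webdir")], [("attacker", "t", "httpd")]),
         ("setuid_overflow", [("attacker", "t", "httpd")], [("attacker", "t", "root")])]
```

Without any rewriting rules the closure contains only what the take edges from root already imply, so the same query returns None; with them it returns the chain of rule applications that reaches the target right.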

Conclusions and future works

In this paper, we introduced a new method for network vulnerability analysis, motivated by the Take-Grant protection model. This method makes it possible to represent the protection state of a network with a formal model. We demonstrated how different types of vulnerabilities can be represented in our model if an appropriate level of abstraction is selected. The attacker's capability to access network resources can be analyzed with the model. We also introduced the

Acknowledgments

The authors are grateful to Reza Sadoddin for his valuable comments and constant cooperation in finalizing this paper. The authors also acknowledge the comments of Matt Bishop on the draft version of this paper and his guidance on future directions.

Hamid Reza Shahriari received his M.Sc. in Computer Science from Amir-Kabir University of Technology, Tehran, Iran, in 2000. He is currently a Ph.D. student in Computer Science in Sharif University of Technology, working on his thesis on vulnerability analysis of computer networks. His research interests are Information Security and Formal Methods in Security.

References (36)

  • S. Hansman et al. A taxonomy of network and computer attacks. Journal of Computer Security (2005).
  • Ammann P, Wijesekera D, Kaushik S. Scalable, graph-based network vulnerability analysis. In: Proceedings of ninth ACM...
  • Bishop M. Hierarchical take-grant protection systems. In: Proceedings of 8th symposium on operating systems principles;...
  • Bishop M. Practical Take-Grant systems: do they exist? Ph.D. thesis, Department of Computer Sciences, Purdue...
  • M. Bishop. Conspiracy and information flow in the Take-Grant protection model. Journal of Computer Security (1996).
  • M. Bishop et al. A critical analysis of vulnerability taxonomies (September 1996).
  • CERT Advisory CA-2000-02. Malicious HTML tags embedded in client web requests [online]. Available from:...
  • Cheops-ng, the network swiss army knife [online]. Available from:...
  • M. Dacier et al. Privilege graph: an extension to the typed access matrix model. In: Proceedings of third European symposium on research in computer security (ESORICS 94), Brighton, UK. Lecture Notes in Computer Science: Computer Security (1994).
  • R. Deraison. The Nessus attack scripting language reference guide (2000).
  • J. Frank et al. Extending the Take-Grant protection system (1996).
  • Internet Security Systems. System Scanner information [online]. Available from:...
  • Ismail O, Etoh M, Kadobayashi Y. A proposal and implementation of automatic detection/collection system for cross-site...
  • Jones A, Lipton R, Snyder L. A linear time algorithm for deciding security. In: Proceedings of 17th annual symposium on...
  • A. Jones. Protection mechanism models: their usefulness. Foundations of secure computing (1978).
  • Jha S, Sheyner O, Wing J. Two formal analyses of attack graphs. In: Proceedings of 15th IEEE computer security...
  • S. Jajodia et al. Topological analysis of network attack vulnerability.
  • Mitre Corporation. Common vulnerabilities and exposure database [online]. Available from:...
Rasool Jalili received his Ph.D. in Computer Science from The University of Sydney, Australia, in 1995. He then joined, as an assistant professor, the Department of Computer Engineering, Sharif University of Technology, Tehran, Iran, where he is doing research in the areas of Distributed Systems and Information Security.
