A policy-based vulnerability analysis framework

Repeatability is essential to any science, and computer science is no exception. However, the area of vulnerability analysis suffers from ambiguous definitions that hinder the repeatability of analysis results. Many researchers have turned to policy-based definitions of a vulnerability in an attempt to alleviate this ambiguity. However, it is rare that security policies are explicitly and precisely defined. As a result, these policy-based approaches merely shift the ambiguity from defining vulnerabilities to defining policies. Other researchers turn to strictly formal models and methods to provide repeatable results, but the practicality of such analysis is limited by the complexity of the environment and the availability of resources. This creates a conflict between repeatability and practicality that is often left unresolved in existing vulnerability analysis methods: an analysis framework either focuses on formal models to provide repeatability, or uses an ad hoc approach to provide practicality. This dissertation addresses this conflict by balancing specific formal and practical objectives to create a vulnerability analysis framework capable of producing repeatable results in realistic environments. This analysis framework relies on three major components: a hierarchy of security policies, a formal model of implementation vulnerabilities, and an implementation vulnerability classification scheme. We address the ambiguity surrounding security policies with a hierarchy that precisely defines security policies at four levels of abstraction. We use this policy hierarchy to provide a formal model of an implementation vulnerability. This model provides the formal foundation for our characteristic-based vulnerability classification scheme, which allows us to examine implementation vulnerabilities at a more practical level of abstraction. We combine these components into a cohesive implementation vulnerability analysis framework that provides insight into both when a system is non-secure, and how to mitigate that non-security.
