Defining a Model for Defense in Depth

Transcription

1 Defining a Model for Defense in Depth James Sullivan, Michael Locasto University of Calgary LAW 2015 Sullivan / Locasto Modelling Defense in Depth LAW / 33

2 Introduction Key Problem Problem: What is the ideal way to arrange and configure a set of security mechanisms? What security mechanisms should be included? What should their layout be? How fail-safe is the arrangement? Cost-benefit analysis budgets are finite Sullivan / Locasto Modelling Defense in Depth LAW / 33

3 Introduction Challenges Why is this hard? There are many different flavors of security products, and most of them claim to be better than the rest Protect your devices with the best free antivirus on the market. Avast Antivirus, 2015 Buy now the best antivirus program for all your devices. Panda Security, award-winning FREE antivirus, spyware, & malware protection... AVG, award-winning security technologies that protect against the very latest threats... Kaspersky Security, 2015 Protects better and faster than the competition. Symantec, 2015 Sullivan / Locasto Modelling Defense in Depth LAW / 33

4 Introduction Challenges Why is this hard? System can be arranged in many ways

5 Introduction Challenges Why is this hard? Some mechanisms may negatively interfere with one another, and this is hard to predict.... it is possible to connect two systems, both of which are judged to be secure, such that the composite system is not secure. D. McCullough, D. McCullough. Noninterference and the composability of security properties. In: Security and Privacy, Proceedings., 1988 IEEE Symposium on. 1988, pp doi: /SECPRI Sullivan / Locasto Modelling Defense in Depth LAW / 33

6 Motivation Antivirus Composition Study Even if security mechanisms work well by themselves, there is no guarantee that they won t interfere with each other. A case study demonstrated this: Pairs of commodity Antiviruses installed on a single host Standard set of AMTSO 2 tests performed on the system Expected: Both Antiviruses pass the AMTSO tests (identifying and quarantining the malicious files), despite the other s presence. Actual: Some Antiviruses prevented the other from passing the EICAR tests. In some cases, both products failed the test simultaneously. 2 AMTSO Feature Settings Check. AMTSO. Sullivan / Locasto Modelling Defense in Depth LAW / 33

7 Motivation Antivirus Composition Study Structure of Study Results Five of the most popular commodity AVs installed pairwise in each order of installation AMTSO tests performed multiple times on the system with each pair Normalize by eliminating AVs that did not pass a given test in isolation (i.e. non-amtso-compliant AVs) Frequency of one AV failing to identify a file: 5.3% Frequency of both AVs failing to quarantine a file: 10.7% Sullivan / Locasto Modelling Defense in Depth LAW / 33

8 Approaches to System Design What techniques do we have to aid secure system design? 1 Trial and Error (Live testing) 2 Simulation 3 Modelling Sullivan / Locasto Modelling Defense in Depth LAW / 33

9 Approaches Trial and Error Set up a security configuration and measure its effectiveness. Gives the most accurate view of the effectiveness of the configuration Reactive security. Find a mistake, fix mistake, goto 1. Mistakes are expensive: Ideally, holes are found before the system is live Sullivan / Locasto Modelling Defense in Depth LAW / 33

10 Approaches Simulation Perform simulations of the system to measure its effectiveness. Simulation results can be close enough to actual results to make informed decisions How accurate does the simulation need to be? How to balance cost and accuracy? Where does input to the simulation come from? Canned traffic Live traffic (honeypots) Sullivan / Locasto Modelling Defense in Depth LAW / 33

11 Approaches Modelling Construct a simplified model of the system to analyze. Often the cheapest way to get information about a system A good model will both predict system properties and explain system behavior. Details are lost: How much information loss is acceptable? Sullivan / Locasto Modelling Defense in Depth LAW / 33

12 Approaches Ideally, some combination of these approaches is used to make informed decisions. Modeling Simulation Live Testing Quickly analyze many configurations Test select number of configurations Get live results about chosen configuration The sooner we find system flaws, the cheaper they are to fix. Sullivan / Locasto Modelling Defense in Depth LAW / 33

13 Approaches Our Contribution Defense Graphs: a modelling technique to aid secure system design. Complementary to simulation and live testing Provides quick analytical results about system behaviour Formalizes intuitions and best practices about system design Sullivan / Locasto Modelling Defense in Depth LAW / 33

14 Model Definitions Defense Graph: A directed, acyclic graph D representing a system of composed security mechanisms. Vertices: Security Mechanisms or Policy Selectors. Edges: Data path between vertices. A Defense graph has a unique entry point α and a unique target β. α is connected to all vertices and β is reachable from all vertices. Sullivan / Locasto Modelling Defense in Depth LAW / 33

15 Model Definitions Security Mechanism: An automaton that interprets some input language I and enforces a policy on it, emitting an output language O. We say that a mechanism accepts an input i I when i O. Conversely, a mechanism rejects an input i I if i O. Sullivan / Locasto Modelling Defense in Depth LAW / 33

16 Model Definitions Policy Selector: A point at which: Data is redirected or multiplexed (e.g. a switch) Host A Switch Internal GW External GW Firewall Server A number of independent data streams are combined and some decision is made based on their contents (e.g. all-or-nothing) Reject Accept Reject Accept Sullivan / Locasto Modelling Defense in Depth LAW / 33

17 Model Definitions Composition: Two mechanisms are composed if there is direct data path from one to the other. Two types of composition: Deterministic: Consistent order of operation on data stream. Non-Deterministic: Inconsistent order of operation. Treated as one mechanism n ij with a known input language I i I j but unknown output language. Deterministic Composition Mechanism Mechanism Non-Deterministic Composition Mechanism Mechanism Sullivan / Locasto Modelling Defense in Depth LAW / 33

18 Model Examples of Composition Deterministic Composition The typical case for a well-structured network E.g. An external firewall filters traffic before the internal IDS audits it Non-Deterministic Composition More commonly seen on single-host systems Race conditions on data access AV case study these constructs are unreliable and can cause strange failures in the mechanisms. Either can cause incorrect policy enforcement. Sullivan / Locasto Modelling Defense in Depth LAW / 33

19 Properties of Defense Graphs We define several properties which can be used to reason about Defense Graphs. Coverage: What type of input is instrumented? Redundancy: What proportion of that input is instrumented multiple times? Independence: Do mechanisms depend on each other to work properly? Are compositions present? Cost: What does the whole configuration cost? (Performance, budget, etc.) Sullivan / Locasto Modelling Defense in Depth LAW / 33

20 Properties Coverage Coverage refers to the types of inputs which the system can make policy decisions about. Each mechanism m has coverage C(m) = I. The entire system s coverage is: C(D) = M i=0 C(m i ) Or the union of all of the mechanisms coverage. Sullivan / Locasto Modelling Defense in Depth LAW / 33

21 Properties Redundancy Redundancy between two mechanisms is the proportion of the overlap in their coverage sets. Mechanisms m 1, m 2 have redundancy R(m 1, m 2 ) = C(m 1) C(m 2 ) C(m 1 ) C(m 2 ). The entire system s redundancy is the total overlap between all pairs. R(D) = 2 M M R(m i, m j ) i=0 j i M 2 M Sullivan / Locasto Modelling Defense in Depth LAW / 33

22 Properties Independence Independence means that a mechanism does not rely on the correct output of another mechanism. If there is a walk from one mechanism to another, then the output of the first mechanism decides the input to the next thus, there is dependency. { 0 : w = (α,..., m 1 ) with m 2 w I (m 1, m 2 ) = 1 : otherwise The independence of the system is the proportion of independent pairs to the total number of pairs: I (D) = M 2 M i=0 j=0,j i M 2 M I (m i, m j ) Sullivan / Locasto Modelling Defense in Depth LAW / 33

23 Intuition about Independence Independence is a desirable property of a system. Prevents mechanism composition m i, m j are composed = I (m i, m j ) = 0 or I (m j, m i ) = 0 I (m i, m j ) = 1 or I (m j, m i ) = 1 = m i, m j are not composed. Incorrect decisions by one mechanism don t affect the other However, dependence is a natural property of linear data processing, and of layering security mechanisms in sequence. Sullivan / Locasto Modelling Defense in Depth LAW / 33

24 Dependency Hurts... i f ( ( e r r = SSLHashSHA1. update (&hashctx, &serverrandom ) )!= 0) goto f a i l ; i f ( ( e r r = SSLHashSHA1. update (&hashctx, &signedparams ) )!= 0) goto f a i l ; goto f a i l ; i f ( ( e r r = SSLHashSHA1. f i n a l (&hashctx, &hashout ) )!= 0) goto f a i l ;... Empty if Entry if if s All input fail Sullivan / Locasto Modelling Defense in Depth LAW / 33

25 Properties Cost Cost is some measurement of the expense of a set of mechanisms and their arrangement. A number of possible metrics: Performance of the system (packet throughput) Resource Consumption of the system Financial Cost For example, if J is a set of computational tasks and T (D, J) is the total time taken to run the task by a system with defense graph D, then cost is given by: P(D) = J i=0 Where D 0 is the unprotected system. T (D, j i ) T (D 0, j i ) Sullivan / Locasto Modelling Defense in Depth LAW / 33

26 The Optimal Configuration We can derive a configuration that maximizes the C,R,I properties: Entry Selector Mechanism 1 Mechanism 2... Mechanism n AND Clearly, this isn t what our systems look like. But this configuration prevents any interference between policy decisions. Target Sullivan / Locasto Modelling Defense in Depth LAW / 33

27 Applying Defense Graphs A model should be able to satisfy two requirements: Explanatory: The model should be able to explain phenomena and observations about a system within its own language. Predictive: The model should also be able to predict some properties about an underlying system. We demonstrate the explanatory abilities of our model showing its predictive abilities requires further work. Sullivan / Locasto Modelling Defense in Depth LAW / 33

28 Saltzer & Schroeder s Principles Saltzer and Schroeder defined well-known security principles in We can express these security principles in the Defense Graph model. Economy of Mechanism: Keep the design as simple and small as possible. Complex structures (such as non-deterministic compositions) should be avoided in a Defense Graph in favour of simple and reliable constructs. More mechanisms may not give more security (and can increase the dependencies in the system). 3 Jerome H Saltzer and Michael D Schroeder. The protection of information in computer systems. In: Proceedings of the IEEE 63.9 (1975), pp Sullivan / Locasto Modelling Defense in Depth LAW / 33

29 Saltzer & Schroeder s Principles Complete Mediation: Every access to every object must be checked for authority. If the coverage of the system is low, there will be many inputs to the system that have no policies enforced on them, exposing the target to arbitrary data. Sullivan / Locasto Modelling Defense in Depth LAW / 33

30 Contributions of Defense Graphs Defense Graphs are: A tool to identify regions of complexity and composition in a system A tool to make dependency relationships explicit in a system A tool to analyze and predict basic properties of a system arising from its layout Defense Graphs are not: A tool to determine what will happen when two mechanisms compose Instead, they tell us which mechanisms are at risk of composition A tool to determine the Optimal layout of a system But we can eliminate anti-patterns or encourage stronger patterns A replacement for other analysis techniques Complementary to testing, static analysis, simulation, etc. Sullivan / Locasto Modelling Defense in Depth LAW / 33

31 Conclusion Defense Graphs are a formal modelling tool which put the focus on the layout of security mechanisms. Makes anti-patterns and points of composition apparent in the system Allows for simple analysis of properties of a system Can be used to re-define intuitions about security, and some known principles Sullivan / Locasto Modelling Defense in Depth LAW / 33

32 Future Work Model building is iterative, and there are many areas to expand on. Capture other types of security mechanisms Analyze the ability of the model to predict properties of systems Identify some common anti-patterns in insecure systems Develop tools to automate the generation and analysis of Defense Graphs Sullivan / Locasto Modelling Defense in Depth LAW / 33

33 Questions? Sullivan / Locasto Modelling Defense in Depth LAW / 33