Measuring Software Security Using SAN Models

In the Name of Allah

Data and Network Security Lab. (DNSL), Sharif University of Technology

The 9th International ISC Conference on Information Security & Cryptology (ISCISC 2012)

Sadegh Dorri Nogoorani, Mohammad Ali Hadavi, Rasool Jalili

Data and Network Security Lab, Dept. of Computer Engineering, Sharif University of Technology, Tehran, I.R. IRAN

http://ce.sharif.edu/~dorri

Formal Software Security Measurement

14 Sep. 2012 Measurement of Software Security, S. Dorri Nogoorani, M.A. Hadavi, R. Jalili

Formal Verification
  Proving properties (safety, liveness)
  Measuring metrics (our approach)

Challenges
  Very complicated and time-consuming
  A must for mission-critical systems
  Verification through high-level models

Tools in the Literature
  Colored and aspect-oriented Petri nets
  Discrete-time Markov chains
  Queuing models
  Our Paper: Stochastic Activity Networks

Outline

Background

Stochastic Activity Networks

Our General Attack Model

The semi-Markov model

Metrics

Measurement

Case Study

Conclusions

Background

SANs

Stochastic Activity Networks (SANs) - Since 1984
  Probabilistic extensions of activity networks
  Stochastic generalization of Petri nets

Timing of Activities
  Not restricted to be exponential
  Exponential, deterministic, normal, uniform
  Programmable cases

Automatic Tools
  Easy graphical modeling
  Möbius tool

Our General Attack Model

The Attack Model

Semi-Markov Attack Model
  States: privilege levels (secure, insecure, compromised)
  Transitions: exploit, recover, cancel

Example: Password Compromise

Security Metrics

Metrics

Probability of Attack Success (PAS) – Probability

System Misuse Proportion (SMP) – Proportion

Mean Time to First Breach (MTFB) – Time

Measurement

The attack model is transformed to SAN models

PAS-SAN, SMP-SAN, MTFB-SAN

Case Study

Measuring SMP

SMP (System Misuse Proportion)

Steady-state prob. of being in a compromised state

SMP-SAN

Places

Transitions

Measuring MTFB

MTFB (Mean Time to First Breach)

Average time until the attacker (token) reaches a compromised state (transient)

MTFB-SAN

One trapping compromised state

Measuring PAS

PAS (Probability of Attack Success)

The no. of successful attacks / all attacks

Transient

PAS-SAN

Recovery = Attack failed state
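
The three measurements described above (SMP, MTFB, PAS), sketched as an added Monte Carlo simulation in Python; this is not the authors' Möbius/SAN model. The state topology, the timing distributions and every numeric value are constructed assumptions, not the case study's figures.

```python
import random

def build_model(rng):
    """Constructed 3-state model; topology and timings (hours) are assumptions."""
    return {  # state -> {activity: (duration sampler, next state)}
        "secure": {"exploit": (lambda: rng.expovariate(1 / 100), "insecure")},
        "insecure": {
            "exploit": (lambda: rng.uniform(0, 40), "compromised"),  # uniform: IFR
            "cancel": (lambda: rng.expovariate(1 / 20), "secure"),
        },
        "compromised": {"recover": (lambda: rng.uniform(5, 15), "secure")},
    }

def step(model, state):
    """Race every activity enabled in `state`; the first to complete fires."""
    return min((draw(), target) for draw, target in model[state].values())

def mtfb(runs=20000, seed=1):
    """Mean time to first breach: 'compromised' is a trapping state."""
    model, total = build_model(random.Random(seed)), 0.0
    for _ in range(runs):
        state = "secure"
        while state != "compromised":
            delay, state = step(model, state)
            total += delay
    return total / runs

def pas(attacks=20000, seed=2):
    """Successful attacks / all attacks; a return to 'secure' is a failed attack."""
    model, wins = build_model(random.Random(seed)), 0
    for _ in range(attacks):
        state = "insecure"  # an attack starts once the first exploit has fired
        while state not in ("secure", "compromised"):
            _, state = step(model, state)
        wins += state == "compromised"
    return wins / attacks

def smp(horizon=2_000_000.0, seed=3):
    """Long-run share of time spent in 'compromised' (steady-state estimate)."""
    model, state, clock, misuse = build_model(random.Random(seed)), "secure", 0.0, 0.0
    while clock < horizon:
        delay, nxt = step(model, state)
        misuse += delay if state == "compromised" else 0.0
        clock, state = clock + delay, nxt
    return misuse / clock

if __name__ == "__main__":
    print(f"PAS={pas():.3f}  SMP={smp():.4f}  MTFB={mtfb():.1f} h")
```

With these assumed timings the closed-form values are about PAS 0.43, SMP 0.037 and MTFB 258 hours, which the estimates approach as the run counts grow.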

Case Study Results

Transition Times (Hours)

(dependent on Password Change)

Uniform dist.: Increasing Failure Rate (IFR)

PAS (Prob. Attack Succ.)

SMP (Sys. Misuse Proportion)

MTFB (Mean Time to First Breach)

(about a year)

Conclusions and Future Work

Quantitative Analysis
  More reliable and tangible than traditional subjective qualitative evaluations

Our Contribution
  Semi-Markov attack model
  Can incl. prevention and recovery mechanisms
  Can account for adversary skill level, auditing level
  Automatic measurement using Möbius

Future Work
  Other case studies
  One universal SAN model for all metrics
  Analytically solve the SAN models

My Homepage

http://ce.sharif.edu/~dorri

Thanks!
