Real Time
Safety
Threat Modeling for Security Assessment in Cyber-physical Systems
Janusz Zalewski, Florida Gulf Coast University
Steven Drager & William McKeever, Air Force Research Lab, Rome, NY
Andrew J. Kornecki, Embry-Riddle Aeronautical University
Copyright © A.J. Kornecki, 2013 page 1
Presented by A.J. Kornecki at AGH, Krakow, June 25, 2013
Based on a paper:
Zalewski, J., Drager, S., McKeever, W., Kornecki A.J. "Threat Modeling for Security Assessment in Cyber-physical Systems", CSIIRW'2012, ACM 978-1-4503-1687-3/12/10, Oak Ridge, Tenn., USA, October 30 - November 1, 2012
Overview
• Introduction and Motivation
• How to Measure?
• Control and Cyber-physical Systems
• Threat Modeling
• Security Risk Assessment
• Experiments
• Conclusion
Why Threat Modeling?
• System designers must first determine what threats are feasible [and then what security policies make economic sense relative to the values of resources exposed to a threat]
Source: D. Kleidermacher, M. Kleidermacher, Embedded Systems Security, Newnes/Elsevier, Oxford, 2012
• In case of imminent security breach: “cyber-physical systems requires either reconfiguration to reacquire the needed resources automatically or a graceful degradation if the resources are not available”
Source: National Research Council, Committee for Advancing Software-Intensive Systems Producibility, Critical Code: Software Producibility for Defense, National Academies Press, 2010
Threat Trends
• Threats become more complex as attackers proliferate
[Figure: attack sophistication (Low to High) plotted against intruder knowledge over 1980–2012; labelled milestones include password guessing, password cracking, self-replicating code, exploiting known vulnerabilities, disabling audits, hijacking sessions, back doors, sweepers, sniffers, packet spoofing, GUI and WWW attacks, automated probes/scans, network management diagnostics, distributed attack tools, denial of service, zombies, BOTS, morphing malicious code, “stealth”/advanced scanning techniques and STUXNET/Flame]
Source: Lipson, H. F., Tracking and Tracing Cyber-Attacks: Technical Challenges and Global Policy Issues, Special Report CMU/SEI-2002-SR-009, November 2002, page 10.
Example: Modern Aircraft Threat Trends
[Figure] {courtesy of Volpe National Transportation System Center, June 2013}
Aircraft Data Network (ADN)
[Figure: the four ARINC 664 Part 5 network domains and their openness. Aircraft Control (Control the Airplane) – Closed; Airline Information Services (Operate the Airline) – Private; Passenger Information and Entertainment Services (Entertain the Passengers) and Passenger-Owned Devices (Entertain the Passengers) – Public. Other labels in the figure: Flight and Embedded Control Systems, Cabin Core, AFDX, IFE – TBD, EFB/Gatelink, Engine HUMS]
{source – ARINC 664, Aircraft Data Network, Part 5, Network Domain Characteristics and Interconnection}
Security Standards, Guidelines & Initiatives
• FAA/RTCA SC-216 (Aeronautical System Security) & Eurocae WG-72 Subcommittees
  o DO-326: Airworthiness Security Process Specification
  o DO-XXX: Security Assurance and Assessment Methods for Safety-Related Aircraft Systems
  o DO-YYY: Security Guidance for Instructions for Continuing Airworthiness (ICA)
  o FAA Advisory Circular (AC)
• ARINC Network Infrastructure and Security (NIS) Working Group
  o Best Practices (Security Catalog)
  o ARINC 842: Guidance for Usage of Digital Certificates
• ICAO Twelfth ANC:
  o Working Paper 122: Cyber Security For Civil Aviation (November 2012)
Are We Preoccupied with Measurements?
• We are missing good (any) measures to characterize non-functional software properties related to trustworthiness (safety, security, dependability, etc.), as opposed, for example, to timing properties (responsiveness, timeliness, schedulability, predictability)
• But there are other means …
• How to assess security before the system is put into operation?
  o Theoretical Assessment (analytical model)
  o Actual Experiments (measurements)
  o Simulation (numerical calculations)
A Side-bar: How to Measure?
• For example:
  o Property – length
  o Metric – meter
  o Measure – device
• NOW: Definition of a metric (meter) is “the length of the path traveled by light in vacuum during a time interval of 1/299 792 458 of a second”
• EARLIER: King Henry I is believed to have decreed that a yard should be: “the distance from the King’s nose to the end of his outstretched thumb”
Classical Views of a Control System
[Figure: two block diagrams, CONVENTIONAL and MODERN (cyber-physical)]
Cyber-physical System
• Relationship between the computer/software system and its operational environment
[Figure: SOFTWARE SYSTEM and OPERATIONAL ENVIRONMENT, with the labels SAFETY, SECURITY and RELIABILITY]
Safety/Security Views of a Cyber-physical System
[Figure: SAFETY view and SECURITY view of the system]
Analytical Models to Describe System Behavior
• Continuous:
  o Differential Equations
• Discrete:
  o Finite State Machines
  o Finite Automata
  o Petri Nets
  o Bayesian Belief Networks
  o Queuing Theory
  o Rule-based Reasoning
  o Markov Chains ***
Example: Discrete-Time Markov Chains
• It is generally not possible to predict future states
• However, the statistical properties of future states can be predicted
• The set of all states and transition probabilities characterizes the Markov chain completely
• A finite-state machine can be used as a graphical representation of a Markov chain
• How to develop state transition probabilities? Base them on heuristic analysis of the chain
More in: Kornecki, A., Stevenson, W., Zalewski, J., "Availability Assessment of Embedded Systems with Security Vulnerabilities", Proceedings of the 34th IEEE Software Engineering Workshop SEW 2011, Limerick, Ireland, June 20-21, 2011
Case Study - Security Impact Assessment
• A simple case study of a Cooperative Adaptive Cruise Control (CACC)
• Identification of vulnerabilities in incoming messages (commission, omission, corruption, flooding)
Case Study – Markov Model
• Markov model with Relex Reliability Studio* tool was used to assess the availability of the system with and without the security component
• CACC implemented as a discrete-time Markov model with three states and the transitions determined by failure rates or repair rates
  o Operational State (Normal)
  o Degraded State (Flooding, Corruption, Introduction, Deletion)
  o Failed State
* http://www.relex.se/
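A three-state discrete-time Markov model of the kind described above, written here as an added illustration and not the authors' Relex model: all per-step transition probabilities are constructed, the security component is represented only as a lower probability that a malicious message moves the system from Normal to Degraded, and availability is taken as the long-run probability of not being in the Failed state.

```python
"""Three-state discrete-time Markov model of the CACC case study (added
example, not the authors' Relex model; all probabilities are constructed)."""

NORMAL, DEGRADED, FAILED = 0, 1, 2
STATE_NAMES = ("Normal", "Degraded", "Failed")


def build_matrix(p_attack, p_fail, p_repair_deg, p_deg_fail, p_repair_fail):
    """Row-stochastic one-step transition matrix.

    p_attack      Normal -> Degraded (flooding, corruption, insertion, deletion)
    p_fail        Normal -> Failed   (plain failure rate, no attack involved)
    p_repair_deg  Degraded -> Normal (detection and recovery)
    p_deg_fail    Degraded -> Failed (attack escalates to loss of function)
    p_repair_fail Failed -> Normal   (full repair)
    """
    P = [
        [1 - p_attack - p_fail, p_attack, p_fail],
        [p_repair_deg, 1 - p_repair_deg - p_deg_fail, p_deg_fail],
        [p_repair_fail, 0.0, 1 - p_repair_fail],
    ]
    for row in P:  # every row must be a probability distribution
        assert all(0.0 <= x <= 1.0 for x in row) and abs(sum(row) - 1.0) < 1e-12
    return P

def steady_state(P, tol=1e-12, max_iter=10**6):
    """Stationary distribution pi (pi = pi * P) by power iteration."""
    n = len(P)
    pi = [1.0 / n] * n
    for _ in range(max_iter):
        nxt = [sum(pi[i] * P[i][j] for i in range(n)) for j in range(n)]
        if max(abs(a - b) for a, b in zip(nxt, pi)) < tol:
            return nxt
        pi = nxt
    raise RuntimeError("power iteration did not converge")

def availability(P):
    """Long-run probability that the CACC is not in the Failed state."""
    return 1.0 - steady_state(P)[FAILED]

# Constructed per-step probabilities. The security component is modelled only
# as a tenfold cut in the chance that a malicious message degrades the system.
WITHOUT_SECURITY = build_matrix(0.05, 0.001, 0.20, 0.10, 0.05)
WITH_SECURITY = build_matrix(0.005, 0.001, 0.20, 0.10, 0.05)

if __name__ == "__main__":
    for label, P in (("without", WITHOUT_SECURITY), ("with", WITH_SECURITY)):
        dist = ", ".join(f"{s}={p:.4f}" for s, p in zip(STATE_NAMES, steady_state(P)))
        print(f"{label:7s} security: {dist}; availability={availability(P):.4f}")
```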
Threats
• Two aspects of handling potential threats in cyber-physical systems:
  o Threat Modeling: A systematic exploration technique to expose any circumstance or event having the potential to cause harm to a system in the form of destruction, disclosure, modification of data, and/or denial of service [IEEE 1074-2006]1
  o Threat Assessment: Process of formally evaluating the degree of threat to an information system or enterprise and describing the nature of the threat [CNSS-4009]2
1. IEEE Standard for Developing a Software Project Life Cycle Process, http://standards.ieee.org/findstds/standard/1074-2006.html
2. National Information Assurance (IA) Glossary, http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf
Threat Handling Process: a Sequence of Actions
1. Understand the Adversary’s View
2. Create a Model: Data Flow Diagrams
3. Determine and Investigate the Threats:
   a) Use STRIDE to identify/define the threats
   b) Use Threat Trees to assess vulnerabilities
   c) Use DREAD to characterize risks
4. Mitigate the Threats
5. Validate the Mitigations
Understanding the Adversary’s View
[Figure]
Identify and Define Threats: STRIDE
• What is STRIDE? → identify and define threats
  o Spoofing - a situation in which an attacker successfully masquerades as a legitimate party
  o Tampering - intentional modification of data by an attacker that would make them harmful to the user
  o Repudiation - authentication between users so that they can be confident in the authenticity of the messages (but it cannot be provided to an attacker after the event)
  o Information Disclosure - a situation when the user data is available to the attacker
  o Denial of Service - making a resource not available to its intended users due to a malicious attack
  o Elevation of Privilege - gaining access to resources that are normally protected from an attacker
Threat Tree Example
[Figure: a threat tree with a Root Threat at the top and leaf conditions marked either Mitigated Condition or Unmitigated Condition]
Characterize Risk: DREAD
• What is DREAD? → characterize risk
  o Damage Potential – severity as related to equipment, resources, and environment
  o Reproducibility – likelihood that the event can be reproduced
  o Exploitability – likelihood that the system can be used unethically or for a malicious purpose
  o Affected Users – severity as related to the human population
  o Discoverability – likelihood that the data/information can be found (being discoverable)
How to Evaluate Security Risk?
• Safety risk is evaluated as a product of severity of consequences and the likelihood of hazards
• Security risk is a measure of the extent to which an entity is threatened by a potential circumstance or event, and typically is a function of [CNSS-4009]:
  o the adverse impacts that would arise if the event occurs; and
  o the likelihood of occurrence
• We need a system for assessing the severity of computer system security vulnerabilities
• Examples: STRIDE Threat Library, Common Weakness Enumeration (CWE), Common Vulnerabilities/Exposures (CVE), and …
What is Common Vulnerability Scoring System?
• CVSS is a system for assessing the severity of computer system security vulnerabilities
http://www.first.org/cvss/cvss-guide.pdf
• CVSS defines three groups of metrics for assessing vulnerabilities: base, temporal and environmental (however, only the base is mandatory)
CVSS Base – Impact & Exploitability Metrics
• The base group consists of six metrics divided into two subcategories: impact and exploitability metrics (in lieu of severity)
• Metrics are evaluated on a three-level non-numerical scale mapped onto numeric values (1, 2, and 3)
  o Impact metrics:
    - Confidentiality, Integrity, Availability: None, Partial, Complete
  o Exploitability metrics:
    - Access Vector: Local, Adjacent, Full
    - Access Complexity: High, Medium, Low
    - Authentication: Multiple, Single, None
Proposed CVSS Base Scoring Formula:
• All six values are related with different weights by a formula, thus producing a unique number for the base metric
  o BaseScore = ((0.6*Impact) + (0.4*Exploitability) – 1.5)*f(Impact)
  o Impact = 10.41*(1-(1-Conf.Impact)*(1-Integ.Impact)*(1-Avail.Impact))
  o Exploitability = 20*Access.Vector*Access.Complexity*Authentication
  o f(Impact) = 0 if Impact is equal to 0
              = 1.176 otherwise
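The base scoring formula as working code, added here and not taken from the slides: the numeric weights for the three levels of each metric are those published in the CVSS v2 guide cited earlier (the slides only name the levels), and the vectors in the main block are constructed to exercise the f(Impact) = 0 case and the two extremes.

```python
"""CVSS v2 base score computed with the formula on the slide (added example,
not the authors' code; level weights are taken from the cited CVSS v2 guide)."""

# Metric level -> weight, keyed by the v2 vector-string abbreviations.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}     # Local, Adjacent, Network
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}  # High, Medium, Low
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}    # Multiple, Single, None
CIA_IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}        # None, Partial, Complete
FIELDS = {"AV", "AC", "Au", "C", "I", "A"}


def parse_vector(vector):
    """Split 'AV:L/AC:H/Au:N/C:N/I:N/A:P' into a dict; reject anything else."""
    try:
        parts = dict(item.split(":") for item in vector.split("/"))
    except ValueError:
        raise ValueError(f"malformed CVSS v2 base vector: {vector}") from None
    if set(parts) != FIELDS:
        raise ValueError(f"malformed CVSS v2 base vector: {vector}")
    return parts


def impact_subscore(c, i, a):
    """Impact = 10.41*(1-(1-Conf.Impact)*(1-Integ.Impact)*(1-Avail.Impact))."""
    return 10.41 * (1 - (1 - CIA_IMPACT[c]) * (1 - CIA_IMPACT[i]) * (1 - CIA_IMPACT[a]))


def exploitability_subscore(av, ac, au):
    """Exploitability = 20*Access.Vector*Access.Complexity*Authentication."""
    return 20 * ACCESS_VECTOR[av] * ACCESS_COMPLEXITY[ac] * AUTHENTICATION[au]


def base_score(vector):
    """BaseScore = ((0.6*Impact) + (0.4*Exploitability) - 1.5)*f(Impact), 1 dp."""
    v = parse_vector(vector)
    impact = impact_subscore(v["C"], v["I"], v["A"])
    exploit = exploitability_subscore(v["AV"], v["AC"], v["Au"])
    # f(Impact) is 0 when there is no C/I/A impact at all, so a flaw that is
    # trivially reachable but changes nothing still scores 0; otherwise 1.176.
    f_impact = 0.0 if impact == 0 else 1.176
    return round(((0.6 * impact) + (0.4 * exploit) - 1.5) * f_impact, 1)


if __name__ == "__main__":
    # Constructed vectors: the f(Impact)=0 edge case and the two extremes.
    for vec in ("AV:N/AC:L/Au:N/C:N/I:N/A:N",   # reachable, harmless -> 0.0
                "AV:L/AC:H/Au:N/C:N/I:N/A:P",   # local, hard, partial DoS -> 1.2
                "AV:N/AC:L/Au:N/C:C/I:C/A:C"):  # remote, easy, total loss -> 10.0
        print(f"{vec}  base score = {base_score(vec)}")
```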
How the Threat Model is Used?
  o In Design: Code Review
  o In Implementation: Penetration Testing
  o *** In Security Assessment: Simulation
• Example: mapping a cyber-physical system into SDL threat modeling tool (CACC imitation)
Microsoft SDL Threat Modeling Tool
• Threat Modeling is a core element of the Microsoft Security Development Lifecycle (hence SDL); the tool is aimed at the every-day user, making threat modeling easy
• The SDL Threat Modeling Tool enables any developer or software architect to:
  o Communicate about the security design of their systems
  o Analyze designs for security issues using a proven methodology
  o Suggest and manage mitigations for security issues
Example Microsoft SDL screen-shot
[Figure: screen-shot of the SDL Threat Modeling Tool]
http://www.microsoft.com/security/sdl/adopt/threatmodeling.aspx
Security Assessment via Simulation
• An actual example of a message exchange system over the CAN network has been set up
• The example includes two CAN nodes communicating with each other over the CAN bus, with additional Internet connectivity for both nodes
• The arrangement imitates part of the functionality of a larger CACC system

CVE ID        | Publish Date | Update Date | Score | Access | Complexity | Authentication | Confidentiality | Integrity | Availability
CVE-2011-4415 | 2008-07-01   | 2012-05-11  | 1.2   | Remote | High       | Not Required   | None            | None      | None

The ap_pregsub function in server/util.c in the Apache HTTP Server 2.0.x through 2.0.64 and 2.2.x through 2.2.21, when the mod_setenvif module is enabled, does not restrict the size of values of environment variables, which allows local users to cause a denial of service (memory consumption or NULL pointer dereference) via a .htaccess file with a crafted SetEnvIf directive, in conjunction with a crafted HTTP request header, related to (1) the "len +=" statement and (2) the apr_pcalloc function call, a different vulnerability than CVE-2011-3607.
Conclusions
• Firm modeling process established
• Experimental measurement process set up
• Tools ready and easy to use
• Potential Case Studies:
  o CAN (Controller Area Network)
  o Industrial Control Systems: SCADA
  o Wireless Sensor Networks: Zigbee
  o RFID/NFC
  o Time-Triggered Systems
Comments/Questions