© Crown Copyright (2000)
Module 2.6
Vulnerability Analysis
“You Are Here”
M2.1 Security Requirements
M2.2 Development Representations
M2.3 Functional Testing
M2.4 Development Environment
M2.5 Operational Environment
M2.6 Vulnerability Analysis
M2.7 Penetration Testing
M2.8 Assurance Maintenance/Composition
MODULE 2 - ASSURANCE
What is Vulnerability Analysis?
• A search for vulnerabilities in the TOE or its intended operation
• Analysis of their impact
• Input to penetration testing
• Involves– assessment of developer’s analysis– evaluator analysis based on previous results
Vulnerabilities - A Few Terms
• potential vulnerability– suspected, not proven
• known vulnerability– demonstrated by developer or evaluator
• exploitable vulnerability– leading to compromise of assets
• non-exploitable vulnerability– assets will not be compromised in practice
Sources of Vulnerability
The security functions could be
• inadequate to counter the threats
• incorrectly implemented
• bypassed
• tampered with
• directly attacked
• misused
Bypassing Attacks
• Avoid monitored interface
• Inherit privilege to bypass
• Access unprotected area
Attacker AssetSecurity Function
Covert Channels
Subject ‘A’
Resource Subject ‘B’Reads
Reads
Modifies AccessDenied
Unclassified
Secret
Tampering Attacks
• Modify/spoof/read critical data
• Undermine assumptions/dependencies
• De-activate, disable or delay enforcement
Attacker AssetSecurity Function
Direct Attacks
• Security function behaves as specified
• Attacker manipulates input/outputs
Attacker AssetSecurity Function
Misuse
• Consider all modes of operation
• Examine potential for insecure states:– mis-configuration of security functions– insecure use of TOE
• Can insecure states be detected or prevented?
• Repeat/witness TOE installation procedures
Exploitability
• Are known vulnerabilities exploitable?
• Suitable countermeasures– procedural– technical
• Relevance to Security Target?
• Within attacker capabilities?
Strength Determination - 1
• Confirm minimum strength met
Level Resistant to
Basic Casual unsophisticated attacks
Medium Knowledgeable attackers with limitedopportunities or resources
High Beyond normal practicality to defeat
Strength Determination - 2
STRENGTHRATING
Detection
Equipment
Time Collusion
Expertise
Chance
ITSEC Requirements - 1
Effectiveness Analysis
• Developer Analysis– Binding– Strength of Mechanisms– Ease of Use– Construction & Operational Vulnerability
Assessment
• Independent Vulnerability Analysis
Binding Analysis
• Analysis of mechanism interactions– permissible– mandatory– forbidden
• Protection against indirect attack
• Absence of conflict
ITSEC Requirements - 2
ITSEC Requirements - 3
• ITSEC Figure 4
Aspect E1 E2 E3 E4 E5 E6
Security Target
Formal SPM
Architectural Design
Detailed Design
Code/hardware drawings
Operational documentation
Common Criteria Requirements
Aspect EAL1 EAL2 EAL3 EAL4 EAL5 EAL6 EAL7
Misuse - Developer
Misuse - Evaluator
SOF
Covert Channels
Developer VulnerabilityAnalysis
IndependentVulnerability Analysis
Evaluation Reporting
• Examination of documentation– show how & where requirements satisfied
• Analysis– demonstrate completeness with respect to
vulnerabilities considered– justify non-exploitability
Summary
• Methodical search for vulnerabilities– checklist approach
• Validation of developer analysis– confirm absence of exploitable vulnerabilities
• Independent analysis by evaluators
• Input to penetration testing
Further Reading - 1
ITSEC Evaluation
• UKSP 05 Part III, Chapter 3
• UKSP 05 Part V
• UKSP 04 Part III, Chapter 4
• ITSEM, Annex 6.C
Further Reading - 2
CC Evaluation
• CC Part 3, Sections 2.6.7 and 14
• CEM Part 2, Chapters 6-8 (AVA sections) & Annex B
• UKSP 05 Part V
Exercise 1 - Vulnerabilities
Client ObjectServer
Mechanism
access
request notify
object
mediates
subject(client)
object
details
Exercise 2 - Strength
• Password mechanism can be defeated by– manual attack, taking 20 days– automated attack, taking 5 minutes
• What is the strength of this mechanism?
• How might the strength be improved?
Exercise 3 - Misuse
• Should lamp be lit in– CIPHER mode?– CLEAR mode?
CRYPTODEVICEDATA
CIPHER Encrypted
CLEAR Cleartext