SASSI13 Proceedings
Jürgen Großmann (ed.)
SASSI13
Security Assessment for Systems, Services and Infrastructures
September 19 and 20, 2013 at the Technical University (TU) in Berlin
Security failures and data breaches are impacting not only enterprises but also critical
infrastructures and public services. In Germany alone, successful attacks on IT systems cause
damage of 4.8 million euros a year. At the same time, we are experiencing how rapidly the current IT
landscape is changing. Just a few years ago, the Internet was dedicated to interconnecting
stationary end-user devices. Nowadays, the tendency towards an Internet of Things makes the
situation more complex. Mobile devices, home automation, smart grids and even vehicles are
connected via the Internet and are becoming theoretically accessible and thus vulnerable to hacker
attacks. Yet we are more dependent than ever on a secure and mature ICT infrastructure.
One of the keys to building and maintaining such a secure and dependable infrastructure is a mature,
systematic and capable security risk analysis and testing program. This workshop provides a
forum to discuss innovative security testing approaches and their combination with security risk
analysis. At the same time, the workshop aims to connect these approaches with the industrial
requirements and the challenges that arise when security testing meets the demands of cost efficiency and
scalability. Experts from industry and academia will present and discuss their solutions to the key
issues of security risk analysis, vulnerability testing, model-based security testing, and
standardization. The contributions are complemented by industry-grade research results from four
large European research projects.
Content:
Keynotes
Ralf Bker, BSI: Implementing Germany's Cyber Security Strategy
Stig Torsbakken, Nets: Risk analysis and testing - perspectives from the frontline
Session 1: Security risk assessment and testing
Jan Stijohann, SIEMENS: Towards Systematic and Traceable Security Assessment
Ketil Stølen, SINTEF: Test-based risk assessment
Samson Yoseph Esayas, Universitetet i Oslo: Legal Risk Management: a Method for Proactive Management of Legal Risks
Session 2: Standardization & Certification
Gerard Gaudin, G2C: A full set of new standards in Cyber Defence addressing the full scope of security event detection issues
Jürgen Großmann, Fraunhofer FOKUS: Security Testing Improvement Profile (STIP)
Luca Viganò, Università di Verona: The SPaCIoS Tool - property-driven and vulnerability-driven security testing
Luca Compagna: Formal Validation and Testing of Security Standards at SAP: from research to industry
Session 3: Active security testing
Bruno Legeard, FEMTO-ST/UFC & Smartesting: Model-based vulnerability testing from patterns and behavioral model
Martín Ochoa, Siemens/TU München: Model-based vulnerability testing
Prof. Dr. Sachar Paulus, Kuppinger Cole: Trustworthy software development
Ari Takanen, Codenomicon: Traffic Capture Fuzzer: Effective method for model based fuzzing
Session 4: Active and passive security testing
Riccardo Scandariato, KU Leuven: Security vulnerability prediction
Graham Steel, Cryptosense: Security analysis of APIs, including the W3C Crypto API
Ana Cavalli, Institut Mines-Telecom: Application of passive testing techniques to secure interoperability testing
Wissam Mallouli, Montimage: Passive testing for security checking using MMT
Keynote
Ralf Bker
(Bundesamt für Sicherheit in der Informationstechnik)
Implementing Germany's Cyber Security Strategy
Vita:
Ralf Bker is a cyber security consultant at the Federal Office for Security in IT
(BSI).
Abstract:
Germany sees itself exposed to attacks by cyber-activists to an ever-increasing
extent. The attacks are not predictable and thus cannot be planned for by
the affected company. In recent years the attackers have become more
professional and effective with respect to their resources and tools. Thus, a
level of protection once achieved must always be regarded as provisional. The
Alliance for Cyber Security is an initiative of the German Federal Office for
Information Security (BSI), which was founded in cooperation with the
German Federal Association for Information Technology, Telecommunications
and New Media (BITKOM). As a coalition of all the major players in the field of
cyber security in Germany, the Alliance aims to increase cyber security in
Germany and to strengthen the resilience of Germany against cyber attacks.
Implementing Germany's Cyber Security Strategy
Ralf Bker
Federal Office for Information Security (BSI)
Germany
19 September 2013
Contents
About BSI
Example: IT-Grundschutz
Founded in 1991
Staff: ~600 employees
Budget: 50 million
[Diagram: BSI areas of activity: Prevention, Reaction, Sustainability; Cyber Security, Crypto, Innovation, CI Security, Secure eIdentities, Certification, Awareness Raising, Consultancy & Support for Federal Gov.]
Target Groups
Public Sector, General Public, Research Community, Private Sector
National Cyber Response Centre
Associated agencies
Federal Criminal Police Office (BKA)
Federal Police (BPol)
Customs Criminological Office (ZKA)
Federal foreign intelligence service (BND)
Federal Armed Forces (BW)
Liaison officers
Launch: 16-June-2011
BSI's Situation Room
National IT Crisis Reaction Centre
Source: Contagio
Cause of the Cyber Problem
Automatic production of malware
At least 36,955,387 new malware samples in 2012
Total: over 100,000,000
Malware construction kits (examples)
Winlock Builder (ransomware) ~$80
SpyEye ~$150
Carberp ~$5000
Polymorphic scrambling, additional ~$1000
BlackShades (remote administration tool) ~$75
Beta Bot ~$460
Citadel (banking Trojan) ~$3000
Zeus/Zbot (banking Trojan) ~$8000
Exploit kit price list:
Crimepack: $400
Phoenix Exploits Kit: $400
Adrenaline: $3,500 (incl. 24x7 support)
Eleonore Exploits Pack: $700
YES Exploit System: $800
Source: Pandalabs
Cyber security situation overview: mobile devices
Cause:
Exploits in mobile devices
Old OS versions: 36.5% Android 2.3
Apple supports only iPhone 4 and newer
Carelessness of users
[Chart: classic malware vs. Android vs. other smartphone malware, 01.07.2012 to 01.11.2012]
Alliance for Cyber Security in Germany
[Diagram: participants receive recommendations, analyses, a reporting service and awareness material]
Main objectives
Assess risks of cyber space for Germany, design and implement adequate security controls.
Strengthen national capabilities to protect cyber space, to fend off cyber attacks, and to manage cyber crises.
On an international level, play a leadership role in the field of cyber security.
Engagement with industry
Categories
Immediate measures
Situation in cyber space
Attack methods
Tools
Best practices
Analyses
Business Continuity Management
Awareness
Background information
Stakeholders in the Alliance for Cyber Security
[Diagram: the Alliance for Cyber Security connects situational awareness, solutions, cyber security measures and exchange of experiences]
Exchange of experience: early warnings, distribution of experiences in incident handling, dialog between solution providers and customers
4. Alliance for Cyber Security: Information Flows
Numbers and Facts (as of September 2013)
Partners: 75; Multipliers: 21
Homepage
Cyber-Security Situation Overview
[Diagram: statutory provision; strategic and operational situation overview, neutral; stakeholders: administration, German economy and CIIP companies, research, controlling institution]
Web page: BSI Allianz für Cyber-Sicherheit
Situation overview: statistics, indicators, numbers
News
Partners of the Allianz für Cyber-Sicherheit
BSI contractors
Open source information
Presentation; administrator; solutions and advice
Link (3rd level)
What's Next?
Vulnerabilities
Malware
Botnets
Drive-by-Attacks
DDoS-Attacks
Spam
Exploit-Kits
Hacktivism
Contact
Ralf Bker
Godesberger Allee 185-189
53175 Bonn
Germany
Ralf.Bker@bsi.bund.de
https://www.bsi.bund.de/EN/
Keynote
Stig Torsbakken
(Nets)
Risk analysis and testing - perspectives from the frontline
Vita:
Stig Torsbakken is leading the Security Response Team (SIRT) in Nets and has
six years of experience fighting on the frontline and handling critical security
incidents. With prior risk analysis experience, he has a genuine interest in
combining risk analysis and security testing with real-life incident handling
experience.
Abstract:
Nets - a northern European leader in payment solutions, information services
and digital security solutions - feels the heat of the frontline on a daily basis.
As part of the Nordic critical infrastructure protecting digital values, Nets is an
attractive target for cyber criminals equipped with ever more sophisticated
weapons. How can we use risk analysis and security testing to protect against
tomorrow's threatscape?
Nets Information Security
Risk analysis and testing: a frontline perspective
Agenda
Nets
Nets threat landscape
Nets security testing
Security testing and security incidents
Nets
Three lines of defence
(Ref. ECIIA & FERMA Guidance on the 8th EU Company Law Directive)
[Diagram: 1st Line of Defence, 2nd Line of Defence, 3rd Line of Defence; Board of Directors; Executive Management; Customers]
NETS Information Security Organization
Security incidents by severity: Critical 2, High 29, Medium 115, Low 60 (total 206)
Category: Exposed to malicious code, Malicious code infection, Vulnerability, DDoS, Reconnaissance, Policy violation, Exercise or network defense testing, Phishing
Target: Client, Perimeter, Mobile device, Network, Guest network, Linux
C
l
i
c
k
t
o
e
d
i
M
a
s
t
e
r
t
e
x
t
s
t
y
l
e
s
Nets impact
Ransomware
Banking Trojans
Vulnerability scanning
External: 4
Internal: 4+
Pentesting
New applications/systems: approx. 1 every week (!)
Yearly pentests: 20
Risk analysis
Yearly risk analysis of all infrastructure
Narrowing scope
[Diagram: scanning architecture. Non-PCI VLANs X, Y and Z and PCI VLANs 768 and 769 behind FW_DH_PCI; a scanner (virtual scanners/HIABS) in each VLAN plus physical scanners/HIABS; "scanningless scanning"]
Pentesting
Typical findings
Input validation (XSS, CSRF, script injections etc.)
Default passwords
Vulnerable/insecure protocols
Design flaws
Narrow scope
Pentesting
Nmap
AppScan
Metasploit
soapUI
Burp Suite
[Diagram: vulnerability management linked with vulnerability scans, pentests, threat intelligence, risk analysis, security incidents, patch level and inventory control]
[Diagram: threat intelligence, vulnerability scans, pentests, inventory control, patch level]
Session 1
Security risk assessment and testing
Jan Stijohann
(Siemens)
Towards Systematic and Traceable Security Assessment
Ketil Stølen
(SINTEF)
Test-based risk assessment
Samson Yoseph Esayas
(Universitetet i Oslo)
Legal Risk Management: a Method for Proactive Management of Legal Risks
Session 1 Talk 1
Jan Stijohann
(Siemens)
Vita:
Jan Stijohann works as a security researcher and consultant for Siemens. As
part of the CERT Security Assessment team (CSA), he performs practical
software security assessments but is also engaged in several internal and
external research projects. His research interests cover static and dynamic
binary analysis techniques to improve black box security testing as well as
general security assessment approaches. He graduated in 2011 with a Master's
degree from the Grenoble Institute of Technology (France) and the Karlsruhe
Institute of Technology (Germany).
Jan Stijohann
Towards Systematic and Traceable Security Assessment
Abstract:
Today's security assessments are often not systematic, much less standardized. In particular, there
are no clearly defined criteria for choosing certain assessment activities or test approaches. Thus
different analysts come to different results, and sound quality assurance is hardly possible.
The literature suggests basing the choice and prioritization of tests on risk considerations but lacks a
systematic approach for a traceable transition from abstract and business-oriented risk analysis
into the concrete and technical security testing world. We aim at bridging this gap in two steps:
The first one bridges between high-level and non-technical business worst-case scenarios and
less abstract technical threat scenarios using a technical description of the system and a
systematic STRIDE-based elicitation approach. The second is a rule-based step that maps a
technical threat scenario to test types, that is, to classes of tests that need to be adapted to the
particular system under validation. Our method provides traceability for the (risk-based) choice of
assessment activities and can be used to introduce a standardized minimum quality assurance
level. The talk goes through the above process, discusses first practical experiences, and outlines
future work to better adapt the process to use in industrial environments.
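The two-step mapping described in the abstract, as an added example that is not the talk's own tooling: worst cases are turned into STRIDE-based threat scenarios over a DFD-like system description, a rule base maps each scenario to test types, and every suggestion keeps its trace back to the worst case. The element names, the rule base and the test-type names are constructed assumptions, and threats no rule covers are reported as gaps.

```python
"""Added example (not the talk's own tooling): a toy version of the two-step
mapping from the abstract, business worst case -> STRIDE-based technical threat
scenarios -> test types, keeping a traceability chain per suggested activity.
All element, rule and test-type names are constructed assumptions."""
from dataclasses import dataclass

# Per-element STRIDE applicability (usual DFD convention) and the STRIDE
# categories that can realise a business-level harm; both are assumptions.
STRIDE_BY_ELEMENT = {"process": set("STRIDE"), "datastore": set("TRID"),
                     "dataflow": set("TID")}
STRIDE_BY_HARM = {"confidentiality": set("ISE"), "integrity": set("TSER"),
                  "availability": set("D")}


@dataclass(frozen=True)
class Element:                      # one node or edge of the DFD-like description
    name: str
    kind: str                       # process | datastore | dataflow
    assets: frozenset               # business assets the element handles
    crosses_boundary: bool = False  # reachable across a trust boundary
    protocol: str = ""              # e.g. "binary" for a fieldbus dataflow
    source_available: bool = False


@dataclass(frozen=True)
class WorstCase:                    # high-level, non-technical business scenario
    name: str
    harm: str                       # confidentiality | integrity | availability
    asset: str


@dataclass(frozen=True)
class Threat:                       # technical threat scenario, traceable to its origin
    worst_case: str
    element: str
    category: str                   # one STRIDE letter


# Step 2 rule base: (rule id, predicate over (category, element), test type);
# a test type is a class of tests still to be adapted to the particular SUV.
RULES = [
    ("R1", lambda c, e: c == "T" and e.kind == "dataflow" and e.crosses_boundary
     and e.protocol == "binary", "mutation-based protocol fuzzing"),
    ("R2", lambda c, e: c == "I" and e.kind == "dataflow" and e.crosses_boundary,
     "transport encryption and traffic analysis"),
    ("R3", lambda c, e: c == "S" and e.kind == "process" and e.crosses_boundary,
     "authentication mechanism testing"),
    ("R4", lambda c, e: c in "TE" and e.kind == "process" and e.source_available,
     "tool-supported source code analysis"),
    ("R5", lambda c, e: c in "TE" and e.kind == "process" and not e.source_available,
     "static/dynamic binary analysis"),
    ("R6", lambda c, e: c == "D" and e.kind != "datastore",
     "robustness and load testing"),
    ("R7", lambda c, e: c in "TI" and e.kind == "datastore", "access control review"),
    ("R8", lambda c, e: c == "R", "audit logging review"),
]


def elicit_threats(elements, worst_cases):
    """Step 1: for each worst case, every element handling the affected asset
    yields one threat scenario per STRIDE category that both applies to the
    element kind and can realise the stated harm."""
    threats = []
    for wc in worst_cases:
        for el in elements:
            if wc.asset not in el.assets:
                continue
            cats = STRIDE_BY_ELEMENT[el.kind] & STRIDE_BY_HARM[wc.harm]
            threats.extend(Threat(wc.name, el.name, c) for c in sorted(cats))
    return threats


def map_to_tests(threats, elements):
    """Step 2: apply the rule base. Returns (suggestions, uncovered):
    suggestions maps test type -> traces (worst case, element, STRIDE
    category, rule id); uncovered lists threats no rule matched, i.e. the
    gaps a minimum quality assurance level has to flag."""
    by_name = {e.name: e for e in elements}
    suggestions, uncovered = {}, []
    for t in threats:
        matched = False
        for rule_id, pred, test_type in RULES:
            if pred(t.category, by_name[t.element]):
                matched = True
                trace = (t.worst_case, t.element, t.category, rule_id)
                suggestions.setdefault(test_type, []).append(trace)
        if not matched:
            uncovered.append(t)
    return suggestions, uncovered


# Constructed sample system: a controller reachable over a binary fieldbus,
# shipped without source code, and a recipe database behind it.
ELEMENTS = [
    Element("FieldbusLink", "dataflow", frozenset({"control"}),
            crosses_boundary=True, protocol="binary"),
    Element("ControlService", "process", frozenset({"control", "recipe"}),
            crosses_boundary=True, source_available=False),
    Element("RecipeDB", "datastore", frozenset({"recipe"})),
]
WORST_CASES = [WorstCase("Plant shutdown", "availability", "control"),
               WorstCase("Recipe theft", "confidentiality", "recipe"),
               WorstCase("Unsafe actuator command", "integrity", "control")]


def run_example():
    """Full pipeline on the sample system: (suggestions, uncovered threats)."""
    return map_to_tests(elicit_threats(ELEMENTS, WORST_CASES), ELEMENTS)
```

For the sample system, information disclosure at the process itself matches no rule and is reported as uncovered, which is exactly the kind of gap in the rule base the traceability is meant to expose.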
SASSI 13, Berlin RERAT: Reverse Engineering Methods and Risk Analysis for Testing
Where do I start?
What to do (next)?
How to prioritize?
Industry acceptance
Automation
Information gain must outweigh cost of preliminary analysis
Preliminary analysis must be manageable by security assessment people
no binary RE experts
Vulnerability indicators → Map to activities → Assessment activity suggestions
Siemens AG 2013. All rights reserved. Page 8, June 2013, CERT Security Assessments | Jan Stijohann, Restricted
Some Details
[Diagram: static/dynamic binary analysis → SUV characteristics → vulnerability indicators (pattern matching) → map to activities (activities library, rules) → assessment activity suggestions]
Challenges
Static/dynamic binary analysis takes time and requires rare expertise
How to automate analysis?
How to leverage the required expert knowledge?
Assessment Activities
mutation-based or block-based fuzzing, tool-supported source code analysis: collected in a library, need adaptation to the SUT
DFDs
useful for high-level overview and for detecting certain design flaws
keep DFD as additional high-level view
[Diagram: assessment activity library and mapping rules → map to activities → assessment activity suggestions]
Reverse Engineering analysis
DFD generator/analyzer: DFD-relevant SA results, DFD-relevant DA results
Manual adaptations and extensions
High-level, annotated DFD
SUV - Characteristics: Code snippet examples
Static analysis
Ketil Stølen
(SINTEF)
Vita:
Stølen is currently Chief Scientist at SINTEF and Professor at the University of Oslo. Stølen has
broad experience from basic research as well as applied research. He did his PhD at Manchester
University on formal reasoning about concurrent programs. At Technische Universität München
his research focused on the theory of refinement and rules for compositional and modular system
development - in particular, together with Manfred Broy he designed the Focus method as
documented in the Focus book published in 2001. At the OECD Halden Reactor Project he led
several research activities concerned with the modeling and dependability analysis of safety-critical
systems. At SINTEF he has led the development of the CORAS method since the very beginning.
He was the technical manager of the EU project (the CORAS project) ending in 2003 in which the
first version of the CORAS method was developed. He has since then led several research projects
funded by the Research Council of Norway which have considerably refined and extended the
original CORAS approach. A book on the CORAS method supported by a free tool was published in
2011. Stølen is currently managing several major Norwegian research projects focusing on issues
related to modeling, security, risk analysis, and trust.
Ketil Stølen
Test-based risk assessment
Abstract:
Security risk analysis is a process that is carried out in order to identify and
assess security-specific risks. Traditional risk analysis often relies heavily on
expert judgment for the identification of risks and their causes and the
estimation of their likelihood and consequence. The outcome of these kinds of
risk analysis is therefore dependent on the participants' background,
experience, and knowledge, which in turn reflects an uncertainty in the
correctness of the results. In order to validate the correctness of the risk
analysis results, the risk analysis process can be complemented by other ways
of gathering relevant information. One possibility is to employ security
testing. In this talk we present experiences from combining the CORAS method
for security risk analysis with security testing.
Berlin, 19.9.2013
Practical experiences:
NESSOS: http://www.nessos-project.eu/
Diamonds: http://heim.ifi.uio.no/~ketils/diamonds/diamonds.htm
Vita:
Samson Yoseph Esayas (LLB, LLM, Researcher at Norwegian Research Center
for Computers and Law, University Of Oslo).
Samson Yoseph Esayas
Legal Risk Management
Abstract
It is commonplace that legal services are often sought reactively, i.e., when a legal
problem has already occurred. Such an approach has not always been viewed as
satisfactory because disputes and litigation consume time and resources which could
otherwise be used more productively. In the book The Future of Law, Richard Susskind
predicts a paradigm shift in the approach to a legal problem, from problem solving to
problem prevention, where understanding legal problems, identifying associated
risks and controlling them before any question of escalation becomes a priority. This
raises the question of what methods a lawyer can employ to ensure legal risk
management. One possibility is to supplement the conventional legal method of
identifying which law applies to a given case with methods for risk analysis developed
in other disciplines, such as IT security. In such disciplines, risks can be identified,
analyzed and addressed in a structured way. The question remains: to what extent, and
in which way, may such methods for risk management be applied within the legal
domain?
Legal Risk Management: Proactive
Management of Legal Risks
Introduction
Risk management
A real-life example
ISO 31000:2009
Risk assessment
Monitoring and review
Risk identification
Risk analysis
Risk evaluation
Risk treatment
Risk matrix
Who does risk management in an enterprise?
Board of directors/CEO: enterprise risk
Chief risk officer (CRO)/chief finance officer (CFO): financial risk
Product developers (e.g. engineers): product risk
Safety officer: risk related to health/environment/safety
Project managers: project risk
IT system engineers: IT security risk
Compliance officer: compliance risk
Uncertainty about facts and legal norms: legal risk
Risk analysis: legal & factual uncertainty
Risk evaluation: quantitative & qualitative
Risk treatment: legal & factual risk controls
A real-life example of identified legal risk
Checking compliance through testing (audit testing)
Gerard Gaudin
(G2C)
Abstract:
Standards for IT security indicators and an associated event classification model are missing (or are
still very poor), and this hinders the benchmarking of IT security measures. The ETSI ISG ISI initiative
(launched during fall 2011), which is based on four years of experience and the frameworks of the European
network of Club R2GS grassroots associations in Cyber Defence and SIEM (France, UK and
Germany today), fills this gap while being strictly compliant with the ISO 2700x IT security standards. It
addresses the full scope of security event detection issues through 5 Work Items:
ISI-001 (Indicators), a powerful way to assess the level of effectiveness of security measures,
ISI-002 (Event Model), a comprehensive security event classification model,
ISI-003 (Maturity), to assess the maturity level regarding overall event detection,
ISI-004 (Detection Implementation), to demonstrate how to produce indicators and how to
detect the related events,
ISI-005 (Event Testing), to produce fake events and to test the effectiveness of detection means.
ISG ISI (Information Security Indicators)
[Diagram: Risk Management (ISO 27005) dispatches and puts into hierarchy the 133 ISMS control points depending on IS components; Controls and ISMS (ISO 27002/1 and Cobit) (Plan and Do)]
Gerard Gaudin (ISG ISI chairman) SASSI13 Workshop in Berlin 19 September 2013
Addresses the main missing security event detection standardization issues through 5 closely linked Work Items:
ISI Indicators (ISI-001-1 and Guide ISI-001-2) = a powerful way to assess the level of enforcement and effectiveness of security controls (+ benchmarking)
ISI Event Model (ISI-002) = a comprehensive security event classification model (taxonomy + representation)
ISI Maturity (ISI-003) = necessary to assess the maturity level regarding overall SIEM capabilities (technology/people/process) and to weigh event detection results; methodology complemented by ISI-005 (which is a more detailed and case-by-case approach)
ISI Event Detection (ISI-004) = demonstrate through examples how to produce indicators and how to detect the related events with various means and methods (with classification of use cases/symptoms)
ISI Event Testing (ISI-005) = propose a way to produce security events and to test the effectiveness of existing detection means (for major types of events)
[Diagram (event model-centric vision): security prevention measures → real events → event detection measures → detected events → event reaction measures; fake events (simulation) are fed to the detection measures; residual risk]
[Diagram: ISI positioned among related frameworks: Protect. Prof., Risk Analysis, BCP, Reaction Plans, Event Model, MITRE CAPEC, NIST 800-86, MITRE CEE, Projects, Contracts, Phys. Sec., Forensics, Glossary; base (or technical) frameworks: IETF RFC 4765/5070/6045/5424, NIST 800-126 (SCAP), ITU-T X.152X]
ISI-001 specifications
Position the proposed operational indicators against ISO 27002 controls and ISO 27006 technical controls = provide more assurance to governance and auditors
[Table columns: ISO 27002 control areas; ISO 27006 technical control areas; incident type indicators; vulnerability type indicators (behavioural, software, configuration, general security); comments. First row: A5, Non-continuous checking]
ISI-002 specifications (1)
The diversified uses of the event model
ISI-002 specifications (2)
ISI-001 and ISI-002 against the ISO 27004 standard measurement model: counting of some events (ISI-001-1) and the event classification model (ISI-002)
ISI-003 specifications
The mandatory taking into account of the organization's SIEM maturity level
A good security event detection level (still often very low today) requires many conditions (tools appropriately configured, advanced processes especially for use case creation, seasoned experts)
This overall maturity level can be assessed accurately through 10 KPIs (with a clear correspondence with the 20 US CAG Critical Controls)
Provision (with these KPIs) of a reckoning formula for an organization to assess its detection levels for major kinds of security events (and to weigh the results of its own measurements)
This methodology may be complemented by a more dedicated, case-by-case one based on the production of security events and testing of the effectiveness of existing detection means (for major types of events)
ISI-005 specifications
Guidelines to stimulate security events are missing and are required (same motivations as ISI-003)
ISG ISI started in Autumn 2011; the members of the Unit and of the 5 Work Items are European and US experts
The Club R2GS network and standardization
[Diagram: Gérard Gaudin coordinates the whole European network, with links to ISO JTC1 SC27, ITU-T SG17 Q4, MITRE (US), ETSI ISG ISI and the European Commission]
Main works of the five clubs (the last two are to be launched in fall 2013):
- 7 WGs (0 to 6); WG 4 (all added values and especially how to detect); WG 6 (Security Incident Management); Matinales; Assises Cyber Défense et SIEM
- Link with Cabinet Office (Project Auburn); establishment of a 1st set of UK state-of-the-art figures (related to ISI indicators); ISO SC27/ETSI ISG ISI liaison officer
- Marketing collaterals; relations between risk analysis and ISI indicators and event model (contribution to ETSI and ISO)
- to be launched in fall 2013
- to be launched in fall 2013
Link: http://en.wikipedia.org/wiki/Information_security_indicators
Gérard Gaudin, 29 August 2013
Session 2 Talk 2
Jürgen Großmann
(Fraunhofer FOKUS)
Technical Guide to Information Security Testing and Assessment NIST Special Publication 800-115
TMMi, TPI and TPI NEXT
[Diagram: STIP key areas, including information gathering, test depth, security functional testing, security test tool integration, security risk assessment technique, security risk assessment scope, generation of security test models, fuzzing technique, security passive testing/security monitoring, security test generation, security test identification, traceability and security test coverage, security test execution, security test automation, static security testing]
STIP level definition
Key area: Security risk assessment technique
Domains: banking, automotive, radio protocols, smart cards, telecommunication, industrial automation
Evaluation of the DIAMONDS Case Studies
STIP results for the international case studies
Evaluation of the DIAMONDS Case Studies
Progress in all case studies
Banknote processing machine case study
Summary & Conclusion
Contact:
Jürgen Großmann
Fraunhofer Institute for Open Communication Systems FOKUS
MOTION Modeling and Testing for System and Service Solutions
Kaiserin-Augusta-Allee 31, 10589 Berlin, Germany
E-Mail: juergen.grossmann@fokus.fraunhofer.de
Session 2 Talk 3
Luca Viganò
(Università di Verona, Italy)
[Cartoon: a client asks for a Gmail resource, is asked "Your credentials?" and answers "Here they are, my credentials!"]
[Diagram: Property + Model → Model Checker; SUV with Input/Output]
From AVANTSSAR to SPaCIoS
(the story of SAML SSO)
[Diagram: the AVANTSSAR Validation Platform. Services and policies specified in BPMN + annotations, HLPSL++, AnB or ASLan++ are translated by connectors into ASLan; the Orchestrator solves the composition problem for services/policies (P, CP, CS) and the Validator checks the composed service/policy through TS wrappers, reporting secure or insecure (with a vulnerability)]
Ugarte: Look, Rick. Know what this is? Something that even you have never seen. Letters of transit signed by General de Gaulle. [Marshal Weygand] Cannot be rescinded. Not even questioned.
From AVANTSSAR to SPaCIoS
(the story of SAML SSO)
...a few but critical fields neglected in the IdP SSO service provisioned by Google...
...so that any SP can access the Google resources of the IdP's members!
3 December 1627.
It is by my order and for the good of the State that the bearer of this has done what he has done.
Richelieu
From AVANTSSAR to SPaCIoS
(the story of SAML SSO)
[Diagram: Property + Model → Model Checker → Attack trace (1. Step_C_1() 2. Step_SP_1() 3. Step_C_2()). Can we automate this task?]
[Diagram: the attack trace is concretized with SUV data into a test case (GET http://... → HTTP/1.1 200 OK; GET http://... → HTTP/1.1 302) that the test execution engine runs against the SUV (input/output)]
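The concretization step sketched above, as an added example that is not the SPaCIoS Tool's code: an abstract attack trace is instantiated with SUV data into concrete HTTP steps, executed against a stub service provider, and the violated security goal serves as the test oracle. The step syntax, the instantiation table and the stub SP (with a configuration flag standing in for one of the "highly configurable" options) are constructed assumptions.

```python
"""Added example (not the SPaCIoS Tool's code): concretizing an abstract attack
trace from a model checker into an executable HTTP test case and using the
violated security goal as the test oracle. Step names follow the slide; the
message syntax, instantiation data and stub SUV are constructed assumptions."""
import re

# Abstract attack trace as a model checker might report it (constructed):
# client C asks SP for a protected resource and the model lets SP answer 200
# without any round trip to the IdP, violating the goal "protected resources
# are released only after IdP authentication".
ABSTRACT_TRACE = [
    "Step_C_1:  C  -> SP : GET(<Resource>)",
    "Step_SP_1: SP -> C  : 200(<Resource>)",
]
# Instantiation file / SUV data: abstract symbols -> concrete values.
SUV_DATA = {"<Resource>": "http://sp.example.test/private/report",
            "<IdPLogin>": "http://idp.example.test/sso"}
STEP_RE = re.compile(r"(\w+):\s*(\w+)\s*->\s*(\w+)\s*:\s*(\w+)\((.*)\)")


def concretize(trace, suv_data):
    """Translate each abstract step into a concrete test step
    (name, sender, receiver, action, concrete value)."""
    steps = []
    for line in trace:
        name, src, dst, action, arg = STEP_RE.match(line).groups()
        steps.append((name, src, dst, action, suv_data.get(arg, arg)))
    return steps


def make_stub_sp(requires_idp_session):
    """Constructed stand-in for the SUV's service provider. The flag models a
    configuration option: whether private URLs demand an IdP-issued session.
    Returns (status, location_or_body)."""
    def sp(method, url, session):
        if method == "GET" and url.startswith("http://sp.example.test/private/"):
            if requires_idp_session and "idp_assertion" not in session:
                return 302, SUV_DATA["<IdPLogin>"]
            return 200, "report contents"
        return 404, ""
    return sp


def execute(steps, sp):
    """Run the client steps against the SUV and check every SP step of the
    trace against the observed response. Returns (verdict, log): 'reproduced'
    means the model's attack is real on this SUV, 'not reproduced' means the
    SUV deviates from the trace (here: it redirects to the IdP instead)."""
    session, log, last = {}, [], None
    reproduced = True
    for name, src, dst, action, value in steps:
        if src == "C" and dst == "SP":
            last = sp(action, value, session)
            log.append(f"{name}: {action} {value} -> HTTP/1.1 {last[0]}")
        elif src == "SP":
            observed = last[0] if last else None
            log.append(f"{name}: expected {action}, observed {observed}")
            reproduced = reproduced and observed == int(action)
    return ("reproduced" if reproduced else "not reproduced"), log


if __name__ == "__main__":
    test_case = concretize(ABSTRACT_TRACE, SUV_DATA)
    for flag in (False, True):
        verdict, log = execute(test_case, make_stub_sp(requires_idp_session=flag))
        print(f"requires_idp_session={flag}: {verdict}", *log, sep="\n  ")
```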
Research prototype: the SPaCIoS Tool
[Diagram: the security analyst works through a user interface combining security model checking, security testing and penetration testing. Inputs: SUV source code, fault location, security goals, model of the attacker, user guidance. Components: source-based model inference and adjustment, trace-driven fault localization, model of the SUV, libraries (vulnerabilities, attack patterns, security goals, attacker models), property-driven and vulnerability-driven test case generation, abstract test case, execution trace, test execution engine. Output: test results]
Complements the state of the art: rigorous, formal; automated (at least most of it)
Targets industrially relevant security protocols & web apps
Broad security range: logic flaws, injections, AC; good coverage of the OWASP top 10
Promising results: SAML SSO, OAuth2, ..; WebGoat, Shopping Cart, ..
Workflow
Use case 1: property-driven security testing
One example: a company enriching its products with security standards (SAML SSO, OAuth2, ..)
security standards are highly configurable: which options and recommendations?
the company's internal requirements: some deviations w.r.t. the standard?
security impact?
[Diagram: Property + Model → Model Checker → Attack trace (1. Step_C_1() 2. Step_SP_1() 3. Step_C_2()) → concretization with SUV data (GET http://... → HTTP/1.1 200 OK; GET http://... → HTTP/1.1 302) → Test case engine → Test execution engine → SUV (input/output)]
Demo later
Use case 2: model inference
Models? Black-box model inference; white-box model inference from sequence diagrams and network traces
[Diagram: the inferred models feed the workflow Property + Model → Model Checker → Attack trace → translator → Test case engine → Test execution engine → SUV (input/output)]
Use case 3: mutation-based testing
No attack traces? [Same workflow figure: Property, Model, Model Checker, Test case, Test execution engine, SUV.] Details tomorrow.
Use case 4: vulnerability-driven testing
Well-known vulnerabilities? Attack pattern + instantiation file + SUV data: the Instantiation step turns attack patterns and instantiation files into models, from which test cases are derived and run by the Test execution engine against the SUV (Input/Output). Details tomorrow.
Use case 5: evolutionary fuzzing for filtered type-1 and type-2 XSS
Use case 6: testing based on business logic patterns
Promising results (OWASP Top 10 vs. The SPaCIoS Tool):
A1 Injection: WebGoat lessons String SQL Injection and Numeric SQL Injection; SIEMENS InfoBase and eHealth
A2 Broken Authentication & Session Management: SAML, OpenID, OAuth (e.g., authentication logic flaws); password brute-forcing on SIEMENS InfoBase and eHealth
A3 Cross-Site Scripting: WebGoat lessons Stored XSS and Reflected XSS; SIEMENS InfoBase and eHealth
A4 Insecure Direct Object References: SIEMENS InfoBase and eHealth (file enumeration and path traversal)
A6 Sensitive Data Exposure: SAML, OpenID, OAuth (data confidentiality logic flaws)
A7 Missing Function Level Access Control: WebGoat lessons Bypass Business Layer Access Control, Bypass Data Layer Access Control and Role Based Access Control; SIEMENS eHealth
A8 CSRF: SIEMENS InfoBase and eHealth
Also: filtered type-1 and type-2 XSS that other scan tools were not able to find; shopping for free on several shopping cart web sites (to be published).
Thank you!
[Closing slide: the SPaCIoS tool overview figure again, with the Security Analyst at the user interface.]
Luca Compagna
(SAP)
Vita:
Dr. Luca Compagna is contributing to the Product Security Research at SAP,
where he is responsible for various internally and externally funded research
projects. He received his MSc in Informatics Eng. from the U. of Genova and
his Ph.D. in Computer Science jointly from the U. of Genova and Edinburgh. His
areas of interest include security engineering, automated reasoning, and their
application to the modelling and analysis of industrially relevant scenarios. He
has contributed to various projects on information security and has authored
various scientific publications in his area of interest.
Luca Compagna
Formal Validation and Testing of Security Standards at SAP
Abstract:
Security standards such as OASIS SAML Single Sign-On, OpenID, and OAuth are key enablers for
the challenging collaborative business scenarios that are envisaged for the cloud and the web
overall, both within corporate boundaries and beyond. Major software companies, SAP among
them, adopt and develop some of these security standards within their core products. Security
standards are highly configurable so as to offer interoperability and to be applicable in a multitude
of environments. A risk emerges from this openness and freedom, as the chosen configuration
options could have an impact on security. Companies must be extremely careful to implement
their security standard solutions in a way that achieves interoperability without
endangering the security of the overall targeted scenario. The picture is even more complex
considering that internal requirements of the company itself could demand small deviations
from the standard and make the overall security assessment more difficult. All in all, evaluating
the consequences of a certain decision, regardless of whether it is a legitimate security standard option
or a reasonable small deviation, is not an easy task for a human being and would benefit a lot from
tool support. In this talk we will introduce all these important challenges through real industrial
examples and we will describe how SAP is leveraging off-the-shelf research methodology and
tools achieved in the SPaCIoS EU-funded research project to cope with these challenges.
Validation and Testing of Security Standards at SAP:
from research to industry
Luca Compagna, Product Security Research (SAP AG)
Take away message
- Open challenge: development team using the prototype on their own?
- The SAML2 SSO story: seed for internal transfer at SAP dev. units
- Security Considerations for SAML: to the best of our knowledge no other SAML2 SSO producer performed such a rigorous analysis
Agenda
- The SAML2 SSO story: seed for internal transfer at SAP dev. units
- Business problem and challenges
- Instrumentation-based Testing with Demo
- Conclusion
Business problem and challenges
Company enriching its products with security standards (SAML SSO, OAuth2, ..)
- security standards are highly configurable: which options and recommendations?
- company's internal requirements: some deviations w.r.t. the standard?
- security impact?
Example: options such as Client_ID; property: the resource shall be confidential.
Instrumentation-based Testing with Demo
[Slide figure: Property and Model go into the Model Checker, which returns an abstract trace (1. Step_C_1() 2. Step_SP_1() 3. Step_C_2()); Concretization with SUV data maps it to concrete HTTP messages (GET http://..., HTTP/1.1 200 OK, GET http://..., HTTP/1.1 302); the Test case is run by the Test execution engine against the SUV (Input/Output) and the results are collected in Reports. Question on the slide: security impact?]
Launching pad for XSS: combination of our authentication flaw with missing input validation.
[Message sequence chart between Tester and SUV: GET uri_i; GET uri; HTTP 302, <SAML req.>]
Conclusion
Devised an approach to
- detect logic flaws via model checking and test them on real systems
- evaluate the security consequences of design/development decisions
End users
- Standardization bodies working on a draft protocol (design verification)
- Development teams implementing protocols in the company's premises (e.g., SAP)
Open challenges
- Performance: offline analysis together with virtualization
- Usability: where do the models come from? E.g., sequence diagrams, network traces, ...
Contact information:
Luca Compagna
luca.compagna@sap.com
Session 3
Active security testing
Bruno Legeard
(FEMTO-ST/UFC & Smartesting)
Model-based vulnerability testing from patterns and behavioral model
Martín Ochoa
(Siemens/Technische Universität München)
Model-based vulnerability testing
Prof. Dr. Sachar Paulus
(Kuppinger Cole)
Trustworthy software development
Ari Takanen
(Codenomicon)
Traffic Capture Fuzzer: Effective method for model based fuzzing
Session 3 Talk 1
Bruno Legeard
(FEMTO-ST/UFC & Smartesting)
Vita:
Professor at the University of Franche-Comté/FEMTO-ST Institute, Bruno
Legeard is co-founder and senior scientist at Smartesting. He is internationally
recognized as an expert and a well-known speaker in the model-based testing
field. He has extensive experience in deploying model-based testing solutions
both in the enterprise information systems area and in the embedded systems
field. In 2007, Bruno Legeard authored with Dr. Mark Utting the first industry-
oriented book on model-based testing, "Practical Model-Based Testing: A Tools
Approach", Morgan Kaufmann.
Bruno Legeard
Model-based vulnerability testing
Abstract:
Our experience with commercially available and open-source web application
vulnerability scanners shows that these tools produce many false negatives in the
presence of complex vulnerabilities such as multistep XSS or logical
vulnerabilities. In this talk, we present a novel approach for vulnerability
detection based on test patterns and behavioral & environmental modeling.
These artifacts help to be much more precise and pertinent in
revealing known vulnerabilities in the system. To minimize the deployment effort of
such Model-Based Vulnerability Testing technologies, we show how test
patterns may be generic and reusable, and how we can split the behavioral &
environmental model into generic and reusable modeling elements and
specific, ad-hoc modeling elements to be developed for each test project.
Model-based and Pattern-driven Vulnerability Testing
Efficient detection of Multistep XSS
Bruno Legeard
Agenda
Model-Based Testing tool vendor
Vulnerability testing: state of the practice
- Static techniques: manual code review
- Dynamic techniques: intrusive manual penetration testing; proxies (Burp Suite, WebScarab, ...); DAST
DAST main techniques; research level: model-based vulnerability testing, behavioral fuzzing
Web application vulnerability scanners: www.sectoolmarket.com, an up-to-date benchmark of web application vulnerability scanners (July 2012)
Web application vulnerability scanners - Architecture: automated crawler
Example: IBM Rational AppScan - Reporting
Web application vulnerability scanners, Benchmark #1 (SQL injection vulnerability detection):
- vs1 HP WebInspect
- vs2 IBM AppScan
- vs3 Acunetix
Web application vulnerability scanners, Benchmark #2: real e-learning web app
[Table residue; column headers as recovered: Web Application Vulnerability Scanner; Unencrypted Login Request; DOM Based XSS; Autocomplete Attribute Not Disabled for Password Field; Directory Listing; Internal IP Disclosure Pattern Found; HTML Source Code Disclosure Pattern Found; Server Configuration.]
Prevalence of XSS attacks
Cross-Site Scripting (XSS): raw data
- stored in a database
- reflected from web input (form field, hidden field, URL, etc.)
- sent directly into a rich JavaScript client
Cross-Site Scripting illustrated (application with a stored XSS vulnerability)
1. Attacker sets the trap ("update my profile"): the attacker enters a malicious script into a web page that stores the data on the server
2. Victim views the page and sees the attacker's profile
[Figure residue: application layers Communication, Bus. Functions, Administration, Transactions, E-Commerce, Knowledge Mgmt, Accounts, Finance, Custom Code.]
XSS types: Reflected (link in another website / e-mail link); Stored (e.g. bulletin board, forum), including Multistep XSS; DOM-based
Multistep XSS: WackoPicko example
Challenge: Multi-step XSS discovery
Model-based and pattern-based vulnerability testing: research objectives
- Accuracy: capability to focus on the relevant part of the software (e.g. from a risk assessment point of view) depending on the targeted vulnerability types
- Precision: capability to avoid both false positives and false negatives
Agenda
MBVT overall process (generic and specific artifacts)
This approach is composed of four activities:
1. Test Purpose Definition
2. Model Design
3. Test Generation
4. Concretization, Test Execution and Verdict Assignment
Test purpose for Multi-step XSS (translation from vTP to test purposes; generic; def/use method)
- Name: Multi-step XSS
- Objective(s): Detect if an input can embed a malicious datum enabling a Multi-step XSS attack.
- Prerequisites: N/A
- Procedure: Identify a sensible user input, inject the malicious datum <script>alert(rxss)</script>.
- Oracle: Find the page where the input is rendered, and check if a message box rxss appears.
- Affiliated vTP: Reflected XSS
- Description, Variant(s), Known Issue(s) and Reference(s) are left empty on the slide.
1 - Test Purpose Definition
F. Bouquet et al., A subset of precise UML for model-based testing, 2007.
Modeling: WackoPicko example (specific artifacts): class diagram, state machine
3 - Test Generation
Observation technique for XSS: crawl the source page to see if the injected vector has been sanitized.
Test terminology dedicated to vulnerability testing:
- list of malicious vectors (XML file)
- body of the SUT's operations (HTTP level, browser level)
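The four activities above carried through for the Multi-step XSS test purpose, as an added example that is not Smartesting's or the authors' code. A constructed in-memory guestbook stands in for WackoPicko: the vector from the test purpose is injected on one page and observed on another, and the oracle is the observation technique from activity 3 (crawl the rendered page for the injected vector) rather than a message box. The Guestbook class, its sanitize switch and the pages it renders are assumptions.

```python
"""Multi-step XSS test: inject on one page, observe on another, assign a verdict.
The Guestbook class is a constructed stand-in for the SUT; nothing here is
Smartesting or WackoPicko code."""
import html
import re
from html.parser import HTMLParser

# Malicious datum from the test purpose; the oracle looks for its script body.
VECTOR = "<script>alert(rxss)</script>"


class Guestbook:
    """Hypothetical SUT: comments are stored on one page and rendered on another.
    sanitize=False reproduces a stored (multi-step) XSS defect; sanitize=True is
    the hardened variant that HTML-escapes user data at rendering time."""

    def __init__(self, sanitize):
        self.sanitize = sanitize
        self.comments = []

    def post_comment(self, author, text):
        """Step 1 (input page): store the comment, render only a confirmation."""
        self.comments.append((author, text))
        return "<html><body><p>Thanks, your comment will appear in the list.</p></body></html>"

    def render_listing(self):
        """Step 2 (rendering page): the stored data is emitted into the HTML."""
        esc = html.escape if self.sanitize else (lambda s: s)
        rows = "".join(f"<li><b>{esc(a)}</b>: {esc(t)}</li>" for a, t in self.comments)
        return f"<html><body><ul>{rows}</ul></body></html>"


class ScriptCollector(HTMLParser):
    """Collect the bodies of all <script> elements in a page."""

    def __init__(self):
        super().__init__()
        self.in_script = False
        self.scripts = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append("")

    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1] += data


def vector_survives(page, vector=VECTOR):
    """Observation technique: parse the rendered page and report whether the
    injected vector is present as a live script element. An escaped copy
    (&lt;script&gt;...) is ordinary text to the parser and does not count."""
    body = re.fullmatch(r"<script>(.*)</script>", vector).group(1)
    collector = ScriptCollector()
    collector.feed(page)
    return any(s.strip() == body for s in collector.scripts)


def run_multistep_xss_test(sut, vector=VECTOR):
    """Concretization and execution of the abstract test (post, then view) with
    verdict assignment: FAIL means the vulnerability was confirmed."""
    trace = [("post_comment", sut.post_comment("tester", vector))]
    listing = sut.render_listing()
    trace.append(("render_listing", listing))
    # Checking the first response alone would miss the flaw: the vector is
    # only rendered on the second page, which is what makes the XSS multi-step.
    verdict = "FAIL" if vector_survives(listing, vector) else "PASS"
    return verdict, trace


if __name__ == "__main__":
    for sanitize in (False, True):
        verdict, _ = run_multistep_xss_test(Guestbook(sanitize=sanitize))
        print(f"sanitize={sanitize}: {verdict}")
```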
Experiments on WackoPicko
Discussion
Potential solutions:
- use of a behavioral crawler to infer most parts of the models
- use of user traces to complement the results of the crawler
- identify the reusability capacity of each artifact
Discussion: the approach does not suit every vulnerability type.
MBVT scope based on OWASP Top 10 2013 (the slide colour-codes each item as Done, Doable, Out of scope or Under study):
A1 - Injection
A2 - Broken Authentication and Session Management
A3 - Cross-Site Scripting (XSS)
A4 - Insecure Direct Object References
A5 - Security Misconfiguration
A6 - Sensitive Data Exposure
A7 - Missing Function Level Access Control
A8 - Cross-Site Request Forgery (CSRF)
A9 - Using Components with Known Vulnerabilities
A10 - Unvalidated Redirects and Forwards
Conclusion and Future Works
Session 3 Talk 2
Martín Ochoa
(Siemens/TUM)
Vita:
Martín Ochoa is a post-doctoral researcher in software engineering at the
Technical University of Munich. His research interests lie in the intersection of
security and applied formal methods. He obtained an M.Sc. in mathematics
from the Ludwig Maximilians University of Munich and a Ph.D. in Computer
Science from the Technical University of Dortmund. Prior to his current
affiliation at TUM, he worked as a security consultant and researcher
for Siemens.
Martín Ochoa
Model-based vulnerability testing
Abstract:
In this talk we present two methodologies developed within the context of the
SPaCIoS project for testing systems against common security vulnerabilities
based on models. SPaCiTE allows vulnerability testers to generate concrete
attack traces from models of the system behavior based on abstract formal
traces obtained with the help of a model-checker and mutation operators. On
the other hand, VERA allows vulnerability testers to generate concrete attack
traces from explicit models of the attackers. We show applications of these
technologies to WebGoat, an insecure application developed for didactic
purposes.
Model-based Vulnerability Testing: Attacker vs. System models
Martín Ochoa, TUM / Siemens
Together with J. Oudinet, M. Büchler (TUM), A. Blome (SIEMENS), M. Torabi-Dashti (ETH), M. Peroli (UNIVR), Keqin Li (SAP)
SASSI 13, September 20 2013
Sunday, October 13, 13
Two complementary approaches. Goal: find vulnerabilities in the SUT.
Motivation: given a URL, does it expose XSS? SQL-i? a path-traversal attack? old software versions?
VERA: modeling the attacker
Motivation; challenges
Example: visit URL; fail. [Attacker model state machine residue: transitions labelled [!E(m)] rcv(m)/ ...]
Config: attacker model; payloads (<script>alert(42)</script>); login/passwords (l:admin, p:admin)
Advantages; proof of concept; demo
SPaCiTE general approach: model; possible mutations: reflected XSS, persistent XSS, SQL-i, RBAC violations; tested against WebGoat and SAP applications. Demo.
VERA: VERA: A flexible model-based vulnerability testing tool. Blome et al., ICST 2013.
SPaCiTE: Semi-automatic Security Testing of Web Applications from a Secure Model. Büchler et al., SERE 2012.
Sachar Paulus
(Kuppinger Cole)
Vita:
Prof. Dr. Sachar Paulus: Senior Analyst at Kuppinger Cole, CEO of a
management consultancy for security (paulus.consult), and Professor for
Information Systems and Security Management. Sachar was a member of a
number of advisory boards (e.g., RISEPTIS, the Advisory Board for Research
and Innovation on Security, Privacy and Trust in the Information Society).
Sachar Paulus
Trustworthy software development
Abstract:
In recent years, many attempts have been made to overcome the issue of
insecure and untrusted software. A number of terms have been used to capture
the expectation of how solid a piece of software should be: secure, safe,
dependable and trusted. Yet, as an industry, we have not yet been able to fulfill this
goal: both on the theoretical and on the practical side lots of innovations
have appeared, but it seems that overall the situation has become worse
instead of better. This talk aims at giving an overview of current best practices
and corresponding research activities that help software developers create
trustworthy software, among others the OPTET project.
Trustworthy Software Development
Prof. Dr. Sachar Paulus
Main data: 15 partners; 6 universities; 3 SMEs
Use case: Ambient Assisted Living
Trustworthiness vs. Security
- The trustworthiness of a component is defined by how well it secures a set of functional and non-functional properties.
- A system's state of being free from danger or threat.
- The state of availability, reliability, and maintenance support.
- Reliance on another entity.
Socio-technical Model
Trustworthiness and Trust in Socio-Technical Systems
- Trustworthiness: likelihood that the system will successfully meet all of the trustor's requirements.
- Trust: belief that engaging in the system for some purpose will produce an acceptable outcome.
Trustworthiness attributes
- Analysis of software attributes and properties, based on S-Cube and ISO 9126
- Extensive literature review of whether the attribute/property contributes to trustworthiness (or to trust) (*)
- Identified ~40 attributes, of various relevance depending on the use case
Secure Development Practices / Methodologies
Common Criteria and Trustworthiness
- Mapping of CC FSRs to TW attributes
- Identifying additional reqs for a CC+
- Work in progress
Trustworthiness metrics
- Planned activities: development of a computational model for ONE metric for trustworthiness
- Process metrics
Metrics - Example
Metric Tool as a Generic Enabler
Summary
References
"Towards Trustworthiness Assurance in the Cloud", Francesco Di Cerbo, Pascal Bisson, Alan Hartman, Sebastien Keller, Per Hakon Meland, Micha Moe, Nazila Gol Mohammadi, Sachar Paulus and Stuart Short. In: Cyber Security and Privacy EU Forum 2013. To appear in Springer Communications in Computer and Information Science, Heidelberg.
Session 3 Talk 4
Ari Takanen
(Codenomicon)
Vita:
Ari Takanen, founder and CTO of Codenomicon, has been active in the field of
software security testing research since 1998, focusing on information security
issues in next-generation networks and security-critical environments. He has
worked with numerous software development projects across the industry,
first from a software quality perspective but lately more from a security test automation
perspective. Ari is the author of several papers on software security, and is a
frequent speaker at security and testing conferences, leading universities and
international corporations. He is also the author of two books on VoIP security
and security testing.
Ari Takanen
Traffic Capture Fuzzer
Abstract:
Codenomicon's Traffic Capture Fuzzer (TCF) finds vulnerabilities in proprietary
protocols where there is no ready model based fuzzer available. TCF uses
captures of actual network traffic and creates a behavioral model based on
the captures. Codenomicon's powerful anomalisation engine creates the test
cases from this inferred model. The fuzzing framework can create and execute
fuzz tests for new or proprietary protocols easily, even during development.
Defensics Software Development Kit (SDK) allows users to enhance the TCF
operation. The SDK increases the focus and impact of the capture based
testing. Compared to the other fuzzing platforms, it requires much less
expertise, time and effort from the user to create the test cases: most of the
work is automatic.
Traffic Capture Fuzzer: effective method for model-based fuzzing
Background
- Fuzzing and security testing since 1996
- Model-based since 1998
- Commercial spin-off Codenomicon in 2001
- 100 people around the world
- 200+ customers include Cisco, NSN, Microsoft, Adobe, Verizon, T-Systems, BT, NTT, government agencies
- Integrity: hacker-controlled processes can now change anything in the system
- Confidentiality: hacker-controlled processes can now eavesdrop on all data and communications
Security Vulnerability = Just A Software Bug
Industry is slowly waking up to the unknown threats:
- "All software has undetected exploitable vulnerabilities." - Security Vendor 2009
- "All our zero-day vulnerabilities were found with Fuzzing." - Software Vendor 2010
- "You would be a fool not to Fuzz." - Analyst 2011
What is Fuzzing?
Fuzzing techniques: taming infinity
- The set of malformed inputs is infinite
- Need meaningful testing in finite time
- A good fuzzer is skillful at picking values that are most likely to find bugs: boundary conditions, illegal values, bad checksums, tough strings
Fuzzing techniques:
- Random: pump random bits at a port; no protocol knowledge; dumb; occasionally effective; shallow code coverage
- Mutation/Template-Based Fuzzing: quality of tests is based on the used template (seed) and mutation technique; slow to execute, least bugs found
- Generational/Specification-Based Fuzzing: full test coverage, as the model is built from the specification; fast to execute, most bugs found
Example: Traffic Capture Fuzzing
Step 1: Load Template
Traffic Capture Fuzzer is special among model-based test generators: it does not use an internal model; test generation is based on the recorded traffic capture.
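Capture-based test generation in the spirit of the slide, as an added example that is not Codenomicon's Traffic Capture Fuzzer: a constructed capture of a hypothetical length-prefixed protocol is the only input, the field layout is inferred from the capture rather than from an internal protocol model, and anomalies are then generated per inferred field following the value list from the "taming infinity" slide (boundary conditions, illegal values, bad checksums, tough strings). The protocol, the captured messages and the tough-string list are assumptions.

```python
"""Capture-based test generation for a hypothetical length-prefixed protocol.
The captures, the protocol and the anomaly list are constructed for this
example; this is not Codenomicon's Traffic Capture Fuzzer."""


def _frame(payload: bytes) -> bytes:
    """Build one valid message: magic 'PX', 1-byte length, payload, 8-bit checksum."""
    body = b"PX" + bytes([len(payload)]) + payload
    return body + bytes([sum(body) & 0xFF])


# Constructed traffic capture: three valid messages recorded from a live session.
CAPTURE = [_frame(b"HELLO alice"), _frame(b"PUT key=1"), _frame(b"GET key")]

TOUGH_STRINGS = [b"A" * 300, b"%s%n%x", b"\x00", b"\xff" * 16, b"<>\"'&"]


def infer_model(captures):
    """Infer a field layout from the captures alone (no protocol specification):
    a constant prefix, a one-byte length field and a trailing modular checksum."""
    prefix = 0
    while all(len(c) > prefix and c[prefix] == captures[0][prefix] for c in captures):
        prefix += 1
    checksum = all(c[-1] == sum(c[:-1]) & 0xFF for c in captures)
    trailer = 1 if checksum else 0
    # A length byte is one whose value equals the number of bytes after it (minus
    # the trailer) in every capture; the first such position after the prefix is taken.
    length_pos = None
    for pos in range(prefix, min(len(c) for c in captures)):
        if all(c[pos] == len(c) - pos - 1 - trailer for c in captures):
            length_pos = pos
            break
    return {"prefix_len": prefix, "length_pos": length_pos, "checksum": checksum}


def generate_tests(model, seed):
    """Yield (name, message) anomalies derived from one captured seed message,
    one group per inferred field, in the order of the slide's value list."""
    p, lp, trailer = model["prefix_len"], model["length_pos"], int(model["checksum"])
    start = lp + 1 if lp is not None else p
    payload = seed[start:len(seed) - trailer]

    def build(data, length=None, good_checksum=True):
        body = seed[:p]
        if lp is not None:
            body += bytes([(len(data) if length is None else length) & 0xFF])
        body += data
        if trailer:  # a wrong checksum is itself one of the anomalies
            body += bytes([(sum(body) + (0 if good_checksum else 1)) & 0xFF])
        return body

    # Illegal values: corrupt each byte of the constant header, keeping the checksum valid
    for i in range(p):
        msg = bytearray(build(payload))
        msg[i] ^= 0xFF
        if trailer:
            msg[-1] = sum(msg[:-1]) & 0xFF
        yield f"header byte {i} corrupted", bytes(msg)
    # Boundary conditions: length field disagrees with the actual payload
    if lp is not None:
        for length in (0, 1, len(payload) - 1, len(payload) + 1, 0xFF):
            yield f"length={length} with {len(payload)}-byte payload", build(payload, length)
    # Bad checksum on an otherwise valid message
    if trailer:
        yield "bad checksum", build(payload, good_checksum=False)
    # Tough strings in the payload (the 300-byte one also overflows the 1-byte length)
    for s in TOUGH_STRINGS:
        yield f"payload {s[:8]!r}...", build(s)


if __name__ == "__main__":
    model = infer_model(CAPTURE)
    print("inferred model:", model)
    for name, msg in generate_tests(model, CAPTURE[0]):
        print(f"{name:45s} {msg[:24].hex()}{'...' if len(msg) > 24 else ''}")
```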
Contact:
Ari Takanen, CTO, art@codenomicon.com
Dr. Volker Baier, volker@codenomicon.com
Graham Steel
(Cryptosense)
Security analysis of APIs, including the W3C Crypto API
Ana Cavalli
(Institut Mines-Telecom)
Application of passive testing techniques to secure interoperability testing
Wissam Mallouli
(Montimage)
Passive testing for security checking using MMT
Session 4 Talk 1
Riccardo Scandariato
(KU Leuven)
Abstract:
Identifying security vulnerabilities in a code base is like finding the proverbial
needle in a haystack, as the occurrence of a vulnerability is a relatively rare
event. In this respect, prediction models are useful to guide quality
assurance activities, e.g., to identify the code locations that deserve special
attention. We present an approach to predict which components of a software
system contain security vulnerabilities. The approach is based on text mining
the source code and leverages machine learning techniques. The evaluation
is performed in the context of applications written in Java and C++. The
results show that the technique has excellent prediction power and performs
better than state-of-the-art approaches.
Session 4 Talk 2
Graham Steel
(Cryptosense)
Vita:
Graham Steel holds a master's in mathematics from the University of
Cambridge and a Ph.D. in informatics from the University of Edinburgh. He has
been a researcher at INRIA, the French national agency for computer science
research, where he was part of the Prosecco project team based in central
Paris. He recently co-founded the spin-off company Cryptosense, which
provides solutions to an international clientele, in particular in the financial,
industrial and government sectors. Steel's main research interests are in
formal analysis of information security and applied cryptography. His current
work on cryptographic API verification involves using formal techniques to
construct and analyze abstract models of cryptographic device interfaces. In
addition to international conference and journal publications, his recent
results have featured in Wired magazine and the New York Times.
Graham Steel
Security analysis of APIs, incl. the W3C Crypto API
Abstract:
Using a unique combination of reverse-engineering and model-checking, Cryptosense
technologies permit automated security analysis of cryptographic APIs (www.cryptosense.com). In
the domain of smartcards and Hardware Security Modules (HSMs), Cryptosense Analyzer has
already been used to find and help to fix several previously unknown vulnerabilities and to assist
with secure device configuration. It is now part of standard security testing and monitoring in two
national security agencies as well as a large international bank.
Currently, the commercially available version of Cryptosense Analyzer only deals with interfaces
conforming to the industry standard PKCS#11. In our development programme we are working on
the Cryptosense Generator that, given an annotated specification of an interface in e.g. a header
file, can produce a specific version of the Cryptosense Analyzer customized for that interface. We
are experimenting with MS and Java APIs as well as some proprietary interfaces. More recently,
we have been investigating the W3C Crypto API that lets developers implement secure application
protocols on the level of Web applications, including message confidentiality and authentication
services, by exposing trusted cryptographic primitives from the browser. In this talk we will
demonstrate the Cryptosense Analyzer and describe our recent results.
Security Analysis for Cryptographic APIs
Graham Steel
© Cryptosense 2013
Cryptographic Security Today
Graham Steel 2/ 32
Cryptography in Practice v1
Cryptography in Practice v2
Literature consulted
Cryptography in Practice v3
API rules (PKCS#11 style; a handle h(n, k) refers to key k and carries attributes; {y}x is y encrypted under x):
C_GenerateKey: new n, k.  T -> h(n, k); T
C_SetAttributeValue: T, h(n, k) -> h(n, k); T
  (T can specify new values for any attributes, but may cause CKR_TEMPLATE_INCONSISTENT, CKR_ATTRIBUTE_READ_ONLY)
Wrap: h(x1, y1), h(x2, y2); wrap(x1), extract(x2) -> {y2}y1
Unwrap: new n1.  h(x2, y2), {y1}y2, T; unwrap(x2) -> h(n1, y1); extract(n1), T
Encrypt: h(x1, y1), y2; encrypt(x1) -> {y2}y1
Decrypt: h(x1, y1), {y2}y1; decrypt(x1) -> y2
www.cryptosense.com
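A bounded exploration of the rules above against a two-key configuration, as an added example that is not Cryptosense Analyzer code: it asks whether the value of a sensitive key can ever reach the caller, first under an unrestricted attribute policy and then under one that refuses the wrap/decrypt and unwrap/encrypt combinations on every handle of the same key value. The two-key setup, add-only attributes, the caller's offline decryption with a key value it already knows, and the search bound are assumptions of this model.

```python
"""Bounded search over the API rules above for a configuration of two keys.
Terms: a key value is a string ("k1", "k2"); ("enc", x, y) is {y}x. A state
is (handles, known): handles is a tuple of (key value, attribute set), known is
the set of terms the caller has learnt. Assumptions of this model (not from the
page): attributes are add-only, Unwrap imports with the template plus extract,
a caller who knows a key value decrypts offline under it, and the second
policy tracks attribute conflicts per key value across all its handles."""
from collections import deque

USAGE = ("wrap", "unwrap", "encrypt", "decrypt")
CONFLICTS = (frozenset({"wrap", "decrypt"}), frozenset({"unwrap", "encrypt"}))
MAX_HANDLES = 4  # bound on handles created by Unwrap
# Initial configuration: k1 is the sensitive key, k2 an ordinary key; both extractable.
INITIAL = (("k1", frozenset({"extract"})), ("k2", frozenset({"extract"})))


def policy_unrestricted(attrs_of_key, wanted):
    """Any template is accepted."""
    return True


def policy_conflicts(attrs_of_key, wanted):
    """Reject a template that would combine wrap with decrypt, or unwrap with
    encrypt, on a key value (counting attributes already set on other handles)."""
    both = attrs_of_key | wanted
    return not any(c <= both for c in CONFLICTS)


def attrs_of_key(handles, key):
    return frozenset().union(*(a for k, a in handles if k == key))


def enc(key, payload):
    return ("enc", key, payload)


def is_enc_under(term, key):
    return isinstance(term, tuple) and term[1] == key


def successors(state, policy):
    """Apply each rule once to (handles, known); yield (next_state, step)."""
    handles, known = state
    for i, (k, a) in enumerate(handles):
        # C_SetAttributeValue: T, h(n, k) -> h(n, k); T   (one attribute at a time)
        for attr in USAGE:
            if attr not in a and policy(attrs_of_key(handles, k), {attr}):
                new = handles[:i] + ((k, a | {attr}),) + handles[i + 1:]
                yield (new, known), f"C_SetAttributeValue(h{i}, {attr})"
        # Wrap: h(x1, y1), h(x2, y2); wrap(x1), extract(x2) -> {y2}y1
        if "wrap" in a:
            for j, (k2, a2) in enumerate(handles):
                if "extract" in a2:
                    yield (handles, known | {enc(k, k2)}), f"Wrap(h{i}, h{j}) gives {{{k2}}}{k}"
        for t in known:
            # Encrypt: h(x1, y1), y2; encrypt(x1) -> {y2}y1
            if "encrypt" in a:
                yield (handles, known | {enc(k, t)}), f"Encrypt(h{i}, {t})"
            # Decrypt: h(x1, y1), {y2}y1; decrypt(x1) -> y2
            if "decrypt" in a and is_enc_under(t, k):
                yield (handles, known | {t[2]}), f"Decrypt(h{i}, {t}) gives {t[2]}"
            # Unwrap: h(x2, y2), {y1}y2, T; unwrap(x2) -> h(n1, y1); extract(n1), T
            if ("unwrap" in a and is_enc_under(t, k) and isinstance(t[2], str)
                    and len(handles) < MAX_HANDLES):
                for attr in USAGE:
                    template = frozenset({attr, "extract"})
                    if policy(attrs_of_key(handles, t[2]), template):
                        yield (handles + ((t[2], template),), known), \
                            f"Unwrap(h{i}, {t}, T={attr}) gives h{len(handles)}"
    # Offline step by the caller: a known key value decrypts anything encrypted under it
    for t in known:
        if isinstance(t, tuple) and t[1] in known:
            yield (handles, known | {t[2]}), f"offline decrypt of {t}"


def find_attack(policy, secret="k1", max_depth=5):
    """Breadth-first search from INITIAL; returns the shortest call sequence that
    puts `secret` into the caller's knowledge, or None within max_depth calls."""
    start = (INITIAL, frozenset())
    queue, seen = deque([(start, [])]), {start}
    while queue:
        state, trace = queue.popleft()
        if secret in state[1]:
            return trace
        if len(trace) == max_depth:
            continue
        for nxt, step in successors(state, policy):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, trace + [step]))
    return None


if __name__ == "__main__":
    for name, pol in (("unrestricted", policy_unrestricted), ("conflict policy", policy_conflicts)):
        trace = find_attack(pol)
        print(f"{name}: " + ("no leak within bound" if trace is None else " ; ".join(trace)))
```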
Ana Cavalli
(Institut Mines-Telecom)
Ana Cavalli, Khalifa Toumi, Institut Mines-Telecom / TELECOM SudParis
Planning
- Conformance testing
- Active testing techniques
- Fault models
- Passive testing (monitoring)
- A case study (Inter-Trust project)
Conformance testing
Conformance testing: to check that an implementation conforms to a specification; to check that the implementation satisfies some expected properties.
Faults detected:
- output faults, if the implementation transition produces a wrong output
- transfer faults, if the implementation transition goes into a wrong state
- mixed faults, both output and transfer faults
What is active testing?
[Figure: the Active Tester derives Test Suites from a Formal Specification, stimulates the IUT and emits a Verdict: PASS, FAIL, INCONC.]
Objectives
- To optimize test production by reduction of time and cost: handcrafted tests have a high cost; test suites for real protocols are on average very large
- To improve fault coverage
Limitations of active testing
Components testing
- Test in context, embedded testing: tests focused on some components of the system, to avoid redundant tests
- Interfaces semi-controllable: in some cases it is not possible to apply active testing
[Figure: an Embedded Module inside a Context Module A, exchanging internal messages (a, b, c, ia, ib) with the Environment.]
Why passive testing?
- Conformance testing is essentially focused on verifying the conformity of a given implementation to its specification.
- It is based on the ability of a tester that stimulates the implementation under test and checks the correctness of the answers provided by the implementation.
- Closely related to the controllability of the IUT.
- In some cases this activity becomes difficult, in particular: if the tester has no direct interface with the implementation, or when the implementation is built from components that have to run in their environment and cannot be shut down or interrupted (for a long time) in order to test them.
Passive Testing based on Invariants - Test by invariants
Simple (Output) invariant
- Definition: invariant in which the test is an output
- Meaning: immediately after the preamble sequence there is always the expected output
- Example: (i1 / o1) (i2 / o2) (preamble in blue, expected output in red)
Test by invariants: Obligation (Input) invariant
Test by invariants: succession invariant
PASSIVE vs ACTIVE TESTING
Active testing [Figure: Active Tester, Formal Specification, Test Suites, IUT, Verdict: PASS, FAIL, INCONC.]
+ Possibility to focus on a specific part of the specification
+ Automatic test generation
- May modify (crash) the IUT behavior
Passive testing [Figure: IUT]
+ No interference with the IUT
+ System modelisation is not necessary
- No test generation
Application of passive testing (monitoring) to secure interoperability: the Inter-Trust project
- The project has as its main objective the development of different techniques to ensure secure interoperability
- Case study based on the interoperability of two information systems belonging to two different nations (Nation 1 and Nation 2) that need to interoperate
- We have used the language OrBAC to describe the security properties and the tool MMT to verify the properties using monitoring
- The proposed scenario is the following:
  - Nation 2 needs to access some resources of Nation 1
  - These resources can be confidential, secret or public and they can be accessed by different intelligence officers
  - We need to check that the resources of Nation 1 are accessed by the authorized intelligence officers of Nation 2
OrBAC language
- Organization Based Access Control (OrBAC)
- Abstraction of security policies: abstract rules
- Role, View, Activity
- Context: spatial context, temporal context, user-declared context, prerequisite context and provisional context
- Example: Permission(org, role, activity, view, context)
MotOrBAC tool
- MotOrBAC functionalities: edition, simulation and analysis of the security rules; delegation management; entity hierarchies; conflict management
- Plug-ins interface (Plug-in1, Plug-in2, ..., Plug-ink)
Intelligent System Architecture
General Architecture
Inter-Trust Platform
[Figure: Administration of AC interoperability model templates and the security policy with MotOrBAC / AdOrBAC (VPO); the MMT Probe sniffs the communication with System2; the MMT Engine analyzes traces, detecting attacks and verifying properties; result files (HTML) are produced on the INTER-TRUST platform.]
Interoperability Scenario (1)
1. Specification of the local policy of each participant (SYSTEM; IR: Information)
Interoperability Scenario (5)
1. Specification of the local policy of S1
Example 1: An ORT has the right to manage intelligence information if the information has a security level Confidential or lower.
Rule1: permission(S1, ORT, manage, IR_C, defaut_ctx)
Interoperability Scenario (7)
2. Derivation of the interoperability policy
2.1 VPO creation: creating a Virtual Private Organization (VPO) between S1 and another nation S2, called VPO_S2_to_S1
Example 1: Each entity in the view V of the system S1 will belong to the view IR in the VPO.
2.2 Mapping between entities
Example 2: use(VPO_S2_to_S1, O, V) is derived from use(S1, O, V) and sub_view(S1, V, IR) and tag_interrop(O, true)
Example 1: An ORT in S2 has the right to read the intelligence information of S1 if the security level of this information is Confidential or lower.
Rule: permission(VPO_S2_to_S1, ORT, read, IR_C, need_to_know)
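The rule above checked passively on a monitoring trace, in the style of the simple (output) and obligation (input) invariants presented earlier in the talk, as an added example that is neither the MMT tool nor the authors' code. The event syntax, the reading of need_to_know as a user-declared context established by a justify step, the closed-policy assumption that anything not permitted is denied, and the trace itself are all constructed.

```python
"""Passive testing by invariants over a monitoring trace of the Inter-Trust
scenario. Everything below is constructed for this example: the event syntax
read:<role>:<view>:<context>, the idea that the need_to_know context is a
user-declared context established by a justify step, and the trace itself.
It is not the MMT tool or the authors' code."""
import re


def matches(pattern, event):
    """Invariant elements are regular expressions over events; '.*' is a don't-care."""
    return re.fullmatch(pattern, event) is not None


def check_output_invariant(trace, preamble, test_input, expected_output):
    """Simple (output) invariant, in the slide's notation (i1 / o1)(i2 / o2):
    whenever the preamble, a list of (input, output) patterns, occurs immediately
    before a step whose input matches test_input, that step's output must match
    expected_output. Returns the violating (position, input, output) triples."""
    violations = []
    n = len(preamble)
    for pos in range(n, len(trace)):
        before = trace[pos - n:pos]
        if all(matches(pi, i) and matches(po, o)
               for (pi, po), (i, o) in zip(preamble, before)):
            i, o = trace[pos]
            if matches(test_input, i) and not matches(expected_output, o):
                violations.append((pos, i, o))
    return violations


def check_obligation_invariant(trace, output, required_input):
    """Obligation (input) invariant: an output matching `output` is only allowed
    if some earlier step (or the same step) carried an input matching
    `required_input`. Returns the violating (position, input, output) triples."""
    violations, seen = [], False
    for pos, (i, o) in enumerate(trace):
        seen = seen or matches(required_input, i)
        if matches(output, o) and not seen:
            violations.append((pos, i, o))
    return violations


# Invariants derived from permission(VPO_S2_to_S1, ORT, read, IR_C, need_to_know)
INVARIANTS = {
    # closed-policy reading: Secret information (IR_S) is never released to an ORT
    "secret_denied": ("output", [], r"read:ORT:IR_S:.*", r"deny"),
    # after a challenged read of IR_C, the justification must be answered with permit
    "justified_read_permitted": ("output", [(r"read:ORT:IR_C:need_to_know", r"challenge")],
                                 r"justify:ORT:.*", r"permit"),
    # a permit presupposes that a need-to-know justification was given ...
    "permit_needs_justification": ("obligation", r"permit", r"justify:ORT:.*"),
    # ... and that the VPO between S2 and S1 exists
    "permit_needs_vpo": ("obligation", r"permit", r"create_vpo:VPO_S2_to_S1"),
}

# Constructed monitoring trace of (input, output) pairs as seen by the probe
TRACE = [
    ("read:ORT:IR_C:need_to_know", "permit"),     # 0: permit before the VPO exists
    ("create_vpo:VPO_S2_to_S1", "ok"),            # 1
    ("read:ORT:IR_C:need_to_know", "challenge"),  # 2
    ("justify:ORT:mission-42", "permit"),         # 3
    ("read:ORT:IR_S:need_to_know", "deny"),       # 4
    ("read:ORT:IR_C:need_to_know", "challenge"),  # 5
    ("justify:ORT:mission-42", "deny"),           # 6: legitimate access refused
    ("read:ORT:IR_S:need_to_know", "permit"),     # 7: Secret information released
]


def monitor(trace, invariants=INVARIANTS):
    """Run every invariant over the trace; returns {name: violations}."""
    report = {}
    for name, (kind, *args) in invariants.items():
        check = check_output_invariant if kind == "output" else check_obligation_invariant
        report[name] = check(trace, *args)
    return report


if __name__ == "__main__":
    for name, found in monitor(TRACE).items():
        print(f"{name}: {'OK' if not found else found}")
```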
Interoperability Scenario (9)
3. Edition of the policy with MotOrBAC and resolution of conflicts
Interoperability Scenario (10)
4.1 Initialization of the service: web service for managing the policy
Monitoring Results
Conclusions
- Passive testing (monitoring) techniques are well adapted to validate security properties: they can be used for vulnerability detection, intrusion detection, etc.
- They can be used for systems supervision.
- They are complementary to active testing techniques.
Session 4 Talk 4
Wissam Mallouli
(Montimage)
Vita:
Dr. Wissam Mallouli is currently a research & development engineer at Montimage France. He received his Master's degree from the Evry Val d'Essonne University in 2005 and his PhD in computer science from Telecom and Management SudParis (France) in 2008. His topics of interest cover formal testing and monitoring of functional behaviours and security aspects of distributed systems and networks. He has worked in several European and French research projects. He also participates in the program/organizing committees of numerous national and international conferences. He has published more than 25 papers in conference proceedings, books and journals. More details can be found on his webpage http://www.mallouli.com.
Wissam Mallouli
Passive testing for security checking using MMT
Abstract:
Network monitoring is a laborious and challenging task that is vital for a network operator, a service provider or a corporate network infrastructure in order to keep the network operation stable, smooth and safe. Monitoring provides valuable real-time and historical information to understand network usage trends and dynamics and thus to detect misbehaviours and attacks. Critical infrastructures are more than ever open to the Internet; the vulnerabilities introduced by this open world, the dematerialization of corporate IT and the success of cloud services are pushing towards proactive mechanisms for detecting and preventing anomalies. In this context, Deep Packet Inspection (DPI) is considered a catalyst in the shift towards advanced monitoring. DPI is the process of capturing network traffic and analysing and inspecting it closely to determine accurately what is really happening in the network. In this presentation, we present an event-based network monitoring solution, part of the MMT tool, that inspects network traffic against a set of security properties denoting both security rules and attacks. In the context of DIAMONDS, this solution has been applied to an industrial case study provided by Thales Group that consists of a set of QoS-aware ad-hoc radio communication protocols. It will be adapted to test secure interoperation in the context of the INTER-TRUST project.
Network Monitoring for Security Checking

Network monitoring: Basics

Need for network monitoring: diagnose & react
Typical problem: a remote user arrives at a regional office and experiences slow or no response from the corporate web server. Where to begin? Where is the problem? What is the problem? What is the solution?
[Figure: remote user, regional offices and WWW servers]

Network monitoring: Components
- Monitoring application: interface for real-time monitoring.
- Database: store collected data for post analysis (history, reporting).
[Figure: monitoring application and database]
Deep Packet Inspection Based Monitoring
- What is DPI
- Application classification
- Traffic attributes extraction

What is DPI
Technology consisting of digging deep into the packet header and payload to inspect encapsulated content. Content may be spread over many packets.
- Packet header layers: L2 Ethernet, L3 Internet Protocol (IP), L4 Transport layer (TCP/UDP)
- Packet payload / application layers (L5 to L7): Email (SMTP, POP3, IMAP), Web (HTTP/S), Instant Messaging (IM), Peer-to-Peer (P2P) applications
Deep Packet Inspection spans both the header layers and the payload layers.
Why DPI
- Network visibility: understand how bandwidth is utilized; what is the application mix; who is using what, where and when?
- Traffic management (application control): block undesired traffic (spam, worms, etc.); prioritize and shape traffic (limit P2P, QoS, QoE)
- Advanced policy enforcement: Zero Facebook, OTT services, per-application policy rules
- Security: understand network attacks; core component in next generation firewalls
- Etc.
Inside DPI
[Figure: the DPI engine]
- Group packets belonging to the same session
- Application classification: detect application type (Skype, Bittorrent, etc.) or application family; considered as the core of DPI
- Events & attributes extraction: event analysis and parsing
From classification to attributes and events extraction
- Application classification is a first step towards accurate traffic information extraction: how can we get the HTTP method (GET, POST, etc.) if we don't know the type of the traffic? When the application type is known, decoding becomes easy.
- What are traffic attributes?
  - Meta-attributes: timestamp, data source, etc.
  - Protocol fields derived from the packet data: IP address, attachment size, encoding type, etc.
  - Flow parameters: packet mean size, inter-arrival delay, packets lost, reordered, etc.
  - The application class can be considered as a traffic attribute
Attribute extraction with DPI
With the extraction capability, DPI can provide input for security analysis.

Network as a Database
(source) http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars/1
The HBGary Hack
| # | Attack Method | Attacked System | Vulnerability | Lost Assets |
| 3 | Unauthorized use of passwords from 2 | E-mail, Twitter accounts and LinkedIn accounts of HBGary officials | Password double use | Email accounts of HBGary officials |
| 4 | Unauthorized use of passwords from 2 | Machine running support.hbgary.com | Password double use | Non-superuser account of HBGary official |

The HBGary Hack: Where can security monitoring help?
[Table with columns Attack Method, Attacked System, Vulnerability, Lost Assets; its rows are not recoverable from the source]
Security monitoring with DPI: Abstract description
The concept:
- Detect the occurrence of events on the network
  - Input provided by DPI
  - Event can be: packet arrival, HTTP POST request, etc.
- Inspect and analyze the succession of events to detect properties
  - Property: succession of events that are linked with time and logical constraints
  - If we detect event A, then we MUST detect event B after 10 seconds
The idea: monitor the network looking for the occurrence of properties.

Security monitoring using DPI: Abstract description
Example: SQL injection
www.abcd.com/page?name=Select * Where 1
The events to be detected:
- HTTP GET request
- URL parameter contains SQL statement
The property: it is not allowed to have a URL parameter containing an SQL statement in an HTTP GET request.
If the property is detected on the network then most probably there is an attack attempt!
Nice theory! But very challenging
Security monitoring using DPI: Challenges
- The number of events that can occur on a network is huge!
  - Solution: use DPI for the events extraction; group events/attributes by application and add new ones when needed
- The expressivity of the properties (need to combine time and logical constraints)
- Complex analysis and processing, especially in high bandwidth links
  - Optimization techniques, multi-core implementations, smart traffic filtering
Properties Expressivity
Considering security monitoring, properties can be used to express:
- A Security rule describes the expected behavior of the application or protocol under test. The non-respect of the security property indicates an abnormal behavior.
  - Set of properties specifying constraints on the message exchange, e.g. the access to a specific service must always be preceded by an authentication phase.
- An Attack describes a malicious behavior, whether it is an attack model, a vulnerability or a misbehavior. The respect of the security property indicates the detection of an abnormal behavior that might indicate the occurrence of an attack.
  - Set of properties referring to a vulnerability or to an attack, e.g. a large number of requests from the same user in a limited period can be considered as a behavioral attack.

Properties Expressivity
A security property is composed of 2 parts:
- A context
- A condition to verify
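As an added example (not code from the slides and not the MMT implementation), the following Python script applies the context-plus-condition structure just described to the three properties the slides mention: the SQL statement in a GET parameter (an attack property), the service access that must be preceded by authentication (a security rule) and the request burst from one user (an attack property). Events are built from constructed HTTP request lines standing in for the attributes a DPI engine would extract; the `Event` and `Property` types, the thresholds (10 requests within 5 s, authentication within the last 60 s) and the SQL keyword list are assumptions of the example. For a rule, a false condition is reported as a violation; for an attack, a true condition is reported as a detection, matching the two readings given above.

```python
"""Added example: a minimal event-based property checker (context + condition).
Not MMT code; event types, thresholds and sample traffic are assumptions."""
import re
from dataclasses import dataclass, field
from typing import Callable, List
from urllib.parse import parse_qs, urlsplit


@dataclass(frozen=True)
class Event:
    ts: float            # seconds since capture start
    kind: str            # e.g. "HTTP_GET", "AUTH_OK", "SERVICE_ACCESS"
    user: str            # client identity (here: source IP)
    attrs: dict = field(default_factory=dict)


@dataclass
class Property:
    name: str
    kind: str                                        # "rule" or "attack"
    context: Callable[[Event], bool]                 # does this event trigger the property?
    condition: Callable[[Event, List[Event]], bool]  # checked on the event and the prior trace


def http_event(ts, src_ip, request_line):
    """DPI-like extraction: method, path and decoded query parameters from a request line."""
    method, target, _version = request_line.split(" ", 2)
    parts = urlsplit(target)
    return Event(ts, f"HTTP_{method}", src_ip,
                 {"path": parts.path, "params": parse_qs(parts.query)})


SQL_RE = re.compile(r"\b(select|union|insert|update|delete|drop)\b", re.IGNORECASE)


def params_contain_sql(ev):
    """Attack condition: any query parameter value carries an SQL keyword."""
    return any(SQL_RE.search(v) for vals in ev.attrs.get("params", {}).values() for v in vals)


def authenticated_recently(ev, trace, window=60.0):
    """Rule condition: the same user produced an AUTH_OK event within `window` seconds."""
    return any(e.kind == "AUTH_OK" and e.user == ev.user and ev.ts - e.ts <= window
               for e in trace)


def request_burst(ev, trace, limit=10, window=5.0):
    """Attack condition: more than `limit` HTTP requests from one user within `window` seconds."""
    recent = [e for e in trace
              if e.user == ev.user and e.kind.startswith("HTTP_") and ev.ts - e.ts <= window]
    return len(recent) + 1 > limit


PROPERTIES = [
    Property("SQL statement in GET parameter", "attack",
             lambda e: e.kind == "HTTP_GET", lambda e, t: params_contain_sql(e)),
    Property("service access preceded by authentication", "rule",
             lambda e: e.kind == "SERVICE_ACCESS", authenticated_recently),
    Property("request burst from one user", "attack",
             lambda e: e.kind.startswith("HTTP_"), request_burst),
]


def check(trace, properties=PROPERTIES):
    """Scan the trace in arrival order; return (property, timestamp, user) for
    every violated rule and every detected attack."""
    findings = []
    for i, ev in enumerate(trace):
        for p in properties:
            if not p.context(ev):
                continue
            holds = p.condition(ev, trace[:i])
            if (p.kind == "rule" and not holds) or (p.kind == "attack" and holds):
                findings.append((p.name, ev.ts, ev.user))
    return findings


def sample_trace():
    """Constructed trace: an authenticated user, the slide's SQL injection URL,
    an unauthenticated service access, and a burst of 12 requests in 1.1 s."""
    t = [http_event(0.0, "10.0.0.5", "GET /index.html HTTP/1.1"),
         Event(1.0, "AUTH_OK", "10.0.0.5"),
         Event(2.0, "SERVICE_ACCESS", "10.0.0.5", {"service": "reports"}),
         http_event(3.0, "10.0.0.9", "GET /page?name=Select%20*%20Where%201 HTTP/1.1"),
         Event(4.0, "SERVICE_ACCESS", "10.0.0.9", {"service": "reports"})]
    t += [http_event(5.0 + 0.1 * i, "10.0.0.7", "GET /api HTTP/1.1") for i in range(12)]
    return t


if __name__ == "__main__":
    for name, ts, user in check(sample_trace()):
        print(f"t={ts:5.1f}s  {user:10s}  {name}")
```

The checker is deliberately quadratic (each event rescans the prior trace) to keep the context/condition split visible; this is exactly the "complex analysis and processing" cost the Challenges slide names, and a production engine would keep per-user state instead of rescanning.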
https://github.com/montimage/MMT_Security
[Figure: MMT architecture]
- MMT Probe: traffic view, config, DB plugins; analysis modules (quality monitoring, security & functional monitoring, traffic analysis), with the possibility to add analysis modules; HW/SW probe, can be installed on dedicated HW
- MMT Extract: Deep Packet Inspection functionalities (traffic classification of 600+ protocols, protocol decoding & attributes extraction, extraction of metrics); software library (SDK), can be integrated in 3rd party SW
Network threats and vulnerabilities
Detection of potential attacks: link spoofing, data alteration, flooding attack, blackhole attack, denial of service, replay
[Figure: data alteration, with an intrusive node modifying the packet header between Node A and Node B]
Testing architecture
SMARTESTING:
- Security test generation model and test purposes specification
- Generation of test scenarios denoting attacks using Certify-it
FSCOM:
- TTCN3 test cases specification
- Test execution using TT-Workbench
MONTIMAGE:
- Specification of 19 security properties
- Client/Server architecture
- Notification of exchanged PDUs
- Parsing and extraction of relevant information
- Online analysis of captured PDUs and detection of attack occurrences
Security Rules Specification: Example
Security requirement: Every node must periodically send a notification message that includes the list of its neighbors on its allocated service slot.
Attack scenario 1: A malicious node sends a message on a non-allocated service slot. This provokes slot reallocation. If done repeatedly, it provokes denial of service.
Specified security properties:
- If one node receives two successive MSG_SPHY_DATA_IND messages from the same source, then these two messages must be separated by 50 slots (Prop 1).
- If one node receives two MSG_SPHY_DATA_IND messages from different sources, then these two messages must have two different slot ids (Prop 2).
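The following added Python example (not the DIAMONDS tooling and not code from the slides) checks Prop 1 and Prop 2 on a constructed sequence of MSG_SPHY_DATA_IND messages as received by one node, and shows what attack scenario 1 looks like to the monitor. The message structure is an assumption: a frame is taken to hold 50 service slots, each message carries the frame number and slot id it was sent on, so "separated by 50 slots" is read as the same slot in the next frame, and "successive" messages from a source are consecutive messages from that source in arrival order. Node names and the trace are constructed.

```python
"""Added example: checking Prop 1 and Prop 2 on MSG_SPHY_DATA_IND messages.
Not DIAMONDS or Thales code; frame length and message fields are assumptions."""
from collections import defaultdict
from dataclasses import dataclass

SLOTS_PER_FRAME = 50   # assumed: one frame of 50 service slots


@dataclass(frozen=True)
class Msg:
    seq: int      # arrival order at the observing node
    src: str      # sending node
    frame: int    # frame counter
    slot: int     # slot id within the frame (0..49)

    @property
    def abs_slot(self):
        """Absolute slot index, so distances can be compared across frames."""
        return self.frame * SLOTS_PER_FRAME + self.slot


def check_prop1(msgs):
    """Prop 1: two successive messages from the same source must be exactly
    50 slots apart. Returns (source, previous seq, offending seq) per violation."""
    last = {}
    violations = []
    for m in msgs:
        if m.src in last and m.abs_slot - last[m.src].abs_slot != SLOTS_PER_FRAME:
            violations.append((m.src, last[m.src].seq, m.seq))
        last[m.src] = m
    return violations


def check_prop2(msgs):
    """Prop 2: messages from different sources must carry different slot ids.
    Returns (source, other sources already seen on that slot, slot, seq)."""
    owners = defaultdict(set)   # slot id -> sources seen on it
    violations = []
    for m in msgs:
        others = owners[m.slot] - {m.src}
        if others:
            violations.append((m.src, sorted(others), m.slot, m.seq))
        owners[m.slot].add(m.src)
    return violations


def sample_messages():
    """Constructed trace: nodes A and B keep their allocated slots (3 and 17);
    node C sends on slot 3 (attack scenario 1) and again seven slots later."""
    return [Msg(1, "A", 0, 3), Msg(2, "B", 0, 17),
            Msg(3, "A", 1, 3), Msg(4, "B", 1, 17),
            Msg(5, "C", 1, 3),            # non-allocated slot, collides with A's
            Msg(6, "C", 1, 10),           # 7 slots later, not 50
            Msg(7, "A", 2, 3), Msg(8, "B", 2, 17)]


def verdicts(msgs):
    """Both properties over one trace; empty lists mean no abnormal behaviour."""
    return {"prop1": check_prop1(msgs), "prop2": check_prop2(msgs)}


if __name__ == "__main__":
    for prop, found in verdicts(sample_messages()).items():
        print(prop, "violations:", found)
```

Note that Prop 2, taken literally as a constraint on pairs of messages, also flags node A's next message on slot 3 after C has used it; the report keeps the set of other sources seen on the slot so that the analyst can tell the intruding node (C, seen first on a slot it does not own) from the legitimate owner.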
Analysis results: Attack Scenario 1
Inter-trust overall objectives

The Inter-trust global architecture
[Figure: the Inter-trust global architecture]
- Modelling security policies
- Negotiating security policies
- Dynamically generates aspects to be woven, based on the negotiated policy
- Interprets the negotiated policy
- Aspects woven into the application: injects code, captures application events
- Detects non-compliance of security requirements
- Stand-alone monitoring and testing tools

THANK YOU
Wissam Mallouli
wissam.mallouli@montimage.com

Some of the material used in these slides comes from the Internet. Thanks to them.