Post on 21-Jul-2020
On Attack/Defense Trees
Patrick Schweitzer
SaToSS, Faculty of Sciences, Communication and Technology
University of Luxembourg
November 17th 2009
Outline
1 Intuition and overview of existing approaches to model attacks
2 Attack Trees
3 The new approach to include defenses
4 Future work
Intuition and overview
Intuition
[Figure: mind map of ways to get money illegally. Node labels: Get money (illegally); Get money from a bank; Rob a bank; Steal from ATM; Hack into computer system; Rob a store; Enter with a gun; Enter disguised; Enter at night; Go to loan shark.]
Guide to modeling attacks
Intuitive start: A mindmap (a special graph)
Problem: Complexity
Solution: Computer support (requires formalism)
Literature: Several approaches
Different approaches to modeling attacks
Attack Trees: Essentially all information is contained in the leaves.
Attack Graphs or Attack Nets: Finite automata that fulfill security properties; separation of data and processes
Security Pattern Descriptions: Documents that describe in words the possible attacks on a system. They are very long exactly like this text which should never have been on the slide because nobody that listens to the talk reads that much text.
...
Attack Trees
Attack Trees - the concept
Attack: How to get free food?
Free food (∨)
    Eat ’n’ run (∧)
        Order meal
        Sneak out
    Pretend to work at restaurant (∨)
        Ask Chef to prepare
        Salami attack (∧)
            Wait on customers
            Steal part of their food
            Sneak out
Essentially a set of multisets, e.g.:
{{{Order meal, sneak out}},
 {{Ask Chef to prepare}},
 {{Wait on customers, steal part of their food, sneak out}}}
Properties of the existing model
Important properties of Attack Trees
Uses "and" and "or" nodes
Simple normal form: trees of depth 1
Attributes can be attached to the leaves: then the attribute can be calculated for the root
Projection only works for some attributes (Projection = Restriction of an attribute)
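Added example (not part of the original slides): the set-of-multisets reading of the free-food tree, which is its depth-1 normal form, and an attribute calculated bottom-up for the root. The leaf costs are constructed values, and the tuple encoding and the names `attacks`, `min_cost` and `min_cost_flat` are assumptions of this example.

```python
from collections import Counter
from itertools import product

# Free-food attack tree: a leaf is a string, an inner node is (label, connector, children).
TREE = ("Free food", "or", [
    ("Eat 'n' run", "and", ["Order meal", "Sneak out"]),
    ("Pretend to work at restaurant", "or", [
        "Ask Chef to prepare",
        ("Salami attack", "and",
         ["Wait on customers", "Steal part of their food", "Sneak out"]),
    ]),
])

# Constructed leaf costs (illustrative values, not from the slides).
COST = {"Order meal": 1, "Sneak out": 5, "Ask Chef to prepare": 8,
        "Wait on customers": 2, "Steal part of their food": 3}

def freeze(bag):
    """Hashable form of a multiset: sorted (action, multiplicity) pairs."""
    return tuple(sorted(bag.items()))

def attacks(node):
    """Set of multisets of leaf actions; each multiset is one complete attack."""
    if isinstance(node, str):
        return {freeze(Counter([node]))}
    _, conn, children = node
    parts = [attacks(c) for c in children]
    if conn == "or":                      # any one child suffices: union
        return set().union(*parts)
    combined = set()                      # "and": pick one attack per child, add them up
    for choice in product(*parts):
        bag = Counter()
        for frozen in choice:
            bag.update(dict(frozen))      # multiplicities accumulate
        combined.add(freeze(bag))
    return combined

def min_cost(node):
    """Bottom-up attribute: min over "or" children, sum over "and" children."""
    if isinstance(node, str):
        return COST[node]
    _, conn, children = node
    values = [min_cost(c) for c in children]
    return min(values) if conn == "or" else sum(values)

def min_cost_flat(node):
    """The same attribute read off the depth-1 normal form (the set of multisets)."""
    return min(sum(COST[a] * n for a, n in bag) for bag in attacks(node))
```

For this attribute the bottom-up value and the value computed on the flattened form agree, which is what makes it usable on trees that have been rewritten into normal form.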
Including a defense in the framework
[Figure: the "Free food" attack tree from above with a defense added: a "Policeman" node attached below each of the two "Sneak out" leaves.]
Attack and Defense Trees
Consider the Defense Tree ’law enforcement’ instead of a policeman.
Consider the Attack Tree ’Mafia’ attached to law enforcement.
and so on...
New framework: Attack Tree - Defense Tree - Attack Tree - ...
The new approach to include defenses
The general idea: two functions describing the nodes
Structure: rooted tree $T = (V, E, r, \tau, \varphi)$ (non-empty, finite, directed, connected, acyclic, rooted)
Type: $\tau : V \to \{\bigcirc, \square, \diamondsuit\}$
Connector: $\varphi : V \to \{\lor, \land, \lnot, -\}$
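$\tau(v) \in \{\bigcirc, \square\} \implies \tau(w) \in \{\tau(v), \diamondsuit\}$ (1)
$\tau(v) \in \{\bigcirc, \square\}$ and $|\mathrm{Children}_v| > 1 \iff \varphi(v) \in \{\lor, \land\}$ (2)
$\tau(v) \in \{\bigcirc, \square\}$ and $|\mathrm{Children}_v| \le 1 \iff \varphi(v) = -$ (3)
$\tau(v) = \diamondsuit \implies \tau(w) \in \{f(v), \diamondsuit\}$ (4)
$\tau(v) = \diamondsuit \implies |\mathrm{Children}_v| = 1$ (5)
$\tau(v) = \diamondsuit \iff \varphi(v) = \lnot$ (6)
$v, w \in V$ and $(v, w) \in E$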
The additional properties
[Figure: example tree with every node labelled by its connector φ(v)]
∨
    −
        ¬
            ∧
                −
                −
                    ∧
                        −
                        −
                        ¬
                            −
    ∧
        −
        ∧
            −
            −
            ¬
                ∨
                    −
                    −
    ∨
        −
        −
Semantics of the Adtrees
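[Figure: the example tree with its leaves named D1 to D5 and A1 to A6]
∨
    −
        ¬
            ∧
                D1
                −
                    ∧
                        D2
                        D3
                        ¬
                            A1
    ∧
        A2
        ∧
            A3
            A4
            ¬
                ∨
                    D4
                    D5
    ∨
        A5
        A6
Semantics of the adtree: Unique variable associated to leaf
\[
[\![v]\!] = \begin{cases}
v & \text{if } v \in L(T),\\
\bigvee_{w \in \mathrm{Children}_v} [\![w]\!] & \text{if } \varphi(v) = \lor,\\
\bigwedge_{w \in \mathrm{Children}_v} [\![w]\!] & \text{if } \varphi(v) = \land,\\
[\![w]\!] & \text{if } \varphi(v) = - \text{ and } \mathrm{Children}_v = \{w\},\\
\lnot [\![w]\!] & \text{if } \varphi(v) = \lnot \text{ and } \mathrm{Children}_v = \{w\}.
\end{cases}
\]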
Logical formulas associated to trees
[Figure: the same tree as on the semantics slide, with leaves D1 to D5 and A1 to A6.]
Propositional logic corresponding to the tree:
((¬(D1 ∧ ((D2 ∧ D3 ∧ (¬A1)))))) ∨ (A2 ∧ (A3 ∧ A4 ∧ (¬(D4 ∨ D5)))) ∨ (A5 ∨ A6)
Trees in normal form
∨
    A1
    A5
    A6
    ¬ D1
    ¬ D2
    ¬ D3
    ∧
        A2
        A3
        A4
        ¬ D4
        ¬ D5
Normal form: A1 ∨ A5 ∨ A6 ∨ ¬D1 ∨ ¬D2 ∨ ¬D3 ∨ (A2 ∧ A3 ∧ A4 ∧ ¬D4 ∧ ¬D5)
Exemplary transformation: Distributivity ∧ to ∨
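[Figure: tree rewrite rule. Left: an ∧ node with subtrees X1, ..., Xk and an ∨ child whose subtrees are Y1, ..., Yl. Right: an ∨ node with l children, the i-th being an ∧ node with subtrees X1, ..., Xk, Yi.]
With k ≥ 1 and l ≥ 2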
Full set of transformation rules
• Distributivity: (A ∨ B) ∧ C → (A ∧ C) ∨ (B ∧ C)
• 1-level absorption: (A ∧ B) ∨ A → A
• 2-level absorption: as above
• Double negation: ¬¬A → A
• Empty refinement: no formula
• Associativity (∨ and ∧): (A ∨ B) ∨ C → A ∨ B ∨ C
• De Morgan (∨ and ∧): ¬(A ∨ B) → ¬A ∧ ¬B
• Idempotency (∨ and ∧): X ∨ X → X
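Added example (not from the slides): the semantics, the normal form and the transformation rules above, applied to the example tree with leaves A1..A6 and D1..D5. The tuple encoding and the function names are assumptions of this example, and the rules are applied through a clause-set representation rather than as step-by-step tree rewriting.

```python
from itertools import product

# Example ADTree as nested tuples; "id" stands for the "−" connector
# (single child passed through), leaves are the variables A1..A6 and D1..D5.
ADTREE = ("or",
    ("id", ("not", ("and", "D1", ("id", ("and", "D2", "D3", ("not", "A1")))))),
    ("and", "A2", ("and", "A3", "A4", ("not", ("or", "D4", "D5")))),
    ("or", "A5", "A6"))

def evaluate(node, env):
    """Semantics of a node under a truth assignment env: name -> bool."""
    if isinstance(node, str):
        return env[node]
    op, *kids = node
    vals = [evaluate(k, env) for k in kids]
    if op in ("or", "and"):
        return any(vals) if op == "or" else all(vals)
    return vals[0] if op == "id" else not vals[0]

def dnf(node, neg=False):
    """Clauses, each a frozenset of (name, polarity) literals, of the formula."""
    if isinstance(node, str):
        return {frozenset([(node, not neg)])}
    op, *kids = node
    if op in ("not", "id"):              # double negation cancels via the flag
        return dnf(kids[0], neg != (op == "not"))
    parts = [dnf(k, neg) for k in kids]
    if (op == "or") != neg:              # De Morgan: a negated "and" acts as "or"
        return set().union(*parts)       # sets give associativity and idempotency
    return {frozenset().union(*c) for c in product(*parts)}   # distributivity

def normal_form(node):
    """Disjunction of conjunctions of literals after absorption (A ∧ B) ∨ A → A."""
    clauses = dnf(node)
    return {c for c in clauses if not any(d < c for d in clauses)}

def leaves(node):
    """Names of all variables occurring in the tree."""
    return {node} if isinstance(node, str) else set().union(*map(leaves, node[1:]))

def equivalent(node):
    """Truth-table check that normal_form(node) keeps the semantics of node."""
    names, nf = sorted(leaves(node)), normal_form(node)
    for bits in product([False, True], repeat=len(names)):
        env = dict(zip(names, bits))
        flat = any(all(env[n] == pol for n, pol in c) for c in nf)
        if flat != evaluate(node, env):
            return False
    return True
```

`normal_form(ADTREE)` yields the seven clauses of the normal form slide, and `equivalent(ADTREE)` confirms over all 2048 assignments that the rewriting did not change the meaning of the tree.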
Currently working on
Proving the uniqueness of the normal forms
Requires:
• Strong termination (Patrick - almost finished): Applying rules indefinitely is not possible
• Local confluence (Barbara - finished): Order of applying the rules leads to same result
Termination function
Termination function: A function from the trees into a totally ordered set, s.t. the value before applying a transformation rule > the value after applying a transformation rule.
Whiteboard
Future work
Work on generalizing the framework
Introduce attributes to the leaves
Allow directed acyclic graphs
Consider temporal order of children
Check out the two existing software packages
. . .
Summary
1 Intuition and overview of existing approaches to model attacks
2 Attack Trees
3 The new approach to include defenses
4 Future work