DOI: 10.1145/1809842.1809848
research-article

Towards analyzing complex operating system access control configurations

Published: 11 June 2010

ABSTRACT

An operating system relies heavily on its access control mechanisms to defend against local and remote attacks. The complexities of modern access control mechanisms and the scale of possible configurations are often overwhelming to system administrators and software developers. Therefore, misconfigurations are very common and the security consequences are serious. Given the popularity and uniqueness of Microsoft Windows systems, it is critical to have a tool to comprehensively examine the access control configurations. However, current studies on Windows access control mechanisms are mostly based on known attack patterns. We propose a tool, WACCA, to systematically analyze the Windows configurations. Given the attacker's initial abilities and goals, WACCA generates an attack graph based on interaction rules. The tool then automatically generates attack patterns from the attack graph. Each attack pattern represents attacks of the same nature. The attack subgraphs and instances are also generated for each pattern. Compared to existing solutions, WACCA is more comprehensive and does not rely on manually defined attack patterns. It also has a unique feature in that it models software vulnerabilities and therefore can find attacks that rely on exploiting these vulnerabilities. We study two attack cases on a Windows Vista host and discuss the analysis results.

    • Published in

      SACMAT '10: Proceedings of the 15th ACM symposium on Access control models and technologies
      June 2010
      212 pages
      ISBN: 9781450300490
      DOI: 10.1145/1809842

      Copyright © 2010 ACM

      Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than ACM must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected]

      Publisher

      Association for Computing Machinery

      New York, NY, United States


      Acceptance Rates

      Overall Acceptance Rate: 177 of 597 submissions, 30%
