Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way

Post on 17-Jul-2015


Vulnerability Analysis Taxonomy

Achieving completeness in a systematic way

Javier Tallón Guerri
10ICCC - Norway

1. Vulnerability Analysis according to CEM

2. Pieces for a correct vulnerability analysis
   1. Attack Patterns
   2. Systematic and repeatable methodology

3. Example

4. Lessons learned


1. Vulnerability Analysis according to CEM

• The evaluator vulnerability analysis is to determine that the TOE is resistant to penetration attacks performed by an attacker possessing a Basic (for AVA_VAN.1 and AVA_VAN.2), Enhanced-Basic (for AVA_VAN.3), Moderate (for AVA_VAN.4) or High (for AVA_VAN.5) attack potential.

• Independent vulnerability analysis should consider generic potential vulnerabilities under each of the following headings:

  • Bypassing
  • Tampering
  • Direct attacks
  • Monitoring
  • Misuse

• Due to the generic nature of the Common Criteria, this classification is too abstract and does not help to achieve the required completeness in the evaluator’s work.

• CEM classification is useless by itself

• From AVA_VAN.4, vulnerability analysis should be METHODICAL:

“This method requires the evaluator to specify the structure and form the analysis will take”

• CEM asks for a methodical analysis but does not provide any method.

• Every method would be acceptable

Very generic vulnerability classification + Undefined methodology = Poor Vulnerability Analysis


2. Pieces for a correct Vulnerability Analysis

• Here is the question…

How to achieve completeness in a systematic way?

• We will focus on software assessment


2.1 Attack Patterns

Very generic vulnerability classification Vs Attack Patterns

• Thinking like bad guys

• Attack Pattern: an attack pattern describes the approach used by attackers to generate an exploit against software.

• For example: MITRE provides CAPEC (Common Attack Pattern Enumeration and Classification)

• CAPEC provides a free collection of attack patterns

• CAPEC is not the panacea

• Each lab should manage its own attack pattern collection

[Diagram labels: Lab Know How, Streetwork, Attack Patterns]


2.2 Systematic and Repeatable Methodology

Undefined Methodology Vs Systematic and Repeatable Methodology

[Diagram: Attack Patterns x Vulnerability Analysis method x Lab T & T = Penetration testing agenda]

[Diagram, Vulnerability Analysis method: ASE, ADV, AGD, ATE, ALC, AVA. Labels: AGD, ALC, ATE, ADV_ARC, ADV_TDS, ASE_SPD; Misuse, Deliv., Vuln., Malfunction; Attack Flow (Attack Path on the summary slide)]

[Diagram, Lab T & T: Disassemblers, Debuggers, “Forensic analysis” techniques, Vulnerability scanners; + Lab Know How + Bespoke Lab Tools]

[Summary diagram: Systematic and Repeatable Methodology]


3. Example

[Diagram labels: TOE, WebService, XMLParser, AccessControlModule, AuthDatabase, ResourceDatabase; connections: Network, XML, SQL, SQL]

Attack patterns overlaid on the diagram, one group per slide:

• Sniffing Attacks; Man in the Middle; Denial of Service through Resource Depletion

• Detect Unpublicized Web Services; Web Services Protocol Manipulation

• Oversized Payloads Sent to XML Parsers; XML Ping of Death; XML Injection; XML Routing Detour Attacks; XEE (XML Entity Expansion); XML Attribute Blowup; Recursive Payloads Sent to XML Parsers; XML Schema Poisoning

• Password Brute Forcing; Try Common (default) Usernames and Passwords; Dictionary-based Password Attack; Authentication Bypass; Authentication Abuse; Reflection Attack in Authentication Protocol; Exploitation of Session Variables, Resource IDs and other Trusted Credentials

• SQL Injection; Blind SQL Injection
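As an added illustration (not part of the presentation), the cross product the slides describe can be made mechanical: each element on the example diagram is paired with every pattern in the lab's collection that applies to it, and anything left uncovered is reported as a completeness gap. The pattern grouping, the element-to-group mapping, the waiver mechanism and the function name are assumptions.

```python
# Added illustration, not code from the presentation.
# Pattern names come from the example slides; which TOE element each group
# applies to is an assumption inferred from the names.
CATALOGUE = {
    "network": ["Sniffing Attacks", "Man in the Middle",
                "Denial of Service through Resource Depletion"],
    "web_service": ["Detect Unpublicized Web Services",
                    "Web Services Protocol Manipulation"],
    "xml": ["Oversized Payloads Sent to XML Parsers", "XML Ping of Death",
            "XML Injection", "XML Routing Detour Attacks",
            "XEE (XML Entity Expansion)", "XML Attribute Blowup",
            "Recursive Payloads Sent to XML Parsers", "XML Schema Poisoning"],
    "authentication": ["Password Brute Forcing",
                       "Try Common (default) Usernames and Passwords",
                       "Dictionary-based Password Attack",
                       "Authentication Bypass", "Authentication Abuse",
                       "Reflection Attack in Authentication Protocol",
                       "Exploitation of Session Variables, Resource IDs "
                       "and other Trusted Credentials"],
    "sql": ["SQL Injection", "Blind SQL Injection"],
}
# TOE elements from the example diagram -> catalogue groups (assumed mapping).
TOE = {"Network": ["network"], "WebService": ["web_service"],
       "XMLParser": ["xml"], "AccessControlModule": ["authentication"],
       "AuthDatabase": ["sql"], "ResourceDatabase": ["sql"]}

def build_agenda(toe, catalogue, waived=None):
    """Cross each TOE element with every pattern of its groups.

    waived maps (element, pattern) to the written rationale for not testing
    it. Returns (agenda, gaps); gaps lists what breaks completeness.
    """
    waived = waived or {}
    agenda, gaps = [], []
    for element, groups in toe.items():
        patterns = [p for g in groups for p in catalogue.get(g, [])]
        if not patterns:
            gaps.append(f"{element}: no attack pattern in the collection")
        for pattern in patterns:
            reason = waived.get((element, pattern))
            justified = bool(reason and reason.strip())
            if reason is not None and not justified:
                gaps.append(f"{element} / {pattern}: waived without rationale")
            agenda.append({"element": element, "pattern": pattern,
                           "status": "waived" if justified else "to test",
                           "rationale": reason})
    used = {g for groups in toe.values() for g in groups}
    gaps += [f"group '{g}' matches no TOE element"
             for g in sorted(set(catalogue) - used)]
    return agenda, gaps
```

Running `build_agenda(TOE, CATALOGUE)` yields one agenda entry per element and applicable pattern with an empty gap list; adding an element the collection does not cover, or waiving a test without a rationale, shows up in `gaps`.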


4. Lessons learned

Creativity

Motivation

Attack Patterns + Systematic and Repeatable Methodology = Wonderful Vulnerability Analysis

Thanks for your attention!

Javier Tallón

Epoche & Espri, S.L. Avda. de la Vega, 128108, Alcobendas, Madrid, Spain.

eval@epoche.es