Generation of Scenario Graphs Using Model Checking

Generation of Scenario Graphs Using Model Checking HCES 05/01/2003 Generation of Scenario Graphs Using Model Checking Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU)

Page 1: Generation of Scenario Graphs Using Model Checking

Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU)

Page 2: Generation of Scenario Graphs Using Model Checking

Example of Attack Graph Developed by a Professional Red Team

• Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment

Sandia Red Team “White Board” attack graph from DARPA CC20008 Information battle space preparation experiment

Drawn By Hand

Page 3: Generation of Scenario Graphs Using Model Checking

Definitions

• Given
  – a finite state model M
  – a correctness property

• A failure scenario is an execution of M that violates .

• A scenario graph is a set of failure scenarios of M.

Page 4: Generation of Scenario Graphs Using Model Checking

Properties of Scenario Graphs

• Exhaustive
  – All possible failure scenarios are represented in G.

• Succinct
  – Only relevant states are contained in G.
  – Only relevant transitions are contained in G.

Page 5: Generation of Scenario Graphs Using Model Checking

Problem Statement

• Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems.

• Our Goal: Automate the generation and analysis of scenario graphs.

  – Generation
      • Must be fast and completely automatic
      • Must handle large, realistic examples
      • Should guarantee properties of scenario graphs

  – Analysis
      • Enables tool-aided post-generation analysis

Page 6: Generation of Scenario Graphs Using Model Checking

Overview of Our Method

[Diagram: two-phase tool flow.]

Phase 1: Generator. Inputs: System Model, Correctness Property. Output: Scenario Graph.

Phase 2: Analyzers (Minimization Analyzer, Cost Analyzer, Reliability Analyzer, …), working on the Scenario Graph and Annotations.

  – Query: What system transitions lead to failure? Result: Scenario Subgraph
  – Query: What is the likelihood of failure? Result: Probabilistic Scenario Graph

Page 7: Generation of Scenario Graphs Using Model Checking

Explicit-State Scenario Graph Generation

• Based on Automata-Theoretic Model Checking

– Interpret both model M and correctness property as Büchi automata.

– M and induce languages L(M), L().

– L(M)\L() = executions of M that violate .

– Construct M ~ by computing the intersection of Büchi automata.

• can be any LTL property.

Page 8: Generation of Scenario Graphs Using Model Checking

LTL Property =F c

Explicit-State Algorithm Illustrated

Never c¬ = G ¬c

[Figure: Model M drawn as a state graph with nodes labelled a, b, c and d (shown twice); further labels: ¬c, c, T.]

Page 9: Generation of Scenario Graphs Using Model Checking

Explicit-State Algorithm (Cont.)

Find strongly connected components (SCCs) (R. Tarjan ’72)

Collect SCCs with acceptance states

Add paths from initial states

[Figure: the state graph of Model M (nodes labelled a, b, c, d) shown at each of the three steps.]
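One way to carry out the explicit-state steps above (product with the automaton for the negated property, Tarjan's SCC search, accepting SCCs, paths from initial states) for a property of the form G ¬c, the shape of both "Never c" and the attack-graph security property on a later slide. This is an added Python example, not code from the slides or the authors' tool; `scenario_graph`, `SUCC` and the states s0..s3 are constructed for illustration, and the model is assumed to have no deadlock states.

```python
def scenario_graph(init, succ, bad):
    """Edges of M on executions violating G !c, where c holds in the states `bad`."""
    # Product of M with the two-state Buchi automaton for F c (= not G !c):
    # q stays 0 while reading !c states, moves to accepting q=1 after a c state.
    edges, todo = {}, [(s, 0) for s in init]
    while todo:
        s, q = node = todo.pop()
        if node not in edges:
            q2 = 1 if q or s in bad else 0
            edges[node] = [(t, q2) for t in succ[s]]
            todo.extend(edges[node])
    # Strongly connected components of the product (Tarjan's algorithm).
    index, low, stack, done, sccs = {}, {}, [], set(), []
    def visit(v):
        index[v] = low[v] = len(index)
        stack.append(v)
        for w in edges[v]:
            if w not in index:
                visit(w)
                low[v] = min(low[v], low[w])
            elif w not in done:          # w is still on the stack
                low[v] = min(low[v], index[w])
        if low[v] == index[v]:           # v is the root of an SCC
            comp = set(stack[stack.index(v):])
            del stack[stack.index(v):]
            done.update(comp)
            sccs.append(comp)
    for v in list(edges):
        if v not in index:
            visit(v)
    # Collect SCCs that contain a cycle through an accepting (q == 1) state.
    keep = set()
    for comp in sccs:
        cyclic = len(comp) > 1 or any(v in edges[v] for v in comp)
        if cyclic and any(q == 1 for _, q in comp):
            keep |= comp
    # Add paths from initial states (all explored nodes are reachable from init).
    grew = True
    while grew:
        grew = False
        for v, ws in edges.items():
            if v not in keep and any(w in keep for w in ws):
                keep.add(v)
                grew = True
    return {(v[0], w[0]) for v in keep for w in edges[v] if w in keep}

# Constructed sample model: s3 is the only state where c holds.
SUCC = {"s0": ["s1", "s2"], "s1": ["s3"], "s2": ["s2"], "s3": ["s3"]}
print(sorted(scenario_graph(["s0"], SUCC, {"s3"})))
```

The edge from s0 to s2 is dropped because no execution through s2 ever reaches a c state, which is the "succinct" property defined on the earlier slide.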

Page 10: Generation of Scenario Graphs Using Model Checking

Performance

[Plot: Generation Time T(N) against Graph Edges (N), for 0 to 900000 edges. Linear Regression R² = 0.9967]

Page 11: Generation of Scenario Graphs Using Model Checking

State Hashing

Method        Performance (Amortized)   Memory Overhead per State   Completeness
Full State    O(E)                      Full State Size             Complete Coverage
Hashcompact   O(E)                      8 bytes                     Partial Coverage
Traceback     O(E)O(depth)              14 bytes                    Complete Coverage

Page 12: Generation of Scenario Graphs Using Model Checking

Example Attack Graph

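[Figure: attack graph running from "Begin" to "Done!", annotated with the following attacks:]

• IIS buffer overflow (CAN-2002-0364)
• Squid portscan (CVE-2001-1030)
• LICQ remote-to-user (CVE-2001-0439)
• Local buffer overflow (CVE-2002-0004)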

Security property (LTL):

G (intruder.privilege(host) < root)

Page 13: Generation of Scenario Graphs Using Model Checking

Application: Attack Graphs

[Diagram: attack graph toolkit architecture. Components shown: System and Goal Specification; Model Builder; Attack Graph Generators; Attack Graph Analyzers; Host Configuration Data; Network Configuration Data; MITRE; SQL database; Outpost Server; Outpost Clients; Graphical User Interface.]