Theory Generation for Security Protocols (.ppt)

Published 2017-03-09 in Shanghai; about 15,300 characters, about 26 slides.

Attack Graphs
Jeannette M. Wing
Automatic Generation and Analysis of Attack Graphs
Joint work with Oleg Sheyner, Somesh Jha (Wisconsin), Roman V. Lototski, Alexey Roschyna, Arvind Kannan, and Meera Sridhar

Example of Attack Graph Developed by a Professional Red Team
Sandia Red Team "white board" attack tree from the DARPA CC20008 information battle space preparation experiment

Problem Statement
Problem: Generating attack graphs by hand is tedious, error-prone, and impractical for large systems.
Our goal: Automate the generation and analysis of attack graphs.
Generation
  • Must be fast and completely automatic
  • Must handle large, realistic examples
  • Should guarantee properties of attack graphs
Analysis
  • Must enable security analysis by system administrators
  • Should support incremental, partial specification

Overview of Our Method

Why Model Checking?
Pragmatic reasons
  • Off-the-shelf technology
  • Major verification success story
Technical reasons
  • Fast, automatic
  • Large state spaces
  • Handles safety and liveness properties
  • Generates counterexamples
  • Counterexample = attack

Definition of Attack Graph
Given a finite state model M of the network and a security property φ:
  • An attack is an execution of M that violates φ.
  • An attack graph is a set of attacks of M.

Properties of Attack Graphs
  • Sound: an attack generated violates φ.
  • Exhaustive: all possible attacks are represented in G.
  • Succinct: only relevant states are contained in G; only relevant transitions are contained in G.
We developed two algorithms that satisfy these properties.

Explicit-State Attack Graph Generation Algorithm
Inputs
  • M
  • F = LTL property (safety or liveness)
Algorithm
  • Interpret the network model M and the security property F as Büchi automata [Gerth et al. 95]. M and F induce languages L(M) and L(F).
  • Compute the intersection M ∩ ¬F of the Büchi automata. L(M ∩ ¬F) = L(M) \ L(F) = executions of M that violate F.
  • Derive G from the strongly connected components of the intersection automaton [Tarjan 72].

Performance (Explicit-State)
An Illu
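The explicit-state algorithm above handles general LTL properties through Büchi automata; as an added example (not from the slides or from the authors' tool), the following Python restricts to a safety property, where the intersection reduces to forward reachability of violating states followed by backward pruning that keeps G sound, exhaustive and succinct. The three-host model, the abstract transitions A1..A4 and the single-transition cut analysis are constructed for this example and are assumptions, not anything from the slides.

```python
from collections import deque

# Constructed example: abstract three-host network, h0 = attacker's own host.
# State = attacker privilege on (h0, h1, h2): -1 host down, 0 none, 1 user, 2 root.
# A1..A4 are hypothetical abstract transitions (guard, effect), not real exploits.
RULES = [
    ("A1 h0->h1 user",   lambda s: s[0] >= 1 and s[1] == 0, lambda s: (s[0], 1, s[2])),
    ("A2 h1 user->root", lambda s: s[1] == 1,               lambda s: (s[0], 2, s[2])),
    ("A3 h1->h2 root",   lambda s: s[1] == 2 and s[2] < 2,  lambda s: (s[0], s[1], 2)),
    ("A4 h0->h1 crash",  lambda s: s[0] >= 1 and s[1] >= 0, lambda s: (s[0], -1, s[2])),
]
INITIAL = (2, 0, 0)  # attacker starts as root on its own host h0

def violates(s):
    return s[2] == 2  # safety property: the attacker never obtains root on h2

def attack_graph(initial, rules, violates):
    """Forward search over reachable states (an attack ends at the first
    violating state), then backward pruning so G is succinct."""
    reach, edges, q = {initial}, [], deque([initial])
    while q:
        s = q.popleft()
        if violates(s):
            continue
        for label, guard, effect in rules:
            if guard(s):
                t = effect(s)
                edges.append((s, label, t))
                if t not in reach:
                    reach.add(t)
                    q.append(t)
    pred = {}
    for s, _, t in edges:
        pred.setdefault(t, []).append(s)
    relevant = {s for s in reach if violates(s)}  # sound: start from violations only
    q = deque(relevant)
    while q:  # exhaustive: every state on a path to a violation is kept
        t = q.popleft()
        for s in pred.get(t, []):
            if s not in relevant:
                relevant.add(s)
                q.append(s)
    g_edges = [e for e in edges if e[0] in relevant and e[2] in relevant]
    return relevant, g_edges

def single_transition_cuts(initial, rules, violates):
    """Administrator analysis: transitions whose removal alone (e.g. by patching) empties G."""
    return [r[0] for r in rules
            if not attack_graph(initial, [x for x in rules if x is not r], violates)[0]]
```

The dead-end state produced by A4 is reachable but lies on no attack, so the pruning drops it and its transitions, which is the succinctness property of the slides in action.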
