Friday, December 4, 2009

Anatomy of a Vulnerability

When one thinks of vulnerabilities, one considers a weakness in a security design, some flaw that can be exploited to defeat the defense. In medieval days, a vulnerability of a castle was that it could be laid siege. In more modern terms, a bulletproof vest could be vulnerable to a specially made bullet, or by aiming at a different body part not protected by the vest. in fact, as many different security measures that have been invented have been circumvented almost at the point of conception.

A computer vulnerability is a flaw in the security of a computer system. The security is the support structure that prevents unauthorized access to the computer. When a vulnerability is exploited, the person using the vulnerability will gain some additional influence over the computer system that may allow a compromise of the systems' integrity.

Computers have a range of different defenses, ranging from passwords to file permissions. Computer "virtual" existence is a completely unique concept that doesn't relate well to physical security. However, in terms of computer security, the techniques to break in are finite and can be described.

This book breaks down the logic to computer security vulnerabilities so that they can fit within specific categories that make them understandable. Provided with a vulnerability, the danger and function of each possible type of vulnerability can be explained, and paths of access enhancements can be determined.

There are four basic types of vulnerabilities, which are relative to two factors: what is the specific target of the vulnerability in terms of computer or person, and the other is how quickly the vulnerability works. One could imagine this as a matrix:

 

Affects Person

Affects Computer

Instantaneous

Social Engineering

Logic Error

Requires a duration of time

Policy Oversight

Weakness

Logic error is a short cut directly to a security altering effect, usually considered a basic bug. These types of problem occur due to a special circumstance (usually poorly written code) that allows heightened access. This is the type of vulnerability usually thought of first.

Weakness is a security measure that was put into place, but has a flaw in its design that could lead to a security breach. They usually involve security that may or may not be distinctly solid, but is possible for people to bypass. The term "Security through Obscurity" fits in this arena, being that a system is secure because nobody can see or understand the hidden elements. All encryption fits under this category as it is possible to eventually break the encryption, regardless of how well it is constructed. The idea isn't that security isn't present, it is the fact that security is present with a method of defeating it also being present.

Social Engineering is a nebulous area of attacking associated with a directed attack against policy of the company. Policy is being used in a high level sense, because it could be an internal worker committing sabotage, a telephone scam directed at a naive employee, or digging for information that was thrown away in dumpsters.

Policy oversight is a flaw in the planning to avoid a situation, which would be such conditions as not producing adequate software backups, having proper contact numbers, having working protection equipment (such as fire extinguishers), and so forth. The most common policy oversight seems to be not having support of the company's management to legally pursue computer criminals, which renders all the existing countermeasures established to protect the company useless.

The following vulnerability map creates a visual way to envision security situations that you may have already encountered and their relation to the four types of vulnerabilities:

Vulnerability Attributes

All four types of security problems ultimately have the same basic attributes, so any taxonomy of problems for policy issues will have the same basic model for computer vulnerabilities. Vulnerabilities have five basic attributes, which are Fault, Severity, Authentication, Tactic, and Consequence. Examining these attributes can provide a complete understanding of the vulnerability.

Fault describes how the vulnerability came to be, as in what type of mistake was made to create the problem.

Severity describes the degree of the compromise, such as if they gained administrator access or access to files a regular user normally would not see.

Authentication describes if the intruder must have successfully registered with the host proof of identity before exploiting the vulnerability.

Tactic describes the issue of who is exploiting whom, in terms of location. If a user must have an account on the computer already, that is one situation. If the user can come from a location other than the keyboard, that is another.

Consequence describes the outcome. Consequence is the mechanics behind access promotion, and demonstrates how a small amount of access can lead to far greater compromises.

Fault

The mistakes that occur which cause vulnerabilities are referred to as its fault. Taimur Aslam, Ivan Krsul, and Eugene H. Spafford of the COAST Laboratory first defined the scope of faults in 1996 from a high level. However, the taxonomy is strong in its categorization of faults, but what needs to be understood is that fault does not equate to vulnerability, it is only an aspect of a vulnerability.

In the chapter Computer Security Faults the Aslam-Krsul-Spafford Fault Taxonomy will be presented, including additional details to demonstrate how the taxonomy can be used. These details consist of common mistakes, examples of fault in standard operating systems, buffer overflows, and other examples of how problems fall into their taxonomy.

Severity

All vulnerabilities yield an outcome, therefore to judge the extent of the access level gained from a vulnerability, severity is used. There are six levels of severity that can be used to define a vulnerability:

administrator access, read restricted files, regular user access, spoofing, non-detectability, and denial of service.

Severity

Description

Administrator Access

This level of access allows administrative activities on the computer, above and beyond that of a normal user.

Read Restricted Files

This level of severity allows access to files that can normally not be accessed, or can view information not supposed to be viewed that may lead to a security compromise.

Regular User Access

Access as a regular user has a strong degree of severity because there are typically many more ways to interact with the system than without access at all.

Spoofing

Spoofing allows the intruder to assume the identity of a user, computer, or network entity. This can result in other systems trusting the intruder and allow a system compromise.

Non-Detectability

This degree of severity arises when a logging system has been disabled or otherwise malfunctions. This can allow an intruder to perform actions that cannot be recorded.

Denial of Service

Although denial of service the lowest degree of severity, it is only because it is the farthest from being interactive with the system.

It is important to stress that severity is based on influence over the system, and that all of the levels of severity presented allow at least some influence. Denial of service, for example, is a severe problem but still contains but a single interaction: disable. Severity is most important when considering that it can be used to achieve the intruder's goals, whatever they may be.

Authentication

A basic Boolean yes-or-no value, authentication is a condition asking if the intruder must register identity with the host first. If the intruder must "log in", they must have already bypassed a level of security to reach that point. However, it warrants its own category because of the fact that being authenticated on a host gives the user access to a far more robust command set that may have hundreds, thousands, or even millions of possible features that may yield greater access. Most administrators will assume that if a hacker has gained access to a host at the regular user level, they probably already have administrator access.

Tactic

The way that a vulnerability is exploited is very critical, so tactic describes who can exploit whom and where. A local user will have access to far more resources than an intruder without access, and so internal access is desirable before attempting to penetrate a host. Remote users without access can still influence the computer, and may gain access from a server function. People running client software that is dependent on remote file servers may be fed bogus commands, also allowing a compromise. Likewise, a man-in-the-middle attack occurs when someone is eavesdropping on the communications between two locations. In the most extreme cases, when an intruder has physical access to the host, they can brute force their way into the logic a number of other ways.

Internal Tactic - The actual attack occurs on the host through the software, not requiring a network or physical access.

Physical Access Tactic - This attack only can be performed if the attacker is at the keyboard or has physical access to either the computer or the user of the computer.

Server Tactic - This attack takes advantage of the server being available to be connected to exploit a service.

Client Tactic - This attack occurs when the hostile information is sent to the victim's computer via a server the victim is connected to.

Man-in-the-Middle Tactic - This tactic exists when another party intervenes or interjects themselves between two communicating parties.

All tactics are cumulative, that is, there can be several tactics involved in exploiting a single vulnerability. However, each step that occurs when multiple tactics are required exists in one of these five basic tactics.

Computer Vulnerabilities

Anatomy of a Vulnerability

As an example, an attack could be initiated by a connection to a server via a server tactic, but could also require a man-in-the-middle tactic to complete the exploit.

Consequence

Unlike severity, which states the outcome of a single vulnerability, consequence builds a "road map" for almost any level of access to promote itself to fully interactive administrator rights. One can think of this aspect as the function component of the vulnerability. All vulnerabilities follow a logical "input"/"output" flow, and the end-result operation of the actual exploit itself is covered under consequence. Likewise, each consequence implies a step-by-step operation to improving the level of access.

Attributes and Vulnerabilities

Attributes of vulnerabilities become easy to identify as they are compared against other type of vulnerabilities. The following matrix shows if the attributes require a different taxonomy across different vulnerability types. It shows the rather surprising relationship between logic errors, weaknesses, social engineering, and policy oversight:

 

Fault

Severity

Authentication

Perspective

Consequence

Logic Error

Specific

Independent

Independent

Independent

Specific

Weakness

Specific

Independent

Independent

Independent

Specific

Social Engineering

Specific

Independent

Independent

Independent

Specific

Policy Oversight

Specific

Independent

Independent

Independent

Specific

Although the focus of this book is primarily on "logic errors", the other aspects of vulnerability -weakness, social engineering, and policy oversight have different consequences and faults, but have the same severity, authentication, and tactic taxonomies! Even more fascinating is there is a direct relationship between the attributes across all four types of vulnerabilities, they are the same!

As an example, a man-in-the-middle attack is an attribute of tactic which could apply to logic errors (an attack on a protocol), weakness (a sniffer running capturing packet data), social engineering (eavesdropping on telephones), or policy oversight (someone interceding on another's behalf.) Therefore, the actual properties of these attributes are independent and problems can be identified the same across all four types!

In short, without actually pointing out where a vulnerability is located, the concept of the vulnerability can be described by these five attributes. The only element missing to completely describe any vulnerability is a step-by-step description of its execution, which is handy but not conceptually necessary if all we want to do is understand its function.

No comments:

Post a Comment