
National Aerospace University Kharkiv Aviation Institute

Department of Computer Systems and Networks

Reporter: MSc student Alexander Beloborodov
Scientific advisor: Dr.Sc. Anatoliy Gorbenko
Odesa 2012

Motivation
Computer Crime and Security Survey Report 2010

Content
Definitions VDB Analysis Cloud Platform Protect your PC Conclusions

Malware infection (67,1%)
Denial of service (17%)
Web site defacement (7%)
Exploit of user's social network profile (5%)
System penetration by outsider (11%)
O.Biloborodov "Intrusion-avoidance of Web systems: challenges and solutions"

08.07.2012

Training Content

The main definitions
Vulnerability database analysis
Vulnerability lifecycle analysis
Cloud platform to avoid intrusions
Common suggestions to protect our home systems
Conclusions

Dependability


Dependability is a complex characteristic of a system to provide the required services, which can be justifiably trusted. It includes reliability, availability, survivability, safety, security (integrity, confidentiality), high confidence, maintainability.
[Translated from E.S. Bakhmach Fail-safe programmable logic in the I&CS / ed. V.S. Kharchenko, V.V. Sklyar, Kharkiv, 2008 - p. 29]

Vulnerability


Vulnerability is a weakness in an information system, system security procedures, internal controls, or implementation that could be exploited by a threat source.
[National Information Assurance (IA) Glossary. http://www.cnss.gov/Assets/pdf/cnssi_4009.pdf]

Vulnerability Examples

Let us enumerate examples of vulnerabilities


Common Weakness Enumeration


Name | CWE-ID | Description

Permissions, Privileges, and Access Control | CWE-264 | Failure to enforce permissions or other access restrictions for resources, or a privilege management problem.

Buffer Errors | CWE-119 | Buffer overflows and other buffer boundary errors in which a program attempts to put more data in a buffer than the buffer can hold, or when a program attempts to put data in a memory area outside of the boundaries of the buffer.

Code Injection | CWE-94 | Causing a system to read an attacker-controlled file and execute arbitrary code within that file. Includes PHP remote file inclusion, uploading of files with executable extensions, insertion of code into executable files, and others.

Input Validation | CWE-20 | Failure to ensure that input contains well-formed, valid data that conforms to the application's specifications. Note: this overlaps other categories like XSS, Numeric Errors, and SQL Injection.

OS Command Injections | CWE-78 | Allowing user-controlled input to be injected into command lines that are created to invoke other programs, using system() or similar functions.

The full list: http://nvd.nist.gov/cwe.cfm


Fault

A fault is any deviation of a version from the specification requirements, resulting from an error made during development; when it manifests during use of the system (its implemented versions), it leads to a computational or process-control error, a crash, or a system failure, that is, a transition to a defective or inoperable state.

Vulnerability and fault

All the faults are vulnerabilities

All the vulnerabilities are faults

Fault Vulnerability

Any case is possible



Vulnerability Data Sources


Data Source | Site | Access
National Vulnerability Database (NVD) | www.nvd.nist.gov/ | HTML, XML
Common Vulnerabilities and Exposures (CVE) | www.cve.mitre.org/ | HTML, XML
Open Source Vulnerability Database (OSVDB) | www.osvdb.org/ | HTML, XML, SQL Dump
Open Vulnerability and Assessment Language (OVAL) | www.oval.mitre.org/ | HTML
Computer Emergency Response Team (CERT) | www.cert.org/ | HTML
Secunia | www.secunia.com/ | HTML

Problems:
Completeness of the information
Timeliness
The presence of direct-access and the ability to copy the entire database
Accuracy of the information

Analysis of XML file of National Vulnerability Database


<entry id="CVE-2010-0020">
  <vuln:vulnerable-software-list>cpe:/o:microsoft:windows_server_2008::sp2:x32</vuln:vulnerable-software-list>
  <vuln:published-datetime>2010-02-10T13:30:00</vuln:published-datetime>
  <vuln:modified-datetime>2010-03-10T10:15:00</vuln:modified-datetime>
  <cvss:score>9.0</cvss:score>
  <cvss:access-vector>NETWORK</cvss:access-vector>
  <cvss:access-complexity>LOW</cvss:access-complexity>
  <cvss:confidentiality-impact>COMPLETE</cvss:confidentiality-impact>
  <cvss:integrity-impact>COMPLETE</cvss:integrity-impact>
  <cvss:availability-impact>COMPLETE</cvss:availability-impact>
  <vuln:cwe id="CWE-94" />
  <vuln:source>MS</vuln:source>
  <vuln:reference href="http://www.microsoft.com/security/Bulletin/MS10-012.mspx">MS10-012</vuln:reference>
  <vuln:summary>The SMB implementation in the Server service in Microsoft Windows Server 2008 SP2 does not properly validate request fields, which allows remote authenticated users to execute arbitrary code via a malformed request, aka "SMB Pathname Overflow Vulnerability."</vuln:summary>
</entry>

Patch Data Sources


VulnerabilityTracker (1)
[Figure: VulnerabilityTracker views labelled Main, Products Tree, Vulnerability Details, Graph, Edit Configuration]

VulnerabilityTracker (2)

Viewing comparison results of similar dates (publication, modification, etc.) in various databases by calculating the day differences.

The picture shows the difference between the NVD date (date1) and the CVE date (date2) for the products RedHat Enterprise Linux 5, Apple MacOS Server 10.5.8 and Microsoft Windows Server 2008.
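
The NVD XML analysis and the day-difference comparison described above can be sketched as follows. This is an added example, not code from the slides or from VulnerabilityTracker; the namespace URIs, the un-namespaced entry element, the wrapper element and the placeholder entry CVE-0000-0000 are assumptions or constructed values.

```python
import xml.etree.ElementTree as ET
from datetime import datetime

# Namespace URIs are assumptions (the slide omits the xmlns declarations).
NS = {
    "vuln": "http://scap.nist.gov/schema/vulnerability/0.4",
    "cvss": "http://scap.nist.gov/schema/cvss-v2/0.2",
}

# Constructed sample: the slide's entry, trimmed and made well-formed, plus a
# placeholder entry with missing fields. <entry> is un-namespaced as on the slide.
SAMPLE = """<nvd xmlns:vuln="http://scap.nist.gov/schema/vulnerability/0.4"
     xmlns:cvss="http://scap.nist.gov/schema/cvss-v2/0.2">
  <entry id="CVE-2010-0020">
    <vuln:published-datetime>2010-02-10T13:30:00</vuln:published-datetime>
    <vuln:modified-datetime>2010-03-10T10:15:00</vuln:modified-datetime>
    <cvss:score>9.0</cvss:score>
    <vuln:cwe id="CWE-94" />
  </entry>
  <entry id="CVE-0000-0000">
    <vuln:published-datetime>2010-02-11T09:00:00</vuln:published-datetime>
  </entry>
</nvd>"""

def _text(entry, path):
    node = entry.find(path, NS)
    return node.text.strip() if node is not None and node.text else None

def parse_entries(xml_text):
    """Return {cve_id: record}; absent fields become None instead of raising."""
    records = {}
    for entry in ET.fromstring(xml_text).iter("entry"):
        score = _text(entry, ".//cvss:score")
        cwe = entry.find(".//vuln:cwe", NS)
        records[entry.get("id")] = {
            "published": _text(entry, ".//vuln:published-datetime"),
            "modified": _text(entry, ".//vuln:modified-datetime"),
            "score": float(score) if score else None,
            "cwe": cwe.get("id") if cwe is not None else None,
        }
    return records

def day_difference(date1, date2):
    """Whole calendar days from date1 to date2 (ISO strings); None if one is missing."""
    if not date1 or not date2:
        return None
    to_date = lambda s: datetime.fromisoformat(s).date()
    return (to_date(date2) - to_date(date1)).days
```

Returning None for a missing date keeps incomplete records visible in the comparison instead of silently treating them as a zero-day difference.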

Vulnerability Lifecycle

Let us draw the vulnerability lifecycle

Service-Oriented Architecture

SOA is employed in:
e-banking
e-business
e-medicine (bioinformatics)
e-science
e-commerce
Geographic Information Systems
Enterprise Resource Planning Systems
SaaS (EaaS), Grid, Cloud Computing

SaaS Examples


The structure of the intrusion-avoidance system

1. Vulnerability data sources
2. Patch data sources
3.
4. Employing diversity to obtain security gain


Anatoliy Gorbenko, Vyacheslav Kharchenko, Olga Tarasyuk, Alexander Romanovsky. Intrusion-Avoiding Architecture Making Use of Diversity in the Cloud-Based Deployment Environment

Vulnerability Data Sources


[Diagram: vulnerability data sources on the Internet]

OSVDB: www.osvdb.org
SECUNIA: www.secunia.com
NVD: www.nvd.nist.gov
CERT: www.cert.org
OVAL: www.oval.mitre.org
CVE: www.cve.mitre.org

They support exporting their own databases in the form of XML files.

Collecting Information (1)


CVE: CVE-ID, PHASE, STATUS
NVD: CVE-ID, SCORE, CWE, PRODUCT LIST
OSVDB: CVE-ID, DISCOVER DATE, DISCLOS DATE, EXPLOIT DATE, FIX DATE

OUR Database: CVE-ID, PHASE, CVE-ID, STATUS, CVE-ID, PUB DATE, MOD DATE, DISCOVER DATE, DISCLOSUR DATE, EXPLOIT DATE, FIX DATE, SCORE, CWE, PRODUCT LIST, REFERENCE, SUMMARY


Collecting Information (2)


CVE: CVE-ID, PHASE, STATUS
NVD: CVE-ID, SCORE, CWE, PRODUCT LIST
OSVDB: CVE-ID, DISCOVER DATE, DISCLOS DATE, EXPLOIT DATE, FIX DATE

Format Converter

OUR Database: CVE-ID, PHASE, STATUS, DISCOVER DATE, DISCLOSUR DATE, EXPLOIT DATE, FIX DATE, SCORE, CWE, PRODUCT LIST, PUB DATE, MOD DATE, REFERENCE, SUMMARY

Vulnerability Database Scheme


Vulnerabilities
Users and policies
Products and configurations


Deployment Diagram


Reconfiguration Example
[Diagram: components Linux, Windows, Oracle, Apache httpd, Glassfish and MySQL, arranged by layer: Operating System, Web Server, Application Server, Database Management System]

The dynamic reconfiguration system chooses the less vulnerable configuration


Compatibility Graph

The graph was proposed by Aleksey Furmanov


Configuration Samples

[Figure: six sample configurations, numbered 1 to 6]
Configurations were proposed by Aleksey Furmanov

Assumptions

The following conventions were accepted in the simulation:

Before January 1, 2010, the operating systems did not have vulnerabilities.
Eliminating vulnerabilities takes a particular time, which differs for each operating system. According to the article, it takes:
28.9 days for Microsoft Windows
46.12 days for Apple Mac OS
73.89 days for Novell Linux
106.83 days for Red Hat Linux
167.72 days for Sun Solaris

Jones, J. Days-of-risk in 2006: Linux, Mac OS X, Solaris and Windows. Electronic data Access: http://blogs.csoonline.com/days_of_risk_in_2006 (2006)

Reconfiguration Simulation
[Chart: number of vulnerabilities (axis 0 to 70) against day of the year (axis 1 to 361) for Novell Linux-11, RedHat Linux-5, Apple MacOS Server-10.5.8, Sun/Oracle Solaris-10 and MS Windows Server-2008. An overlaid caption reads "Now our system is managed by OS" followed by the name of the currently selected operating system.]
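
A minimal version of such a reconfiguration simulation, using the fix times from the Assumptions slide. This is an added example, not the authors' simulator: the disclosure days are constructed, and treating a vulnerability as open from its disclosure day until the fix time has elapsed is one interpretation of the stated assumptions.

```python
# Days needed to eliminate a vulnerability, as quoted on the Assumptions slide.
FIX_DAYS = {
    "Microsoft Windows": 28.9,
    "Apple Mac OS": 46.12,
    "Novell Linux": 73.89,
    "Red Hat Linux": 106.83,
    "Sun Solaris": 167.72,
}

# Constructed disclosure days (day of the year); NOT data from NVD or the slides.
DISCLOSED = {
    "Microsoft Windows": [5, 12, 40, 41, 90, 130],
    "Apple Mac OS": [20, 60, 61, 150],
    "Novell Linux": [10, 100, 200],
    "Red Hat Linux": [30, 95, 210],
    "Sun Solaris": [15, 180],
}

def open_vulnerabilities(os_name, day):
    """Vulnerabilities disclosed on or before `day` and not yet fixed."""
    fix = FIX_DAYS[os_name]
    return sum(1 for d in DISCLOSED[os_name] if d <= day < d + fix)

def choose_os(day, current=None):
    """Pick the OS with the fewest open vulnerabilities; keep `current` on a
    tie so the system is not reconfigured without a security gain."""
    counts = {name: open_vulnerabilities(name, day) for name in FIX_DAYS}
    best = min(counts.values())
    if current is not None and counts[current] == best:
        return current
    return min(name for name, c in counts.items() if c == best)

def simulate(days=range(1, 366)):
    """Return [(day, os)] for each day on which the active OS changes."""
    switches, current = [], None
    for day in days:
        chosen = choose_os(day, current)
        if chosen != current:
            switches.append((day, chosen))
            current = chosen
    return switches

if __name__ == "__main__":
    for day, name in simulate():
        print(f"day {day:3d}: now our system is managed by {name}")
```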

Common vulnerabilities in different operating systems

Cloud platform to avoid intrusions

Our Team

Research Group:
Vyacheslav Kharchenko
Anatoliy Gorbenko
Aleksey Furmanov
Anatoliy Shostak
Sofia Pokrova

System Analyst:
Aleksey Furmanov

Development Group:
Alexander Beloborodov
Alexander Lysenko
Sofia Pokrova

Protecting your systems (1)


Measures to prevent viruses
Turn on the display of file extensions in your operating system
Turn off CD/DVD autorun
Make a folder named autorun.inf on all your flash drives
Install an antivirus and regularly update its databases
Be careful with email attachments
Carefully read dialog windows


Protecting your systems (2)


Measures to prevent intrusions
Use Secunia Personal Software Inspector to check your system for the presence of vulnerabilities
Install and configure firewalls
Configure the access policy on your PC and on the network equipment you use
Never share your user name, password or security questions with anyone
No one else should be able to guess your password


Protecting your systems (3)


Measures to protect private information

Make an email account for registrations or use a temporary email (www.shitmail.me, www.mailinator.com)
Be careful in social networks, keep your private information secret
Keep your passwords in your mind (or on paper)
After logging in, do not forget to log out when you no longer need to use your account
Pay attention to the links you click
Check the address of the site you are on


Conclusions
We studied:
What vulnerability and fault mean
Vulnerability data sources
Patch data sources

We obtained experience in:


Analyzing information of XML files of vulnerability databases
Vulnerability lifecycle design

We discussed:
General suggestions to protect our home systems from intrusions

Alexander Beloborodov
Intrusion-avoidance of Web systems: challenges and solutions
E-mail: alexandr.bright@mail.ru
