Security Policy Analysis using Deductive Spreadsheets - PowerPoint PPT Presentation

Transcript and Presenter's Notes

Title: Security Policy Analysis using Deductive Spreadsheets


1
Security Policy Analysis using Deductive Spreadsheets
Anu Singh, C. R. Ramakrishnan, I. V. Ramakrishnan,
Scott D. Stoller, David S. Warren
Department of Computer Science, Stony Brook University
2
Outline
  • Security policy analysis
  • Deductive spreadsheets
  • Deductive Spreadsheets as a policy analysis tool
  • Multi-host multi-stage vulnerability analysis
  • Security-Enhanced Linux policy analysis

3
Desiderata for a Security Policy Analyzer
  • Facilitate development and exploration of
    security policies.
  • Analyses specified in high-level language.
  • Easy-to-use interface.
  • Explain analysis results, show how they follow
    from the policy.
  • Enable exploration of what if scenarios
  • Highlight the changes in analysis results due to
    change in the policy.

4
Security Policy Example - RBAC
  • Role-Based Access Control (RBAC) is a well-known
    model for access control policies.

[Figure: RBAC Model, relating user (u), role (r),
permission (read) and objects (file).]
Access control policy example: user u is permitted
to read an object o if the user has role r.
Analysis: information flow between objects.
[Figure: a user reads file1 and writes file2, giving
a flow edge from file1 to file2.]
5
Deductive Spreadsheets (DSS)
  • DSS System (XcelLog) Architecture
  • XcelLog is implemented as an add-in to Microsoft
    Excel™.
  • Formula language supports set and tuple
    operations like Datalog.
  • XSB tabled logic programming system is the
    underlying deductive engine.

6
  • DSS DEMO

7
  • Case Study 1
  • Multi-Host Multi-Stage Vulnerability Analysis
    [MulVAL, Ou, USENIX 2005]

8
Network Vulnerability Analysis
  • Hosts
  • Users
  • Access Rights
  • Services
  • Host Access Control Lists
  • Vulnerable Programs
  • Vulnerability analysis
  • Determine the privileges that a user can acquire
    on different hosts by exploiting remote software
    vulnerabilities.

9
Representing Network Configuration in DSS
10
Computing Accessible Hosts
Which machines can a user acquire access to by
exploiting remote vulnerabilities through network
access? The set of accessible hosts is computed
recursively over multiple hops.
[Figure: the accessible-hosts cell depends on itself
(through the access and hacl cells) and on the
privileges of remotely exploitable vulnerable
programs.]
11
Vulnerability Analysis in DSS
Cyclic dependency (Recursion)
Compute privileges acquired by normaluser on
different machines.
The uaccess sheet represents the privileges and
access information.
12
Vulnerability Analysis using DSS
  • What additional privileges can a user acquire?

The uexec sheet lists the privileges that a user
acquires by exploiting remote vulnerabilities.
Difference between uexec and uaccounts
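The multi-hop accessible-hosts computation of slides 10 to 12, written out as an added Python example (not MulVAL's or XcelLog's own code) over constructed facts; the sheet names hacl, uaccounts, uaccess and uexec follow the slides, while the hosts, services, ports and vulnerable programs are made up.

```python
# Added example (not MulVAL's or XcelLog's code): the accessible-hosts fixpoint of
# slides 10-12 in Python. Sheet names follow the slides; all facts are constructed.

# hacl: (src_host, dst_host, protocol, port) connections the network allows.
HACL = {("internet", "web", "tcp", 80), ("web", "app", "tcp", 8080),
        ("app", "db", "tcp", 3306)}
# Services: (host, program, protocol, port, privilege the program runs with).
SERVICES = {("web", "httpd", "tcp", 80, "www"), ("app", "tomcat", "tcp", 8080, "root"),
            ("db", "mysqld", "tcp", 3306, "mysql")}
# Programs with a remotely exploitable vulnerability: (host, program).
VULNERABLE = {("web", "httpd"), ("app", "tomcat")}
# uaccounts: (user, host, privilege) the user legitimately holds.
UACCOUNTS = {("normaluser", "internet", "user"), ("normaluser", "app", "user")}


def remote_exploit_targets(src_hosts, hacl=HACL, services=SERVICES, vulnerable=VULNERABLE):
    """(host, privilege) pairs reachable in one hop from src_hosts: the network
    allows the connection and a vulnerable program listens on that port."""
    targets = set()
    for src in src_hosts:
        for (a_src, dst, proto, port) in hacl:
            if a_src != src:
                continue
            for (h, prog, s_proto, s_port, priv) in services:
                if h == dst and (s_proto, s_port) == (proto, port) and (h, prog) in vulnerable:
                    targets.add((h, priv))
    return targets


def analyze(user, uaccounts=UACCOUNTS):
    """Return (uaccess, uexec, additional): every (host, privilege) the user can
    reach, the ones gained by exploiting, and those beyond the user's own accounts."""
    accounts = {(h, p) for (u, h, p) in uaccounts if u == user}
    uaccess = set(accounts)
    uexec = set()
    while True:  # least fixpoint: uaccess depends on itself (the cyclic dependency)
        gained = remote_exploit_targets({h for (h, _) in uaccess})
        uexec |= gained
        if gained <= uaccess:
            return uaccess, uexec, uexec - accounts
        uaccess |= gained


if __name__ == "__main__":
    uaccess, uexec, additional = analyze("normaluser")
    print("uaccess:", sorted(uaccess))
    print("uexec:", sorted(uexec))
    print("beyond own accounts:", sorted(additional))
```

The db host stays unreachable even though hacl allows app to db, because mysqld is not in the vulnerable set; app is reached as root only through the web hop.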
13
Benefits of using DSS
  • DSS can express non-trivial analyses.
  • The usability benefits of the spreadsheet
    paradigm come for free.
  • DSS provides explanations of analysis results.
  • Incremental evaluation.
  • Effects of changes to a policy can be easily
    explored.
  • DSS-based security policy tools can be developed
    and customized rapidly.

14
  • Case Study 2
  • Security-Enhanced Linux (SELinux) Policy Analysis

15
SELinux Policy Example
  • Resources are organized into types
  • Example: apmd_t, named_t
  • Access vector rule
  • Resources (processes) in a specified type, called
    the source type, have specified permissions for
    the resources in a specified type, called the
    target type.

[Figure: an access vector rule; the source type (root)
has permission execute on the target type (su_exec_t),
the type of security-critical binaries.]
16
SELinux Policy Analysis
  • Privilege Escalation or Write-Execute (W-E)
    Vulnerability [NETRA, FMSE 2006]
  • A non-administrative type has write permission
    for a resource, and an administrative type has
    execute permission for the same resource.

17
SELinux Policy Analysis using DSS
[Figure callouts: apmd_t has attribute
files_unconfined_type; su_exec_t has attribute
file_type; the access rule connecting them is shown.]
Entry (root, su_exec_t) in cell (writeExecuteAttack,
apmd_t) indicates a W-E vulnerability.
18
SELinux Policy Analysis using DSS
  • Information-Flow [SLAT, Guttman, WITS 2003]
  • Direct information flow is possible from a type
    t1 to a type t2
  • Information-flow relation is the transitive
    closure of the direct flow relation.
  • Use of information-flow analysis
  • Examine the types from which or to which
    information flows for selected types of interest.
  • Restrict attention to flows that do not pass
    through a specified type that acts as an
    information firewall.

[Figure: information flow from type t1 to type t2,
with tf as the firewall type.]
19
SELinux Policy Analysis using DSS
  • Integrity Vulnerability
  • A non-administrative type s has write permission
    for a resource, and an administrative type t has
    read permission for that resource.
  • Integrity of Trusted Computing Base (TCB)
  • Integrity violation is possible if there are
    types outside the TCB from which information can
    directly flow into the TCB.
  • Policy Incompleteness [Gokyo, Jaeger, ACM
    Transactions 2003]
  • The permissions that are neither explicitly allowed
    nor denied (never-allow) reflect a kind of
    incompleteness in the policy specification.
  • Consistency
  • Check consistency of the allow and deny rules in
    the policy.
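The W-E attack, information-flow and integrity analyses of slides 16, 18 and 19 as one added Python example (not XcelLog's own code), with set comprehensions standing in for DSS cell formulas. apmd_t and su_exec_t come from the slides; the other types, the admin set, the firewall type and the allow rules are constructed, and the direct-flow definition (a write gives s->t, a read or execute gives t->s) is the SLAT-style one assumed here.

```python
# Added example (not XcelLog's code): SELinux analyses of slides 16, 18 and 19.
# apmd_t/su_exec_t are from the slides; every other name and rule is constructed.
# Access vector rules: allow (source_type, target_type, permission).
ALLOW = {
    ("apmd_t", "su_exec_t", "write"),      # non-admin type may write a setuid binary
    ("sysadm_t", "su_exec_t", "execute"),  # admin type executes that same binary
    ("sysadm_t", "su_exec_t", "read"),
    ("named_t", "named_conf_t", "write"), ("sysadm_t", "named_conf_t", "read"),
    ("apmd_t", "tmp_t", "write"), ("firewall_t", "tmp_t", "read"),
    ("firewall_t", "secret_t", "write"), ("sysadm_t", "secret_t", "read"),
}
ADMIN = {"sysadm_t"}                       # constructed: administrative types
WRITE_LIKE, READ_LIKE = {"write", "append"}, {"read", "execute"}


def write_execute_attack(allow=ALLOW, admin=ADMIN):
    """Cell (writeExecuteAttack, s) -> {(a, t)}: non-admin s writes t, admin a executes t."""
    cells = {}
    for (s, t, p) in allow:
        if p == "write" and s not in admin:
            for (a, t2, p2) in allow:
                if t2 == t and p2 == "execute" and a in admin:
                    cells.setdefault(s, set()).add((a, t))
    return cells


def integrity_vulnerability(allow=ALLOW, admin=ADMIN):
    """(s, a, r): non-admin s writes resource r that admin a reads."""
    return {(s, a, r) for (s, r, p) in allow if p == "write" and s not in admin
            for (a, r2, p2) in allow if r2 == r and p2 == "read" and a in admin}


def direct_flow(allow=ALLOW):
    """SLAT-style direct flow: s writes t gives s->t, s reads/executes t gives t->s."""
    return ({(s, t) for (s, t, p) in allow if p in WRITE_LIKE}
            | {(t, s) for (s, t, p) in allow if p in READ_LIKE})


def info_flow(edges, firewall=None):
    """Transitive closure of edges; with `firewall`, drop paths that pass through it."""
    closure = set(edges)
    while True:  # naive fixpoint: join any two paths whose meeting point is not tf
        new = {(a, d) for (a, b) in closure for (c, d) in closure
               if b == c and b != firewall} - closure
        if not new:
            return closure
        closure |= new


def flows_into(target, firewall=None, allow=ALLOW):
    """Types from which information can reach `target` (e.g. a TCB type)."""
    return {a for (a, b) in info_flow(direct_flow(allow), firewall) if b == target}
```

With firewall_t as the information firewall, tmp_t no longer reaches sysadm_t, because its only route passes through firewall_t, while firewall_t itself still flows in as a source.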

The benefits of using DSS are the same as those
discussed for MulVAL.
20
Future Work
  • Refine the granularity of dependencies from
    cell-level to individual values in the set in a
    cell.
  • Extend the cell-highlighting feature to elide
    rows and columns that do not contain highlighted
    cells.
  • Automatically extend a sheet when its row or
    column set is changed.
  • Semi-automatically translate Datalog
    specifications into DSS.

21
QUESTIONS?
22
References
  • [DSS] Ramakrishnan, Ramakrishnan, Warren. ICLP 06
  • [Gokyo] Jaeger, Edwards, Zhang. ACM Transactions
    on Information Systems Security, 03
  • [Lopol] Kissinger, Hale. Security Enhanced Linux
    Symposium, 06
  • [MulVAL] Ou, Govindavajhala, Appel. USENIX
    Security Symposium, 05
  • [NETRA] Naldurg, Schwoon, Rajamani, Lambert. FMSE
    06
  • [PAL] Starosta, Stoller. WITS 04
  • [RBAC] Sandhu, Coyne, Feinstein, Youman. IEEE
    Computer, 96
  • [SELinux Policy] NSA, Tresys Technology
  • [SLAT] Guttman, Herzog, Ramsdell. WITS 03