Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way

1,070 views

Published on

  • Be the first to comment

  • Be the first to like this

Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way

  1. 1. Vulnerability Analysis Taxonomy Achieving completeness in a systematic way Javier Tallón Guerri 10ICCC - Norway
  2. 2. 1.Vulnerability Analysis according to CEM2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology3.Example4.Lessons learned 2
  3. 3. 1.Vulnerability Analysis according to CEM2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology3.Example4.Lessons learned 3
  4. 4. 1. Vulnerability Analysis according to CEM The evaluator vulnerability analysis is to determine that the TOE is resistant to penetration attacks performed by an attacker possessing a Basic (for AVA_VAN.1 and AVA_VAN.2), Enhanced- Basic (for AVA_VAN.3), Moderate (for AVA_VAN.4) or High (for AVA_VAN.5) attack potential. Independent vulnerability analysis should consider generic potential vulnerabilities under each of the following headings • Bypassing • Tampering • Direct attacks • Monitoring • Misuse 4
  5. 5. 1. Vulnerability Analisys according to CEM Due to the generic nature of the Common Criteria, this classification is too abstract and does not help to achieve the required completeness to the evaluator’s work. CEM classification is useless by itself 5
  6. 6. 1. Vulnerability Analisys according to CEM From AVA_VAN.4, vulnerability analysis should be METHODICAL: “This method requires the evaluator to specify the structure and form the analysis will take” CEM ask for a methodical analysis but does not provide any method. Every method would be acceptable 6
  7. 7. 1. Vulnerability Analisys according to CEM Very generic + = Poor vulnerability Undefined Vulnerability classification methodology Analisys 7
  8. 8. 1.Vulnerability Analysis according to CEM2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology3.Example4.Lessons learned 8
  9. 9. 2. Pieces for a correct Vulnerability Analysis Here is the question…How to achieve completeness in a systematic way? We will focus in software assessment 9
  10. 10. 1.Vulnerability Analysis according to CEM2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology3.Example4.Lessons learned 10
  11. 11. 2.1 Attack Patterns Vs Very generic vulnerability Attack Patterns classification Thinking like bad guys 11
  12. 12. 2.1 Attack Patterns Attack Pattern: an attack pattern describes the approach used by attackers to generate an exploit against software. For example: MITRE provides CAPEC (Common Attack Pattern Enumeration and Classification) 12
  13. 13. 2.1 Attack Patterns 13
  14. 14. 2.1 Attack Patterns CAPEC provides a free collection of attack patterns CAPEC is not the panacea Each lab should manage its own attack pattern collection 14
  15. 15. 2.1 Attack Patterns Lab Street Know How work Attack Patterns 15
  16. 16. 1.Vulnerability Analysis according to CEM2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology3.Example4.Lessons learned 16
  17. 17. 2.2 Systematic and Repeatable Methodology Systematic and Undefined Methodology Vs Repeatable Methodology 17
  18. 18. ADV_ARCAGD ASE_SPD ALC ATE ADV_TDSMisuse Deliv. Vuln. Malfunction Attack Path Vulnerability scanners Forensic analysis Disassemblers Debuggers Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Systematic and + Bespoke Lab Tools + Lab Know How = Repeatable Methodology
  19. 19. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda 19
  20. 20. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda 20
  21. 21. 2.2 Systematic and Repeatable Methodology ASE ADV AGD ATE ALC AVA 21
  22. 22. 2.2 Systematic and Repeatable Methodology AGD ALC ATE ADV_ARC ASE_SPD ADV_TDS Misuse Deliv. Vuln. Malfunction Attack Flow Vulnerability Analysis method 22
  23. 23. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda 23
  24. 24. 2.2 Systematic and Repeatable Methodology “Forensic analysis” techniques Debuggers Lab T&T Disassemblers Vulnerability scanners 24
  25. 25. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda 25
  26. 26. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Bespoke Lab + Lab Tools + Know How 26
  27. 27. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Bespoke Lab + Lab Tools + Know How 27
  28. 28. ADV_ARCAGD ASE_SPD ALC ATE ADV_TDSMisuse Deliv. Vuln. Malfunction Attack Path Vulnerability scanners Forensic analysis Disassemblers Debuggers Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Systematic and + Bespoke Lab Tools + Lab Know How = Repeatable Methodology
  29. 29. 1.Vulnerability Analysis according to CEM2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology3.Example4.Lessons learned 29
  30. 30. 3. Example TOE Auth Database SQL Access SQLXML Web XML Resource Network Control Service Parser Database Module 30
  31. 31. 3. Example TOE Auth Database SQL Access SQLXML Web XML Resource Network Control Service Parser Database Module Sniffing Attacks Man in the Middle Denial of Service through Resource Depletion 31
  32. 32. 3. Example TOE Auth Database SQL Access SQLXML Web XML Resource Network Control Service Parser Database Module Detect Unpublicized Web Services Web Services Protocol Manipulation 32
  33. 33. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database ModuleXML Routing Detour Attacks Oversized Payloads Sent to XML ParsersXEE (XML Entity Expansion) XML Ping of Death XML Schema PoisoningXML Attribute Blowup XML InjectionRecursive Payloads Sent to XML Parsers 33
  34. 34. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database ModuleAuthentication Bypass Password Brute ForcingAuthentication Abuse Try Common (default) Usernames and PasswordsReflection Attack in Authentication ProtocolExploitation of Session Variables, Resource IDs and other Dictionary-based Password AttackTrusted Credentials 34
  35. 35. 3. Example TOE Auth Database SQL Access SQLXML Web XML Resource Network Control Service Parser Database Module SQL Injection Blind SQL Injection 35
  36. 36. 1.Vulnerability Analysis according to CEM2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology3.Example4.Lessons learned 36
  37. 37. 4. Lessons learnedMotivation Creativity + = Systematic and WonderfulAttack Patterns Repeatable Vulnerability Methodology Analysis 37
  38. 38. Thanks for your attention!Javier TallónEpoche & Espri, S.L.Avda. de la Vega, 128108, Alcobendas,Madrid, Spain.eval@epoche.es 38

×