Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way

1. Vulnerability Analysis Taxonomy Achieving completeness in a systematic way Javier Tallón Guerri 10ICCC - Norway

2. 1.Vulnerability Analysis according to CEM 2.Pieces for a correct vulnerability analysis 1.Attack Patterns 2.Systematic and repeatable methodology 3.Example 4.Lessons learned 2

4. 1. Vulnerability Analysis according to CEM The evaluator vulnerability analysis is to determine that the TOE is resistant to penetration attacks performed by an attacker possessing a Basic (for AVA_VAN.1 and AVA_VAN.2), Enhanced- Basic (for AVA_VAN.3), Moderate (for AVA_VAN.4) or High (for AVA_VAN.5) attack potential. Independent vulnerability analysis should consider generic potential vulnerabilities under each of the following headings • Bypassing • Tampering • Direct attacks • Monitoring • Misuse 4

5. 1. Vulnerability Analisys according to CEM Due to the generic nature of the Common Criteria, this classification is too abstract and does not help to achieve the required completeness to the evaluator’s work. CEM classification is useless by itself 5

6. 1. Vulnerability Analisys according to CEM From AVA_VAN.4, vulnerability analysis should be METHODICAL: “This method requires the evaluator to specify the structure and form the analysis will take” CEM ask for a methodical analysis but does not provide any method. Every method would be acceptable 6

7. 1. Vulnerability Analisys according to CEM Very generic + = Poor vulnerability Undefined Vulnerability classification methodology Analisys 7

9. 2. Pieces for a correct Vulnerability Analysis Here is the question… How to achieve completeness in a systematic way? We will focus in software assessment 9

11. 2.1 Attack Patterns Vs Very generic vulnerability Attack Patterns classification Thinking like bad guys 11

12. 2.1 Attack Patterns Attack Pattern: an attack pattern describes the approach used by attackers to generate an exploit against software. For example: MITRE provides CAPEC (Common Attack Pattern Enumeration and Classification) 12

13. 2.1 Attack Patterns 13

14. 2.1 Attack Patterns CAPEC provides a free collection of attack patterns CAPEC is not the panacea Each lab should manage its own attack pattern collection 14

15. 2.1 Attack Patterns Lab Street Know How work Attack Patterns 15

17. 2.2 Systematic and Repeatable Methodology Systematic and Undefined Methodology Vs Repeatable Methodology 17

18. ADV_ARC AGD ASE_SPD ALC ATE ADV_TDS Misuse Deliv. Vuln. Malfunction Attack Path Vulnerability scanners Forensic analysis Disassemblers Debuggers Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Systematic and + Bespoke Lab Tools + Lab Know How = Repeatable Methodology

19. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda 19

21. 2.2 Systematic and Repeatable Methodology ASE ADV AGD ATE ALC AVA 21

22. 2.2 Systematic and Repeatable Methodology AGD ALC ATE ADV_ARC ASE_SPD ADV_TDS Misuse Deliv. Vuln. Malfunction Attack Flow Vulnerability Analysis method 22

24. 2.2 Systematic and Repeatable Methodology “Forensic analysis” techniques Debuggers Lab T&T Disassemblers Vulnerability scanners 24

26. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Bespoke Lab + Lab Tools + Know How 26

27. 2.2 Systematic and Repeatable Methodology Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Bespoke Lab + Lab Tools + Know How 27

28. ADV_ARC AGD ASE_SPD ALC ATE ADV_TDS Misuse Deliv. Vuln. Malfunction Attack Path Vulnerability scanners Forensic analysis Disassemblers Debuggers Attack Patterns x Vulnerability Analysis method x Lab T&T Penetration testing agenda Systematic and + Bespoke Lab Tools + Lab Know How = Repeatable Methodology

30. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database Module 30

31. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database Module Sniffing Attacks Man in the Middle Denial of Service through Resource Depletion 31

32. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database Module Detect Unpublicized Web Services Web Services Protocol Manipulation 32

33. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database Module XML Routing Detour Attacks Oversized Payloads Sent to XML Parsers XEE (XML Entity Expansion) XML Ping of Death XML Schema Poisoning XML Attribute Blowup XML Injection Recursive Payloads Sent to XML Parsers 33

34. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database Module Authentication Bypass Password Brute Forcing Authentication Abuse Try Common (default) Usernames and Passwords Reflection Attack in Authentication Protocol Exploitation of Session Variables, Resource IDs and other Dictionary-based Password Attack Trusted Credentials 34

35. 3. Example TOE Auth Database SQL Access SQL XML Web XML Resource Network Control Service Parser Database Module SQL Injection Blind SQL Injection 35

37. 4. Lessons learned Motivation Creativity + = Systematic and Wonderful Attack Patterns Repeatable Vulnerability Methodology Analysis 37

38. Thanks for your attention! Javier Tallón Epoche & Espri, S.L. Avda. de la Vega, 1 28108, Alcobendas, Madrid, Spain. eval@epoche.es 38

Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way

Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way

Recommended

More Related Content

What's hot

What's hot(7)

Similar to Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way

Similar to Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way (11)

More from Javier Tallón

More from Javier Tallón(20)

Recently uploaded

Recently uploaded(20)

Vulnerability Analysis Taxonomy Achieving Completeness In A Systematic Way