Practical Experimentation as a Tool for Vulnerability Analysis and Security Evaluation
Doctoral thesis, 1995
The first part of this thesis describes the results of applying dependability methods to the security area. A uniform taxonomy for security, intended to cover all of its characteristic attributes, is presented. This taxonomy should increase the understanding of security issues. Together with the comparative analysis of security and traditional dependability issues, it should serve as a unified framework and facilitate the development of common solutions to problems shared by both areas.
A first attempt at a new method for assessing operational security is described. In this method, data are collected from controlled intrusion experiments, which should make it possible to estimate how much effort a typical user must spend to break into a system. The basic assumption is that the more effort is needed to break into a system, the more secure the system is. Effort is composed of many different parameters, such as CPU time, working time and resources used. The method aims at obtaining real measures of how secure a particular system is, such as "mean effort to breach". The experiments were done on a Unix system, and all breaches are classified into categories according to the kind of security flaw that was exploited. A detailed discussion of the underlying functionality and nature of all flaws is presented.
A hypothesis describing the different phases of the attacking process is given. The hypothesis suggests that the attacking process can be split into three phases: the learning phase, the standard attack phase and the innovative attack phase. Most of the expended effort could be attributed to the standard attack phase, where the times between breaches seem to be exponentially distributed, which means that traditional methods for reliability modelling of component failures could be applicable.
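The two paragraphs above describe collecting effort data from intrusion experiments and fitting an exponential model to the inter-breach times of the standard attack phase. The following is an added example, written for this page and not code or data from the thesis, showing how such a data set would be reduced to a "mean effort to breach" estimate with a goodness-of-fit check and a per-flaw-class breakdown. The breach log, the flaw-class labels and the choice of the first breach as the end of the learning phase are all assumptions made for illustration; effort is measured here in working hours only, whereas the thesis combines several effort parameters.

```python
"""Added example: estimating mean effort to breach from a constructed intrusion log."""
import math
from collections import defaultdict
from typing import Dict, List, Sequence, Tuple

# Constructed experiment log (invented values, not data from the thesis):
# (cumulative attacker working time in hours when a breach was recorded,
#  class of flaw exploited).  The class labels are placeholders, not the
# thesis's own flaw taxonomy.
BREACH_LOG: List[Tuple[float, str]] = [
    (4.0, "configuration"), (6.0, "implementation"), (7.0, "configuration"),
    (10.0, "implementation"), (12.0, "design"), (16.0, "configuration"),
    (17.0, "implementation"), (21.0, "design"), (22.0, "configuration"),
    (30.0, "implementation"),
]


def learning_phase_end(log: Sequence[Tuple[float, str]]) -> float:
    """Assumption: the learning phase ends at the first recorded breach."""
    return min(t for t, _ in log)


def standard_phase_efforts(log: Sequence[Tuple[float, str]], phase_start: float) -> List[float]:
    """Efforts (hours) between successive breaches recorded after phase_start."""
    times = sorted(t for t, _ in log if t > phase_start)
    prev, efforts = phase_start, []
    for t in times:
        efforts.append(t - prev)
        prev = t
    return efforts


def mle_breach_rate(efforts: Sequence[float]) -> float:
    """Maximum-likelihood rate of an exponential model: n / sum of efforts."""
    if not efforts:
        raise ValueError("no breaches in the standard attack phase")
    return len(efforts) / sum(efforts)


def mean_effort_to_breach(efforts: Sequence[float]) -> float:
    """MTTB is the reciprocal of the fitted breach rate (the sample mean)."""
    return 1.0 / mle_breach_rate(efforts)


def ks_statistic_exponential(efforts: Sequence[float], rate: float) -> float:
    """Two-sided Kolmogorov-Smirnov distance between the empirical CDF of the
    efforts and an exponential CDF with the given rate."""
    xs = sorted(efforts)
    n = len(xs)
    d = 0.0
    for i, x in enumerate(xs, start=1):
        f = 1.0 - math.exp(-rate * x)
        d = max(d, i / n - f, f - (i - 1) / n)
    return d


def ks_critical_value(n: int, alpha: float = 0.05) -> float:
    """Large-sample critical value for the two-sided KS test.  Caveat: the rate
    was estimated from the same data, so this threshold is optimistic; the
    Lilliefors correction would be stricter."""
    coefficient = {0.10: 1.22, 0.05: 1.36, 0.01: 1.63}[alpha]
    return coefficient / math.sqrt(n)


def mean_effort_by_flaw_class(log: Sequence[Tuple[float, str]], phase_start: float) -> Dict[str, float]:
    """Attribute each inter-breach effort to the flaw class of the breach that
    ended it, and average per class."""
    entries = sorted((t, c) for t, c in log if t > phase_start)
    per_class: Dict[str, List[float]] = defaultdict(list)
    prev = phase_start
    for t, flaw_class in entries:
        per_class[flaw_class].append(t - prev)
        prev = t
    return {c: sum(v) / len(v) for c, v in per_class.items()}


def summarise(log: Sequence[Tuple[float, str]]) -> Dict[str, float]:
    start = learning_phase_end(log)
    efforts = standard_phase_efforts(log, start)
    rate = mle_breach_rate(efforts)
    return {
        "learning_phase_hours": start,
        "breaches_in_standard_phase": len(efforts),
        "breach_rate_per_hour": rate,
        "mean_effort_to_breach_hours": mean_effort_to_breach(efforts),
        "ks_statistic": ks_statistic_exponential(efforts, rate),
        "ks_critical_5pct": ks_critical_value(len(efforts)),
    }


if __name__ == "__main__":
    for key, value in summarise(BREACH_LOG).items():
        print(f"{key:28s} {value:.4f}")
    for flaw_class, mean in mean_effort_by_flaw_class(BREACH_LOG, learning_phase_end(BREACH_LOG)).items():
        print(f"mean effort, {flaw_class:14s} {mean:.2f} h")
```

The KS comparison is the check a practitioner would want before applying the reliability-style modelling the paragraph mentions: if the statistic exceeds the critical value, the exponential (memoryless) assumption for the standard attack phase is not supported by the data and MTTB alone is a poor summary of the experiment.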
Finally, two vulnerability analyses of different types and with different target systems are presented. The first analysis concerned a networked personal computer system attacked by ordinary users. This experiment investigates how, and to what extent, unevenly distributed security features, such as a "secure" file server with untrusted clients, affect overall system security. Since this was an experiment and not a real-life situation, we took the opportunity to collect information about how the attacking process was carried out. The second analysis concerned a beta release of a security-enhanced database system composed of secure components, and the analysis was carried out by skilled personnel, similar to a so-called "tiger team". Although the developers believed the system to be very secure, the analysis revealed many problems. The design work was analyzed, all problems were classified according to their cause, and a detailed analysis was presented of how and why the design was inadequate. The analysis also highlights problems and pitfalls detected in the design of secure systems.