Measuring Software Security Using SAN Models

In the Name of Allah
Sharif University of Technology
Data and Network Security Lab. (DNSL)
Sadegh Dorri Nogoorani, Mohammad Ali Hadavi, Rasool Jalili
Data and Network Security Lab, Dept. of Computer Engineering
Sharif University of Technology, Tehran, I.R. IRAN
http://ce.sharif.edu/~dorri
The 9th International ISC Conference on Information Security & Cryptology (ISCISC 2012)

Formal Software Security Measurement

Formal Verification
  - Proving properties (safety, liveness)
  - Measuring metrics (our approach)
Challenges
  - Very complicated and time-consuming
  - A must for mission critical systems
  - Verification through high level models
Tools in the Literature
  - Colored and aspect-oriented Petri nets
  - Discrete-time Markov chains
  - Queuing models
  - Our Paper: Stochastic Activity Networks
Measurement of Software Security, S. Dorri Nogoorani, M.A. Hadavi, R. Jalili
14 Sep. 2012

Outline

Background
  - Stochastic Activity Networks
Our General Attack Model
  - The semi-Markov model
  - Metrics
  - Measurement
Case Study
Conclusions

Background

SANs

Stochastic Activity Networks (SANs) - Since 1984
  - Probabilistic extensions of activity networks
  - Stochastic generalization of Petri nets
Timing of Activities
  - Not restricted to be exponential
  - Exponential, deterministic, normal, uniform
  - Programmable cases
Automatic Tools
  - Easy graphical modeling
  - Möbius tool

Our General Attack Model

The Attack Model

Semi-Markov Attack Model
  - States: privilege levels (secure, insecure, compromised)
  - Transitions: exploit, recover, cancel

Example: Password Compromise

Security Metrics

Metrics
  - Probability of Attack Success (PAS) – Probability
  - System Misuse Proportion (SMP) – Proportion
  - Mean Time to First Breach (MTFB) – Time
Measurement
  - The attack model is transformed to SAN models
  - PAS-SAN, SMP-SAN, MTFB-SAN

Case Study

Measuring SMP

SMP (System Misuse Proportion)
  - Steady-state prob. of being in a compromised state
SMP-SAN
  - Places
  - Transitions

Measuring MTFB

MTFB (Mean Time to First Breach)
  - Average time until (transient) the attacker (token) reaches a compromised state
MTFB-SAN
  - One trapping compromised state

Measuring PAS

PAS (Probability of Attack Success)
  - The no. of successful attacks / all attacks
  - Transient
PAS-SAN
  - Recovery = Attack failed state

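Added example (not part of the original slides or the authors' Möbius models): a Monte Carlo estimate of the three metrics defined above (SMP, MTFB, PAS) on a three-state semi-Markov attack model. The delay distributions and their parameters are constructed for illustration, and treating "cancel" as the attack-failed outcome for PAS is an assumption of this example.

```python
import random

# Constructed model (hours): state -> [(activity, next_state, delay sampler)].
# The distributions and parameters are illustrative, not the talk's values.
MODEL = {
    "secure": [("exploit", "insecure", lambda r: r.expovariate(1 / 200))],
    "insecure": [("exploit", "compromised", lambda r: r.uniform(0, 48)),
                 ("cancel", "secure", lambda r: r.expovariate(1 / 24))],
    "compromised": [("recover", "secure", lambda r: r.uniform(0, 72))],
}

def step(state, rng):
    """Race the activities enabled in `state`; the earliest one fires.
    Clocks are resampled on every state entry, which keeps it semi-Markov."""
    return min(((draw(rng), nxt) for _, nxt, draw in MODEL[state]),
               key=lambda pair: pair[0])

def smp(horizon, rng):
    """System Misuse Proportion: long-run share of time spent compromised."""
    state, elapsed, misused = "secure", 0.0, 0.0
    while elapsed < horizon:
        delay, nxt = step(state, rng)
        if state == "compromised":
            misused += delay
        elapsed += delay
        state = nxt
    return misused / elapsed

def mtfb(runs, rng):
    """Mean Time to First Breach: 'compromised' is trapping, so each run
    stops at the first entry and the times from 'secure' are averaged."""
    total = 0.0
    for _ in range(runs):
        state = "secure"
        while state != "compromised":
            delay, state = step(state, rng)
            total += delay
    return total / runs

def pas(runs, rng):
    """Probability of Attack Success: an attack starts on entering 'insecure'
    and fails if 'cancel' fires before the second exploit completes."""
    wins = sum(step("insecure", rng)[1] == "compromised" for _ in range(runs))
    return wins / runs

if __name__ == "__main__":
    rng = random.Random(2012)
    print(f"PAS  = {pas(20000, rng):.3f}")
    print(f"MTFB = {mtfb(20000, rng):.0f} h")
    print(f"SMP  = {smp(2_000_000, rng):.4f}")
```

For these constructed parameters the closed-form values are PAS = (1 - e^-2)/2, MTFB = (mean secure sojourn + mean insecure sojourn) / PAS, and SMP = 36 / (MTFB + 36), which the estimates approach as the run count grows.
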
Case Study Results

Transition Times (Hours)
(dependent on Password Change)
Uniform dist.: Increasing Failure Rate (IFR)

PAS (Prob. Attack Succ.)

SMP (Sys. Misuse Proportion)

MTFB (Mean Time to First Breach)
(about a year)

Conclusions and Future Work

Quantitative Analysis
  - More reliable and tangible than traditional subjective qualitative evaluations
Our Contribution
  - Semi-Markov attack model
  - Can incl. prevention and recovery mechanisms
  - Can account for adversary skill level, auditing level
  - Automatic measurement using Möbius
Future Work
  - Other case studies
  - One universal SAN model for all metrics
  - Analytically solve the SAN models

Thanks!
My Homepage: http://ce.sharif.edu/~dorri