Automating Security Mediation Placement

King, Dave; Jha, Susmit; Muthukumaran, Divya; Jaeger, Trent; Jha, Somesh; Seshia, Sanjit A.

doi:10.1007/978-3-642-11957-6_18

Cited by 13 publications

(17 citation statements)

References 28 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Given available security policies, we claim that building system-wide infor- mation flow problems can be largely automated, resulting a similar effort as configuring information flow problems for single entities (programs or MAC policies). We design an automated method to produce mediator placements from such problems that is an extension of the basic graph cut idea [37,19] to address general lattices and constrained mediators.…”

Section: Designmentioning

confidence: 99%

“…Researchers had the insight that placing a mediator to resolve information flow errors for a lattice policy containing two levels li and lj is tantamount to generating an edge cut 4 of the data flow graph with the nodes mapped to li as the sources and the nodes mapped to lj as the sinks [37,19]. This property is called Cut-Mediation Equivalence.…”

Section: Computing Minimal Mediationmentioning

confidence: 99%

“…In the context of security lattices, researchers previously suggested a simple greedy solution to the problem that returns the union of the solutions for each individual cut problem [19].…”

Section: Computing Minimal Mediationmentioning

confidence: 99%

“…Our goal is to use the system's available security policies to produce a system-wide policy with the minimal mediation necessary to resolve the system's information flow errors as defined in Definition 2.1. We are motivated by prior work that demonstrated that a placement of mediators that resolves all information flow errors is equivalent to a cut of error paths in the data flow graph [37,19]. However, to make this idea practical, we explore how to produce an information flow policy for the example web application that resolves its local and remote threats.…”

mentioning

confidence: 99%

See 3 more Smart Citations

Transforming commodity security policies to enforce Clark-Wilson integrity

Muthukumaran

Rueda

Talele

et al. 2012

Proceedings of the 28th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

Modern distributed systems are composed from several offthe-shelf components, including operating systems, virtualization infrastructure, and application packages, upon which some custom application software (e.g., web application) is often deployed. While several commodity systems now include mandatory access control (MAC) enforcement to protect the individual components, the complexity of such MAC policies and the myriad of possible interactions among individual hosts in distributed systems makes it difficult to identify the attack paths available to adversaries. As a result, security practitioners react to vulnerabilities as adversaries uncover them, rather than proactively protecting the system's data integrity. In this paper, we develop a mostly-automated method to transform a set of commodity MAC policies into a system-wide policy that proactively protects system integrity, approximating the Clark-Wilson integrity model. The method uses the insights from the Clark-Wilson model, which requires integrity verification of security-critical data and mediation at program entrypoints, to extend existing MAC policies with the proactive mediation necessary to protect system integrity. We demonstrate the practicality of producing Clark-Wilson policies for distributed systems on a web application running on virtualized Ubuntu SELinux hosts, where our method finds: (1) that only 27 additional entrypoint mediators are sufficient to mediate the threats of remote adversaries over the entire distributed system and (2) and only 20 additional local threats require mediation to approximate Clark-Wilson integrity comprehensively. As a result, available security policies can be used as a foundation for proactive integrity protection from both local and remote threats.

show abstract

Section: Designmentioning

confidence: 99%

Section: Computing Minimal Mediationmentioning

confidence: 99%

“…In the context of security lattices, researchers previously suggested a simple greedy solution to the problem that returns the union of the solutions for each individual cut problem [19].…”

Section: Computing Minimal Mediationmentioning

confidence: 99%

mentioning

confidence: 99%

See 2 more Smart Citations

Transforming commodity security policies to enforce Clark-Wilson integrity

Muthukumaran

Rueda

Talele

et al. 2012

Proceedings of the 28th Annual Computer Security Applications Conference

Self Cite

View full text Add to dashboard Cite

show abstract

“…However, building either attack trees or attack graphs currently requires knowledge about the likely vulnerabilities on individual hosts, which may be incomplete (i.e., previously-unknown vulnerabilities may be missed) and brittle (i.e., vulnerabilities may be patched). Alternatively, researchers have developed methods to place security monitoring to block or limit adversary access to prevent attacks based on classical problems [27,30,17]. These methods focus on only one layer of the system, such as the network, a single host, or a single program because the size of the graphs becomes prohibitive.…”

Section: Introductionmentioning

confidence: 99%

Monitor placement for large-scale systems

Talele

Teutsch

Erbacher

et al. 2014

Proceedings of the 19th ACM Symposium on Access Control Models and Technologies

Self Cite

View full text Add to dashboard Cite

System administrators employ network monitors, such as traffic analyzers, network intrusion prevention systems, and firewalls, to protect the network's hosts from remote adversaries. The problem is that vulnerabilities are caused primarily by errors in the host software and/or configuration, but modern hosts are too complex for system administrators to understand, limiting monitoring to known attacks. Researchers have proposed automated methods to compute network monitor placements, but these methods also fail to model attack paths within hosts and/or fail to scale beyond tens of hosts. In this paper, we propose a method to compute network monitor placements that leverages commonality in available access control policies across hosts to compute network monitor placement for large-scale systems. We introduce an equivalence property, called flow equivalence, which reduces the size of the placement problem to be proportional to the number of unique host configurations. This process enables us to solve mediation placement problems for thousands of hosts with access control policies containing of thousands of rules in seconds (less than 125 for a network of 9500 hosts). Our method enables administrators to place network monitors in large-scale networks automatically, leveraging the actual host configuration, to detect and prevent network-borne threats.

show abstract

Designing for Attack Surfaces: Keep Your Friends Close, but Your Enemies Closer

Jaeger

Muthukumaran

et al. 2015

Security, Privacy, and Applied Cryptography Engineering

Self Cite

View full text Add to dashboard Cite

Abstract.It is no surprise to say that attackers have the upper hand on security practitioners today when it comes to host security. There are several causes for this problem ranging from unsafe programming languages to the complexity of modern systems at large, but fundamentally, all of the parties involved in constructing and deploying systems lack a methodology for reasoning about the security impact of their design decisions. Previous position papers have focused on identifying particular parties as being "enemies" of security (e.g., users and application developers), and proposed removing their ability to make securityrelevant decisions. In this position paper, we take this approach a step further by "keeping the enemies closer," whereby the security ramifications of design and deployment decisions of all parties must be evaluated to determine if they violate security requirements or are inconsistent with other party's assumptions. We propose a methodology whereby application developers, OS distributors, and system administrators propose, evaluate, repair, and test their artifacts to provide a defensible attack surface, the set of entry points available to an attacker. We propose the use of a hierarchical state machine (HSM) model as a foundation for automatically evaluating attack surfaces for programs, OS access control policies, and network policies. We examine how the methodology tasks can be expressed as problems in the HSM model for each artifact, motivating the possibility of a comprehensive, coherent, and mostly-automated methodology for deploying systems to manage accessibility to attackers.

show abstract

Automating Security Mediation Placement

Cited by 13 publications

References 28 publications

Transforming commodity security policies to enforce Clark-Wilson integrity

Transforming commodity security policies to enforce Clark-Wilson integrity

Monitor placement for large-scale systems

Designing for Attack Surfaces: Keep Your Friends Close, but Your Enemies Closer

Contact Info

Product

Resources

About