Information Technology Reference
In-Depth Information
hypotheses are advanced whenever needed, and secondly, provides any additional evidence. As in [8], we consider a hacking scenario as a combination of more generic and reusable fragments, which are described in advance without a priori knowledge of the whole hacking scenario being sought. Every scenario fragment is described by an optional set of hypotheses underlying the occurrence of the scenario fragment, a set of pre-conditions that must be satisfied, and a set of actions that achieve a sub-goal of the overall scenario objective. Hypotheses are included because investigation of sophisticated attack scenarios needs to be tolerant of a potential lack of data. This lack is caused by intruders who want to alter any trace that could prove their identity or activity.
As the combination of scenario fragments leads to the accumulation of hypotheses, care needs to be taken to avoid introducing inconsistencies. In fact, some hypotheses contradict each other and cannot arise in the same overall hacking scenario. Moreover, as hypotheses are described by a set of relations between variables and values, two hypotheses using the same variable with different values might make no sense if grouped together in a scenario.
Figure 1 shows a set of attack scenarios relating to an unauthorized modification of access accounts on a remote server. The attack can be achieved after: 1) exploiting a remote vulnerability that grants privileged access; 2) escalating one's privilege via a local vulnerability exploit; 3) logging in to the system from a trusted server. The node Log from a trusted server X is composed of a hypothesis stating that a trust relationship is established between servers S and X, a post-condition stating that the user Usr is logged in to the server X at that time, and an action asserting a telnet connection by the user to the server S.
[Figure 1 (diagram not reproduced). Node labels: unauthorized gain of root privilege on server "S"; remote exploit of vulnerability granting privileged access; privilege escalation through local vulnerability exploit; log from trusted server "X" (hyp: trust(X,S); pre-cond: maintain-access(Usr,X); action: telnet(Usr,S)); remote login by user impersonation; remote exploit of a vulnerability granting unprivileged access; unauthorized access gain to server "X"; stole user private key; sniff user password; brute-force user password; spoof user IP address.]
Fig. 1. Attack scenarios model
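The consistency concern described above can be made concrete with a small checker. This is an added example, not code from the paper: it models a fragment as hypotheses, pre-conditions and actions, chains fragments, and reports hypotheses that reuse a variable with a different value. The `Fragment` class, `combine` function, the second fragment and the evidence set are constructed for illustration; only the first fragment's contents come from Figure 1.

```python
from dataclasses import dataclass

@dataclass
class Fragment:
    name: str
    hypotheses: dict     # variable -> value assumed when evidence is missing
    preconditions: dict  # variable -> value that must hold before the actions
    actions: tuple       # actions achieving the fragment's sub-goal

def combine(fragments, evidence):
    """Chain fragments in order; return (accumulated hypotheses, problems)."""
    assumed, problems = {}, []
    for frag in fragments:
        # Assumption of this example: a pre-condition may be met by collected
        # evidence or by a hypothesis accumulated from an earlier fragment.
        for var, val in frag.preconditions.items():
            if evidence.get(var, assumed.get(var)) != val:
                problems.append(f"{frag.name}: pre-condition {var}={val} not satisfied")
        for var, val in frag.hypotheses.items():
            if var in evidence:
                if evidence[var] != val:
                    problems.append(f"{frag.name}: hypothesis {var}={val} contradicts evidence")
            elif var in assumed and assumed[var] != val:
                problems.append(f"{frag.name}: hypothesis {var}={val} conflicts with "
                                f"earlier {var}={assumed[var]}")
            else:
                assumed[var] = val
    return assumed, problems

# Node taken from Figure 1 of the page.
LOG_FROM_TRUSTED = Fragment(
    name="log from trusted server X",
    hypotheses={"trust(X,S)": True},
    preconditions={"maintain-access(Usr,X)": True},
    actions=("telnet(Usr,S)",),
)
# Constructed fragment (not from the page) reusing the same hypothesis variable.
NO_TRUST = Fragment(
    name="constructed fragment assuming no trust",
    hypotheses={"trust(X,S)": False},
    preconditions={},
    actions=("constructed-action",),
)
EVIDENCE = {"maintain-access(Usr,X)": True}  # constructed evidence set

if __name__ == "__main__":
    for chain in ([LOG_FROM_TRUSTED], [LOG_FROM_TRUSTED, NO_TRUST]):
        assumed, problems = combine(chain, EVIDENCE)
        print([f.name for f in chain], assumed, problems or "consistent")
```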
3 S-TLA: An Extension to the Temporal Logic of Actions
We present in the following a Temporal Logic of Security Actions, S-TLA, as an extension to the Temporal Logic of Actions, TLA. We emphasize only the newly introduced concepts with respect to TLA, as S-TLA embodies TLA and a TLA
 