Information Technology Reference
In-Depth Information
reachable(H, DNS, 53)
,
reachable(H, Mail, 25)
,
reachable(DNS, CS, all)
,
reachable(Mail, CS, all)
,and
reachable(CS, DBMS, all)
.
The attacker's goal is to gain root level privilege on server CS, and a user level
privilege on host DBMS. Figure 1 depicts two different attack paths that achieve
the attacker's goals in this system. In one attack path, the attacker first gains
root level privilege on the DNS server. Once inside the network, the attacker
gains appropriate privileges on hosts CS and DBMS. In the second attack path,
the attacker first gains root level privilege on the Sendmail server instead of the
DNS server.
3 Noninterfering Rules
We first consider a class of rules (which we call noninterfering rules) that can
never interfere with an attacker's goal of performing a successful attack. While
these rules can provide the attacker with new capabilities that assist him in his
goal, they can never restrict the set of goal states that he can reach. This means
that an attacker can invoke such rules freely (whenever they are applicable)
without worrying about the order in which he invokes them, and he never needs
to backtrack in order to reach his goal.
Definition 4.
Let
T
=(
A,∆,s
0
,S
G
)
be a
state transition rule system
.Wesay
that a rule
δ
(
A, B, C, D
)
∈ ∆
is a
noninterfering rule
in
T
if:
-
For al l
c ∈ C
and for all rules
δ
(
A
,B
,C
,D
)
∈ ∆
,
c ∈B
.
=
δ
(
A, B, C, D
)
∈ ∆
,
d ∈A
.
-
For al l
d ∈ D
,
d
is not a member of any minimal goal state in
S
G
.
We call a set of noninterfering rules a
noninterfering ruleset
.
-
For al l
d ∈ D
and for all rules
δ
(
A
,B
,C
,D
)
=
δ
(
A, B, C, D
)
Proposition 3.
Let
δ ∈ ∆
be a noninterfering rule in system
T
and let
s, t
be
states such that
(
s, t
)
∈ δ
. Then, for every goal state
s
g
that is reachable from
s
,
there exists a dominating goal state
t
g
≥ s
g
that is reachable from
t
.
Figure 2 presents an algorithm for constructing the set of noninterfering
rules of a state transition rule-system. The complexity of
computeNRS()
is
O
(
2
.|∆|
). Figure 3 presents an algorithm for extending a state
transition sequence using only noninterfering rules.
findMaximal()
takesasar-
guments a partial attack path
seq
(in reverse order, so
s
0
is the last element of
the state sequence
seq
), and a noninterfering ruleset
∆
.Itusestherulesin
∆
to
extend
seq
until the path cannot be extended further, and it returns the resulting
path (again in reverse order). The complexity of
findMaximal()
is
O
(
|A|
+
|A|.|S
M
|
|∆|
2
.|A|
2
).
Proposition 4.
If
T
=(
A,∆,s
0
,S
G
)
has a goal state that is reachable from
s
0
,andif
∆
is a noninterfering ruleset in
T
, then findMaximal
(
s
0
,∆
)
is a
successful attack path in
T
.
s
0
,∆
) is not a goal state,
then
T
is secure, i.e., no goal state is reachable from
s
0
.
In particular, if the first state in
findMaximal
(
