Platform
One of our goals for this work was to augment an existing tool in order to leverage preexisting risk analysis capabilities. MulVAL is used as the platform because it is open source, scales well (O(n2)) with the size of the network, and the underlying reasoning engine is extendable by allowing users to introduce custom interaction rules.
MulVal reads a file with custom interaction rules and a file describing the scenario. The custom interaction rules enable extensible scenario specification. The scenario file models the network using primitives (unit clauses) to introduce facts, e.g., specify available services, known vulnerabilities, user accounts, access on a system, and identifying nodes as web servers, network file servers, etc. The standard and custom interaction rule sets specify how knowledge is derived from known facts.
Figure 4 shows a simple interaction rule that states that if a principal’s account on Host is compromised (e.g., through stolen credentials) and Host is accessible (e.g., through the network and a listening login service), an attacker may execute code on Host with the permission levels of the principal’s account. MulVAL generates the attack graph showing the primitive and derived facts leading to the attack goal.
1 execCode(Host, Perm) :- 2 principalCompromised(Victim), 3 hasAccount(Victim, Host, Perm), 4 canAccessHost(Host).
Figure 4 An execCode interaction rule
There were three major steps to generate attack graphs for network layer vulnerabilities: (1) develop MulVAL custom interaction rules to represent route hijacking, (2) incorporate the elements (e.g., node routes, attacker proximity, routing protocol used, traffic type) that are required to determine the success or failure of hijacking attacks, and (3) improve usability by automating the attack graph generation process.
The scenario in Figure 5 was the basis for the MulVAL rule development step. In this scenario, all nodes are gateways using OLSR for dynamic routing and the attacker is conducting an IP address spoofing attack (masquerading as the ftp server node) in order to hijack traffic from the ftp client.
Figure 5 Route Hijack Scenario