NCSA hosts network security talk

released July 14, 2005

NCSA will host a talk by Princeton's Xinming Ou at 10 a.m. Friday (July 22) in Room 3405 at the Siebel Center. His talk will discuss "MulVAL: A logic-based network security analyzer."

Abstract: An important process in network security management is to analyze the configuration of network elements and machines to discover potential attack paths. To automate this analysis process, two problems must be addressed. First, with thousands of new software vulnerabilities being reported every year, how can one build a formal model that can reason about the vast majority of those software security bugs? Second, with enterprise networks becoming larger and more complex, how can one design an analysis mechanism that scales to networks with thousands of hosts?

We show how to achieve this automation by presenting MulVAL, a logic-based network security analyzer that can reason about potential multihost, multistage attacks in a network. MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.). The reasoning rules derive the exploit semantics of software security bugs from existing vulnerability databases. We also leverage existing network and machine scanning tools by expressing their output in Datalog and feeding it to the MulVAL reasoning engine. Once all the information is collected, the analysis can be performed in seconds for networks with thousands of hosts.

We implemented our framework on the Red Hat Linux platform. Our framework can reason about 84% of the Red Hat bugs reported in OVAL, a formal vulnerability definition language. We tested our tool on a real network with hundreds of users. The tool detected a potential attack path caused by software vulnerabilities and the system administrators took remediation measures.
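To make the Datalog-style reasoning the abstract describes concrete, here is an added illustration that is not MulVAL's own code or rule set: a minimal bottom-up Datalog evaluator in Python, run over constructed network facts of the kind a scanner or configuration export would contribute. The predicate names and rule shapes are modelled loosely on those in the MulVAL paper but are simplified assumptions; the hosts, reachability (hacl) facts and vulnerability identifiers are constructed placeholders, not real systems or CVEs. The engine derives which hosts the attacker can execute code on and replays the derivation as a multihost, multistage attack path.

```python
"""Toy Datalog-style attack-path reasoner in the spirit of MulVAL.

Added example, not MulVAL's code. Rule shapes are assumptions modelled
loosely on the MulVAL paper; the network and vuln IDs are constructed.
"""


def is_var(term):
    """Rule variables are capitalised strings; '_' is an anonymous wildcard."""
    return isinstance(term, str) and term[:1].isupper()


def unify(atom, fact, env):
    """Match one rule atom against one ground fact under bindings `env`.
    Returns the extended bindings, or None if the atom does not match."""
    if atom[0] != fact[0] or len(atom) != len(fact):
        return None
    env = dict(env)
    for term, value in zip(atom[1:], fact[1:]):
        if term == "_":
            continue
        if is_var(term):
            if env.get(term, value) != value:
                return None
            env[term] = value
        elif term != value:
            return None
    return env


def evaluate(facts, rules):
    """Naive bottom-up (fixed-point) Datalog evaluation.
    Returns the derived database and, per derived fact, the rule name and
    supporting facts that first produced it (the provenance for attack paths)."""
    db, why, changed = set(facts), {}, True
    while changed:
        changed = False
        for name, head, body in rules:
            candidates = [({}, [])]  # (bindings, facts matched so far)
            for atom in body:
                candidates = [(new_env, used + [fact])
                              for env, used in candidates for fact in db
                              if (new_env := unify(atom, fact, env)) is not None]
            for env, used in candidates:
                derived = (head[0],) + tuple(env[t] if is_var(t) else t for t in head[1:])
                if derived not in db:
                    db.add(derived)
                    why[derived] = (name, used)
                    changed = True
    return db, why


def explain(fact, why, seen=None):
    """Walk provenance back to base facts; returns (fact, rule) steps in order."""
    seen = set() if seen is None else seen
    if fact in seen or fact not in why:
        return []
    seen.add(fact)
    rule, used = why[fact]
    steps = []
    for supporting in used:
        steps += explain(supporting, why, seen)
    return steps + [(fact, rule)]


def fmt(fact):
    return f"{fact[0]}({', '.join(str(a) for a in fact[1:])})"


# Assumed rule set (simplified; not MulVAL's actual rules).
RULES = [
    ("attacker zone reaches host directly",
     ("netAccess", "H", "Prot", "Port"),
     [("attackerLocated", "Zone"), ("hacl", "Zone", "H", "Prot", "Port")]),
    ("compromised host reaches another host",
     ("netAccess", "H2", "Prot", "Port"),
     [("execCode", "H1", "_"), ("hacl", "H1", "H2", "Prot", "Port")]),
    ("remote exploit of a reachable vulnerable service",
     ("execCode", "H", "Perm"),
     [("vulExists", "H", "_", "Prog", "remoteExploit", "privEscalation"),
      ("networkServiceInfo", "H", "Prog", "Prot", "Port", "Perm"),
      ("netAccess", "H", "Prot", "Port")]),
    ("local privilege escalation",
     ("execCode", "H", "root"),
     [("execCode", "H", "_"),
      ("vulExists", "H", "_", "_", "localExploit", "privEscalation")]),
]

# Constructed input facts (what scanner/config output would be translated into).
FACTS = [
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webServer", "tcp", 80),          # hacl(Src, Dst, Prot, Port)
    ("hacl", "webServer", "fileServer", "rpc", 100005),
    ("hacl", "fileServer", "dbServer", "tcp", 5432),
    ("networkServiceInfo", "webServer", "httpd", "tcp", 80, "apache"),   # (..., RunsAs)
    ("networkServiceInfo", "fileServer", "mountd", "rpc", 100005, "root"),
    ("networkServiceInfo", "dbServer", "postgres", "tcp", 5432, "postgres"),
    # vulExists(Host, ID, Program, Range, Consequence); IDs are placeholders, not CVEs
    ("vulExists", "webServer", "vuln-httpd-example", "httpd", "remoteExploit", "privEscalation"),
    ("vulExists", "webServer", "vuln-kernel-example", "kernel", "localExploit", "privEscalation"),
    ("vulExists", "fileServer", "vuln-mountd-example", "mountd", "remoteExploit", "privEscalation"),
]


def analyze(facts=FACTS, rules=RULES):
    return evaluate(facts, rules)


def attack_path(goal, facts=FACTS, rules=RULES):
    """Derivation steps leading to the ground fact `goal`, or [] if not derivable."""
    db, why = evaluate(facts, rules)
    return explain(goal, why) if goal in db else []


if __name__ == "__main__":
    db, _ = analyze()
    for host in ("webServer", "fileServer", "dbServer"):
        hits = sorted(f for f in db if f[0] == "execCode" and f[1] == host)
        print(host, "->", [fmt(f) for f in hits] or "no code execution derived")
    print("\nAttack path to root on fileServer:")
    for fact, rule in attack_path(("execCode", "fileServer", "root")):
        print(f"  {fmt(fact):45s} via: {rule}")
```

On this input the engine derives root on fileServer only because the attacker first gains apache-level code execution on webServer, which the second rule then treats as a new vantage point for reaching the RPC service; dbServer becomes reachable but no code execution is derived for it because no vulnerability fact exists. Real MulVAL does this with an actual Datalog engine and rules covering far more predicates (file access, privilege models, and so on); the point here is only the shape of the computation: facts from scanners plus generic rules, evaluated to a fixed point.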
