A paper is out: Impact Estimation using Data Flows over Attack Graphs

In October I presented a part of my work to measure the security of a network at the NordSec 2009 conference. You can find the paper here. Any feedback is welcome.

Abstract

We propose a novel approach to estimating the impact of an attack using a data model and an impact model on top of an attack graph. The data model describes how data flows between nodes in the network -- how it is copied and processed by softwares and hosts -- while the impact model models how exploitation of vulnerabilities affects the data flows with respect to the confidentiality, integrity and availability of the data. In addition, by assigning a loss value to a compromised data set, we can estimate the cost of a successful attack. We show that our algorithm not only subsumes the simple impact estimation used in the literature but also improves it by explicitly modeling loss value dependencies between network nodes. With our model, the operator will be able to use less time when comparing different security patches to a network.

Off to a new topic: JavaFX Script and bidirectional bindings

I did try JavaFX/F3 two years ago and what I liked at that time was the possibility to bind variables so that updates could be propagated back and forth (bidircetional) to GUIs without having to implement a lot of listeners and call functions. However, this does not seem to work as nicely anymore (Netbeans with JavaFX kit 1.7). Only unidirectional bindings seem to work. That means that developers still need to create function to handle updates. More on the subject of bidirectional bindings can be found here and here.

(Though, I suggested on the mailing list once that JavaFX should have different levels of access to variables in order to provide encapsulation that otherwise was missing, and that was actually added! I don't know if it was on my suggestion or from somebody else since nobody commented on my email, but I gladly accept the honor of introducing that mechanism to JavaFX :-). So everything is not that bad with JavaFX...).

Nevertheless, the binding does not work as it did. Although, there is a rather undocumented keyword "inverse" that in certain circumstances can be used to create a bidirectional binding. But, in order to get around the limitations of "inverse", I have come up with the solution shown below, that at least, provides a nice separation between the bidirectional updating from GUI to model and back again. The idea is to use a binding class that mediates the updates between a "StackEntry" and the GUI using the "replace" keyword.

import javafx.scene.control.TextBox;
import javafx.stage.Stage;
import javafx.scene.Scene;


class StackEntry {
 var title: String = "first" ;
 var notes: String = "";
}

class StackEntryBinding {
 var entry:StackEntry = null on replace {
         title = entry.title;
         notes = entry.notes;
     };

 var title: String = entry.title on replace {
         println("new title={title}");
         entry.title = title;
     };
 var notes: String = entry.notes on replace {
         println("new notes={notes}");
         entry.notes = notes;
     };


}

var entry = StackEntry {};
var currentEntry:StackEntryBinding = StackEntryBinding {
 entry: bind entry;
};

def foo = currentEntry;

def input = TextBox {
           text: bind foo.title with inverse;
}

println("textBox={input.text}");

currentEntry.title = "second";

println("textBox={input.text}");

foo.title = "third";

println("currentEntry.entry.title={currentEntry.entry.title}");

input.text="fourth";

println("foo.title={foo.title}");

entry = StackEntry {};

println("currentEntry.entry.title={currentEntry.entry.title}");
println("textBox={input.text}");

Stage {
 scene:Scene {
     content: input
 }

}

// The resulting output looks like this:

new title=first
new notes=
textBox=first
new title=second
textBox=second
new title=third
currentEntry.entry.title=third
new title=fourth
foo.title=fourth
new title=first
currentEntry.entry.title=first
textBox=first

Google Chrome uses BIBA security model

Google Chrome (see page 27) uses a modified version of the BIBA security model with three security levels.

A Fuzzy risk calculation approach as alternative to the CVSS computation

In my previous post I asked some questions about CVSSv2. The looking around for information about CVSS I stumbled over this paper: A Fuzzy Risk Calculations Approach for a Network Vulnerability Ranking System (TM 2007-090). The author describes a fully fuzzy systems approach for ranking vulnerabilities that also can rank networks. The approach is partly based on CVSSv1 and its performance is compared to CVSSv1. It would be interesting to adjust the approach to CVSSv2. One thing that is solved in the paper is that different combinations of input values should yield different output values. This seems to a problem in the CVSSv2, see here and here.

Making sense of the CVSS equations for risk analysis

I am considering to use the CVSS standard to get realistic input values to a real-time risk management model I am developing in a research project. This vulnerability scoring system is meant to be easy to use and understandable. However, I have been trying to make sense of the equations of CVSSv2 without much success. This is how the equation for the base score looks like:

BaseScore =
round_to_1_decimal(((0.6*Impact)+(0.4*Exploitability)–1.5)
*f(Impact))

Impact = 10.41*
(1-(1-ConfImpact)*(1-IntegImpact)*(1-AvailImpact))

Exploitability = 20 *
      AccessVector*AccessComplexity*Authentication

f(impact)= 0 if Impact=0, 1.176 otherwise

It is not clear at all why the equation looks like this. Especially the parts marked with bold. If we look at the old version (CVSSv1) it is much easier to understand:

BaseScore = round_to_1_decimal(10 * AccessVector
                  * AccessComplexity
                  * Authentication
                  * ((ConfImpact * ConfImpactBias)
                  + (IntegImpact * IntegImpactBias)
                  + (AvailImpact * AvailImpactBias)
        ))

As can be seen CVSSv1 is much more straight forward than CVSSv2. In CVSSv1 the different parts might be interpreted as probabilities or costs.

I have a lot of questions about CVSSv2 that I would like to ask:

• Most important: Can anybody tell me what the numerical values of ConfImpact, IntegImpact and AvailImpact mean? Are they probabilities, risk metrics of their own or anything else?
  
• Why are the impact values combined with a noisy-OR instead of just being added?
• Why are the values of the access vector, authentication and access complexity weighted and then added together with the impact instead of just being multiplied?
• Did the people behind CVSSv2 try to adjust the weights of the CVSSv1 to fit the requirements of CVSSv2 before changing to the new equation? If not, why?
• There is a lot of research in knowledge representation and elicitation, how has it influenced this work (if at all)?

Communicating risk using a logarithmic scale?

According to this post, our innate sense of numbers is logarithmic and not linear. This means that a choice between a risk of 100 or 200 is comparable to a choice between a risk of 200 or 400. Maybe we should consider this when communication risk? What do you think?

Back to the FAIR discussion

Previously I have tried to argue why FAIR is a valid approach. Now I think there is some research result that might be helpful to understand why FAIR works

Overcoming Bias: Average Your Guesses

In short, the article states that making two (many?) guesses is better than making one guess...

So if you have an approach (FAIR) that lets an expert make several informed guesses and combine them rigorously, then it is quite likely you will get a better estimation than only by making one single guess.