Tuesday, September 2, 2008

Google Chrome uses the Biba security model

Google Chrome (see page 27) uses a modified version of the Biba integrity model with three security levels.
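To make the model concrete, here is an added illustration of the two classic Biba rules (no read down, no write up) over a three-level lattice. This is not Chrome's code and does not reproduce Chrome's modifications; the level names low/medium/high and the sample requests are assumptions made for the example.

```python
# Added illustration of classic Biba integrity rules with three levels.
# Not Chrome's code; the level names (low/medium/high) are an assumption
# borrowed from the usual three-level integrity lattice, and the requests
# below are constructed.

LEVELS = {"low": 0, "medium": 1, "high": 2}  # assumed three-level lattice


def biba_allows(subject_level: str, object_level: str, op: str) -> bool:
    """Return True if strict Biba permits `op` ("read" or "write").

    Simple integrity property: no read down (a subject may not read a less
    trusted object, because its input could be tainted).
    *-integrity property: no write up (a subject may not write a more
    trusted object, because it could corrupt it).
    """
    s, o = LEVELS[subject_level], LEVELS[object_level]
    if op == "read":
        return s <= o
    if op == "write":
        return s >= o
    raise ValueError(f"unknown operation {op!r}")


def audit(requests):
    """Evaluate (subject, subject_level, object, object_level, op) tuples
    and return the ones strict Biba denies."""
    return [r for r in requests if not biba_allows(r[1], r[3], r[4])]


# Constructed requests in the spirit of a sandboxed renderer: the renderer
# runs at low integrity, the browser process at medium, and the user's
# documents are medium-integrity objects.
REQUESTS = [
    ("renderer", "low", "/Users/alice/Documents/tax.pdf", "medium", "write"),
    ("renderer", "low", "/tmp/render-cache", "low", "write"),
    ("browser", "medium", "/tmp/render-cache", "low", "read"),
    ("browser", "medium", "/Users/alice/Documents/tax.pdf", "medium", "write"),
]

if __name__ == "__main__":
    for denied in audit(REQUESTS):
        print("DENY", denied)
```

Note that strict Biba also denies the third request, the medium-integrity browser reading low-integrity renderer output. A browser has to consume renderer results somehow, which is one reason an unmodified Biba model does not fit and the page speaks of a "modified" version.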

Friday, August 15, 2008

A Fuzzy risk calculation approach as alternative to the CVSS computation

In my previous post I asked some questions about CVSSv2. While looking around for information about CVSS I stumbled over this paper: A Fuzzy Risk Calculations Approach for a Network Vulnerability Ranking System (TM 2007-090). The author describes a fully fuzzy systems approach for ranking vulnerabilities that can also rank networks. The approach is partly based on CVSSv1 and its performance is compared to CVSSv1. It would be interesting to adjust the approach to CVSSv2. One thing that is solved in the paper is that different combinations of input values should yield different output values. This seems to be a problem in CVSSv2, see here and here.

Friday, August 8, 2008

Making sense of the CVSS equations for risk analysis

I am considering using the CVSS standard to get realistic input values for a real-time risk management model I am developing in a research project. This vulnerability scoring system is meant to be easy to use and understandable. However, I have been trying to make sense of the equations of CVSSv2 without much success. This is what the equation for the base score looks like:

BaseScore = round_to_1_decimal(((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact))

Impact = 10.41 * (1 - (1 - ConfImpact) * (1 - IntegImpact) * (1 - AvailImpact))

Exploitability = 20 * AccessVector * AccessComplexity * Authentication

f(Impact) = 0 if Impact = 0, 1.176 otherwise


It is not clear at all why the equation looks like this, especially the parts marked in bold. If we look at the old version (CVSSv1) it is much easier to understand:

BaseScore = round_to_1_decimal(10 * AccessVector * AccessComplexity * Authentication
            * ((ConfImpact * ConfImpactBias) + (IntegImpact * IntegImpactBias) + (AvailImpact * AvailImpactBias)))

As can be seen, CVSSv1 is much more straightforward than CVSSv2. In CVSSv1 the different parts might be interpreted as probabilities or costs.
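As an added example, not taken from the CVSS guides or from the post, both base-score equations above are written out as running code so that the same vulnerability can be scored under v1 and v2, and so that the full v2 vector space can be grouped by resulting score to see how many distinct vectors collapse onto the same number. The metric weights are the published ones; the vectors scored in the main block are constructed for illustration.

```python
# Added example: CVSSv1 and CVSSv2 base-score equations as code.
# Metric weights are the published ones; sample vectors are constructed.
from decimal import Decimal, ROUND_HALF_UP
from itertools import product

# CVSSv2 weights
V2_AV = {"L": 0.395, "A": 0.646, "N": 1.0}   # AccessVector: Local/Adjacent/Network
V2_AC = {"H": 0.35, "M": 0.61, "L": 0.71}    # AccessComplexity: High/Medium/Low
V2_AU = {"M": 0.45, "S": 0.56, "N": 0.704}   # Authentication: Multiple/Single/None
V2_CIA = {"N": 0.0, "P": 0.275, "C": 0.660}  # C/I/A impact: None/Partial/Complete

# CVSSv1 weights
V1_AV = {"L": 0.7, "R": 1.0}                 # AccessVector: Local/Remote
V1_AC = {"H": 0.8, "L": 1.0}                 # AccessComplexity: High/Low
V1_AU = {"R": 0.6, "NR": 1.0}                # Authentication: Required/Not required
V1_CIA = {"N": 0.0, "P": 0.7, "C": 1.0}      # C/I/A impact: None/Partial/Complete
V1_BIAS = {                                  # (ConfImpactBias, IntegImpactBias, AvailImpactBias)
    "Normal": (0.333, 0.333, 0.333),
    "Confidentiality": (0.5, 0.25, 0.25),
    "Integrity": (0.25, 0.5, 0.25),
    "Availability": (0.25, 0.25, 0.5),
}


def round1(x):
    """round_to_1_decimal with half-up rounding (Python's round() is banker's)."""
    return float(Decimal(repr(x)).quantize(Decimal("0.1"), rounding=ROUND_HALF_UP)) + 0.0


def cvss2_base(av, ac, au, c, i, a):
    """CVSSv2 base score for the six base metrics (single-letter values)."""
    impact = 10.41 * (1 - (1 - V2_CIA[c]) * (1 - V2_CIA[i]) * (1 - V2_CIA[a]))
    exploitability = 20 * V2_AV[av] * V2_AC[ac] * V2_AU[au]
    f_impact = 0 if impact == 0 else 1.176
    return round1((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def cvss1_base(av, ac, au, c, i, a, bias="Normal"):
    """CVSSv1 base score; the product form reads as probability x weighted loss."""
    wc, wi, wa = V1_BIAS[bias]
    weighted_impact = V1_CIA[c] * wc + V1_CIA[i] * wi + V1_CIA[a] * wa
    return round1(10 * V1_AV[av] * V1_AC[ac] * V1_AU[au] * weighted_impact)


def v2_score_collisions():
    """Score all 3^6 = 729 v2 base vectors and group the vectors by score.

    Rounding to one decimal leaves at most 101 possible scores, so many
    distinct input combinations necessarily share an output value.
    """
    by_score = {}
    for av, ac, au, c, i, a in product(V2_AV, V2_AC, V2_AU, V2_CIA, V2_CIA, V2_CIA):
        vector = f"AV:{av}/AC:{ac}/Au:{au}/C:{c}/I:{i}/A:{a}"
        by_score.setdefault(cvss2_base(av, ac, au, c, i, a), []).append(vector)
    return by_score


if __name__ == "__main__":
    # A remotely reachable, unauthenticated denial of service (complete
    # availability impact only), scored under both versions.
    print("v2:", cvss2_base("N", "L", "N", "N", "N", "C"))
    print("v1:", cvss1_base("R", "L", "NR", "N", "N", "C"))
    groups = v2_score_collisions()
    print(len(groups), "distinct v2 scores for 729 vectors")
    worst = max(groups, key=lambda s: len(groups[s]))
    print("score", worst, "is shared by", len(groups[worst]), "vectors")
```

Running the main block shows the point raised in the later post about fuzzy ranking: v2 maps 729 base vectors onto far fewer than 729 scores, and `v2_score_collisions()` lists exactly which vectors collide on each value.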

I have a lot of questions about CVSSv2 that I would like to ask:
  • Most important: Can anybody tell me what the numerical values of ConfImpact, IntegImpact and AvailImpact mean? Are they probabilities, risk metrics of their own or anything else?
  • Why are the impact values combined with a noisy-OR instead of just being added?
  • Why are the values of the access vector, authentication and access complexity weighted and then added together with the impact instead of just being multiplied?
  • Did the people behind CVSSv2 try to adjust the weights of the CVSSv1 to fit the requirements of CVSSv2 before changing to the new equation? If not, why?
  • There is a lot of research in knowledge representation and elicitation, how has it influenced this work (if at all)?

Wednesday, August 6, 2008

Communicating risk using a logarithmic scale?

According to this post, our innate sense of numbers is logarithmic and not linear. This means that a choice between a risk of 100 or 200 is comparable to a choice between a risk of 200 or 400. Maybe we should consider this when communicating risk? What do you think?

Monday, June 30, 2008

Back to the FAIR discussion

Previously I have tried to argue why FAIR is a valid approach. Now I think there is a research result that might be helpful for understanding why FAIR works:

Overcoming Bias: Average Your Guesses

In short, the article states that making two (many?) guesses is better than making one guess...

So if you have an approach (FAIR) that lets an expert make several informed guesses and combine them rigorously, then it is quite likely you will get a better estimation than only by making one single guess.

Wednesday, April 23, 2008

Example of a "Mesh" design, part 2

Amritw has had interesting blog entries about swarm intelligence. As an example of this he points to a recent paper about project Phalanx. In this project they have developed a shield of bots to defend against DDoS from botnets. This example is a case of replication, and thus a sort of mesh design.

Friday, April 18, 2008

Example of a "Mesh" design

I read this interesting entry On Chains, Meshes, and Defense in Depth yesterday.

A mesh design means that you use several security mechanisms for defending your system, but you design them in such a way that only by breaking all of them can you break into the system. There were suggestions that this was hard to achieve outside cryptography. Somebody mentioned that it should be possible in other security settings as well, but nobody came up with an example of a mesh design outside cryptography.

So I have been thinking about this and I think replication is sort of mesh design for availability. You have to compromise all of the replicated servers in order to "break" the system. What do you think about that?


Friday, February 29, 2008

Microsoft, Symantec officials outed by major hack in Sweden

Read about the intrusion at Computer Sweden:
Passwords for many of Sweden's cyber elite are now available on the Internet following a hack against The Swedish Computer Society, an organization of IT professionals. Among the victims are a former security officer at Microsoft, a Symantec security expert and the director of Sweden's largest Internet bank.

Thursday, January 17, 2008

Use Leopard OpenSnoop/DTrace for intrusion detection?

Leopard has this interesting program that lets you see what files a program opens or tries to open:

Hidden Gems In Leopard: OpenSnoop - The Apple Blog

DTrace seems to be a good thing to use to monitor for possible intrusions.
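As an added example of what "monitor for possible intrusions" could look like on top of that tool (not code from the post or from Apple), the script below reads opensnoop-style output lines and flags processes that open sensitive paths without being on an allowlist. The log lines are constructed; the column layout UID, PID, COMM, FD, PATH follows opensnoop's default output, and the sensitive-path patterns and allowlist are assumptions for the example.

```python
# Added example: a small detector over opensnoop-style output lines.
# The log below is constructed; the sensitive-path patterns and the
# allowlist are assumptions chosen for illustration.
import re

# Paths whose opening by an unexpected process is worth an alert (assumed).
SENSITIVE = [re.compile(p) for p in (
    r"^/Users/[^/]+/\.ssh/",
    r"^/etc/(passwd|sudoers)$",
    r"^/Users/[^/]+/Library/Keychains/",
)]

# Assumed allowlist: which commands may legitimately touch which paths.
ALLOWED = {
    "ssh": (r"^/Users/[^/]+/\.ssh/",),
    "securityd": (r"^/Users/[^/]+/Library/Keychains/",),
}

# Constructed sample in opensnoop's default column layout.
SAMPLE_LOG = """\
  UID    PID COMM          FD PATH
  501    412 ssh            3 /Users/alice/.ssh/id_rsa
  501    977 perl           4 /Users/alice/.ssh/id_rsa
    0     88 securityd      7 /Users/alice/Library/Keychains/login.keychain
  501    977 perl          -1 /etc/sudoers
  501    220 TextEdit       5 /Users/alice/notes.txt
"""


def parse(line):
    """Split one output line into a dict, or return None for headers/blank lines.

    COMM is taken as a single whitespace-free token, which is how opensnoop
    prints it; the path may contain spaces, hence the split limit of 4.
    """
    parts = line.split(None, 4)
    if len(parts) != 5 or parts[0] == "UID":
        return None
    uid, pid, comm, fd, path = parts
    return {"uid": int(uid), "pid": int(pid), "comm": comm, "fd": int(fd), "path": path}


def is_sensitive(path):
    return any(p.search(path) for p in SENSITIVE)


def is_allowed(comm, path):
    return any(re.search(p, path) for p in ALLOWED.get(comm, ()))


def detect(log_text):
    """Return the events where a non-allowlisted process touched a sensitive path."""
    alerts = []
    for line in log_text.splitlines():
        event = parse(line)
        if event and is_sensitive(event["path"]) and not is_allowed(event["comm"], event["path"]):
            # opensnoop reports FD -1 when the open() failed; a failed attempt
            # on a sensitive file is still interesting, so keep it and mark it.
            event["failed"] = event["fd"] < 0
            alerts.append(event)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        status = "FAILED" if alert["failed"] else "opened"
        print(f"ALERT pid={alert['pid']} {alert['comm']} {status} {alert['path']}")
```

On a live system the same function can be fed line by line from `opensnoop` piped into the script; the allowlist is the part that needs tuning per host, since legitimate tools (ssh, keychain services) touch exactly the files an intruder would also go for.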



Monday, January 14, 2008

PhD Thesis: A logic-programming approach to network security analysis

I have read this interesting PhD thesis called A logic-programming approach to network security analysis (2005) from the Princeton University Computer Science Department. It is about modeling a network with respect to its security flaws. The model consists of logical statements written in Datalog that look very similar to Prolog rules. The author captures the network topology, network and computer configurations and vulnerabilities in the model by analyzing a high-level security policy, the output from a scanner and firewall configurations.

From this model the author claims that he is able to do the following analyses (page 23):

  • checking network configurations against a high-level policy specification that captures data confidentiality and integrity,
  • hypothetical analysis that assumes various vulnerability situations, and
  • the generation of attack trees.
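To show the flavour of this kind of model, here is an added example (not the thesis's engine or rule set): a minimal forward-chaining Datalog evaluator in Python plus a handful of MulVAL-style rules, used to check a constructed two-host network against a policy and then to ask the hypothetical question "is the policy still violated if the web server were patched?". Host names, ports, vulnerability names, the firewall rules and the policy are all constructed for the example.

```python
# Added example: a tiny bottom-up Datalog evaluator and MulVAL-style rules.
# Not the thesis's code; the network, vulnerabilities and policy are constructed.


def is_var(term):
    """Datalog convention: capitalised names are variables, everything else is a constant."""
    return isinstance(term, str) and term[:1].isupper()


def unify(pattern, fact, env):
    """Extend env so that pattern matches fact term by term, or return None."""
    if len(pattern) != len(fact):
        return None
    env = dict(env)
    for p, f in zip(pattern, fact):
        if is_var(p):
            if p in env and env[p] != f:
                return None
            env[p] = f
        elif p != f:
            return None
    return env


def matches(atom, facts, env):
    """Yield every extension of env under which atom matches a known fact."""
    for fact in facts:
        if fact[0] == atom[0]:
            new_env = unify(atom[1:], fact[1:], env)
            if new_env is not None:
                yield new_env


def substitute(atom, env):
    return tuple(env.get(t, t) if is_var(t) else t for t in atom)


def derive(facts, rules):
    """Naive fixpoint: apply every rule to the known facts until nothing new appears."""
    known = set(facts)
    while True:
        new = set()
        for head, body in rules:
            envs = [{}]
            for atom in body:
                envs = [e2 for e in envs for e2 in matches(atom, known, e)]
            new.update(substitute(head, e) for e in envs)
        if new <= known:
            return frozenset(known)
        known |= new


# Rules written in the MulVAL style: (head, [body atoms]).
RULES = [
    # The attacker reaches a port on H if the firewall (hacl) lets traffic through from where they sit ...
    (("netAccess", "H", "Proto", "Port"),
     [("attackerLocated", "Src"), ("hacl", "Src", "H", "Proto", "Port")]),
    # ... or from any host on which they already execute code.
    (("netAccess", "H", "Proto", "Port"),
     [("execCode", "Src", "AnyPerm"), ("hacl", "Src", "H", "Proto", "Port")]),
    # A reachable, remotely exploitable service yields code execution as the service user.
    (("execCode", "H", "Perm"),
     [("vulExists", "H", "Vuln", "Prog", "remoteExploit", "privEscalation"),
      ("networkServiceInfo", "H", "Prog", "Proto", "Port", "Perm"),
      ("netAccess", "H", "Proto", "Port")]),
    # Code running as a file's owner can access that file.
    (("accessFile", "H", "Access", "Path"),
     [("execCode", "H", "Perm"), ("filePermission", "H", "Perm", "Access", "Path")]),
]

# Constructed network: internet -> webserver:80 -> dbserver:3306, both services vulnerable.
WEB_VULN = ("vulExists", "webserver", "httpd_bug", "httpd", "remoteExploit", "privEscalation")
FACTS = frozenset({
    ("attackerLocated", "internet"),
    ("hacl", "internet", "webserver", "tcp", 80),
    ("hacl", "webserver", "dbserver", "tcp", 3306),
    ("networkServiceInfo", "webserver", "httpd", "tcp", 80, "apache"),
    ("networkServiceInfo", "dbserver", "mysqld", "tcp", 3306, "mysql"),
    WEB_VULN,
    ("vulExists", "dbserver", "mysqld_bug", "mysqld", "remoteExploit", "privEscalation"),
    ("filePermission", "dbserver", "mysql", "read", "/db/customers"),
})

# High-level policy (constructed): nobody coming from the internet may read the customer table.
POLICY_VIOLATION = ("accessFile", "dbserver", "read", "/db/customers")


def violates_policy(facts):
    return POLICY_VIOLATION in derive(facts, RULES)


if __name__ == "__main__":
    print("as configured:", violates_policy(FACTS))
    print("webserver patched:", violates_policy(FACTS - {WEB_VULN}))
```

The second call is the "hypothetical analysis" from the list above: removing a single fact from the model and re-running the fixpoint shows that, in this constructed network, the database is only reachable through the web server, so patching it alone breaks the attack path. Attack-tree generation would additionally record which rule and which facts produced each derived atom, which this evaluator does not keep.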