Generation of Scenario Graphs Using Model Checking HCES 05/01/2003
Generation of Scenario Graphs Using Model Checking
Somesh Jha (University of Wisconsin), Oleg Sheyner (CMU), Jeannette Wing (CMU)
Example of Attack Graph Developed by a Professional Red Team
• Sandia Red Team “White Board” attack tree from DARPA CC20008 Information battle space preparation experiment
[Figure: Sandia Red Team “White Board” attack graph from the DARPA CC20008 Information battle space preparation experiment, drawn by hand.]
Definitions
• Given
– a finite state model M
– a correctness property
• A failure scenario is an execution of M that violates the correctness property.
• A scenario graph is a set of failure scenarios of M.
Properties of Scenario Graphs
• Exhaustive
– All possible failure scenarios are represented in G.
• Succinct
– Only relevant states are contained in G.
– Only relevant transitions are contained in G.
Problem Statement
• Problem: Generating scenario graphs by hand is tedious, error-prone, and impractical for large systems.
• Our Goal: Automate the generation and analysis of scenario graphs.
– Generation
Must be fast and completely automatic
Must handle large, realistic examples
Should guarantee properties of scenario graphs
– Analysis
Enables tool-aided post-generation analysis
Overview of Our Method
[Diagram]
• Phase 1: System Model and Correctness Property → Generator → Scenario Graph
• Phase 2: Scenario Graph and Annotations → Analyzers
– Minimization Analyzer. Query: What system transitions lead to failure? → Scenario Subgraph
– Cost Analyzer, …
– Reliability Analyzer. Query: What is the likelihood of failure? → Probabilistic Scenario Graph
Explicit-State Scenario Graph Generation
• Based on Automata-Theoretic Model Checking
– Interpret both the model M and the correctness property as Büchi automata.
– M and the property each induce a language: L(M) and the language of the property.
– The executions of M that violate the property are those in L(M) but not in the property's language.
– Construct the product of M and the negated property by computing the intersection of the Büchi automata.
• The correctness property can be any LTL property.
Explicit-State Algorithm Illustrated
• LTL property: F c
• Negated property (“never c”): G ¬c
[Figure: model M, drawn as a state graph with transitions labelled a, b, c and d, intersected (∩) with the Büchi automaton for G ¬c, whose transitions are labelled ¬c, c and T (true).]
Explicit-State Algorithm (Cont.)
[Figure: the intersection automaton from the previous slide, reduced step by step.]
• Find strongly connected components (SCCs) (R. Tarjan ’72)
• Collect SCCs with acceptance states
• Add paths from initial states
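The three steps above, worked through in Python as an added example (this is not code from the slides or from the authors' tool). The model M, the property F c and the Büchi automaton for the negated property G ¬c are constructed toy inputs; the product is built by intersecting M with that automaton, Tarjan's algorithm finds the SCCs, only non-trivial SCCs containing an acceptance state are kept, and the states on paths from the initial states into them are added back. State s3 satisfies c, so it is dropped from the result, which is the succinctness property from the earlier slide.

```python
from collections import defaultdict
# Constructed example model M: state -> true propositions, and transitions.
LABELS = {"s0": set(), "s1": {"a"}, "s2": {"b"}, "s3": {"c"}}
EDGES = {"s0": ["s1", "s3"], "s1": ["s2"], "s2": ["s1"], "s3": ["s3"]}
INIT = ["s0"]
# Negated property as a Buchi automaton: F c negates to G not c, i.e. one
# accepting state q0 whose self-loop is enabled only while c is false.
CLAIM = {"init": "q0", "accept": {"q0"},
         "edges": {"q0": [("q0", lambda props: "c" not in props)]}}
def product(edges, labels, init, claim):
    # (m, q) -> (m2, q2) when m -> m2 in M and q -> q2 is enabled by m's labels
    pinit = [(m, claim["init"]) for m in init]
    pe, stack, seen = defaultdict(list), list(pinit), set()
    while stack:
        m, q = s = stack.pop()
        if s in seen: continue
        seen.add(s)
        for q2, guard in claim["edges"][q]:
            for m2 in (edges[m] if guard(labels[m]) else []):
                pe[s].append((m2, q2)); stack.append((m2, q2))
    return pe, pinit
def tarjan_sccs(edges, roots):  # Tarjan '72 (recursive; fine for small graphs)
    index, low, on, st, sccs, n = {}, {}, set(), [], [], [0]
    def visit(v):
        index[v] = low[v] = n[0]; n[0] += 1; st.append(v); on.add(v)
        for w in edges.get(v, []):
            if w not in index: visit(w); low[v] = min(low[v], low[w])
            elif w in on: low[v] = min(low[v], index[w])
        if low[v] == index[v]:               # v is the root of an SCC: pop it
            comp, w = set(), None
            while w != v:
                w = st.pop(); on.discard(w); comp.add(w)
            sccs.append(comp)
    for r in roots:
        if r not in index: visit(r)
    return sccs
def scenario_graph(edges, labels, init, claim):
    # keep accepting non-trivial SCCs plus every state on a path into them
    pe, pinit = product(edges, labels, init, claim)
    accepting = set()
    for scc in tarjan_sccs(pe, pinit):
        cyclic = len(scc) > 1 or any(v in pe.get(v, []) for v in scc)
        if cyclic and any(q in claim["accept"] for _, q in scc):
            accepting |= scc
    keep, more = set(accepting), True
    while more:                              # backward reachability to a fixpoint
        more = {v for v, ws in pe.items() if v not in keep and keep & set(ws)}
        keep |= more
    return {v: sorted(w for w in pe[v] if w in keep) for v in sorted(keep)}
```

Calling `scenario_graph(EDGES, LABELS, INIT, CLAIM)` returns the product states s0, s1 and s2 (paired with q0) and the edges among them; the edge s0 → s3 and the state s3 are not part of any failure scenario and are omitted.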
Performance
[Plot: generation time T(N) (y-axis, 0 to 120) against graph edges N (x-axis, 0 to 900,000); linear regression, R² = 0.9967.]
State Hashing
Method      | Performance (Amortized) | Memory Overhead per State | Completeness
Full State  | O(E)                    | Full State Size           | Complete Coverage
Hashcompact | O(E)                    | 8 bytes                   | Partial Coverage
Traceback   | O(E)·O(depth)           | 14 bytes                  | Complete Coverage
Example Attack Graph
[Figure: attack graph from Begin to Done!, whose exploit nodes are: IIS buffer overflow (CAN-2002-0364), Squid portscan (CVE-2001-1030), LICQ remote-to-user (CVE-2001-0439), Local buffer overflow (CVE-2002-0004).]
Security property (LTL):
G (intruder.privilege(host) < root)
Application: Attack Graphs
[Architecture diagram: System and Goal Specification → Model Builder → Attack Graph Generators → Attack Graph Analyzers; data sources: Host Configuration Data, Network Configuration Data, MITRE, SQL database; Outpost Server and Outpost Clients; Graphical User Interface.]