Abstract GEGICK, MICHAEL CHARLES. Analyzing Security Attacks to Generate Signatures from Vulnerable Architectural Patterns. (Under the direction of Dr. Laurie Williams.) Current techniques for software security vulnerability identification include the use of abstract, graph-based models to represent information about an attack. These models can be in the form of attack trees or attack nets and can be accompanied with a supporting text- based profile. Matching the abstract models to specific system architectures for effective vulnerability identification can be a challenging process. This thesis suggests that abstract regular expressions can be used to represent events of known attacks for the identification of security vulnerabilities in future applications. The process of matching the events in the regular expression to a sequence of components in a system design may facilitate the means of identifying vulnerabilities. Performing the approach in the design phase of a software process encourages security to be integrated early into a software application. Students in an undergraduate security course demonstrated a strong ability to accurately match regular expressions to a system design. The identification of vulnerabilities is limited to known attacks of other systems and does not offer descriptions of what new attacks are possible to a future application. Extending the approach to incorporate new attacks is an avenue of future work. Analyzing Security Attacks to Generate Signatures from Vulnerable Architectural Patterns by Michael Charles Gegick A thesis submitted to the Graduate Faculty of North Carolina State University in partial fulfillment of the requirements for the Degree of Master of Science Computer Science Raleigh 2004 APPROVED BY: _______________________________________ Committee Member _______________________________________ Committee Member _______________________________________ Chair of Advisory Committee Biography Michael has a BA in Biology from Washington and Jefferson College (1998) and a BS in Computer Science from North Carolina State University (2001). He enjoys swimming, biking, running, and rock climbing. ii Acknowledgements Thanks to the members of my thesis committee, Dr. Laurie Williams (chair), Dr. Annie Antón and Dr. Julia Earp for their support and suggestions during my research. Dr. Williams helped to steer me through the entire thesis and was always optimistic and amazingly patient. I would like to sincerely thank Dr. Gary McGraw (of Cigital), Dr. Michael Reiter (of Carnegie Mellon University), and Dr. Eugene Spafford, Dr. Pascal Meunier, and Rajeev Gopalakrish (each of Purdue University) for taking the time to understand my thesis approach and give opinions on its validity and practicality in the field of security engineering. I would also like to thank Nick Green and Eric Isakson for their suggestions on the approach when I first arrived at the concept. Additionally, Bruce Wieand was helpful in determining if regular expressions were a possible means of representing events that may occur in an attack and deserves much appreciation. Without Julie Starr, the teacher for CSC405 at North Carolina State University, the feasibility and validation studies would not have been possible. She was very cooperative and understanding with the incorporation of my assignment in her class. Many thanks to Penney Martin for helping to elicit the idea proposed in this thesis. This material is based upon work supported by the National Science Foundation under Grant No. 0346903. Any opinions, findings, and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of the National Science Foundation. iii Table of Contents LIST OF TABLES................................................................................................................... vi LIST OF FIGURES................................................................................................................ vii 1.0 Introduction .......................................................................................................................1 2.0 Background......................................................................................................................5 2.1 Vulnerability Representation ..........................................................................................5 2.2 Security Collaboration for non-experts.........................................................................14 2.3 Integrating Security into the Software Process ............................................................17 2.4 Risk Management ........................................................................................................19 3.0 Methodology....................................................................................................................21 3.1 Background ..................................................................................................................21 3.2 Regular Expressions ....................................................................................................23 3.3 The System Design......................................................................................................29 3.4 Knowledge Base of Regular Expressions ....................................................................31 3.5 Methodology Scenario – Securing Applications from Enumerated Threats (SAFET)..32 3.6 Risk Management ........................................................................................................33 4.0 Vulnerability Collection Methodology ..............................................................................35 4.1 Limitations ....................................................................................................................38 5.0 Vulnerability Collection Results.......................................................................................40 6.0 Feasibility Study..............................................................................................................66 6.1 Feasibility Study Methodology .....................................................................................66 6.2 Feasibility Study Results ..............................................................................................69 6.3 Metadata ......................................................................................................................72 6.4 Valid and Invalid Answers ............................................................................................73 6.5 Unique Attack Paths.....................................................................................................78 6.6 Regular Expressions Not Represented in the Design..................................................80 6.7 Miscellaneous Data......................................................................................................84 7.0 Validation Study ..............................................................................................................86 7.1 Validation Study Methodology......................................................................................86 7.2 Validation Study Results ..............................................................................................87 7.3 Metadata ......................................................................................................................90 7.4 Valid and Invalid Answers ............................................................................................91 7.5 Unique Attack Paths.....................................................................................................96 7.6 Regular Expressions Not Represented in the Design................................................100 7.7 Miscellaneous Data....................................................................................................103 8.0 Conclusions and Future Work.......................................................................................105 9.0 References....................................................................................................................110 10.0 ppendices....................................................................................................................112 10.1 Vulnerability Collection.............................................................................................113 10.2 Feasibility Assignment .............................................................................................135 10.3 Time Spent on the Feasibility Study.........................................................................145 10.4 Valid and Invalid Attack Paths for the Feasibility Study ...........................................146 10.5 Feasibility Study Likert Scale ...................................................................................166 10.6 Student Comments on the Feasibility Study ............................................................167 10.7 Time Spent on the Validation Study.........................................................................169 10.8 Valid and Invalid Attack Paths for the Validation Study ...........................................170 10.9 Validation Study Likert Scale ...................................................................................200 10.10 Student Comments for the Validation Study ..........................................................201 10.11 Student Questions in