Model-Based Vulnerability Analysis of Computer Systems

Vulnerability analysis is concerned with the problem of identifying weaknesses in computer systems that can be exploited to compromise their security. Most vulnerabilities arise from unexpected interactions between di erent system components such as server processes, lesystem permissions and content, and other operating system services. Existing vulnerability techniques (such as those used in COPS and SATAN) are based on enumerating the known causes of vulnerabilities in the system and capturing these causes in the form of rules, e.g., a worldor group-writable .login le is a well known vulnerability that enables one user to gain all access privileges of another user. However, the generation of the rules relies on expert knowledge about interactions among many components of the system. Issues such as system complexity, race conditions, many possible interleavings, hidden assumptions etc. make it very hard even for experts to come up with all such rules. In contrast, we propose a new model-based approach where the security-related behavior of each system component is modeled in a high-level speci cation language such as CSP or CCS. These component models can then be composed to obtain all possible behaviors of the entire system. Finding system vulnerabilities can now be accomplished by analyzing these behaviors using automated veri cation techniques (model checking in particular) to identify scenarios where security-related properties (such as maintaining integrity of password les) are violated. In contrast to previous approaches that mainly address well-known vulnerabilities, our model-based approach has the potential to automatically seek out and identify known and as-yet-unknown vulnerabilities.