Detecting AAA Vulnerabilities by Mining Execution Profiles

Security vulnerabilities are often due to latent software defects, which can be exploited by a malicious attacker. For example, a buffer overflow vulnerability can derive from a program’s failure to check the size of its input. Security vulnerabilities are often present in complex software after deployment, and these defects must be identified early so as to minimize the damages that attackers can inflict. Meanwhile, Authentication, Authorization, and Accounting (AAA) services, such as Kerberos, Pubcookie, and Shibboleth, address the growing security demands for network access control. Distributed applications rely on AAA platforms to protect users and other stakeholders. However, AAA middleware potentially contains latent defects, which in turn can cause security holes. If such a vulnerability is exploited, the attacker can compromise any application that relies on the AAA services. Therefore, it is crucial to identify and correct latent AAA defects. We are pursuing an integrated methodology for the identification of defects in AAA platforms. Our approach is based on execution capture, replay, profiling, and on mining the resulting execution profiles. We have used (or plan to use) a suite of complementary execution profiling techniques to reveal program or user behavior associated with exploits. Such techniques include code coverage profiling, object state profiling, information flow analysis, event sequence profiling, and temporal profiling. Our array of profiling techniques is more comprehensive and has a finer granularity than those used in other security platforms, such as Intrusion Detection Systems (IDS) and firewalls. In particular, we monitor the source code, the back-end database, and various event sequences. We have used statistical methods borrowed from multivariate visualization, such as correspondence analysis and multidimensional scaling.