CAIRIS

Although CAIRIS was designed as a security requirements management tool, it’s a big tool which does much more than just manage requirements. This is the first of a series of postings that describes just some of the things you can do with CAIRIS.

In this posting, we look at how attack trees can be incorporated into CAIRIS. Attack trees are a formal, methodical way of describing the security of systems (Schneier, 1999). They are a lightweight approach for modelling attacks; this is a good thing as they are simple enough that people can quickly create and contribute to them. Once the trees are created, it would be useful if these could be incorporated into a larger system’s design with the minimum of effort.

Attack trees have been used in conjunction with CAIRIS during the design of webinos, but CAIRIS was only used to support the creation and management of attacker personas. Once the insights had been drawn from the attack trees and incorporated into the other design models, they were largely forgotten. However, it might be useful to have these attack trees around in some form, in case people want to see how resulting threats or vulnerabilities arose.

CAIRIS doesn’t support attack trees, but it does support KAOS obstacle models. Obstacles are conditions representing undesired behaviour that prevent an associated goal from being achieved (van Lamsweerde and Letier, 2000), where the associated goal is some form of requirement the system needs to satisfy. The obstacle model uses the same top-down notation as an attack tree, so obstacle models seem a good candidate for representing attacks, and the sort of things that need to hold for an attack to be successful.

To illustrate how we can incorporate attack trees into CAIRIS using obstacle models, let’s look at a simple example.

We teach attack trees to our second year ethical hacking students at BU, and we encourage them to use low fidelity approaches for modelling their trees; this ensures technology doesn’t get in the way of ideation. Our students are taught how to identify and exploit vulnerabilities using tools like nmap and metasploit, and attack trees allow them to visualise what they have done, so they can explain their attacks to others.

Here is an example of a partially complete attack tree that arose when discussing how a vsftpd backdoor in Metasploitable might be exploited.

[Figure: attack tree sketch]

We can quickly render this tree into something machine readable using graphviz. Here is the attack tree rendered in graphviz’s Dot language (downloadable from here).

digraph AT {
  node [shape=box];
  edge [dir=none];

  "Backdoor to host" [style=rounded];
  "or_1" [shape=triangle,label="or"];
  "Exploit vsftpd backdoor" [style=rounded];
  "and_1" [shape=triangle,label="and"];
  "Telnet to vulnerable host" [style=rounded];
  "Append smiley to credentials" [style=rounded];
  "Run vsftpd as daemon" [style=rounded];
  "or_2" [shape=triangle,label="or"];
  "and_2" [shape=triangle,label="and"];
  "Disable telnet";
  "Install exploited vsftpd package" [style=rounded];
  "Build exploited vsftpd software" [style=rounded];
  "Download exploited vsftpd source" [style=rounded];
  "Compile exploited vsftpd source" [style=rounded];
  "Configure inetd for vsftpd" [style=rounded];
  "Disable vsftpd in inetd";

  "Backdoor to host" -> "or_1";
  "or_1" -> "Exploit vsftpd backdoor";
  "Exploit vsftpd backdoor" -> "and_1";
  "and_1" -> "Telnet to vulnerable host";
  "Telnet to vulnerable host" -> "Disable telnet";
  "and_1" -> "Append smiley to credentials";
  "and_1" -> "Run vsftpd as daemon";
  "Run vsftpd as daemon" -> "or_2";
  "or_2" -> "Install exploited vsftpd package";
  "or_2" -> "Build exploited vsftpd software";
  "Build exploited vsftpd software" -> "and_2";
  "and_2" -> "Download exploited vsftpd source";
  "and_2" -> "Compile exploited vsftpd source";
  "and_2" -> "Configure inetd for vsftpd";
  "Configure inetd for vsftpd" -> "Disable vsftpd in inetd";
}

This is the model generated by graphviz based on the Dot file.

[Figure: attack tree rendered by graphviz]

We can use CAIRIS’ at2om.py script to convert an attack tree rendered in Dot to a CAIRIS model. However, two pieces of information need to be provided in order to create a CAIRIS model: the context the attack applies to (passed with --context, and used as the name of the CAIRIS environment), and the author of the tree (passed with --author, and recorded as the originator of each goal and obstacle).

Armed with this information, we can run at2om.py, assuming we are in the CAIRIS source code directory when running the script.

$ ./at2om.py --context "Metasploitable default setup" --author "EHC Group A" --out Exploit_vsftpd_backdoor.xml $HOME/Exploit_vsftpd_backdoor_graphviz.dot

at2om.py generates this CAIRIS model, which can be imported directly into CAIRIS either using the GUI or the cimport.py model import tool.

<?xml version="1.0"?>
<!DOCTYPE cairis_model PUBLIC "-//CAIRIS//DTD MODEL 1.0//EN" "http://cairis.org/dtd/cairis_model.dtd">

<cairis_model>

<cairis>
  <project_settings name="Metasploitable default setup">
    <contributors>
      <contributor first_name="None" surname="None" affiliation="EHC Group A" role="Scribe" />
    </contributors>
  </project_settings>
  <environment name="Metasploitable default setup" short_code="Metasploitable default setup">
    <definition>Metasploitable default setup</definition>
    <asset_values>
      <none>TBC</none>
      <low>TBC</low>
      <medium>TBC</medium>
      <high>TBC</high>
    </asset_values>
  </environment>
</cairis>

<goals>
  <goal name="Disable telnet" originator="EHC Group A">
    <goal_environment name="Metasploitable default setup" category="Maintain" priority="Medium">
      <definition>"Disable telnet"</definition>
      <fit_criterion>TBC</fit_criterion>
      <issue>None</issue>
    </goal_environment>
  </goal>
  <goal name="Disable vsftpd in inetd" originator="EHC Group A">
    <goal_environment name="Metasploitable default setup" category="Maintain" priority="Medium">
      <definition>"Disable vsftpd in inetd"</definition>
      <fit_criterion>TBC</fit_criterion>
      <issue>None</issue>
    </goal_environment>
  </goal>
  <obstacle name="Append smiley to credentials" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Exploit vsftpd backdoor" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Install exploited vsftpd package" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Telnet to vulnerable host" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Compile exploited vsftpd source" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Configure inetd for vsftpd" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Download exploited vsftpd source" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Run vsftpd as daemon" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Backdoor to host" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
  <obstacle name="Build exploited vsftpd software" originator="EHC Group A">
    <obstacle_environment name="Metasploitable default setup" category="Threat">
      <definition>"Disable vsftpd in inetd"</definition>
    </obstacle_environment>
  </obstacle>
</goals>

<associations>
  <goal_association environment="Metasploitable default setup" goal_name="Configure inetd for vsftpd" goal_dim="obstacle" ref_type="resolve" subgoal_name="Disable vsftpd in inetd" subgoal_dim="goal" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Telnet to vulnerable host" goal_dim="obstacle" ref_type="resolve" subgoal_name="Disable telnet" subgoal_dim="goal" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Run vsftpd as daemon" goal_dim="obstacle" ref_type="or" subgoal_name="Install exploited vsftpd package" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Run vsftpd as daemon" goal_dim="obstacle" ref_type="or" subgoal_name="Build exploited vsftpd software" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Exploit vsftpd backdoor" goal_dim="obstacle" ref_type="and" subgoal_name="Run vsftpd as daemon" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Exploit vsftpd backdoor" goal_dim="obstacle" ref_type="and" subgoal_name="Telnet to vulnerable host" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Exploit vsftpd backdoor" goal_dim="obstacle" ref_type="and" subgoal_name="Append smiley to credentials" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Build exploited vsftpd software" goal_dim="obstacle" ref_type="and" subgoal_name="Download exploited vsftpd source" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Build exploited vsftpd software" goal_dim="obstacle" ref_type="and" subgoal_name="Compile exploited vsftpd source" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Build exploited vsftpd software" goal_dim="obstacle" ref_type="and" subgoal_name="Configure inetd for vsftpd" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
  <goal_association environment="Metasploitable default setup" goal_name="Backdoor to host" goal_dim="obstacle" ref_type="or" subgoal_name="Exploit vsftpd backdoor" subgoal_dim="obstacle" alternative_id="0">
    <rationale>None</rationale>
  </goal_association>
</associations>

</cairis_model>

This file can be imported directly into CAIRIS using either the GUI or the cimport.py model import script.

$ ./cimport.py --type all --overwrite 1 Exploit_vsftpd_backdoor.xml

With the model now imported into CAIRIS, it’s possible to visualise the model, and start integrating insights from the model into the rest of a system’s design.
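To make the mapping at2om.py performs concrete, here is an added example (written for this posting; it is not CAIRIS’ at2om.py, and it uses none of CAIRIS’ own code) that parses a cut-down, constructed version of the vsftpd attack tree above straight from its Dot text and emits the same kind of model: rounded boxes become obstacles, plain boxes become goals that "resolve" the obstacle above them, and the "or"/"and" triangles become the ref_type of the associations from an obstacle to its children. The parser is a small regex over one node or edge per line, which is all the Dot produced here needs; it is not a general Dot parser.

```python
"""Added example: convert a graphviz attack tree into a CAIRIS-style obstacle model.
Not CAIRIS's at2om.py; a sketch of the same mapping, written for this post."""
import re
import xml.etree.ElementTree as ET

# Constructed sample: a cut-down version of the post's vsftpd attack tree.
SAMPLE_DOT = """
digraph AT {
  node [shape=box];
  edge [dir=none];
  "Backdoor to host" [style=rounded];
  "or_1" [shape=triangle,label="or"];
  "Exploit vsftpd backdoor" [style=rounded];
  "and_1" [shape=triangle,label="and"];
  "Telnet to vulnerable host" [style=rounded];
  "Append smiley to credentials" [style=rounded];
  "Disable telnet";
  "Backdoor to host" -> "or_1";
  "or_1" -> "Exploit vsftpd backdoor";
  "Exploit vsftpd backdoor" -> "and_1";
  "and_1" -> "Telnet to vulnerable host";
  "Telnet to vulnerable host" -> "Disable telnet";
  "and_1" -> "Append smiley to credentials";
}
"""

NODE_RE = re.compile(r'^\s*"([^"]+)"\s*(?:\[([^\]]*)\])?\s*;')
EDGE_RE = re.compile(r'^\s*"([^"]+)"\s*->\s*"([^"]+)"\s*;')


def parse_attack_tree(dot):
    """Return (kinds, children). kinds maps a node to 'obstacle', 'goal', 'or' or 'and';
    children maps a parent to the ordered list of its child names."""
    kinds, children = {}, {}
    for line in dot.splitlines():
        m = EDGE_RE.match(line)
        if m:
            children.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = NODE_RE.match(line)
        if not m:
            continue  # digraph header, node/edge defaults, braces
        name, attrs = m.group(1), m.group(2) or ""
        if "shape=triangle" in attrs:          # connective: its label is "or" or "and"
            label = re.search(r'label="(\w+)"', attrs)
            kinds[name] = label.group(1).lower() if label else "and"
        elif "style=rounded" in attrs:         # rounded box: an attack step, i.e. an obstacle
            kinds[name] = "obstacle"
        else:                                  # plain box: a mitigation, i.e. a goal
            kinds[name] = "goal"
    return kinds, children


def tree_to_associations(kinds, children):
    """Flatten the tree into (parent, ref_type, child, child_dim) tuples, the
    information a CAIRIS goal_association carries. Connectives disappear: their
    label becomes the ref_type from the obstacle above them to each leaf below."""
    assocs = []

    def link(parent, ref, child):
        dim = kinds.get(child, "goal")
        assocs.append((parent, ref if dim == "obstacle" else "resolve", child, dim))

    for parent, kids in children.items():
        if kinds.get(parent) in ("or", "and"):
            continue  # handled from the obstacle above the connective
        for kid in kids:
            kind = kinds.get(kid, "goal")
            if kind in ("or", "and"):
                for leaf in children.get(kid, []):
                    link(parent, kind, leaf)
            else:
                # Assumption: an obstacle edge without a connective is a single-child "and".
                link(parent, "and", kid)
    return assocs


def build_cairis_model(dot, context, author):
    """Build the model as an Element tree using the element names seen in the post's output."""
    kinds, children = parse_attack_tree(dot)
    root = ET.Element("cairis_model")
    cairis = ET.SubElement(root, "cairis")
    ps = ET.SubElement(cairis, "project_settings", name=context)
    ET.SubElement(ET.SubElement(ps, "contributors"), "contributor",
                  first_name="None", surname="None", affiliation=author, role="Scribe")
    env = ET.SubElement(cairis, "environment", name=context, short_code=context)
    ET.SubElement(env, "definition").text = context
    av = ET.SubElement(env, "asset_values")
    for level in ("none", "low", "medium", "high"):
        ET.SubElement(av, level).text = "TBC"
    goals = ET.SubElement(root, "goals")
    for name, kind in kinds.items():
        if kind == "goal":
            g = ET.SubElement(goals, "goal", name=name, originator=author)
            ge = ET.SubElement(g, "goal_environment", name=context, category="Maintain", priority="Medium")
            ET.SubElement(ge, "definition").text = name
            ET.SubElement(ge, "fit_criterion").text = "TBC"
            ET.SubElement(ge, "issue").text = "None"
        elif kind == "obstacle":
            o = ET.SubElement(goals, "obstacle", name=name, originator=author)
            oe = ET.SubElement(o, "obstacle_environment", name=context, category="Threat")
            ET.SubElement(oe, "definition").text = name  # each obstacle described by its own label
    assocs = ET.SubElement(root, "associations")
    for parent, ref, child, dim in tree_to_associations(kinds, children):
        ga = ET.SubElement(assocs, "goal_association", environment=context,
                           goal_name=parent, goal_dim=kinds[parent], ref_type=ref,
                           subgoal_name=child, subgoal_dim=dim, alternative_id="0")
        ET.SubElement(ga, "rationale").text = "None"
    return root


def render(root):
    """Serialise with the XML declaration and DOCTYPE the post's generated file carries."""
    return ('<?xml version="1.0"?>\n<!DOCTYPE cairis_model PUBLIC "-//CAIRIS//DTD MODEL 1.0//EN" '
            '"http://cairis.org/dtd/cairis_model.dtd">\n' + ET.tostring(root, encoding="unicode"))


if __name__ == "__main__":
    print(render(build_cairis_model(SAMPLE_DOT, "Metasploitable default setup", "EHC Group A")))
```

Running the script prints a model with four obstacles, one goal and four goal associations for the sample tree; the one design point worth noting is that the connective nodes never reach the model, because in CAIRIS the AND/OR structure lives in the ref_type of each association rather than in a node of its own.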

[Figure: the attack tree as an obstacle model in CAIRIS]