1. Field
Cyber security.
2. Discussion of the Background Art
The configuration of cyber infrastructure is its “DNA”. With even a partial knowledge of it, an adversary can obtain a deep understanding of its logical structure and hence of its structural vulnerabilities Such an understanding can allow the adversary to plan devastating attacks. For example, one can not only identify targets to attack but high-value ones such as single points of failure. Thus, it is critical to prevent or delay the acquisition of configuration knowledge by the adversary.
The present disclosure also provides many additional advantages, which shall become apparent as described below.
Configuration-Space Randomization (CSR) proactively, at random times, and at minimum change-cost, changes values of critical configuration variables. The change is accomplished in such a way that end-to-end system requirements continue to be satisfied but the adversary is forced to distinguish between current and obsolete values of the critical configuration variables. He cannot simply sniff messages in communication channels, read off their values from the messages and assume that these are current.
With each attack, one can associate a set of configuration variables, whose values, if known by an adversary, would enable him to launch an attack. This set of variables is called “critical” for that attack, Given a set of attacks and associated critical variables, CSR computes the minimum set of variables whose values, if obscured, would prevent the planning of all attacks.
CSR is implemented by specifying end-to-end system requirements for both security and functionality as constraints on component configurations, and then moving the cyber infrastructure through different solutions to those constraints. By definition, each solution satisfies the requirements. Each new solution must incur a minimum change cost from the current one, CSR accomplishes minimum-cost change by the use of a MaxSAT constraint solver.
Further objects, features and advantages of the present disclosure will be understood by reference to the following drawings and detailed description.
The present inventor has successfully evaluated the technique of the present disclosure for two different types of networks. The first is a fault-tolerant virtual private network. The second is a Multipoint Generic Routing Encapsulation (GRE) network. In both cases we change both physical and logical network identifiers. In the second case we also change the next-hop MGRE server identity.
CSR uniquely changes configurations in such a way that end-to-end security and functionality requirements continue to be satisfied, the change is at minimum cost, and that at least one variable from the critical set of each attack is changed. It is unique to the present disclosure to satisfy all of these design requirements simultaneously.
Prior solutions do not satisfy any of the above three design requirements that CSR does. They do not allow changing arbitrary configuration variables. They are restricted to changing definite ones such as IP addresses. Even for the variable that they do change, they provide no assurance that changes would continue to satisfy end-to-end security and functionality requirements. For example, when they change an IP address, they do not update firewall, tunneling and routing configurations to maintain end-to-end reachability and access-control requirements. They do not even consider minimum-cost change. Neither do they consider minimizing the set of configuration variables to change because this set is tightly restricted and hence very small.
Configuration is the “glue” for logically integrating components such as routers, switches, firewalls, servers and end-hosts to satisfy end-to-end infrastructure requirements. Configuration can be regarded as the “DNA” of infrastructure in that its analysis can provide a deep understanding of its structure, behavior and vulnerabilities. Due to the large gap between end-to-end requirements and detailed configurations satisfying these, a large number of configuration errors are made. It is well-documented that such errors are responsible for 50%-80% of cyber attacks and downtime in cyber infrastructure. Furthermore, knowledge of configuration can allow an adversary to map out the infrastructure and plan devastating attacks. He can identify not just targets but high-value targets such as single points of failure or those controlling physical systems. For example, such mapping and planning was used by the Stuxnet worm to severely damage Iran's nuclear facilities.
Thus, it is critical to develop systems that (a) eliminate configuration errors and (b) prevent, or drastically reduce the ability of an adversary to gain knowledge of the configuration. To achieve both these objectives. Applied Communication Sciences (ACS) has built a prototype called Assured and Dynamic Configuration or ADC, shown in
To achieve its first objective, ADC first provides a conceptual understanding of the infrastructure by displaying visualizations of logical structures and relationships latent in the Current Configuration. These also highlight various types of structural vulnerabilities. Then, ADC allows specification of a System Requirement on security and functionality in a new high-level language. Finally, ADC changes configurations to bring them into compliance with the requirements. If unable to do so, it outputs a concise root cause.
To achieve its second objective, ADC first allows specification of critical configuration parameters or variables. A parameter is critical if its knowledge would allow an adversary to plan an effective attack. Then, ADC periodically changes values of these parameters and propagates changes to other parameters throughout the system in such a way that System Requirement continues to be satisfied. This technique is called configuration-space randomization.
ADC leverages the ConfigAssure technology. ConfigAssure contains fundamental tools for eliminating configuration errors. ConfigAssure provides tools for visualization, specification, synthesis, debugging, verification and reconfiguration planning. ConfigAssure exploits the power of modern SAT-based constraint solvers that can solve millions of constraint in millions of Boolean variables in seconds.
ADC System Overview
As shown in
ADC will then eliminate configuration errors and randomly change values of Critical Parameters, and of any other dependent ones, so that System Requirement holds and the number of changes is minimized. These configurations are then applied to the System Components.
To initially eliminate configuration errors, Critical Parameters is set to be the empty set. Then, ADC will change parameters in Current Configuration to their correct values to enforce System Requirement. Once the system is in a correct configuration, Critical Parameters is set to a non-empty set. For each class of attack, we assume that a set of Critical Parameters can be chosen so that randomly changing their values will (a) significantly invalidate the adversary's attempt at mapping and understanding the network and (b) blunt the force of his attack. If ADC establishes that System Requirement itself is unsolvable, it outputs a concise root-cause. ADC also presents a large number of visualizations of the logical structure latent in the configurations. These promote system understanding and highlight any structural vulnerabilities.
We now describe the architecture of ADC. Reference is made to
The new configuration is input to a Configuration Applicator. This first transforms configurations into vendor-specific formats, and then applies these to components. An out-of-band network is assumed over which the new configurations are transmitted to the components via a reliable protocol such as FTP. ADC can also check whether these configurations would be accepted by components. ADC is now described in more detail.
The System Requirement specifies the overall connectivity, security, performance and fault-tolerance architecture. ADC formalizes the intuition that a system architecture is a superposition of logical structures and relationships associated with different protocols. ADC provides a Requirement Library of such structures and relationships. Superposition is formalized by composition with Boolean operators, mainly AND but also NOT, OR, IMPLIES and XOR.
Conventional configuration languages force the administrator to pin down the exact value of each configuration parameter satisfying System Requirement. In general, System Requirement may be a complex one consisting of many subsidiary requirements. A value that is correct for implementing one requirement may be incorrect for another. It is hard to pick the exact values that will satisfy all requirements. An administrator spends an enormous amount of time choosing values and then backtracking if choices made to satisfy a requirement conflict with those made to satisfy an earlier one.
ADC eliminates such backtracking. It allows the administrator to specify requirements as constraints on configuration variables. A constraint is equivalent to a set of values. ADC then uses a constraint solver to compute the intersection of all these sets. This intersection then satisfies all requirements.
An ADC requirement is a constraint. A constraint is simply a relationship between configuration parameters. Conventional configuration languages force the administrator to pin down the exact value of each configuration parameter. A value that is correct for implementing one requirement may be incorrect for another. It is hard to pick the exact values that will satisfy a typically large number of requirements. By contrast, a constraint allows the administrator to specify a set of acceptable values. Thus, the chances of finding a non-empty intersection of these sets are much higher. This intersection is exactly what modern constraint solvers efficiently compute. For example, Princeton's ZChaff solver can solve millions of Boolean constraints in millions of Boolean variables in seconds. Constraint solvers generalize the advantage of spreadsheets. In the latter, constraints are only arithmetic and one way. With the former, constraints can be symbolic and multi-way in that there is no notion of dependent and independent variables.
However, Boolean logic is too low level to be useful as a specification language for configuration. For example, for networking, one would like variables whose values are not Boolean but host names, interfaces, addresses. One would like constraints between these to capture logical structures such as subnets. IP Security (IPSec)/Multiprotocol Label Switching (MPLS) tunnels and static routes.
A good constraint language for configuration is called Equality with Uninterpreted Functions (EUF). It can be regarded as Boolean logic with data structures. EUF constraints can be efficiently solved by Satisfiability Modulo Theories (SMT) solvers such as Yices. In fact, for this language, they are faster than even SAT solvers.
A very important feature of EUF is that variables names can be complex terms, not just structure-free atomic ones. This means that the administrator will not have to find a distinct atomic name for each variable. There can be thousands of configuration variables in a large system. Finding distinct names for these and relating these across multiple components is hard, EUF allows one to define a small number of semantically meaningful function symbols and combine them in a large number of ways. Each combination is a semantically meaningful variable. For example, instead of inventing new variables for the IP address of each interface, we define a function symbol “ip address” of two arguments, a host and an interface. Now, for any host H and interface I, the term “ip address H I” represents the IP address of I at H. Internally, this term is implemented as the expression ip_address(H, I).
The current configuration is the set of configuration files of all system components. These are parsed into a large constraint CDB of the form xl=clz,25 . . . z,25 xk=ck where each xi is a variable occurring in the System Requirement and ci is its value. The value is extracted from analyzing component configuration files. Currently, ADC only analyzes Cisco IOS configuration files. The analysis is done in two stages. First, the files are parsed into a Prolog database. Then, the values of variables are extracted from this database.
These are specified as a list of configuration variables. For each class of attack, we assume that a set of Critical Parameters can be chosen so that randomly changing their values will significantly invalidate the adversary's attempt at mapping and understanding the network or blunt the force of his attack. The choice of critical variables depends on what configuration information we'd like the adversary not to acquire, or what configuration information is likely to assist the adversary plan an effective attack. For example:
The Requirement Transformer accomplishes the following tasks:
We now sketch how these tasks are accomplished.
4.1 Transforming Current Configuralion into a Conjunction CDB of Constraints of the Form x=c
Section 2, above outlines how to accomplish this task.
4.2 Computing NormalForm
This task is accomplished by the Prolog predicate eval(P, Q) where P is a system requirement and Q is a constraint that can be submitted to an SMT solver. This constraint is a Boolean combination of primitive constraints mainly of the form T1=T2 where T1 and T2 are terms representing configuration variables or constants. Other primitive constraints are on bitvector and arithmetic operations. If P is a constraint in the Requirement Library, then ADC rewrites it into a simpler constraint R, and recursively calls eval on R. The rewrite rules are defined by the infix, binary predicate=>whose first argument is a constraint and the second argument is its simplified version. If P is a Boolean combination of constraints then eval is recursively called on the constituents, and the results combined. If no=>rules apply, then eval returns the constraint itself.
An example of a=>rule for IPSec is:
ipsec_tunnel(H1, I1, H2, I2, ID1, ID2)=>
and_each([ipsec_ea(H1, I1, H2, I2)=ipsec_ea(H2, I2, H1, I1),
ipsec_ha(H1, I1, H2, I2)=ipsec_ha(H2, I2, H1, I1),
ipsec_key(H1, I1, H2, I2)=ipsec_key(H2, I2, H1, I1),
ipsec_remote(H1, I1, H2, I2)=ip_address(H2, I2),
ipsec_remote(H2, 12, H1, I1)=ip_address(H1, I1),
ipsec_local(H1, I1, H2, I2)=ip_address(H1, I1),
ipsec_local(H2, I2, H1, I1)=ip_address(H2, I2),
ipsec_acl_id(H1, I1, H2, I2)=ID1,
ipsec_acl_id(H2, I2, H1, I1)=ID2]).
This encodes the requirement that in order for there to be an IPSec tunnel between interface I1 of host H1 and interface I2 of host H2, the IPSec keys and encryption and hash algorithms must be identical, and the peer addresses should be symmetric. Furthermore, the access-control list identifiers at each end must be as specified, and_each returns a conjunction of all constraints in its argument.
4.3 Computing MTDConstraint
To create MTDConstraint, ADC randomly selects a configuration variable x in Critical Parameters, find its value c in Current Configuration and then lets MTDConstraint be not(x=c). This forces a new value of x to be found, if possible. If a new value cannot be found, for example, if x=c were part of System Requirement, then no solution is produced and the current configuration is unchanged. When ADC recomputes a solution, a new critical variable could be selected.
The Requirement Transformer sends the conjunction FinalReq=CDB NormalFormz,25 MTDConstraint to the Requirement Solver for solution. The Requirement Solver further transforms FinalReq and all type declarations into the concrete syntax of an SMT solver, calls that solver, and parses the result back into Prolog. Currently, the Yices SMT solver is used.
If the solution does not exist then the constraint solver returns an “unsat-core”. This is a typically small conjunction of unsolvable constraints whose solvability is a necessary condition for that of FinalReq. If in this set there is an equation x=c where x=c is also in CDB, then this equation signifies a configuration error. Repair then means finding a new value of x. This is accomplished by deleting x=c from CDB and reattempting a solution to FinalReq. Effectively, we let x “float”. This repair step is repeated till either a solution is found or no more deletions are possible. If the latter, then NormalFormz,25 MTDConstraint is unsolvable and the resulting unsat-core is reported to the user. Note that since CDB is finite, the repair algorithm will terminate.
Effectively, the above plan repairs implementation errors: CDB does not implement NormalFormz,25 MTDConstraint so it needs to be changed so that it does. The above plan could also be used to repair NormalFormz,25 MTDConstraint itself. But, the unsolvability of that constraint represents a design error that requires human intervention before it is changed.
This nmodule translates a solution produced by the Requirement Solver into vendor-specific configuration files for all components. When these are applied to the components, their configuration variables are set to values in the solution. A solution is of the form xl=cl . . . , x=ck where each xi is a variable and each ci is a constant. Intuitively, it keeps a list of IOS block types it needs to generate for each router. It goes through the solution and associates each equation with one or more blocks for a given router. Then, it processes the information in each block and generates the IOS block.
The critical set of an attack is defined as the set of variables whose values an adversary needs to know to launch that attack. In each moving-target defense cycle. ADC needs to change at least one variable in each set to defend against all attacks. ADC must now solve two problems. The first is finding the minimum set of variables whose values, if changed, would defend against all attacks. This is not, in general, the union of all the critical sets. For example, let there be three attacks, A(1), A(2) and A(3) with the following critical sets: XA(1)={x1, x2}, XA(2)={x2, x3}, XA(3)={x3, x4}. Even though there are four critical variables in all, it is only necessary to change just two. In fact, three solutions are possible: {x1, x3}, {x2, x3}, {x2, x4}.
The second problem ADC must solve is ensuring that values of variables in the minimum set must be changeable from their current values. In other words, the constraint that their values be different from their current ones should not be inconsistent with System Requirement.
We now sketch how both these problems can be addressed with a MaxSAT constraint solver. We model finding a minimal set with minimizing variable value change cost. MaxSAT allows one to associate weights with a set of constraints. It then finds a solvable subset of this set with maximum weight. The weight of a set of constraints is the sum of weights of all constraints in that set.
ADC would now construct the MTDConstraint of Section [0044] as follows: For every attack A, where the critical set of A is {x1, . . . , xk)}, generate the disjunction xl=cl . . . xk=ck where ci is the current value of xi, in the configuration database CDB, and return a conjunction of these. ADC would also generate a constraint called ChangeCost that declares the cost of changing a variable's value from its current one. Finally, ADC would submit FinalReq where:
FinalReq=CDBz,25 NormalFormz,25 MTDConstraintz,25 ChangeCost
to a MaxSAT constraint solver. Recall that NormalForm is a normalized version of System Requirement. Obviously, FinalReq is inconsistent because MTDConstraint forces all variable values to be different from those in CDB. MaxSAT will then drop some constraints in CDB so that the change cost is a minimum. Thereby, at least one variable in each attack's critical set will be changed but at minimum cost and be consistent with System Requirement.
8.1 Designing Requirements for a Fault-Tolerant Virtual Private Network
Reference is made to
Automatic rerouting over this ring can be accomplished by running a routing protocol such as Open Shortest Path First (OSPF) over the four gateway routers. However, OSPF does not recognize IPSec links. For OSPF to do so, both link end points need to be on the same subnet. In general, the end points of an IPSec tunnel are in different subnets. To create the illusion that these end points are directly connected, we need to use a new type of tunnel called GRE. Thus, a GRE tunnel is set up under every IPSec tunnel and OSPF is made to run over the GRE network. Now, for example, if Miami should fail, video would be automatically rerouted via Phoenix to Dallas.
The above VPN is supported by a wide-area network (WAN), also set up as a ring over which the RIP routing protocol is run. Each gateway router is connected to its own wide-area network router.
All WAN and VPN routers are controlled over an out-of-band network. Control interfaces of all routers are connected to a switch in the middle.
The above design is refined into more concrete requirements. These can be handed to a network administrator for implementation. The requirements are:
8.1.1 Specifying Requirements in ADC
These requirements are specified in ADC's language as in Table 1 in about 66 lines.
When this specification is uploaded to ADC, ADC generated two Linux scripts and eight Cisco IOS files totaling 450 lines. The script for North and configuration file for Seattle are listed in Table 2 below.
8.1.2 Testing Configurations
The generated configurations were applied to emulated routers in a GNS3 tested and a number of tests performed to evaluate whether intended requirements were satisfied.
8.1.2.1 Testing Connectivity
Using GNS3, consoles to the Dallas and Seattle routers were opened as shown in
8.1.2.2 Testing Encryption
To test whether the pings are encrypted, we use GNS3's embedded Wireshark capability to capture packets flowing in and out of Seattle. As shown in
8.1.2.3 Testing Fault-Tolerance
To test that fault-tolerance has been correctly implemented, we first do a trace route to 192.168.120.1 and notice that there are two routes that packets take to travel from Seattle to Dallas. One is via Miami and the other via Phoenix. We then suspend Miami via the GNS3 GUI. Another trace route reveals just one path to Dallas, via Phoenix. Referring to
This section describes the experiment we ran to assess the use of ADC to defend the fault-tolerant VPN network of Section 8 against an attack where an adversary infers network topology from sniffing routing protocol updates. An adversary could use this information to identify a single point of failure and concentrate his DoS resources on bringing it down. Our moving-target defense periodically changes the network identifiers of links (identified as critical parameters or variables in ADC) so that the adversary is forced to disambiguate between current and stale routing protocol updates. If he does not, then his view of the network becomes more and more distorted over time. However, as in the previous section, trace route shows that end-to-end connectivity continues to be maintained.
9.1 Specifying Moving-Target Defense
The critical variables and their possible values are:
These are encoded with the following lines in the specification:
Declare Critical Variables
critical variables
Specify their choices
or network id Seattle Tunnel0=1.0.0.0
or network id Miami Tunnel1=2.0.0.0
or network id NewYork FastEthernet0/0=201.1.1.0
Replace network addresses with variables in GRE tunnels and subnet
specifications. ADC will replace these with values and then generate
actual addresses.
gre tunnel
gre tunnel
subnet
9.2 Emulating Adversary Behavior
We used GNS3's embedded Wireshark tool to sniff OSPF packets on selected links and plot the topology latent in these packets. Since OSPF packets convey link state information, the entire topology of the OSPF domain can be reconstructed from analysis of those packets. As shown in
This application claims priority to U.S. Provisional Application No. 61/829,309 filed May 31, 2013 entitled “Moving-Target Defense With Configuration-Space Randomization.” The above application is incorporated by reference.
The disclosed invention was made with government support under contract No. FA8750-11-C-0012, awarded by the United States Department of Defense. The government has certain rights in the present invention.
Number | Date | Country | |
---|---|---|---|
61829309 | May 2013 | US |