ABSTRACT
Enterprise security management requires constantly identifying deep security
problems arising from vulnerabilities and configuration settings on each
component of a large IT system. For example, just knowing a vulnerable program
exists on a machine is not sufficient to determine what mitigation measure is
appropriate. One also needs to consider the nature of the vulnerability, as
well as the machines that can reach and be reached by the vulnerable host. A
large IT system's security threats often manifest as potential multi-step,
multi-host attack paths that could enable an attacker to penetrate deep into
the IT network.
Until recently, analysis that can reveal such deep security problems had to be
done in a labor-intensive, manual, and repetitive way. Recent trends towards
sharing vulnerability information in a language-based, machine-readable format
make automating deeper analysis possible. MulVAL is a tool that aims at
realizing this automation. MulVAL builds upon OVAL, a machine configuration
language developed by MITRE. The OVAL language can be used to write definitions
for reported vulnerabilities and common configuration problems. Those
definitions can then be interpreted by an OVAL-compatible host scanner to
report configuration issues on a machine. The scanning output from all the hosts
becomes the input to MulVAL, which reasons about deeper security problems
caused by the discovered configuration issues. MulVAL reasoning is conducted
by applying a set of Datalog rules to the data tuples from the scanners. The
analysis process can produce an attack graph that shows the causality relations
between configuration issues and an attacker's potential privileges. The attack
graph can be further used to distinguish more important configuration issues
from less important ones. Unlike previous tools, MulVAL is both based on a
formal logic and scalable to enterprise-size networks. This talk explains how
MulVAL works and how to leverage the MulVAL reasoning framework to produce
various kinds of useful information for automating enterprise security management.
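As an added illustration (not MulVAL's own code or rule set), the following Python reproduces the style of reasoning the abstract describes: scanner-style data tuples, one Datalog-style rule evaluated to a fixpoint, the resulting causal attack graph, and a ranking of which configuration issue enables the most derived attacker privileges. The predicate names and the sample network are hypothetical and constructed for this example.

```python
from collections import defaultdict

# Constructed scanner-style tuples (hypothetical predicate names, modeled on the
# kind of input described above): reachability, listening services, vulnerabilities.
FACTS = [
    ("hacl", "internet", "web", "http"),     # internet can reach web on http
    ("hacl", "web", "db", "sql"),
    ("hacl", "web", "fileserver", "nfs"),
    ("networkService", "web", "http"),
    ("networkService", "db", "sql"),
    ("networkService", "fileserver", "nfs"),
    ("vulExists", "web", "http"),            # remotely exploitable service on web
    ("vulExists", "db", "sql"),              # remotely exploitable service on db
    ("attackerLocated", "internet"),
]

def derive_attack_graph(facts):
    """Fixpoint over one Datalog-style rule:
    execCode(H) :- attackerLocated(Z) or execCode(Z), hacl(Z,H,P),
                   networkService(H,P), vulExists(H,P).
    Returns the hosts the attacker can execute code on and the causal edges
    (premises -> conclusion) that make up the attack graph."""
    hacl = [f[1:] for f in facts if f[0] == "hacl"]
    services = {f[1:] for f in facts if f[0] == "networkService"}
    vulns = {f[1:] for f in facts if f[0] == "vulExists"}
    start = {f[1] for f in facts if f[0] == "attackerLocated"}
    controlled, edges, changed = set(start), [], True
    while changed:                  # repeat until no new fact is derived
        changed = False
        for src, dst, port in hacl:
            if (src in controlled and dst not in controlled
                    and (dst, port) in services and (dst, port) in vulns):
                controlled.add(dst)
                premises = (src, ("hacl", src, dst, port), ("vulExists", dst, port))
                edges.append((premises, ("execCode", dst)))
                changed = True
    return controlled - start, edges

def issue_impact(edges):
    """Rank configuration issues: map each vulExists tuple to the hosts whose
    derived execCode fact depends on it, directly or through earlier steps."""
    derivation = {host: (src, vul) for (src, _, vul), (_, host) in edges}
    impact = defaultdict(set)
    for host in derivation:
        cur = host
        while cur in derivation:    # walk the causal chain back to the start
            src, vul = derivation[cur]
            impact[vul].add(host)
            cur = src
    return {vul: sorted(hosts) for vul, hosts in impact.items()}
```

On the constructed input the web vulnerability is the more important issue, since both derived privileges depend on it, while the fileserver is never reached because no vulnerability is reported on its service.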
BIOGRAPHY
Xinming (Simon) Ou is an Assistant Professor at Computing and Information
Sciences Department of Kansas State University. He obtained his PhD degree in
Computer Science from Princeton University in 2005, and worked as a post-doctoral
research associate at Purdue University and the Idaho National Laboratory,
before joining Kansas State University in 2006. Xinming's research focuses on
applying formal, logic-based techniques to reasoning about security of large
and complex systems.