Model-Based Analysis of Configuration Vulnerabilities

Vulnerability analysis is concerned with the problem of identifying weaknesses in computer systems that can be exploited to compromise their security. In this paper we describe a new approach to vulnerability analysis based on model checking. Our approach involves: • Formal specification of desired security properties. An example of such a property is “no ordinary user can overwrite system log files.” • An abstract model of the system that captures its security-related behaviors. This model is obtained by composing models of system components such as the file system, privileged processes, etc. • Verification techniques to check whether the abstract model satisfies the security properties. This approach can be used to automatically detect known and as-yet-unknown vulnerabilities. This is in contrast with approaches such as those used in COPS and SATAN, which mainly address previously exploited vulnerabilities. Another advantage of our approach is that it is modular. For instance, to identify system vulnerabilities after addition of a server program, we only need to develop a model for the new server; the reanalysis of the system is done automatically. Traditional model checkers can analyze only finite-state systems. Finite-state models cannot capture components such as file systems where files can be added, renamed or removed. Hence finite-state techniques cannot be used to detect vulnerabilities that depend on file names, contents, or directory structures. In our approach, we permit infinite-state models by developing an alternative model checking technique that exploits the nature of vulnerabilities. We demonstrate the usefulness of this technique by showing how it detects nontrivial vulnerabilities in a simplified model of a Unix system.