Method of Pentest Synthesis and Vulnerability Detection
Iryna Hahanova
Abstract - A structural method for penetration test generation and vulnerability simulation is proposed for the infrastructure of telecommunication hardware-software information cybernetic systems (CS). It is aimed at protecting the services defined in the system specification against unauthorized access gained by penetrating through the legal, but vulnerable, interfaces of component interaction. The protection service infrastructure is created together with the cybersystem and maintained during its whole life cycle: it serves all subsequent CS modifications and constantly improves its intelligence by enlarging its history and its libraries of constructive and destructive components.
I. Introduction
The notions "penetration" and "vulnerability" are complementary. If there is a vulnerability, a destructive component that matches the cybersystem's functionality can penetrate through it as through a hole. The converse also holds: if a penetration was detected, it happened through a vulnerability (a hole). The difficulty of protecting cyberspace against unauthorized access lies in the fact that "destructive" and "constructive" (valid-user) behaviour cannot in general be told apart. Nevertheless, there are techniques, technologies, software and systems that protect corporate or personal cyberspace with a given probability of penetration. The following notions are used in the existing publications in this field [1-10]. A penetration test is a set of internal and external destructive impacts aimed at detecting vulnerabilities in the access to CS services by simulating or analysing penetrations on cybersystem models. The quality of a test is measured by its completeness, expressed as the percentage of all the vulnerability types (generated manually or automatically for the specific cybersystem) that it covers. Testing the real system (System Under Penetration Test, SUPT) yields a quantitative vulnerability estimate and a list of the structural vulnerabilities of the pre-assigned types detected during the test experiment. If the testing process detects a non-empty list of destructive components (vulnerabilities), a diagnosis based on diagnostic tests is performed to determine the location, cause and kind of each vulnerability to a given search depth. After all vulnerabilities have been revealed, they are removed by partial or complete reconstruction of the cybersystem using proven library structural solutions. All the procedures described above use three libraries: 1) a negative library describing all possible types of vulnerabilities; 2) a positive library, in which each vulnerability is associated with hardware and software solutions that remove the destructive component; 3) a library of unproven solutions, the "intelligence" of the CS, which can be redefined while the cybersystem is operating. All three libraries must be updated in real time while the cybersystem is designed and used.

Manuscript received December 8, 2012.
Hahanova I.V. is with the Computer Engineering Faculty, Kharkov National University of Radioelectronics, Kharkov, Ukraine (e-mail: [email protected]).
The objectives of the cybersystem protection infrastructure are:
1) Synthesis of a deductive CS model for testing, diagnosing and repairing the invulnerability of the cybersystem [1,2];
2) Generating test patterns for checking and diagnosing vulnerabilities with coverage close to 100%;
3) Creating vulnerability detection algorithms with a given diagnosis granularity;
4) Creating test generators for checking and diagnosing vulnerabilities with coverage close to 100%;
5) Testable design (modification) of invulnerable cybersystems, free from the vulnerabilities known at the current state of technological and mathematical culture;
6) Development of an embedded cybersystem protection infrastructure for monitoring, testing, diagnosing and repairing invulnerability in real time during operation;
7) Development of specialized algorithms and plans for monitoring, testing, diagnosing and repairing CS invulnerability in real time during operation;
8) Verification of testable infrastructure solutions designed for real CS's.
The object of testing is a cybernetic system of interacting hardware-software, telecommunication and information components, focused on providing quality services to authorized users through standard interfaces in real time. No type of vulnerability (penetration) takes the object under test beyond the given functionality of the cybersystem, which is described by a Boolean function
$$Y = f(X_1, X_2, \ldots, X_i, \ldots, X_n), \quad X_i, Y \in \{0, 1\}.$$
Therefore the vulnerability model is applied to a graph structure of functional modules with input and output transaction variables. The transaction graph is represented by arcs, the functionalities (services) with their monitors (assertions), and nodes, which form the states of the cybersystem through variables, memory, interface input-output ports, transceivers, terminals and computers:
$$F = (A * B) \times S,$$
where $S = \{S_1, S_2, \ldots, S_i, \ldots, S_m\}$ is the set of nodes, i.e. the states of the CS when simulating test segments. Each state $S_i = \{S_{i1}, S_{i2}, \ldots, S_{ij}, \ldots, S_{ip}\}$ is determined by the values of the essential CS variables (variables, memory, terminals and computers). The oriented arcs of the graph are the function blocks
$$B = (B_1, B_2, \ldots, B_i, \ldots, B_n), \quad \bigcup_{i=1}^{n} B_i = B, \quad \bigcap_{i=1}^{n} B_i = \varnothing,$$
each of which can be associated with an assertion $A_i \in A = \{A_1, A_2, \ldots, A_i, \ldots, A_n\}$ for monitoring the functionalities in time and space.
R&I, 2012, №4
The basic technologies for testing the security of cybersystems are: OSSTMM, the Open Source Security Testing Methodology Manual; the NIST Guideline on Network Security Testing; ISACA Switzerland, Testing IT Systems Security With Tiger Teams; the Draft Guideline on Network Security Testing; NIST Special Publication 800-26, Security Self-Assessment Guide for Information Technology Systems; Cybersecurity Vulnerability Assessment Methodologies (Cybersecurity VAMs); and the Information Systems Security Assessment Framework of the OISSG.
II. Apparatus of Boolean derivatives for test synthesis
An apparatus of Boolean derivatives is designed for checking the significant variables and components of a cybersystem, including the significance analysis of destructive components (vulnerability and penetration) for the cybersystem state. Methods of taking Boolean derivatives from a truth table, a disjunctive form or a cubic coverage are proposed, in order to create the activation conditions of the input variables when synthesizing tests for checking vulnerabilities (penetrations). The method is considered on the following three examples of logic functions: 1) $f(x) = x_1 \vee x_1 x_2$; 2) $f(x) = x_1 x_2 \vee \bar{x}_1 x_3$; 3) $f(x) = \bar{x}_2 \bar{x}_3 \vee x_1 x_2 x_3$.
Issues to be addressed: 1) Definition of all first-order derivatives from the analytical, cubic and tabular forms of representation of logical functions. 2) Verification of the obtained activation conditions by modelling them on one of the forms of functionality description. 3) Synthesis of activation tests for the variables of a logic function on the basis of the calculated derivatives.
Example 1. Define all first-order derivatives of the logical function $f(x) = x_1 \vee x_1 x_2$ given in analytical form. The calculation formula
$$f'(x_i) = \frac{\partial f(x_1, x_2, \ldots, x_i, \ldots, x_n)}{\partial x_i} = f(x_1, x_2, \ldots, x_i = 0, \ldots, x_n) \oplus f(x_1, x_2, \ldots, x_i = 1, \ldots, x_n)$$
defines the Boolean first derivative as the modulo-two sum of the zero and unit residual functions (cofactors). For the function it is obtained:
$$\frac{\partial f(x_1, x_2)}{\partial x_1} = f(0, x_2) \oplus f(1, x_2) = (0 \vee 0 \cdot x_2) \oplus (1 \vee 1 \cdot x_2) = 0 \oplus 1 = 1;$$
$$\frac{\partial f(x_1, x_2)}{\partial x_2} = f(x_1, 0) \oplus f(x_1, 1) = (x_1 \vee x_1 \cdot 0) \oplus (x_1 \vee x_1 \cdot 1) = (x_1 \vee 0) \oplus (x_1 \vee x_1) = x_1 \oplus x_1 = 0.$$
A zero derivative means that there are no activation conditions for the variable $x_2$; it can therefore be considered insignificant and removed from the variables that form the functionality.
Example 2. Define all first-order derivatives of the logical function $f(x) = x_1 x_2 \vee \bar{x}_1 x_3$ given in analytical form. The following calculations are performed:
$$\frac{\partial f(x_1, x_2, x_3)}{\partial x_1} = f(0, x_2, x_3) \oplus f(1, x_2, x_3) = (0 \cdot x_2 \vee \bar{0} \cdot x_3) \oplus (1 \cdot x_2 \vee \bar{1} \cdot x_3) = (0 \vee x_3) \oplus (x_2 \vee 0) = x_3 \oplus x_2 = \bar{x}_2 x_3 \vee x_2 \bar{x}_3;$$
$$\frac{\partial f(x_1, x_2, x_3)}{\partial x_2} = f(x_1, 0, x_3) \oplus f(x_1, 1, x_3) = \bar{x}_1 x_3 \oplus (x_1 \vee \bar{x}_1 x_3) = \bar{x}_1 x_3 \oplus (x_1 \vee x_3) = \bar{x}_1 x_3 \overline{(x_1 \vee x_3)} \vee \overline{\bar{x}_1 x_3} (x_1 \vee x_3) = 0 \vee (x_1 \vee \bar{x}_3)(x_1 \vee x_3) = x_1;$$
$$\frac{\partial f(x_1, x_2, x_3)}{\partial x_3} = f(x_1, x_2, 0) \oplus f(x_1, x_2, 1) = x_1 x_2 \oplus (x_1 x_2 \vee \bar{x}_1) = x_1 x_2 \oplus (\bar{x}_1 \vee x_2) = x_1 x_2 \overline{(\bar{x}_1 \vee x_2)} \vee \overline{x_1 x_2} (\bar{x}_1 \vee x_2) = 0 \vee (\bar{x}_1 \vee \bar{x}_2)(\bar{x}_1 \vee x_2) = \bar{x}_1.$$
For three variables four activation conditions are obtained ($\bar{x}_2 x_3$, $x_2 \bar{x}_3$, $x_1$ and $\bar{x}_1$), which correspond to four logical paths in the circuit structure of the disjunctive form of the function.
Example 3. Define all first-order derivatives of the logical function $f(x) = \bar{x}_2 \bar{x}_3 \vee x_1 x_2 x_3$ given in cubic form. The cubic coverage, the Karnaugh map and the truth table of the function are:

Cubic coverage:
x1 x2 x3 | Y
X  0  0  | 1
1  1  1  | 1
X  0  1  | 0
X  1  0  | 0
0  1  X  | 0

Karnaugh map (rows x1, columns x2x3):
x1 \ x2x3 | 00 | 01 | 11 | 10
    0     |  1 |  0 |  0 |  0
    1     |  1 |  0 |  1 |  0

Truth table:
x1 x2 x3 | Y
0  0  0  | 1
0  0  1  | 0
0  1  0  | 0
0  1  1  | 0
1  0  0  | 1
1  0  1  | 0
1  1  0  | 0
1  1  1  | 1

The same function $f(x) = \bar{x}_2 \bar{x}_3 \vee x_1 x_2 x_3$ written by the original coverage (left) and by a coverage of non-intersecting cubes (right), in which the cube 01X, which intersects the cube X10 at the point 010, is replaced by 011:

x1 x2 x3 | Y        x1 x2 x3 | Y
X  0  0  | 1        X  0  0  | 1
1  1  1  | 1        1  1  1  | 1
X  0  1  | 0        X  0  1  | 0
X  1  0  | 0        X  1  0  | 0
0  1  X  | 0        0  1  1  | 0
The process model for calculating the derivative with respect to the variable $x_i$ of a function given in tabular form includes the following steps: 1) Simulate the input patterns of the truth table (cubic coverage) to determine the column $Y_i^0$, in which the variable $x_i$ has the value zero in all rows of the table; the number of such patterns is always $q = 2^{n-1}$, where $n$ is the number of variables. 2) Calculate the coordinates of the column $Y_i^1$, in which the variable $x_i$ has the value one in all rows of the table. 3) Calculate the column $Y_i^\oplus = Y_i^0 \oplus Y_i^1$ subject to the rule $0 \oplus X = 1 \oplus X = X$. 4) Form the disjunctive normal form of the derivative from the unit values of the column $Y_i^\oplus$, omitting the variable $x_i$ with respect to which the derivative is taken; alternatively, the rows of the table corresponding to the unit values of the column $Y_i^\oplus$ are fixed as the definition of the derivative. The analytical model of taking the derivative of a function represented in tabular form is:
$$\frac{\partial f}{\partial x_i} = f(x_1, x_2, \ldots, x_i = 0, \ldots, x_n) \oplus f(x_1, x_2, \ldots, x_i = 1, \ldots, x_n);$$
$$Y_i^\oplus = [Y_i^0 = f(x_1, x_2, \ldots, x_i = 0, \ldots, x_n)] \oplus [Y_i^1 = f(x_1, x_2, \ldots, x_i = 1, \ldots, x_n)].$$
Lemma of non-intersecting cubes. Correctly taking the derivative to obtain an activation test for the variable $x_i$ is possible only on a minimal cubic coverage or analytical disjunctive (conjunctive) normal form in which the intersection of any two cubes (rows of the truth table) or terms of the DNF (CNF) is empty:
$$\frac{\partial f}{\partial x_i} = f(x_1, x_2, \ldots, x_i = 0, \ldots, x_n) \oplus f(x_1, x_2, \ldots, x_i = 1, \ldots, x_n) \in T \Leftarrow \forall i, j\ (C_i \cap C_j = \varnothing),\ i, j = \overline{1, n},\ i \neq j.$$
Indeed, if the coverage is defined according to the rule of non-intersecting cubes, all derivatives are valid for test synthesis without any additional check. To obtain such a cubic coverage, minimization is performed by any of the existing methods (Karnaugh maps, Quine's method, essential variables, undetermined coefficients, binary graph) subject to the rule that the covers of the zero and unit coordinates of the truth table must not intersect during minimization. In the present case, when the functionality is rewritten subject to this rule, even the total number of cubes does not change, while the coverage acquires the non-intersection property (like a truth table) for synthesizing the activation test of the variables:
Derivative $\partial f / \partial x_1$ by the cubic coverage:

x1 x2 x3 | Y | Y1^0 | Y1^1 | Y1^⊕
X  0  0  | 1 |  1   |  1   |  0
1  1  1  | 1 |  0   |  1   |  1
X  0  1  | 0 |  0   |  0   |  0
X  1  0  | 0 |  0   |  0   |  0
0  1  1  | 0 |  0   |  0   |  0

Derivative $\partial f / \partial x_1$ by the truth table:

x1 x2 x3 | Y | Y1^0 | Y1^1 | Y1^⊕
0  0  0  | 1 |  1   |  1   |  0
0  0  1  | 0 |  0   |  0   |  0
0  1  0  | 0 |  0   |  0   |  0
0  1  1  | 0 |  0   |  1   |  1
1  0  0  | 1 |  1   |  1   |  0
1  0  1  | 0 |  0   |  0   |  0
1  1  0  | 0 |  0   |  0   |  0
1  1  1  | 1 |  0   |  1   |  1

In both tables the unit values of the column Y1^⊕ (the cube 111, or the rows 011 and 111) give, after omitting $x_1$, the same derivative $\partial f / \partial x_1 = x_2 x_3$.
Calculating the derivatives with respect to all input variables makes it possible to construct an activation test for a functionality defined not by a truth table but by a cubic coverage, which can considerably reduce the time of test synthesis.
Thus, the results of calculating the derivatives by the three forms of function definition are identical. The method of taking the derivative by the truth table is the most technological. Using a cubic coverage has lower computational complexity because of the compact representation of the functionality obtained by introducing redundancy (the symbol X) into the binary alphabet. Using the analytical form considerably increases the complexity of the algorithms, because of the application of the laws of Boolean algebra and function minimization, which limits its use for practical problems.
The process model for obtaining the test $T = [T_{ij}]$, $i = \overline{1, k}$, $j = \overline{1, n}$, of a combinational function is:
$$1)\ f'(x_i) = f(x_1, x_2, \ldots, x_i = 0, \ldots, x_n) \oplus f(x_1, x_2, \ldots, x_i = 1, \ldots, x_n);$$
$$2)\ T = \bigcup_{i=1}^{n} [f'(x_i) * (x_i = 0) \vee (x_i = 1)];$$
$$3)\ T_{ij} = T_{i-1,j} \leftarrow T_{ij} = X; \quad T_{1j} = 1 \leftarrow T_{1j} = X;$$
$$4)\ T = T \setminus T_i \leftarrow T_i = T_{i-r}, \quad r = \overline{1, i-1}, \quad i = \overline{2, k}.$$
1) Calculate the derivatives with respect to all n variables of the functionality using one of the forms: analytical, tabular or cubic. 2) Combine all activation conditions (vectors) in a table, where each vector is concatenated (*) with a change of the variable with respect to which the derivative was taken; this doubles the number of test patterns relative to the total number (k) of activation conditions. 3) Extend the definition of the symbol X = {0,1} in a coordinate by assigning the binary value of the same coordinate in the previous vector, in order to obtain a test of minimal length. 4) Minimize the test by removing repeated input vectors.
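The following Python is added here as a worked example and is not the paper's own code. It implements the tabular derivative of this section and steps 1-4 of the test synthesis model above, and runs them on the paper's three example functions (Example 3 is entered as its cubic coverage and expanded to a function, so the tabular and cubic forms agree by construction). Two things are the example's own assumptions rather than the paper's procedures: the activation conditions are compressed into cubes by a plain adjacency merge (two cubes differing in one binary position become one cube with X), and the final check measures what an activation test buys in fault-detection terms, namely coverage of the single stuck-at faults on the inputs.

```python
from itertools import product
# Added example (not the paper's code): Boolean first derivatives by the truth
# table and activation-test synthesis (steps 1-4) for the paper's Examples 1-3.

def cubes_to_function(cubes):
    """Expand a cubic coverage [('X00', 1), ('111', 1), ...] into f(*bits).
    'X' matches either value; a point covered by no cube evaluates to 0."""
    def f(*bits):
        for cube, y in cubes:
            if all(c == 'X' or int(c) == b for c, b in zip(cube, bits)):
                return y
        return 0
    return f

def merge_cubes(cubes):
    """Adjacency rule: two cubes differing in exactly one binary position merge
    into one cube with 'X' there; repeat until stable. Correct, not minimal."""
    cubes = set(cubes)
    merged = True
    while merged:
        merged = False
        ordered = sorted(cubes)  # fixed order makes the result deterministic
        for a in ordered:
            for b in ordered:
                diff = [k for k in range(len(a)) if a[k] != b[k]]
                if len(diff) == 1 and 'X' not in (a[diff[0]], b[diff[0]]):
                    k = diff[0]
                    cubes -= {a, b}
                    cubes.add(a[:k] + 'X' + a[k + 1:])
                    merged = True
                    break
            if merged:
                break
    return frozenset(cubes)

def derivative(f, n, i):
    """df/dx_i by the truth table: the rows where Y0 = f(..x_i=0..) and
    Y1 = f(..x_i=1..) differ, returned as cubes over all n variables with
    'X' in position i (the variable the derivative is taken by)."""
    conditions = set()
    for bits in product((0, 1), repeat=n - 1):
        v0, v1 = list(bits), list(bits)
        v0.insert(i, 0)
        v1.insert(i, 1)
        if f(*v0) ^ f(*v1):
            cube = [str(b) for b in bits]
            cube.insert(i, 'X')
            conditions.add(''.join(cube))
    return merge_cubes(conditions)

def synthesize_test(f, n):
    """Steps 1-4: derivatives for every x_i; each activation cube concatenated
    with x_i = 0 and x_i = 1; remaining X's filled from the previous vector
    (1 for the first one); duplicate vectors removed."""
    patterns = [cube[:i] + v + cube[i + 1:]
                for i in range(n)
                for cube in sorted(derivative(f, n, i))
                for v in '01']
    test = []
    for pattern in patterns:
        previous = test[-1] if test else '1' * n
        vector = ''.join(previous[k] if c == 'X' else c
                         for k, c in enumerate(pattern))
        if vector not in test:
            test.append(vector)
    return test

def input_stuck_at_coverage(f, n, test):
    """Share of the 2n single stuck-at faults on the inputs x_i that the test
    detects; a test that activates every variable must reach 1.0."""
    detected = 0
    for i in range(n):
        for stuck in (0, 1):
            for vector in test:
                good = [int(c) for c in vector]
                bad = good[:]
                bad[i] = stuck
                if f(*good) != f(*bad):
                    detected += 1
                    break
    return detected / (2 * n)

# The paper's example functions, with the overbars lost in print restored.
def f1(x1, x2):        # Example 1: x1 v x1x2
    return x1 | (x1 & x2)

def f2(x1, x2, x3):    # Example 2: x1x2 v ~x1x3 (a 2-to-1 multiplexer)
    return (x1 & x2) | ((1 - x1) & x3)

EXAMPLE3_CUBES = [('X00', 1), ('111', 1), ('X01', 0), ('X10', 0), ('01X', 0)]
f3 = cubes_to_function(EXAMPLE3_CUBES)  # Example 3: ~x2~x3 v x1x2x3

if __name__ == '__main__':
    for name, f, n in (('f1', f1, 2), ('f2', f2, 3), ('f3', f3, 3)):
        print(name, [sorted(derivative(f, n, i)) for i in range(n)])
    t = synthesize_test(f3, 3)
    print('test for f3:', t, 'input stuck-at coverage:', input_stuck_at_coverage(f3, 3, t))
```

For Example 3 the procedure yields the five vectors 011, 111, 101, 100, 110, which activate every variable and therefore detect all six input stuck-at faults of the function; the derivatives themselves come out as in the text (x2x3 for x1, 1 for x1 and 0 for x2 in Example 1, and the four conditions of Example 2).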
Fig. 2 illustrates the tables for obtaining the test according to items 2-4 of the algorithm for the functionality $f = \bar{x}_2 \bar{x}_3 \vee x_1 x_2 x_3$, given by the circuit structure.

Fig. 2. Test tables and circuit structure of the Boolean function

The resulting test is identical in quality and quantity to the input patterns previously synthesized by the method $F \oplus L$; therefore it has the same fault coverage and depth of vulnerability detection.
The proposed process model for synthesizing tests for testing and diagnosing vulnerabilities can be used as an embedded component of the CS infrastructure IP.

III. Deductive method for vulnerability detection in CS

The main idea of the deductive method is to analyse the mapping of the input data of the cybersystem onto its output data in order to detect destructive penetrations or vulnerabilities, by comparing well-known (functional) modes with situations that arouse suspicion. To implement the method in the infrastructure of protective services it is necessary to have a graph model of the cybersystem's functional logic, which can be simply transformed into a system of logical equations suitable for deductive analysis. Below, a model for deductive, parallel and synchronous analysis of vulnerabilities (penetrations) in a cybersystem (object) is proposed; it calculates all the destructive components detectable by a test vector in one iteration of processing the structure. The aim of deductive analysis is to determine the quality of the synthesized test with respect to the completeness of vulnerability coverage, and to build a table of all detected CS vulnerabilities checked by the test patterns, for the subsequent diagnosis procedures. The model is based on solving the equation
$$L = T \oplus F, \quad (1)$$
where $F = (F_{m+1}, F_{m+2}, \ldots, F_i, \ldots, F_n)$, $i = \overline{m+1, n}$, is the set of vulnerability-free (correct) behaviour functions of the CS; $m$ is the number of inputs; $Y_i = F_i(X_{i1}, \ldots, X_{ij}, \ldots, X_{in_i})$ is the $n_i$-input $i$-th circuit element realizing $F_i$, which determines the state of the line (output) $Y_i$ on the test vector $T_t$; $X_{ij}$ is the $j$-th input of the $i$-th element; the test $T = (T_1, T_2, \ldots, T_t, \ldots, T_k)$ is an ordered set of binary vectors, extended during vulnerability-free simulation to the set of input, internal and output lines and combined into the matrix
$$T = [T_{ti}] = \begin{bmatrix} T_{11} & T_{12} & \ldots & T_{1i} & \ldots & T_{1n} \\ \ldots & \ldots & \ldots & \ldots & \ldots & \ldots \\ T_{t1} & T_{t2} & \ldots & T_{ti} & \ldots & T_{tn} \\ \ldots & \ldots & \ldots & \ldots & \ldots & \ldots \\ T_{k1} & T_{k2} & \ldots & T_{ki} & \ldots & T_{kn} \end{bmatrix}, \quad (2)$$
whose non-input coordinates are defined by simulating the function $T_{ti} = Y_i = F_i(X_{i1}, \ldots, X_{ij}, \ldots, X_{in_i})$ on the test vector $T_t$; $L = (L_1, L_2, \ldots, L_t, \ldots, L_k)$ is the set of deductive circuits or models defined by expression (3), where $L_t = (L_{t1}, L_{t2}, \ldots, L_{ti}, \ldots, L_{tn})$ and
$$L_{ti} = T_t \oplus F_i \quad (3)$$
is the deductive function (DF) of parallel vulnerability simulation on the test vector $T_t$ corresponding to the vulnerability-free element $F_i$; it makes it possible to calculate the list of input penetrations transported to the output of the element $F_i$ [8].
The synchronism of the proposed model (1) is defined by the condition $\Delta t = (t_{j+1} - t_j) \gg \tau \gg t_i$: the time interval between changes of the input vectors, $t_{j+1} - t_j$, is much greater than the maximum delay of the system, $\tau$, and of an element, $t_i$. This makes it possible to exclude time as an insignificant parameter [8], which is used in the technologies of simulation and test synthesis.
In general, when a CS function is represented by a truth table, formula (1) yields, for a given test vector $T_t$, a vulnerability (penetration) transportation table, from which the DF for simulating destructiveness can be written. Examples for such functions are presented below in the following form: the first operand is the test vector, the second one the truth table of the function, and the result the vulnerability transportation table.
Test vector (X1, X2, Y1) = (0, 1, 0); function Y1 = X1. Each row of the truth table XORed with the test vector gives a row of the transportation table L1:

X1 X2 | Y1
0  1  | 0

       X1 X2 | Y1        X1 X2 | L1
       0  0  | 0         0  1  | 0
  ⊕    0  1  | 0    =    0  0  | 0
       1  0  | 1         1  1  | 1
       1  1  | 1         1  0  | 1

$$L_1 = X_1 \bar{X}_2 \vee X_1 X_2;$$

Test vector (X1, X2, Y2) = (1, 1, 1); function Y2 = X1 X2:

X1 X2 | Y2
1  1  | 1

       X1 X2 | Y2        X1 X2 | L2
       0  0  | 0         1  1  | 1
  ⊕    0  1  | 0    =    1  0  | 1
       1  0  | 0         0  1  | 1
       1  1  | 1         0  0  | 0

$$L_2 = X_1 X_2 \vee X_1 \bar{X}_2 \vee \bar{X}_1 X_2.$$
Here the deductive functions $L_1, L_2$ are written in disjunctive normal form by the constituents of "1" of the destructiveness transportation table. When the test is divided into its vector components, equation (1) for obtaining the DF for $T_t \in T$ takes the form $L_t = T_t \oplus F$. If the functional description of the CS is represented by components (primitives) that form the states of all lines (connections) of the CS, the following expression is used to transform the vulnerability-free model of the primitive $F_i$ on the test vector $T_t$ into the deductive function $L_{ti}$:
$$L_{ti} = T_t \oplus F_i = f_{ti}[(X_{i1} \oplus T_{t1}), (X_{i2} \oplus T_{t2}), \ldots, (X_{ij} \oplus T_{tj}), \ldots, (X_{in_i} \oplus T_{tn_i})] \oplus T_{ti}, \quad (4)$$
which is the basis of the deductive analysis of destructive violations in the CS [3, 6].

Example 4. Obtain the deductive functions for parallel simulation of vulnerabilities on an exhaustive test for the basis of functional elements And, Or, Not.
According to expression (4), the following transformations of the function And are performed:
$$L_{and}[T = (00, 01, 10, 11),\ F = X_1 \wedge X_2] = L\{(\bar{x}_1 \bar{x}_2 \vee \bar{x}_1 x_2 \vee x_1 \bar{x}_2 \vee x_1 x_2) \wedge [((X_1 \oplus T_{t1}) \wedge (X_2 \oplus T_{t2})) \oplus T_{t3}]\} =$$
$$= \bar{x}_1 \bar{x}_2 \{[(X_1 \oplus 0) \wedge (X_2 \oplus 0)] \oplus 0\} \vee \bar{x}_1 x_2 \{[(X_1 \oplus 0) \wedge (X_2 \oplus 1)] \oplus 0\} \vee x_1 \bar{x}_2 \{[(X_1 \oplus 1) \wedge (X_2 \oplus 0)] \oplus 0\} \vee x_1 x_2 \{[(X_1 \oplus 1) \wedge (X_2 \oplus 1)] \oplus 1\} =$$
$$= \bar{x}_1 \bar{x}_2 (X_1 \wedge X_2) \vee \bar{x}_1 x_2 (X_1 \wedge \bar{X}_2) \vee x_1 \bar{x}_2 (\bar{X}_1 \wedge X_2) \vee x_1 x_2 (X_1 \vee X_2).$$
Similar calculations are performed for the function Or:
$$L_{or}[T = (00, 01, 10, 11),\ F = X_1 \vee X_2] = L\{(\bar{x}_1 \bar{x}_2 \vee \bar{x}_1 x_2 \vee x_1 \bar{x}_2 \vee x_1 x_2) \wedge [((X_1 \oplus T_{t1}) \vee (X_2 \oplus T_{t2})) \oplus T_{t3}]\} =$$
$$= \bar{x}_1 \bar{x}_2 \{[(X_1 \oplus 0) \vee (X_2 \oplus 0)] \oplus 0\} \vee \bar{x}_1 x_2 \{[(X_1 \oplus 0) \vee (X_2 \oplus 1)] \oplus 1\} \vee x_1 \bar{x}_2 \{[(X_1 \oplus 1) \vee (X_2 \oplus 0)] \oplus 1\} \vee x_1 x_2 \{[(X_1 \oplus 1) \vee (X_2 \oplus 1)] \oplus 1\} =$$
$$= \bar{x}_1 \bar{x}_2 (X_1 \vee X_2) \vee \bar{x}_1 x_2 (\bar{X}_1 \wedge X_2) \vee x_1 \bar{x}_2 (X_1 \wedge \bar{X}_2) \vee x_1 x_2 (X_1 \wedge X_2).$$
Here $T_t = (T_{t1}, T_{t2}, T_{t3})$, $t = \overline{1, 4}$, is a test vector with three coordinates, the last of which defines the output state of the two-input element And (Or); the lowercase $x_1, x_2$ denote the values of the test vector and the uppercase $X_1, X_2$ the vulnerability indicators coded on the corresponding inputs. In the next transformation $T_t = (T_{t1}, T_{t2})$, $t = \overline{1, 2}$, is a test vector with two coordinates, the second of which defines the state of the inverter output:
$$L_{not}[T = (01, 10),\ F = \bar{X}_1] = L\{(\bar{x}_1 \vee x_1)[\overline{(X_1 \oplus T_{t1})} \oplus T_{t2}]\} = \bar{x}_1 [\overline{(X_1 \oplus 0)} \oplus 1] \vee x_1 [\overline{(X_1 \oplus 1)} \oplus 0] = \bar{x}_1 X_1 \vee x_1 X_1 = X_1.$$
The last expression shows that the transportation of vulnerabilities is invariant to inversion of the input set: the inverter transforms into a repeater, so this function does not appear on the outputs of deductive elements. A joint hardware implementation of the DF for the remaining two-input elements And, Or on the exhaustive test is represented by a universal functional primitive (Fig. 3) for deductive-parallel vulnerability analysis.

Fig. 3. Simulator of vulnerable primitives

The simulator has Boolean inputs (x1, x2), register inputs (X1, X2) for coding vulnerabilities, a variable V for choosing the type of vulnerability-free function (AND, OR) and an output register variable Y. The states of the binary inputs x1, x2 and of the selection variable determine one of the four deductive functions for the vector Y of testable vulnerabilities.
To illustrate the parallel simulation of 8-bit input vectors of vulnerabilities, which yields the set of detectable destructive components at the output Y of the logic elements 2And, 2Or, the following table is used:

(V,x1,x2) | 000      | 100      | 011      | 111      | 010      | 110
X1 (RG)   | 01110001 | 01110001 | 10110110 | 00111011 | 00101010 | 10111001
X2 (RG)   | 01111000 | 01111000 | 10110101 | 00110100 | 10111001 | 00101010
Y (RG)    | 01110000 | 01111001 | 10110111 | 00110000 | 10010001 | 10010001

The use of this simulator allows transforming the functional model F of correct CS behaviour into a deductive model L, which is invariant in the sense of generality of test sets and does not require the model F during simulation. Therefore the simulator, as a hardware model of the DF, is an effective engine for deductive parallel simulation of the CS, which increases the speed of cybersystem analysis 10-1000 times compared with a software implementation; the ratio of model volumes for correct-behaviour modelling and vulnerability analysis is 1:10. The approach of hardware analysis of destructive components is aimed at enhancing the functionality of embedded simulation tools, which can be stored in the cloud and constantly used to verify the infrastructure of CS protective services. The computational complexity of processing a project consisting of n components is
$$Q = \frac{2 n \tau}{W},$$
where $\tau$ is the time for executing a register operation (And, Or, Not) and $W$ is the register width.
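The following Python is added here as a worked example and is not the paper's own code. It implements equation (4) for an arbitrary primitive, derives the transportation tables and DNFs of Example 4 from it, and shows the register-parallel form of the Fig. 3 simulator: the AND/OR function is lifted to W-bit words through its minterm expansion, the input registers are XORed with the test vector, and the result is XORed with the fault-free output. The Fig. 3 table is embedded as constructed data so the code can check itself against the paper's values; the helper names, and the representation of a vulnerability as an inverted input value (X_j = 1), are the example's own assumptions.

```python
from itertools import product
# Added example (not the paper's code): deductive functions L_t = T xor F of
# equations (1), (3), (4) for the And, Or, Not primitives, in scalar form and
# in register-parallel form; the Fig. 3 table is reproduced as constructed data.

def AND2(a, b):
    return a & b

def OR2(a, b):
    return a | b

def NOT1(a):
    return 1 - a

def deductive_function(f, t):
    """Equation (4): L_t(X) = f(X_1 xor t_1, ..., X_n xor t_n) xor f(t).
    t is the test vector; X_j = 1 marks input j as carrying a vulnerability
    (its value inverted). L_t(X) = 1 iff that pattern reaches the output."""
    y_good = f(*t)
    return lambda *X: f(*[x ^ ti for x, ti in zip(X, t)]) ^ y_good

def transportation_table(f, t):
    """Equation (1) for one test vector: the truth table of F xor-shifted by t,
    i.e. every vulnerability pattern X with its L_t(X)."""
    L = deductive_function(f, t)
    return {X: L(*X) for X in product((0, 1), repeat=len(t))}

def dnf(table, names=('X1', 'X2')):
    """Disjunctive normal form of L by the constituents of '1' of the table."""
    terms = [''.join(n if b else '~' + n for n, b in zip(names, X))
             for X, l in sorted(table.items()) if l]
    return ' v '.join(terms) or '0'

def word_function(f, n, width):
    """Lift f to W-bit registers through its minterm expansion, so bit k of
    the result is f applied to bit k of every argument (word ops only)."""
    mask = (1 << width) - 1
    minterms = [m for m in product((0, 1), repeat=n) if f(*m)]
    def fw(*regs):
        out = 0
        for m in minterms:
            term = mask
            for r, bit in zip(regs, m):
                term &= r if bit else (~r & mask)
            out |= term
        return out
    return fw

def parallel_deductive(f, t, regs, width):
    """Equation (4) on registers (the Fig. 3 simulator): bit k of each input
    register is the vulnerability indicator of the k-th simulated fault, so
    all W faults are evaluated in a single pass of word-level operations."""
    mask = (1 << width) - 1
    shifted = [r ^ (mask if ti else 0) for r, ti in zip(regs, t)]
    return word_function(f, len(t), width)(*shifted) ^ (mask if f(*t) else 0)

# Constructed copy of the paper's Fig. 3 table: (element, (x1, x2), X1, X2, Y).
FIG3_TABLE = [
    (AND2, (0, 0), 0b01110001, 0b01111000, 0b01110000),
    (OR2,  (0, 0), 0b01110001, 0b01111000, 0b01111001),
    (AND2, (1, 1), 0b10110110, 0b10110101, 0b10110111),
    (OR2,  (1, 1), 0b00111011, 0b00110100, 0b00110000),
    (AND2, (1, 0), 0b00101010, 0b10111001, 0b10010001),
    (OR2,  (1, 0), 0b10111001, 0b00101010, 0b10010001),
]

def fig3_matches():
    """True iff the register-parallel DF reproduces every Y of Fig. 3."""
    return all(parallel_deductive(g, t, [x1, x2], 8) == y
               for g, t, x1, x2, y in FIG3_TABLE)

if __name__ == '__main__':
    for t in product((0, 1), repeat=2):
        print('And', t, dnf(transportation_table(AND2, t)),
              '| Or', t, dnf(transportation_table(OR2, t)))
    print('Not:', [dnf(transportation_table(NOT1, (v,)), ('X1',)) for v in (0, 1)])
    print('Fig. 3 reproduced:', fig3_matches())
```

Running it prints the four DFs of Example 4 for And and Or (for instance X1 v X2 for And on 11 and ~X1X2 for Or on 01), the repeater X1 for Not on both test vectors, and confirms all six Y registers of the Fig. 3 table; the scalar and register forms are the same equation, the register form simply evaluates it for W fault patterns per word operation.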
Thus, the method of deductive parallel simulation allows estimating the quality (coverage) of the proposed tests and determining all potential places where vulnerabilities may exist, for their subsequent elimination.
IV. Conclusion
1. Improved methods for the test synthesis of functionalities defined by a matrix description of CS component behaviour are developed; they differ by the parallelism of vector operations on tables, which makes it possible to considerably (x2) improve the performance of the computational procedures.
2. The process models and methods for the test synthesis of functionalities and the diagnosis of FV can be used as embedded components of the infrastructure IP based on the testability standards.
3. The method of FV deductive parallel simulation allows estimating the quality (coverage) of the proposed tests and determining all potential places where vulnerabilities may exist, for their subsequent elimination.
4. The practical value of the proposed investigation is a formal model that subsequently allows a significant reduction in the time of the existing methods for testing, diagnosing and fixing vulnerabilities of a corporate cybernetic system.
References
[1] Bondarenko M.F., Hahanov V.I., Litvinova E.I. Structure of logic associative multiprocessor //Automation and Remote Control. 2012. No 10. P. 71-92.
[2] Hahanov V., Gharibi W., Litvinova E., Chumachenko S. Information analysis infrastructure for diagnosis // Information: an International Interdisciplinary Journal. 2011. Japan. Vol. 14, No 7. P. 2419-2433.
[3] Bishop M. About Penetration Testing // IEEE Security & Privacy. 2007. Vol. 5, Iss. 6. P. 84-87.
[4] Mainka C., Somorovsky J., Schwenk J. Penetration Testing Tool for Web Services Security // 2012 IEEE Eighth World Congress on Services. 2012. P. 163-170.
[5] Salas P.A.P., Krishnan P., Ross K.J. Model-based Security Vulnerability Testing // 18th Australian Software Engineering Conference. 2007. P. 284-296.
[6] Bau J., Bursztein E., Gupta D., Mitchell J. State of the Art: Automated Black-Box Web Application Vulnerability Testing // 2010 IEEE Symposium on Security and Privacy. 2010. P. 332-345.
[7] Shahriar H., Zulkernine M. Automatic Testing of Program Security Vulnerabilities // 33rd Annual IEEE International Computer Software and Applications Conference. 2009. Vol. 2. P. 550-555.
[8] Sedaghat S., Adibniya F., Sarram M.-A. The investigation of vulnerability test in application software // International Conference on the Current Trends in Information Technology (CTIT). 2009. P. 1-5.
[9] Wilhelm T. Professional Penetration Testing. Syngress, 2009. 524 p.
[10] Shakeel A., Heriyanto T. BackTrack 4: Assuring Security by Penetration Testing. Packt Publishing, 2011. 392 p.
Hahanova Irina Vitalyevna, Dr.Sc., professor of the Computer Aided Design Department of Kharkov National University of Radioelectronics. Research fields: design and testing of digital systems and networks on chips. Address: Ukraine, 61166, Kharkov, Lenin ave. 14. Phone: 70-21-326. Email: [email protected].