Identifying unauthorized privilege escalations

US 20090271863A1
Filed: 01/30/2007
Published: 10/29/2009
Est. Priority Date: 01/30/2006
Status: Abandoned Application

First Claim

Patent Images

1. A method of determining potential privilege escalations in a network comprising of one or more hosts, comprising:

performing configuration scanning in a first time period;

conducting vulnerability scanning in said first time period;

determining transitive closure of all security attacks on the networkproviding an user interface that renders said potential privilege escalations;

storing a first set of results of said network configuration process in said central server for said first time period;

authenticating said first state of results for said first time period by said security administrator;

performing said network configuration process and said vulnerability analysis for a second time period to generate a second results set further comprising configuration scanning result and second vulnerability scanning result; and

comparing said second set of results with the first set of results and identifying new potential privilege escalations, wherein said new potential privilege escalations potentially compromise security.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed herein is a method and system of determining and/or managing potential privilege escalation attacks in a system or network comprising one or more potentially heterogeneous hosts. The step of configuration scanning optionally includes making a list of operating system specific protection mechanism on each host. Vulnerability scanning optionally includes the step of identifying the vulnerability position of each identified program. Transitive closure of all security attacks on the network and potential privilege escalations can be determined. A user interface optionally renders the potential privilege escalations as an appropriate representation. The method may include none or one or more of several pre-emptive mechanisms and reactive mechanisms. Further, the method may optionally include a mechanism for a periodic safety check on the system ensuring continued security on the network.

181 Citations

54 Claims

1. A method of determining potential privilege escalations in a network comprising of one or more hosts, comprising:
- performing configuration scanning in a first time period;
  
  conducting vulnerability scanning in said first time period;
  
  determining transitive closure of all security attacks on the networkproviding an user interface that renders said potential privilege escalations;
  
  storing a first set of results of said network configuration process in said central server for said first time period;
  
  authenticating said first state of results for said first time period by said security administrator;
  
  performing said network configuration process and said vulnerability analysis for a second time period to generate a second results set further comprising configuration scanning result and second vulnerability scanning result; and
  
  comparing said second set of results with the first set of results and identifying new potential privilege escalations, wherein said new potential privilege escalations potentially compromise security.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, 46, 47, 48)
- - 2. The method of claim 1, wherein said hosts may run different versions of the same operating system.
  - 3. The method of claim 1, wherein said hosts may run different operating systems.
  - 4. The method of claim 1, wherein said hosts may run different software, inclusive of any of database servers, mail servers.
  - 5. The method of claim 1, wherein said networks containing other networking components such as switches, wireless access points, routers, hubs, and firewalls.
  - 6. The method of claim 1, further comprising providing a storage for the results of said network configuration scanning and said vulnerability scanning for a second time period to generate a second set of results, and further comprising configuration scanning result, second vulnerability scanning result and second user interface output, and comparing said second set of results with the first set of results and identifying new potential privilege escalation attacks that compromise the security of the network.
  - 7. The method of claim 1, wherein said step of performing configuration scanning in a network further comprise the steps of:
    - making a list of one or multiple of files, services and registry keys, WMI keys, processes, network sockets, interprocess communication channels such as shared memory, named pipes, message queues, semaphores, waitable timers, mailslots, network ports, program services, network shares, and other operating system or hardware resources, and their meta data;
      
      obtaining a list of authorized users who have access to one or more of said files, services and registry keys, WMI keys, processes, network sockets, interprocess communicaton channels such as shared memory, named pipes, message queues, semaphores, waitable timers, mailslots, network ports, operating system and program services;
      
      classifying said authorized users in groups; and
      
      identifying all programs that automatically accept input from the network.
  - 8. The method of claim 1, wherein said first set of results comprises a listing of files, services, registry keys, authorized users, groups and programs, their meta data, and the results of said vulnerability scanning that comprises said vulnerability position of identified programs, potential privilege escalations, and first user interface output.
  - 9. The method of claim 1, wherein a historical database of the results of configuration scanning and vulnerability scanning are stored in the central server.
  - 10. The method of claim 1, wherein when a vulnerability advisory is released, vulnerability scanning is performed.
  - 11. The method of claim 9, a what if analysis is performed to determine adverse actions an adversary entity could pursue after a host is compromised.
  - 12. The method of claim 1, wherein the first set of results and the second set of results comprise program vulnerabilities that are security lapses within said hosts.
  - 13. The method of claim 1, wherein the first set of results and the second set of results comprise configuration vulnerabilities that affect all users and programs of a host.
  - 14. The method of claim 1, wherein vulnerability scanning is performed by using information on the identity of users who are allowed to modify a program, identity of users using the program, the vulnerability advisories that apply to the vulnerability analysis and the formal semantics of said vulnerability advisories.
  - 15. The method of claim 1, wherein said network comprises a plurality of operating systems, a plurality of types of databases and web-server products.
  - 16. The method of claim 1, wherein said vulnerability scanning models network properties that includes vulnerabilities, exploit propagation, user and data binding, user binding, user behavior, host configuration and security policy.
  - 17. The method of claim 1, wherein vulnerability scanning comprises the application of vulnerability rules, further comprising the steps of determining the identity of the vulnerability, the path of a vulnerable program, the identity of the host comprising said vulnerable program, whether the vulnerability can be exploited locally or remotely, consequences of the vulnerability being exploited and capturing transitive dependencies.
  - 18. The method of claim 1, wherein said transitive closure determines all the paths by which an adversary can launch a multi-stage multi-host attack on the network.
  - 19. The method of claim 6, wherein said new potential privilege escalations are remote privilege escalations, wherein a vulnerable program is receptive to messages from a network and the adversary who is not necessarily on the same system as the program but is able to send messages to the program across a network, and further wherein said adversary can exploit said vulnerability to achieve privilege escalation.
  - 20. The method of claim 1, wherein said potential privilege escalations are potential local privilege escalations that occur when a program is vulnerable to an adversary and the vulnerability can be exploited by an adversary who is on the same system as the program.
  - 21. The method of claim 1, wherein in said potential privilege escalation attack, an adversary has the ability to send input to the network server programs identified vulnerable, thereby having access to the user account running the server process.
  - 22. The method of claim 1, wherein an operation system kernel of a host is modeled as both a network service running as root and a local privileged program, and wherein the consequence of exploiting a privilege escalation bug in said operation system kernel will result in a compromise of the system administrative account of the host machine and therefore a compromise of the security of the entire network.
  - 23. The method of claim 1, wherein access control permission to an object in an operating system of a host comprises read, write and execute operations.
  - 24. The method of claim 1, wherein in a network file system, if the adversary can access files residing on the client system of the network file system, then the adversary can access files residing on the file server of the network file system.
  - 25. The method of claim 1, wherein a system administrator specifies permitted activities of principals through a security policy, wherein said security policy specifies the data each principal can access.
  - 26. The method of claim 25, wherein said security policy further comprises binding information specifying principal binding that maps a principal symbol to its user accounts on the hosts.
  - 27. The method of claim 25, wherein said security policy further comprises binding information specifying data binding that assigns a data symbol to a data or hardware resource represented by an access path.
  - 28. The method of claim 1, wherein said step of computing transitive closure comprises attack simulation phase and policy checking phase, wherein in said attack simulation phase, all possible data accesses that can result from multistage, multi-host attacks are derived, and wherein in said policy checking phase, the data output tuples from the attack simulation phase are compared with a given security policy.
  - 29. The method of claim 1, wherein the step of vulnerability scanning further comprises the step of hypothetical analysis, further comprising the steps of representing hypothetical software bugs by logic predicates and determining whether or not said hypothetical software bug can cause the security policy to be violated, and thereafter reporting violations.
  - 30. The method of claim 1, wherein said step of configuration scanning may require the collection of privileged information
  - 31. The method of claim 1, wherein said step of vulnerability scanning further comprises the step of scanning the entire registry and identifying registry keys whose data contain the name or location of an executable file or library, and further analyzing the security descriptor for said identified registry keys to determine if the registry key'"'"'s content can be overwritten by an entity that does not have the authority to do so.
  - 32. The method of claim 1, further comprising the step of determining if the potential privilege escalation results in a compromise of the whole network or just certain parts of the network such as a user account or a set of programs.
  - 33. The method of claim 10, further comprising the step of estimating the risk based on said potential privilege escalation, and whether potential privilege escalation will affect the whole computer system or just some parts of the system
  - 34. The method of claim 1, further comprising the step of determining whether a new vulnerability impacts business critical users or files or servers, and further determining whether said cyber security managers should be paged or informed about said vulnerability based on said impact of vulnerability.
  - 35. The method of claim 1, further comprising the step of prioritizing the response actions given a large number of security vulnerabilities, wherein network wide privilege escalations are assigned higher priorities, and localized privilege escalations are assigned lower priorities.
  - 36. The method of claim 1, further comprising the step of determining the users and groups that have to be trusted to guarantee the host'"'"'s integrity, by determining whether the paths from said users or groups to the system exist in the pictographic representation of the privilege escalations.
  - 37. The method of claim 1, further comprising the step of determining whether the addition of a particular user to a particular group is safe by performing said vulnerability analysis and determining if an escalation from said group to the system node is possible.
  - 38. The method of claim 1, further comprising the step of determining multiple vulnerabilities that can be exploited in tandem to get a level of access that is not possible with just a single vulnerability.
  - 39. The method of claim 1, further comprising the step of determining how adversaries can escalate their privileges on a single host, using misconfigurations or vulnerabilities in one or more of files, services and registry keys.
  - 40. The method of claim 1, further comprising the step of determining all the places that an adversary can compromise because of a reported security vulnerability.
  - 41. The method of claim 25, wherein said security policy of a network is determined by the cyber security manager specifying accesses that are permitted and that are not disallowed.
  - 42. The method of claim 1, wherein different network server programs that accept input from the network are considered exploitable over the heterogeneous network if the step of vulnerability scanning reports that said server programs have known bugs.
  - 43. The method of claim 1, wherein transitive dependencies are computed between various users or principals in the network.
  - 44. The method of claim 1, wherein in the absence of a security policy, a raw trace of which user can access what program or resource of the heterogeneous network is provided.
  - 45. The method of claim 1, wherein the data binding information of the network is determined by querying files and servers in the network.
  - 46. The method of claim 1, wherein the step of configuration collection if performed before vulnerability is reported, determines that the configuration data collected is trustworthy.
  - 47. The method of claim 1, further comprising the step of determining that a program should not be installed if said program can lead to a potential privilege escalation.
  - 48. The method of claim 1, further comprising the step of creating new access control specifications for a program that has a dangerous configuration, whereby said program can be installed without the danger of privilege escalations.

49. A method of determining potential privilege escalations in a network comprising of one or more hosts, comprising the steps of:
- performing configuration scanning;
  
  conducting vulnerability scanning;
  
  determining transitive closure of all privilege escalations on said network;
  
  providing a user interface output that renders said privilege escalations; and
  
  ,presenting said user interface output to said cyber security managers.

50. A system for determining potential privilege escalations in a network comprising a plurality of hosts and operating systems managed by one or more administrators, further comprising:
- a configuration scanning module for performing a configuration scan on said network at predetermined time periods;
  
  a vulnerability scanning module for conducting a vulnerability scan on the result of said configuration scan at said predetermined time periods;
  
  a timing module for scheduling the predetermined time periods;
  
  a database for storing the configuration scan results of the configuration scanning module and the vulnerability scan results of the vulnerability scanning module;
  
  a user interface module to present the results in a suitable interface to one or more administrators and help understand the results;
  
  a state differential module for comparing the states of two subsequent configuration scans of the configuration scanning module and the vulnerability scan module;
  
  said administrator providing administrative privileges for the configuration scanning module and providing a security policy, wherein said security policy specifies the data each principal can access; and
  
  ,a graphical user interface for rendering potential privilege escalations derived from the configuration scan results and vulnerability scan results.
- View Dependent Claims (51, 52, 53)
- - 51. The system of claim 50, wherein said configuration scan module runs with or without said administrative privileges.
  - 52. The system of claim 50, wherein the configuration scanning module and the vulnerability scanning module may run on the same or separate computing platforms, and wherein the vulnerability scanning module does not require to be a part of the trusted computing base.
  - 53. The system of claim 50, wherein said vulnerability scanning module determines network configuration vulnerabilities as well as single host configuration vulnerabilities.

54. A computer program product comprising computer executable instructions embodied in a computer-readable medium, in a network of hosts comprising a server and a plurality of hosts in the domain of an administrator, said computer program product including:
- a first computer parsable program code for performing a configuration scan on said network at predetermined time periods;
  
  a second computer parsable program code for conducting a vulnerability scan on the result of said configuration scan at said predetermined time periods;
  
  a third computer parsable program code for scheduling the predetermined time periods;
  
  a fourth computer parsable program code for storing the configuration scan results and the vulnerability scan results;
  
  a fifth computer parsable program code for comparing the states of two subsequent configuration scans and the vulnerability scans; and
  
  a sixth computer parsable program code for rendering potential privilege escalations derived from the configuration scan results and vulnerability scan results.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Andrew W.S. Appel, Sudhakar Govindavajhala
Original Assignee
Andrew W.S. Appel, Sudhakar Govindavajhala
Inventors
Govindavajhala, Sudhakar, Appel, Andrew W.s

Application Number

US11/699,607
Publication Number

US 20090271863A1
Time in Patent Office

Days
Field of Search
US Class Current

726/23
CPC Class Codes

G06F 21/577 Assessing vulnerabilities a...

H04L 63/1433 Vulnerability analysis

Identifying unauthorized privilege escalations

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

181 Citations

54 Claims

Specification

Solutions

Use Cases

Quick Links

Identifying unauthorized privilege escalations

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

181 Citations

54 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links