Securing Distributed System Configuration through Optimization and Reasoning on Graphs
Complex distributed systems are inherently difficult to secure due to the many interdependencies amongst their components, vulnerabilities, and configuration parameters. To address this problem, we present an approach for improving the security posture of distributed systems by examining the security impact of configuration changes across their interdependent components. We construct a graph-based model of the system and its vulnerabilities and use it to analyze the attack surface and the impact of attacks. We show how the model can be optimized using SMT solvers to derive configurations that minimize the impact of attacks while preserving system functionality.
Poster: Securing Distributed System Configuration through Optimization and Reasoning on Graphs

Hamed Soroush, Palo Alto Research Center, hsoroush@parc.com
Shantanu Rane, Palo Alto Research Center, srane@parc.com
Massimiliano Albanese, George Mason University, malbanes@gmu.edu
Abstract—Complex distributed systems are inherently difficult to secure due to the many interdependencies amongst their components, vulnerabilities, and configuration parameters. To address this problem, we present an approach for improving the security posture of distributed systems by examining the security impact of configuration changes across their interdependent components. We construct a graph-based model of the system and its vulnerabilities and use it to analyze the attack surface and the impact of attacks. We show how the model can be optimized using SMT solvers to derive configurations that minimize the impact of attacks while preserving system functionality.
I. INTRODUCTION

As cyber-systems become more distributed, connected, and complex, configuration analytics is beginning to play an increasingly critical role in their correct and secure operation. Attackers typically rely on unpatched vulnerabilities and configuration errors to gain unauthorized access to system resources. Misconfigurations can occur at any level of a system's architecture, and correctly configuring systems becomes increasingly complex when multiple interconnected systems are involved. Security Misconfiguration was listed by OWASP amongst the ten most critical web application security risks in 2017 [1]. Fixing such misconfigurations requires administrators to take into account the security implications of configuration changes on the entire system, going beyond fine-tuning parameters of individual components. Given the increasingly large scale of cyber-systems, this task must be automated to the maximum extent possible. Previous work on handling configuration errors largely ignores the security impact of configurations of connected components.

To address these challenges we propose (i) a method to integrate individual configurations into a graph-based model to capture within-component and between-component dependencies among configuration parameters; (ii) algorithms to efficiently and automatically identify configurations that minimize the attack surface, and more importantly, potential attack impact, while maintaining functionality and performance. Our system also provides visual, human-understandable evidence for the optimality of the selected configuration set. In the following, we describe construction of the model and our reasoning methodology along with preliminary results.
II. SAMPLE SYSTEM

We use the sample system depicted in Figure 1 to describe our technical approach. The system comprises an Unmanned Aerial Vehicle (UAV), an Unmanned Ground Vehicle (UGV), and a backend mission control station. During a mission, the UAV requires both land and air route processing information from the mission control unit. The UGV only requires land route processing information to operate.
[Figure 1 diagram (not reproduced). Components shown: on the two vehicles, Sensing & Planning (hA, hC), Control (hS, hT) and Local Persistence Service (hB, hD); at Mission Control, Land Route Processing (hF), Air Route Processing (hE), Persistence Service (hG) and Interface (hI). Each of the UAV, the UGV and Mission Control has its own Process Databus, and the vehicles connect to Mission Control through Gateways G1 and G2.]

Fig. 1: Sample system used to illustrate our approach
III. MODEL CONSTRUCTION

Our proposed framework extends [2] by using configuration information about individual components to construct a three-layer directed graph encoding all the information needed to compute optimal configurations. This graph is comprised of the three interconnected directed subgraphs described below.

The dependency subgraph models the functional dependencies between components of a complex system. In this subgraph, each vertex represents a functional component, and is labeled with a utility value and one of several dependency types. Each edge in the dependency subgraph represents a functional dependency on another component, as specified by the dependency label of the parent vertex. The attack subgraph models the propagation of potential multi-step attacks through the system. In the attack subgraph, each vertex represents a vulnerability, and an edge indicates that exploiting the parent vulnerability would set the stage for the attacker to exploit the child vulnerability. Each edge is also labeled with the probability of the attack progressing along that edge. Finally, the configuration subgraph models the relationships between configuration parameters, both within individual components and across components of a complex system. There are two classes of vertices in this subgraph: Class 1 vertices capture per-component configuration parameters; Class 2 vertices capture constraints (or conditions) on configuration parameters. These constraints are defined by functional system requirements and admissibility of configuration settings. Furthermore, some of these constraints or conditions may enable or disable preconditions for system vulnerabilities, inducing a particular attack subgraph for that configuration.

The three subgraphs are connected with three types of edges, giving the complete model of the system, as shown in Figure 2. A directed edge from a component in the dependency graph to a Class 1 vertex in the configuration graph defines the configuration parameters associated with that component. A directed edge from a Class 2 node in the configuration subgraph to a vertex in the attack subgraph (i.e., a vulnerability) implies that the condition represented by the Class 2 vertex is a precondition for that vulnerability. A directed edge from a vertex in the attack subgraph to a vertex in the dependency subgraph (i.e., a system component) indicates that exploiting that vulnerability impacts the component by an amount proportional to the exposure factor labeling the edge.
IV. ANALYSIS AND APPROACH

To find configurations that measurably reduce the impact of attacks, information captured in the three subgraphs discussed above must be efficiently and jointly analyzed. In fact, globally optimal security decisions (e.g., deciding which vulnerability to patch or make unreachable through configuration changes) cannot be made without dependency information. To illustrate, consider the 3-layer graph model of our reference system in Fig. 2. Suppose that an attacker exploits vulnerability $v_C$. This makes $h_C$ completely unavailable, as the exposure factor is 1. As $h_T$ strictly depends on $h_C$, $h_T$ also becomes unavailable, leading to a marginal impact of $7 + 7 = 14$ as a consequence of exploiting $v_C$. In this example, we assume a simple impact function, $impact(v_j) = \sum_{h \in H} (s_{j-1}(h) - s_j(h)) \cdot u(h)$, where $s_{j-1}(h)$ and $s_j(h)$ respectively denote the relative residual utility of asset $h$ before and after exploitation of vulnerability $v_j$ in an attack path $P = (v_1, \ldots, v_n)$, and $u(h)$ is the original utility of $h$. For a given attack step $v_j$, this impact function sums the marginal losses for all the components affected (either directly or indirectly) by the exploitation of $v_j$.

After exploiting $v_C$, the attacker may take one of two steps, exploiting either $v_D$ with probability 0.7 or $v_F$ with probability 0.3. Intuition suggests that, as the attacker is more likely to exploit $v_D$, that vulnerability should be patched or addressed before $v_F$. However, this approach turns out to be inefficient, as we now explain: the additional impact of exploiting $v_D$ would be $0.7 \cdot 5 = 3.5$, as $h_C$ and $h_T$ are already unavailable because of the previous exploit; instead, the additional impact of exploiting $v_F$ would be $0.7 \cdot 7 + 8 + 10 = 22.9$, as compromising $h_F$ also makes $h_A$ and $h_S$ unavailable.

Formally, the impact of the adversary sequentially exploiting the vulnerabilities $v_1, \ldots, v_n$ in a given path $P = (v_1, \ldots, v_n)$ in the attack subgraph can be computed as:

$$impact(P) = \sum_{j=1}^{n} \sum_{h \in H} (s_{j-1}(h) - s_j(h)) \cdot u(h) \qquad (1)$$
[Figure 2 diagram (not reproduced). Dependency subgraph vertices, labeled (component, dependency type) with utility: (hA, fs) 8; (hE, fs) 7; (hC, fs) 7; (hF, fs) 7; (hG, fs) 8; (hD, fd) 5; (hB, fd) 5; (hS, fs) 10; (hT, fs) 7; (hI, fs) 8. Attack subgraph vertices: vA, vB, vC, vD, vE, vF, vG, with edge probabilities 0.7, 0.3, 0.8, 0.2, 1, 1, 1, 1 and the conjunctions vD ∨ vE ∨ vF and vB ∨ vC; exposure factors on attack-to-dependency edges: 0.8, 1, 0.7, 1, 0.8, 0.7, 0.7. Configuration subgraph: Class 1 parameters enable_debug_mode, mysql.allow_persistent, mysql.max_links, mysql.max_persistent, /proc/sys/fs/file-max, max_connections; Class 2 conditions /proc/sys/fs/file-max > max_connections, max_connections < mysql.max_links, mysql.max_links > mysql.max_persistent, enable_debug_mode = TRUE, mysql.allow_persistent = TRUE.]

Fig. 2: 3-layer directed graph model of system in Fig. 1
We created a reasoning framework that uses an SMT solver to solve the following problem and find configurations that minimize the attack impact while preserving functionality and satisfying configuration constraints:

Find configuration $F = (f_1, f_2, \ldots, f_k)$ such that:
1) Configuration subgraph constraints are satisfied
2) Dependency subgraph constraints are satisfied
3) $F = \arg\min_{F} \sum_{P \in A(F)} impact(P)$

where $P = (v_1, \ldots, v_n)$ is any path in the attack subgraph $A(F)$ induced by the configuration $F$.

For our example in Fig. 2, the solver determines that debug mode must be set to false for both $h_A$ and $h_C$. If no solution is found, we relax the constraints starting from the unsatisfiable core and search again for a limited number of iterations.
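The following Python program is an added example, not the authors' code and not their Neo4j/Z3 prototype. It encodes the Fig. 2 data, computes Eq. (1) along the two attack paths discussed in Section IV, and then enumerates configurations to pick the one minimizing the summed impact of the induced attack paths, the same argmin the SMT solver computes. Everything not stated on the poster is an assumption and is labeled as such in the code: the subset of dependency edges (chosen to match the narrative that hT depends on hC, hA on hF, and hS on hA), the exposure factor for vA, the parameter domains, the fixed /proc/sys/fs/file-max value, and the binding of the "enable_debug_mode = TRUE" conditions to vA and vC.

```python
"""Three-layer graph model (dependency, attack, configuration) worked through in plain Python.

Data is constructed from the poster's Fig. 2 and Section IV. The dependency-edge subset,
the vA exposure factor, the parameter domains and the condition-to-vulnerability bindings
are assumptions, not values taken from the paper.
"""
from itertools import product

# Dependency subgraph: utility u(h) and dependency-type label per component (Fig. 2).
UTILITY = {"hA": 8, "hE": 7, "hC": 7, "hF": 7, "hG": 8,
           "hD": 5, "hB": 5, "hS": 10, "hT": 7, "hI": 8}
DEP_TYPE = {h: ("fd" if h in ("hD", "hB") else "fs") for h in UTILITY}
# parent -> components it depends on (assumed subset, consistent with Section IV's narrative)
DEPENDS_ON = {"hT": ["hC"], "hS": ["hA"], "hA": ["hF", "hE"], "hC": ["hF"]}

# Attack subgraph: the edge probabilities stated in the text, and exposure factors on
# vulnerability -> component edges (vC->hC = 1 and the two 0.7 factors follow from the
# text's arithmetic; vA->hA = 0.8 is an assumption).
ATTACK_EDGES = {"vC": {"vD": 0.7, "vF": 0.3}}
EXPOSURE = {"vA": {"hA": 0.8}, "vC": {"hC": 1.0}, "vD": {"hD": 0.7}, "vF": {"hF": 0.7}}


def residual_utilities(own):
    """s(h) for every component given each component's own availability own[h].

    fs ("strictly depends"): fully unavailable as soon as any provider is compromised
    (residual < 1); this reproduces the paper's 14 and 22.9 figures.
    fd: not defined on the poster; assumed here not to propagate provider loss.
    """
    s = {}

    def s_of(h):
        if h not in s:
            intact = all(s_of(c) == 1.0 for c in DEPENDS_ON.get(h, []))
            s[h] = own[h] if (DEP_TYPE[h] != "fs" or intact) else 0.0
        return s[h]

    for h in UTILITY:
        s_of(h)
    return s


def path_impact(path):
    """Eq. (1): sum_j sum_h (s_{j-1}(h) - s_j(h)) * u(h). Returns (total, per-step list)."""
    own = {h: 1.0 for h in UTILITY}
    prev = residual_utilities(own)
    steps = []
    for v in path:
        for h, ef in EXPOSURE.get(v, {}).items():   # exposure factor cuts own availability
            own[h] = min(own[h], 1.0 - ef)
        cur = residual_utilities(own)
        steps.append(sum((prev[h] - cur[h]) * UTILITY[h] for h in UTILITY))
        prev = cur
    return sum(steps), steps


def additional_impact_after(prefix):
    """Marginal impact of each candidate next exploit after prefix (the vD-vs-vF comparison)."""
    return {w: path_impact(list(prefix) + [w])[1][-1]
            for w in ATTACK_EDGES.get(prefix[-1], {})}


# Configuration subgraph. Class 1 parameters use Fig. 2's names; the domains are constructed.
PARAM_DOMAIN = {
    ("hA", "enable_debug_mode"): [True, False],
    ("hC", "enable_debug_mode"): [True, False],
    ("hC", "max_connections"): [100, 200],
    ("hC", "mysql.max_links"): [150, 300],
}
FILE_MAX = 65536  # /proc/sys/fs/file-max, treated as a fixed host value (constructed)


def satisfies_constraints(F):
    """Class 2 admissibility conditions taken from Fig. 2's labels."""
    return (FILE_MAX > F[("hC", "max_connections")]
            and F[("hC", "max_connections")] < F[("hC", "mysql.max_links")])


# Class 2 condition "enable_debug_mode = TRUE" as a vulnerability precondition (assumed binding).
PRECONDITION = {"vA": lambda F: F[("hA", "enable_debug_mode")],
                "vC": lambda F: F[("hC", "enable_debug_mode")]}


def induced_attack_paths(F):
    """A(F): maximal attack paths starting at vulnerabilities whose precondition holds under F."""
    paths = []

    def walk(path):
        nxt = ATTACK_EDGES.get(path[-1], {})
        if not nxt:
            paths.append(tuple(path))
        for w in nxt:
            walk(path + [w])

    for v in sorted(v for v, pre in PRECONDITION.items() if pre(F)):
        walk([v])
    return paths


def total_impact(F):
    return sum(path_impact(p)[0] for p in induced_attack_paths(F))


def optimal_configuration():
    """Exhaustive stand-in for the SMT search: argmin of total impact over admissible F."""
    best = None
    keys = list(PARAM_DOMAIN)
    for values in product(*(PARAM_DOMAIN[k] for k in keys)):
        F = dict(zip(keys, values))
        if satisfies_constraints(F):
            imp = total_impact(F)
            if best is None or imp < best[1]:
                best = (F, imp)
    return best   # None plays the role of "unsat": no admissible configuration exists


if __name__ == "__main__":
    print("vC then vD:", path_impact(["vC", "vD"]))
    print("vC then vF:", path_impact(["vC", "vF"]))
    print("next step after vC:", additional_impact_after(["vC"]))
    print("optimal F:", optimal_configuration())
```

Running it reproduces the paper's arithmetic (14 for vC, then 3.5 for vD versus 22.9 for vF) and selects a configuration with enable_debug_mode false on both hA and hC, at which A(F) is empty and the impact is 0. Exhaustive enumeration replaces Z3 only because the domains here are tiny; it returns None rather than an unsatisfiable core when no admissible configuration exists, so the poster's constraint-relaxation loop is not reproduced.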
V. CONCLUSIONS AND FUTURE WORK

We implemented a preliminary prototype of the proposed framework, using custom procedures in the Neo4j graph database for modeling and automatically deriving constraints. We used the Z3 SMT solver to find solutions that satisfy those constraints. Our preliminary evaluation on several case studies indicates that our approach is effective, and encourages further research in this direction. In particular, we plan to extend our framework to a variety of application domains, such as the Internet of Things, and to scale the model generation and reasoning modules to large distributed systems.
REFERENCES

[1] "OWASP Top 10 - 2017: The ten most critical web application security risks," The OWASP Foundation, Tech. Rep., 2017.
[2] M. Albanese and S. Jajodia, "A graphical model to assess the impact of multi-step attacks," Journal of Defense Modeling and Simulation, vol. 15, no. 1, pp. 79–93, January 2018.
[Poster version]

Securing Distributed System Configuration through Optimization and Reasoning on Graphs
Hamed Soroush, Shantanu Rane and Massimiliano Albanese

ABSTRACT: Evaluating the security impact of configuration changes on a distributed system is an inherently complex challenge. Existing solutions simplify the problem by optimizing only individual components while ignoring complex interdependencies amongst components. In contrast, we construct a graph-based model of the system and its vulnerabilities that captures such dependencies. Inspired by a model that assesses the impact of multi-step attacks [1], we show how to reason about security impact of configurations. We employ SMT solvers to derive configurations that minimize the impact of attacks while preserving system functionality.

EXAMPLE SYSTEM: (the system of Fig. 1)

GRAPH-BASED MODELING APPROACH: Express dependencies between configuration parameters, vulnerabilities, and functional components as a multi-layer graph.

PRELIMINARY RESULTS: We built configuration, attack and dependency graphs for the above system in Neo4j, and solved the following optimization problem in Z3.

ONGOING WORK:
- Automate the construction of configuration subgraphs from standard operating procedures and component specifications.
- Examine the unsat core and trade off security against functionality.
- Provide evidence and explanation of secure configurations.

[1] M. Albanese and S. Jajodia, "A graphical model to assess the impact of multi-step attacks," Journal of Defense Modeling and Simulation, vol. 15, no. 1, pp. 79–93, January 2018.

This work is funded by the US Department of Defense under the DARPA ConSec program. Any opinions, findings, and conclusions expressed in this material are those of the authors and do not necessarily reflect the views of the DoD or any other agency of the U.S. Government.
[Fig. 1 diagram as repeated on the poster: the same UAV, UGV and Mission Control components listed with Fig. 1 above.]
[Poster diagram (not reproduced), numbered regions 1 to 5: the Attack subgraph A(F), the Dependency subgraph D and the Configuration subgraph F, connected by edges labeled "reduces / disables functionality", "functionality requirements" and "induces". Objective shown: F* = arg min over all F of impact(F). Annotations: "Configurations that satisfy within-component and cross-component relationships and functional dependencies." and "Impact of all attack paths in A(F) on the composed system functionality."]

Globally optimal security decisions cannot be made without dependency information: dependencies help in analyzing the cascading impact of both attacks and configuration changes.