Section: New Results

Configuration security automation

Participants : Rémi Badonnel [contact] , Martin Barrere, Olivier Festor.

The main research challenge addressed in this work has focused on enabling configuration security automation in autonomic networks and services. In particular our objective has been to increase vulnerability awareness in the autonomic management plane in order to prevent configuration vulnerabilities. The continuous growth of networking significantly increases the complexity of management. It requires autonomic networks and services, which are capable of taking in charge their own management by optimizing their parameters, adapting their configurations and ensuring their protection against security attacks. However, the operations and changes they execute during these management activities may generate vulnerable configurations. A first part of our work has therefore consisted in consolidating a security automation strategy for preventing vulnerabilities and maintaining safe configurations in autonomic infrastructures [7] . This solution relies on the integration of configuration vulnerability descriptions into the management plane [8] . The OVAL language, part of the SCAP protocol, has become the de-facto standard for specifying configuration vulnerabilities in a technical viewpoint. We have refined a mathematical modeling for mapping OVAL descriptions into policy rules which can be interpreted by the autonomic Cfengine configuration system. These policies enable the Cfengine system to assess and detect vulnerabilities. We have designed a functional architecture and formalized a translation algorithm for supporting this security automation. We have also prototyped an OVAL-to-Cfengine translation module, called Ovalyzer, and analyzed its interactions with the components of the Cfengine system. Based on vulnerability descriptions extracted from the official OVAL repository, we have performed an extensive set of experiments to quantify the performance and coverage of the Ovalyzer module. A second part of our work has consisted in investigating how our security automation solution can be extended to distributed configuration vulnerabilities. In SCAP-based traditional approaches, a distributed vulnerability is typically understood as the aggregation of individual configuration vulnerabilities which are spread in the network and might allow a multi-step attack. We have shown through the analysis of a case study that this definition does not offer a complete outlook of the problem. In particular, each network device can individually present a secure configuration, but when combined across the network, a global vulnerable configuration may be produced. In that context, we have introduced in [27] a mathematical definition for distributed vulnerabilities and have specified the DOVAL language (Distributed OVAL), on top of OVAL, as a means for describing these vulnerabilities in a machine readable manner. A case study in the area of VoIP networks and services has been considered for demonstrating the instantiation of DOVAL main constructs. The DOVAL descriptions constitute useful security definitions that in turn can be exploited for security automation. We have built a framework for supporting these distributed configuration vulnerabilities based on the Cfengine system. In particular, we have proposed and evaluated collaborative strategies and optimized algorithms for performing the assessment of DOVAL descriptions.