This document discusses developing a systematic approach for vulnerability analysis. It argues that the Common Criteria provides too generic of classifications and no methodology. A proper analysis requires attack patterns to think like attackers and a systematic, repeatable methodology. This involves using tools like vulnerability scanners, debuggers, and disassemblers along predefined test procedures and penetration testing agendas. An example analysis of a sample system is provided to demonstrate this approach. The lesson is that motivation and creativity are needed along with attack patterns and a well-defined methodology to achieve comprehensive vulnerability analysis.

1. Vulnerability Analysis Taxonomy
Achieving completeness in a systematic way
Javier Tallón Guerri
10ICCC - Norway

2. 1.Vulnerability Analysis according to CEM
2.Pieces for a correct vulnerability analysis
1.Attack Patterns
2.Systematic and repeatable
methodology
3.Example
4.Lessons learned
2

3. 1.Vulnerability Analysis according to CEM
2.Pieces for a correct vulnerability analysis
1.Attack Patterns
2.Systematic and repeatable
methodology
3.Example
4.Lessons learned
3

4. 1. Vulnerability Analysis according to CEM
The evaluator vulnerability analysis is to determine that the TOE is
resistant to penetration attacks performed by an attacker
possessing a Basic (for AVA_VAN.1 and AVA_VAN.2), Enhanced-
Basic (for AVA_VAN.3), Moderate (for AVA_VAN.4) or High (for
AVA_VAN.5) attack potential.
Independent vulnerability analysis should consider generic potential
vulnerabilities under each of the following headings
• Bypassing
• Tampering
• Direct attacks
• Monitoring
• Misuse
4

5. 1. Vulnerability Analisys according to CEM
Due to the generic nature of the Common
Criteria, this classification is too abstract
and does not help to achieve the required
completeness to the evaluator’s work.
CEM classification is useless by itself
5

6. 1. Vulnerability Analisys according to CEM
From AVA_VAN.4, vulnerability analysis should be METHODICAL:
“This method requires the evaluator to specify the structure and form the
analysis will take”
CEM ask for a methodical analysis but does not provide any method.
Every method would be acceptable
6

7. 1. Vulnerability Analisys according to CEM
Very generic
+ =
Poor
vulnerability Undefined Vulnerability
classification methodology Analisys
7

8. 1.Vulnerability Analysis according to CEM
2.Pieces for a correct vulnerability analysis
1.Attack Patterns
2.Systematic and repeatable
methodology
3.Example
4.Lessons learned
8

9. 2. Pieces for a correct Vulnerability Analysis
Here is the question…
How to achieve completeness in a systematic
way?
We will focus in software assessment
9

10. 1.Vulnerability Analysis according to CEM
2.Pieces for a correct vulnerability analysis
1.Attack Patterns
2.Systematic and repeatable
methodology
3.Example
4.Lessons learned
10

11. 2.1 Attack Patterns
Vs
Very generic
vulnerability Attack Patterns
classification
Thinking like bad guys
11

12. 2.1 Attack Patterns
Attack Pattern: an attack pattern describes
the approach used by attackers to generate
an exploit against software.
For example: MITRE provides CAPEC
(Common Attack Pattern Enumeration and
Classification)
12

13. 2.1 Attack Patterns
13

14. 2.1 Attack Patterns
CAPEC provides a free collection of attack
patterns
CAPEC is not the panacea
Each lab should manage its own attack
pattern collection
14

15. 2.1 Attack Patterns
Lab Street
Know How work
Attack
Patterns
15

16. 1.Vulnerability Analysis according to CEM
2.Pieces for a correct vulnerability analysis
1.Attack Patterns
2.Systematic and repeatable
methodology
3.Example
4.Lessons learned
16

17. 2.2 Systematic and Repeatable Methodology
Systematic and
Undefined
Methodology
Vs Repeatable
Methodology
17

18. ADV_ARC
AGD ASE_SPD
ALC ATE ADV_TDS
Misuse Deliv. Vuln. Malfunction Attack Path
Vulnerability scanners
Forensic analysis
Disassemblers
Debuggers
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
Systematic and
+ Bespoke
Lab Tools + Lab
Know How = Repeatable
Methodology

19. 2.2 Systematic and Repeatable Methodology
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
19

20. 2.2 Systematic and Repeatable Methodology
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
20

21. 2.2 Systematic and Repeatable Methodology
ASE
ADV
AGD
ATE
ALC
AVA
21

22. 2.2 Systematic and Repeatable Methodology
AGD ALC ATE ADV_ARC
ASE_SPD
ADV_TDS
Misuse Deliv. Vuln. Malfunction
Attack Flow
Vulnerability
Analysis
method
22

23. 2.2 Systematic and Repeatable Methodology
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
23

24. 2.2 Systematic and Repeatable Methodology
“Forensic analysis” techniques
Debuggers Lab T&T Disassemblers
Vulnerability scanners
24

25. 2.2 Systematic and Repeatable Methodology
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
25

26. 2.2 Systematic and Repeatable Methodology
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
Bespoke
Lab
+ Lab
Tools + Know How
26

27. 2.2 Systematic and Repeatable Methodology
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
Bespoke
Lab
+ Lab
Tools + Know How
27

28. ADV_ARC
AGD ASE_SPD
ALC ATE ADV_TDS
Misuse Deliv. Vuln. Malfunction Attack Path
Vulnerability scanners
Forensic analysis
Disassemblers
Debuggers
Attack
Patterns x Vulnerability
Analysis
method x Lab
T&T
Penetration testing agenda
Systematic and
+ Bespoke
Lab Tools + Lab
Know How = Repeatable
Methodology

29. 1.Vulnerability Analysis according to CEM
2.Pieces for a correct vulnerability analysis
1.Attack Patterns
2.Systematic and repeatable
methodology
3.Example
4.Lessons learned
29

30. 3. Example
TOE
Auth
Database
SQL
Access SQL
XML Web XML Resource
Network Control
Service Parser Database
Module
30

31. 3. Example
TOE
Auth
Database
SQL
Access SQL
XML Web XML Resource
Network Control
Service Parser Database
Module
Sniffing Attacks
Man in the Middle
Denial of Service through Resource Depletion
31

32. 3. Example
TOE
Auth
Database
SQL
Access SQL
XML Web XML Resource
Network Control
Service Parser Database
Module
Detect Unpublicized Web Services
Web Services Protocol Manipulation
32

33. 3. Example
TOE
Auth
Database
SQL
Access SQL
XML Web XML Resource
Network Control
Service Parser Database
Module
XML Routing Detour Attacks Oversized Payloads Sent to XML Parsers
XEE (XML Entity Expansion) XML Ping of Death XML Schema Poisoning
XML Attribute Blowup XML Injection
Recursive Payloads Sent to XML Parsers 33

34. 3. Example
TOE
Auth
Database
SQL
Access SQL
XML Web XML Resource
Network Control
Service Parser Database
Module
Authentication Bypass Password Brute Forcing
Authentication Abuse
Try Common (default) Usernames and Passwords
Reflection Attack in Authentication Protocol
Exploitation of Session Variables, Resource IDs and other Dictionary-based Password Attack
Trusted Credentials 34

35. 3. Example
TOE
Auth
Database
SQL
Access SQL
XML Web XML Resource
Network Control
Service Parser Database
Module
SQL Injection
Blind SQL Injection
35

36. 1.Vulnerability Analysis according to CEM
2.Pieces for a correct vulnerability analysis
1.Attack Patterns
2.Systematic and repeatable
methodology
3.Example
4.Lessons learned
36

37. 4. Lessons learned
Motivation
Creativity
+ =
Systematic and Wonderful
Attack Patterns Repeatable Vulnerability
Methodology Analysis
37

38. Thanks for your attention!
Javier Tallón
Epoche & Espri, S.L.
Avda. de la Vega, 1
28108, Alcobendas,
Madrid, Spain.
eval@epoche.es
38