
Publication


Featured research published by Ronald W. Ritchey.


IEEE Symposium on Security and Privacy | 2000

Using model checking to analyze network vulnerabilities

Ronald W. Ritchey; Paul Ammann

Even well administered networks are vulnerable to attacks due to the security ramifications of offering a variety of combined services. That is, services that are secure when offered in isolation nonetheless provide an attacker with a vulnerability to exploit when offered simultaneously. Many current tools address vulnerabilities in the context of a single host. We address vulnerabilities due to the configuration of various hosts in a network. In a different line of research, formal methods are often useful for generating test cases, and model checkers are particularly adept at this task due to their ability to generate counterexamples. We address the network vulnerabilities problem with test cases, which amount to attack scenarios, generated by a model checker. We encode the vulnerabilities in a state machine description suitable for a model checker and then assert that an attacker cannot acquire a given privilege on a given host. The model checker either offers assurance that the assertion is true on the actual network or provides a counterexample detailing each step of a successful attack.


IEEE International Workshop on Policies for Distributed Systems and Networks | 2004

A policy driven approach to email services

Saket Kaushik; Paul Ammann; Duminda Wijesekera; William H. Winsborough; Ronald W. Ritchey

The primary original design goal for email was to provide best-effort message delivery. Unfortunately, as the ever increasing uproar over SPAM demonstrates, the existing email infrastructure is no longer well suited to the worldwide set of email users - particularly email receivers. Rather than propose yet another band-aid solution to SPAM, this paper rethinks email from the requirements perspective, albeit with the constraint of designing a system suitable for incremental adoption in the current environment. Our result to this exercise is a policy driven email service in which the interests of each principal can be articulated and accommodated. Our scheme rewards faithful senders with better quality of service and discourages misbehavior. Our scheme provides receivers with policy-driven control over whether and how a given message appears in the recipient's mailbox.


Secure Web Services | 2006

A framework for establishing, assessing, and managing trust in inter-organizational relationships

Joseph Pamula; Paul Ammann; Sushil Jajodia; Ronald W. Ritchey

In this paper, we present an efficient, novel framework for establishing, assessing, and managing trust in inter-organizational relationships, in terms of allowable network sharing, that is based on analyzing an invariance property of a computer network environment. Our goal is to answer the following two questions: (1) From any given host in one network, what level of access, direct or indirect, is implied to each host in another network? This addresses the consequences of connecting two networks on access levels between networks. (2) What are the effects, in terms of access internal to a given network, of connecting to another network? This addresses the consequences of connecting two networks on access levels internal to a given network. Answers to these questions allow an informed business decision to be made as to whether the proposed network sharing should be allowed, and, if so, what the consequences of this network sharing are. We utilize the host-centric model in the design of our model to compactly represent and efficiently analyze the access graphs of shared network environments. We present an efficient algorithm for computing the highest achievable accesses between host pairs that are within a network and that are accessible between the shared networks due to an interconnecting edge. We use the algorithm to assess the consequences of the proposed network sharing accesses.


Mutation testing for the new century | 2001

Mutating network models to generate network security test cases

Ronald W. Ritchey

Security testing is normally limited to the scanning of individual hosts with the goal of locating vulnerabilities that can be exploited to gain some improper level of access on the target network. Scanning is a successful approach for discovering security problems, but it suffers from two major problems. First, it ignores security issues that can arise due to interactions of systems on a network. Second, it does not provide any concept of test coverage other than the obvious criteria of attempting all known exploitation techniques on every system on the network. In this paper, I present a new method for generating security test cases for a network. This method extends my previous work in model checking network security by defining mutant operators to apply to my previously defined network security model. The resulting mutant models are fed into a model checker to produce counterexamples. These counterexamples represent attack scenarios (test cases) that can be run against the network. I also define a new coverage criterion for network security that requires a much smaller set of exploits to be run against the network to verify the network's security.


Annual Computer Security Applications Conference | 2005

A host-based approach to network attack chaining analysis

Paul Ammann; Joseph Pamula; Ronald W. Ritchey; J. Street


Archive | 2005

Guide to IPsec VPNs

Sheila E. Frankel; Karen Kent; Ryan Lewkowski; Angela Orebaugh; Ronald W. Ritchey; Steven Sharma


Archive | 2005

Guide to IPsec VPNs: Recommendations of the National Institute of Standards and Technology

Sheila E. Frankel; Karen Kent; Ryan Lewkowski; Angela Orebaugh; Ronald W. Ritchey; Steven Sharma


Archive | 2005

SP 800-77. Guide to IPsec VPNs

Sheila E. Frankel; Karen Kent; Ryan Lewkowski; Angela Orebaugh; Ronald W. Ritchey; Steven Sharma


Annual Information Security Symposium | 2009

Morning keynote address by Ron Ritchey

Ronald W. Ritchey


Archive | 2005

Inside Network Perimeter Security (2nd Edition) (Inside)

Stephen Northcutt; Lenny Zeltser; Scott Winters; Karen Kent; Ronald W. Ritchey

Collaboration


Dive into Ronald W. Ritchey's collaboration.

Top Co-Authors


Paul Ammann

George Mason University


Sheila E. Frankel

National Institute of Standards and Technology


J. Street

George Mason University
