Formally Reasoning about the Cost and Efficacy of Securing the Email Infrastructure

Speicher, Patrick; Steinmetz, Marcel; Künnemann, Robert; Simeonovski, Milivoj; Pellegrino, Giancarlo; Hoffmann, Jörg; Backes, Michael

doi:10.1109/eurosp.2018.00014

Cited by 13 publications

(26 citation statements)

References 31 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…A weak point of this methodology was the lack of justification for their attacker model. Symbolic soundness and completeness can bridge this gap, as we will demonstrate for a subset of the email model [52]. As we argued in Section III, to justify the correctness of the Stackelberg planning problem, it is sufficient to show the symbolic soundness/correctness for the attacker planning problem, but for arbitrary initial states.…”

Section: Applicationsmentioning

confidence: 86%

“…1: Relation between different levels of abstraction JavaScript. More recently, Speicher et al [52] introduced the first deployment analysis on a global level, evaluating various measures to secure the email infrastructure against large-scale attacks. They employ Stackelberg planning [53], which is a twostage planning technique that computes all defender plans that are Pareto-optimal with respect to their cost and the worst-case impact of an attacker.…”

Section: Related Workmentioning

confidence: 99%

“…This technique has been applied to email [52] and the web [54], comparing solutions at the routing layer, resolution layer and application layer. A weak point of this methodology was the lack of justification for their attacker model.…”

Section: Applicationsmentioning

confidence: 99%

“…We show that soundness can be proven by verifying safety properties, and correctness by verifying liveness properties. 2) We apply this definition to an IA model for email communication [52] and establish its soundness (barring some minor flaws).…”

Section: Introductionmentioning

confidence: 99%

See 3 more Smart Citations

On the Soundness of Infrastructure Adversaries

Dax¹,

Künnemann²

2021

Preprint

View full text Add to dashboard Cite

Companies and network operators perform risk assessment to inform policy-making, guide infrastructure investments or to comply with security standards such as ISO 27001. Due to the size and complexity of these networks, risk assessment techniques such as attack graphs or trees describe the attacker with a finite set of rules. This characterization of the attacker can easily miss attack vectors or overstate them, potentially leading to incorrect risk estimation.In this work, we propose the first methodology to justify a rule-based attacker model. Conceptually, we add another layer of abstraction on top of the symbolic model of cryptography, which reasons about protocols and abstracts cryptographic primitives. This new layer reasons about Internet-scale networks and abstracts protocols.We show, in general, how the soundness and completeness of a rule-based model can be ensured by verifying trace properties, linking soundness to safety properties and completeness to liveness properties. We then demonstrate the approach for a recently proposed threat model that quantifies the confidentiality of email communication on the Internet, including DNS, DNSSEC, and SMTP. Using off-the-shelf protocol verification tools, we discover two flaws in their threat model. After fixing them, we show that it provides symbolic soundness.1 For other techniques, consider the study by Wang et al. [55].

show abstract

Section: Applicationsmentioning

confidence: 86%

Section: Related Workmentioning

confidence: 99%

Section: Applicationsmentioning

confidence: 99%

Section: Introductionmentioning

confidence: 99%

See 2 more Smart Citations

On the Soundness of Infrastructure Adversaries

Dax¹,

Künnemann²

2021

Preprint

View full text Add to dashboard Cite

show abstract

“…MulVAL [35], [34] was the first attack graph tool providing automatic end-to-end attack graph generation and analysis. Specifically, MulVAL can be used to derive the attack surface and quantify the risk of the system; based on the attack surface generated, various methods can be applied in order to automatically find the optimal mitigation strategy [43], [41], [42], [22], [21], [13].…”

Section: Introductionmentioning

confidence: 99%

An Automated, End-to-End Framework for Modeling Attacks From Vulnerability Descriptions

Binyamini,

Bitton,

Inokuchi

et al. 2020

Preprint

View full text Add to dashboard Cite

Attack graphs are one of the main techniques used to automate the risk assessment process. In order to derive a relevant attack graph, up-to-date information on known attack techniques should be represented as interaction rules. Designing and creating new interaction rules is not a trivial task and currently performed manually by security experts. However, since the number of new security vulnerabilities and attack techniques continuously and rapidly grows, there is a need to frequently update the rule set of attack graph tools with new attack techniques to ensure that the set of interaction rules is always upto-date. We present a novel, end-to-end, automated framework for modeling new attack techniques from textual description of a security vulnerability. Given a description of a security vulnerability, the proposed framework first extracts the relevant attack entities required to model the attack, completes missing information on the vulnerability, and derives a new interaction rule that models the attack; this new rule is integrated within MulVAL attack graph tool. The proposed framework implements a novel pipeline that includes a dedicated cybersecurity linguistic model trained on the the NVD repository, a recurrent neural network model used for attack entity extraction, a logistic regression model used for completing the missing information, and a novel machine learning-based approach for automatically modeling the attacks as MulVAL's interaction rule. We evaluated the performance of each of the individual algorithms, as well as the complete framework and demonstrated its effectiveness.

show abstract