Genetic Algorithm For Tightening Security

Academic year: 2022

Genetic Algorithm For Tightening Security

The discovery of a secure moving target configuration by the use of an evolutionary algorithm and an investigation into the relation between security and Quality of Service

Adam Buji

Master’s Thesis Spring 2017


Genetic Algorithm For Tightening Security

Adam Buji

May 29, 2017


Abstract

Protection against many cyber security threats can be provided by software already present on the system, with no need for dedicated security software. Some operating system or program parameters raise the security level and close vulnerabilities if they are set properly.

This project shows a way to prevent potential attacks at relatively low cost, although the method requires continuous attention. Reconfiguring a machine regularly is a moving target defense: the configuration is modified repeatedly in the hope of spoiling an attacker’s reconnaissance efforts, and the configurations keep changing until they reach the fittest solution. If the configuration is modified after a potential attacker’s reconnaissance, the gathered information is no longer effective. Both improving security and realising the moving target defense can be implemented through the use of a genetic algorithm.

Vulnerabilities can be caused by human misconfiguration or by an improper combination of parameters, which is impossible to find manually due to the large number of configurations to search through. The genetic algorithm is therefore used to address this problem by searching for the right configuration and the proper combination of parameters until it reaches the fittest configuration possible, which is the main objective of this project.

The GA has been applied successfully and has shown flexibility in tightening the security solution by evolving the fitness of the configuration through the generations and by maintaining diversity within the generations. This resulted in high quality configurations, which are important within the moving target defense strategy.

Investigating the security impact on the Quality of Service (QoS) was an objective of this project. It is believed that maintaining good QoS is as important as having good security and this project shows that the security level has a significant impact on the QoS.


Acknowledgement

I would first like to thank my thesis supervisors Hårek Haugen and Anis Yazidi for their efforts. Their offices were always open whenever I had a question about my research or writing. They consistently allowed this paper to be my own work, but steered me in the right direction whenever they thought I needed it.

Finally, I must express my very profound gratitude to my parents and my friends for providing me with unfailing support and continuous encouragement throughout my years of study and through the process of researching and writing this thesis. This accomplishment would not have been possible without them. Thank you.

Author Adam Buji


Contents

1 Introduction 1

1.1 Motivation . . . 1

1.2 Problem Statement . . . 2

1.3 Thesis Structure . . . 3

2 Background and Literature Review 5

2.1 Cyber Security . . . 5

2.2 Cyber Trust . . . 6

2.3 Network Firewalls . . . 6

2.3.1 Packet Filtering . . . 8

2.3.2 Proxies . . . 8

2.4 Web Application Security . . . 9

2.4.1 Threats to Web Applications . . . 9

2.4.2 Vulnerabilities of Web Applications . . . 10

2.4.3 Techniques to exploit web application’s vulnerabilities . . . 12

2.5 The Genetic Algorithm . . . 22

2.6 Tools Used in the Project Infrastructure and Establishment . . . 31

2.6.1 Docker Container Technology . . . 31

2.6.2 STIG . . . 32

2.6.3 CVSS . . . 32

2.6.4 OWASP . . . 33

2.6.5 Nessus . . . 34

3 Previous Work 37

4 The Approach 41

4.1 Objectives . . . 41

4.2 Use Cases . . . 42

4.3 Apache Configurations . . . 43

4.4 Design Stage . . . 43

4.5 Components and Tools . . . 44

4.5.1 Computing Virtual machines . . . 44

4.6 The implementation . . . 47

4.6.1 Genetic algorithm server . . . 47

4.6.2 Reconfiguring the Apache server . . . 53

4.6.3 Communication . . . 54

4.6.4 Automated attack simulation . . . 57


4.6.5 Real life attacks . . . 58

4.6.6 Quality of service . . . 59

5 Results 61

5.1 Results . . . 61

6 Analysis 65

6.1 Analysis . . . 65

7 Discussion 69

7.1 The Problem Statement . . . 69

7.2 Project Evaluation . . . 70

7.3 Fitness . . . 71

7.4 Moving target . . . 71

7.5 Quality of Service . . . 71

7.6 Future Work . . . 72

8 Conclusion 73

Appendices 79

A Main Genetic Algorithm python code 81

B Following code for Genetic Algorithm 89

C Python code on webserver to receive configurations, reconfigure the webserver 91

D Python code automating scanning the vulnerabilities using zapv2 105


List of Figures

2.1 A firewall at the perimeter of an organization’s network . . . 7

2.2 Packet filtering example . . . 8

2.3 A network using a proxy server . . . 9

2.4 SQL injection query bypass authentication . . . 13

2.5 Result of SQL injection query bypass authentication . . . 13

2.6 SQL injection query bypass authentication with known username . . . 14

2.7 Result of an SQL injection query bypass authentication with known username . . . 14

2.8 SQL injection using union operator . . . 15

2.9 Cross-Site scripting attack . . . 16

2.10 Stealing password by refreshing the browser . . . 18

2.11 Normal situation vs MITM Attacks . . . 18

2.12 Buffer overflow corrupting data . . . 19

2.13 Buffer overflow executing malicious code . . . 19

2.14 SYN Flood attack . . . 21

2.15 Ping flood attack . . . 22

2.16 General scheme of EAs . . . 23

2.17 Evolutionary Algorithm: Representation . . . 24

2.18 Binary Representation . . . 25

2.19 Integer Representation . . . 25

2.20 Real-Valued Representation . . . 26

2.21 Permutation Representation . . . 26

2.22 Pseudocode for the roulette wheel algorithm [32] . . . 27

2.23 Pseudocode for tournament selection algorithm [32] . . . 28

2.24 Pseudocode for Crossover Algorithm . . . 29

2.25 Illustration of uniform crossover for binary representatives . . . 29

2.26 Illustration of N-uniform crossover . . . 30

2.27 Illustration of Bit Flip mutation . . . 30

2.28 Illustration of Swap Mutation . . . 31

2.29 Illustration of Scramble Mutation . . . 31

2.30 Illustration of Inversion Mutation . . . 31

2.31 Example of STIG entry . . . 32

2.32 Screenshot of OWASP ZAP interface . . . 34

2.33 Screenshot of Nessus interface . . . 35

4.1 The circle of One Generation . . . 42

4.2 Single-point crossover . . . 48


4.3 Multi-point crossover . . . 48

4.4 Single crossover . . . 49

4.5 Multi-point crossover . . . 50

5.1 Security solution’s evolving . . . 62

5.2 Diversity . . . 62

5.3 Security impact on QoS of webserver . . . 63


List of Tables

Estimation of Damages Caused by Viruses and Worms . . . 5

The protocols used on the Internet for ISO layers . . . 7

QoS experiment . . . 66


Chapter 1

Introduction

1.1 Motivation

Cyber attacks are a big issue for global organizations [1]. Global organizations are more adept than ever at detecting cyber attacks, but they are still struggling with how to deal with the consequences of a breach.

The losses to the global economy caused by cybercrime and cyber espionage are estimated to be hundreds of billions of dollars. According to the World Bank, the global losses in 2011 were estimated to be $400 billion [2]. In 2015, the British insurance company Lloyd’s estimated the business loss caused by cyber attacks to be $400 billion a year, and the losses are expected to reach $2 trillion by 2019 [3].

The estimated losses caused by malicious cyber activities fall within the following categories [2]:

• Loss of intellectual property and confidential business information.

• Loss of sensitive business information, including possible stock market manipulation.

• Opportunity cost, which includes service and employment disruptions, and reduced trust in online activities.

• Cost of network security, insurance, and recovery from cyber attacks.

• Loss caused by reputational damage of the hacked businesses.

Many cyber attacks start with a search for vulnerabilities within the network which might be caused by misconfiguration. That threat can be eliminated by applying the correct settings to some combination of parameters in a specific program.

Some operating system or program parameters offer a better way to close security vulnerabilities. There is a need for a way to configure these parameters in order to prevent and defend against attacks at low cost.


A Genetic Algorithm (GA), which is a search heuristic, is used here to discover new, secure and diverse computer configurations by modelling a computer configuration as a chromosome, with the individual configuration settings as traits or alleles. The idea of a GA is that good chromosomes will generate better chromosomes through a series of selection, crossover and mutation steps. These steps incorporate randomness, which provides diversity.

To strengthen the protection mechanism against cyber attacks, the attacker can be misled by a continuous change in the configurations. In the event that the attacker is capable of discovering vulnerabilities in a specific program, the GA will ideally have changed the configurations before the attacker is able to build an attack based on the discovered vulnerabilities.

The GA provides better security through diversity by changing the parameters’ configurations while increasing the fitness score of the parameters.
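To make the chromosome/allele model concrete, here is a small, complete genetic algorithm over a configuration chromosome, with tournament selection, single-point crossover, mutation and elitism. This is an added example, not the thesis’s own code: the five settings, their allowed values, the "hardened" target profile and the fitness function (one point per setting that matches the target, a penalty for one constructed bad combination) are all assumptions standing in for the real Apache parameters and the vulnerability-scan-based fitness the thesis uses.

```python
import random

# Constructed configuration parameters (the genes) and the values each may take.
# These are illustrative settings, not the Apache parameters the thesis evolves.
GENES = {
    "run_as_root": (False, True),
    "verbose_banner": (False, True),
    "directory_listing": (False, True),
    "extra_listener": (False, True),
    "max_connections": (64, 128, 256),
}
GENE_ORDER = list(GENES)

# Assumed "hardened" profile used as the fitness reference (hypothetical).
TARGET = {
    "run_as_root": False,
    "verbose_banner": False,
    "directory_listing": False,
    "extra_listener": False,
    "max_connections": 128,
}


def fitness(chromosome):
    """+1 for every gene matching TARGET, -2 for the constructed bad
    combination of running as root while also opening an extra listener."""
    score = sum(1 for g in GENE_ORDER if chromosome[g] == TARGET[g])
    if chromosome["run_as_root"] and chromosome["extra_listener"]:
        score -= 2
    return score


def random_chromosome(rng):
    return {g: rng.choice(values) for g, values in GENES.items()}


def tournament_select(population, rng, k=3):
    """Selection: the fittest of k individuals drawn at random."""
    return max(rng.sample(population, k), key=fitness)


def single_point_crossover(parent_a, parent_b, rng):
    """Crossover: genes before a random cut come from A, the rest from B."""
    cut = rng.randrange(1, len(GENE_ORDER))
    return {g: (parent_a[g] if i < cut else parent_b[g])
            for i, g in enumerate(GENE_ORDER)}


def mutate(chromosome, rng, rate=0.1):
    """Mutation: each gene is re-drawn with probability `rate`, which is
    what keeps diversity in the population."""
    return {g: (rng.choice(GENES[g]) if rng.random() < rate else v)
            for g, v in chromosome.items()}


def evolve(generations=50, pop_size=20, seed=1):
    """Run the GA and return (best chromosome, its fitness)."""
    rng = random.Random(seed)
    population = [random_chromosome(rng) for _ in range(pop_size)]
    for _ in range(generations):
        elite = max(population, key=fitness)      # elitism: keep the best
        next_gen = [elite]
        while len(next_gen) < pop_size:
            a = tournament_select(population, rng)
            b = tournament_select(population, rng)
            next_gen.append(mutate(single_point_crossover(a, b, rng), rng))
        population = next_gen
    best = max(population, key=fitness)
    return best, fitness(best)


if __name__ == "__main__":
    best, score = evolve()
    print(score, best)
```

The penalty term is the point of the exercise: a setting that is harmless on its own (an extra listener) becomes a weakness in combination with another (running as root), which is exactly the kind of parameter interaction the text says is impractical to find by hand and which the fitness function lets the search discover.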

1.2 Problem Statement

It is important to ensure that the configurations have been set correctly in order to secure the system components, such as computers, network routes and applications, and it is important to have the correct combination of configurations, which gives better security. Traditional security methods cannot solve the security problems caused by misconfiguration or by not making the correct combination of configurations.

This project will solve these problems:

• How to tighten the security vulnerabilities caused by human misconfiguration.

• How to tighten the security vulnerabilities by finding the right combinations of configurations.

• How to make a moving target in order to mislead reconnaissance.

• What is the relation between improving the security and the Quality of Service?

It is hard to find a secure configuration due to the huge number of settings to test, and in addition it is hard to find the combination of configurations which makes the components secure.

An attacker starts by performing reconnaissance and then plans the attack according to the information found; therefore a periodic change in the configuration is a way to make the reconnaissance effort ineffective and would help to prevent an attack.

Security issues are important, but in order to keep the service available and running smoothly, it is equally important to maintain a good Quality of service. This study will therefore also take QoS into consideration.


To address this problem statement, this project implemented an evolutionary algorithm using a Virtual Machine Farm, an Assessment Server and a Master server running the Genetic Algorithm to improve insecure configurations. The details of this approach are described in the Approach chapter, which breaks down the steps needed to complete this task.

1.3 Thesis Structure

The report is divided into the following chapters:

Introduction: This chapter describes the problem domain and scope.

Background: The theoretical and technological bases are discussed in this chapter.

Approach: The methodologies and approaches used to answer the problem statement are presented.

Result: This chapter discusses the expectations and achievements of this project.

Discussion: This chapter discusses the implementation, steps, challenges and future work.

Conclusion: This chapter gives a summary of this project and the contributions made to this paper.


Chapter 2

Background and Literature Review

2.1 Cyber Security

The last two decades of the 20th century saw an increase in the penetration and expansion of digital technologies. With the decreasing cost of Internet access and information processing, more people are using computers, and they expect a quality of service (QoS) comparable to the QoS they are used to getting from other utilities [4].

This service is expected to be available continuously, anywhere and anytime, and to be secure, friendly and reliable. People expect to log on to a terminal, read mail, make reservations and perform other activities, and with wireless technology people can access the Internet from anywhere [4].

The price of the Internet’s development is paid by society. A program called Elk Cloner, written in 1981 for the Apple II system, is considered to have been the first computer virus found outside a single computer or lab [5]. On November 2nd 1988 a student named Robert Morris launched one of the first computer worms, which infected 6,000 UNIX machines [6].

Table: Estimation of Damages Caused by Viruses and Worms

Virus/Worm   Year   Loss (billions of USD)
Melissa      1999   $1.10
LoveBug      2000   $8.75
CodeRed      2001   $2.75
Slammer      2003   $1.25
SoBig.F      2007   $1.10


Many products are available to prevent viruses and worms at the gateway to the network, at desktop level, at server level, or at application level.

In addition to these technologies, there is a need for monitoring and tracking viruses and worms, and there is a need for teamwork between management personnel, system administrators and end users [4].

2.2 Cyber Trust

Privacy and trust are issues related to security. From a business standpoint, privacy is influenced by the way the customers’ personal information is collected and stored, therefore it is necessary to find a way to deal with this information in a responsible manner. The way an organization manages this information reflects the organization’s respect for the customers [4].

Trust is another critical issue in Internet communities. Trustworthiness is a concept that overlaps both dependability and security. The attributes of dependability are reliability, availability, integrity, and safety; and the security attributes are confidentiality, availability, and integrity [7].

According to the National Science Foundation [8] cyber trust can be defined by answering these questions:

• Can people securely rely on computer-based systems to perform critical functions?

• Can people securely rely on computer-based systems to process, store, and communicate sensitive information?

• Can people securely rely on a well-trained and diverse workforce to develop, configure, modify, and operate essential computer-based systems?

Normally, when someone uses a computer, there is a trail of records such as HTTP logs and cookies. These records are saved as hidden history files which are a potential threat to an individual’s privacy. This problem cannot be solved by deleting these records and activities or hardening the access to these records. Since users think the trust comes from flexibility of the operation sequence and the transparency of what happens in the background, there is a need to understand how people view different types of the activities’ records [4].

2.3 Network Firewalls

A firewall helps to enforce a security policy in an organization, as shown in figure 2.1. A firewall is a machine placed between two networks which satisfies the following criteria [9]:

• A firewall works as a boundary between two networks.

• All the input/output traffic goes through the firewall.


• The mechanism in the firewall allows some traffic to pass while blocking other traffic according to rules in accordance with the organization’s policy.

Figure 2.1: A firewall at the perimeter of an organization’s network

Different methods have been used to implement firewalls. They filter network traffic at one or more of the seven layers of the ISO network model [10]. The ISO layer model for networking is shown in the following table.

ISO layer      Internet example
Application    File Transfer Protocol (FTP) and Telnet
Presentation   Common Object Request Broker Architecture (CORBA)
Session        No directly corresponding protocol
Transport      Transmission Control Protocol (TCP) and User Datagram Protocol (UDP)
Network        Internet Protocol (IP)
Data Link      Ethernet or Asynchronous Transfer Mode (ATM)
Physical       Twisted pair or fiber-optic cable

Firewalls were implemented in order to prevent information leaks, but they cannot protect against information leaks caused by an insider intent on getting information, or even by unintentional misconfiguration. This project aims to decrease those vulnerabilities caused by misconfiguration that cannot be protected by a firewall.


2.3.1 Packet Filtering

In order to decide whether a packet is allowed to pass to its destination according to the firewall’s policy, the packet header is analyzed by packet filtering [10].

Packet filtering is interesting because it does not require the cooperation of a user or any special action on their part, which is different from the way proxies work. A packet filter uses one or more of the following pieces of information to check whether a packet is permitted: source address, destination address, options in the network header, transport protocol (TCP, UDP, ICMP, etc.), flags in the transport header, options in the transport header, source and destination port, the receiving interface, and whether the packet is inbound or outbound, as shown in figure 2.2 [11].

Figure 2.2: Packet filtering example
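The following added example (not code from the thesis) implements the stateless packet filter the text describes: an ordered rule list over the header fields listed above, first match wins, and anything unmatched is dropped (default deny). The rule set, interface names and the sample packets are constructed for illustration and use documentation address ranges.

```python
import ipaddress

# Constructed rule set. A rule matches when every field it names is satisfied;
# a field the rule omits matches anything. Order matters: first match decides.
RULES = [
    # allow inbound web traffic to the (constructed) DMZ range on eth0
    {"action": "allow", "direction": "in", "iface": "eth0", "proto": "tcp",
     "dst": "203.0.113.0/24", "dport": {80, 443}},
    # block telnet from anywhere, in any direction
    {"action": "deny", "proto": "tcp", "dport": {23}},
    # allow the internal network to talk outwards
    {"action": "allow", "direction": "out", "src": "10.0.0.0/8"},
    # allow ICMP only from the management subnet
    {"action": "allow", "proto": "icmp", "src": "10.10.0.0/16"},
]


def matches(rule, pkt):
    """True when every field present in `rule` is satisfied by `pkt`."""
    for key in ("direction", "iface", "proto"):
        if key in rule and rule[key] != pkt[key]:
            return False
    for key in ("src", "dst"):
        if key in rule and ipaddress.ip_address(pkt[key]) not in ipaddress.ip_network(rule[key]):
            return False
    for key in ("sport", "dport"):
        # ICMP packets carry no ports; pkt.get() yields None, which matches no rule set
        if key in rule and pkt.get(key) not in rule[key]:
            return False
    return True


def decide(pkt, rules=RULES):
    """Return 'allow' or 'deny' for one packet header; unmatched packets are denied."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


# Constructed sample headers, one per interesting case.
SAMPLE = [
    {"direction": "in", "iface": "eth0", "proto": "tcp", "src": "198.51.100.7",
     "dst": "203.0.113.10", "sport": 51000, "dport": 443},   # web to DMZ: allow
    {"direction": "in", "iface": "eth0", "proto": "tcp", "src": "198.51.100.7",
     "dst": "203.0.113.10", "sport": 51001, "dport": 23},    # telnet: deny (rule 2)
    {"direction": "in", "iface": "eth0", "proto": "tcp", "src": "198.51.100.7",
     "dst": "203.0.113.10", "sport": 51002, "dport": 22},    # ssh from outside: default deny
    {"direction": "out", "iface": "eth1", "proto": "udp", "src": "10.1.2.3",
     "dst": "192.0.2.53", "sport": 4000, "dport": 53},       # internal DNS out: allow
    {"direction": "in", "iface": "eth1", "proto": "icmp", "src": "10.10.5.5",
     "dst": "10.0.0.1"},                                     # ping from management: allow
    {"direction": "in", "iface": "eth1", "proto": "icmp", "src": "10.1.2.3",
     "dst": "10.0.0.1"},                                     # ping from elsewhere: deny
]

if __name__ == "__main__":
    for pkt in SAMPLE:
        print(decide(pkt), pkt["proto"], pkt["src"], "->", pkt["dst"], pkt.get("dport"))
```

Note the default-deny fall-through at the end of decide(): a filter that allowed unmatched traffic would silently pass anything the administrator forgot to write a rule for, which is the misconfiguration class the thesis is concerned with.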

2.3.2 Proxies

A proxy is a program which stands between a user and another computer and receives the traffic going to that computer, as seen in figure 2.3.

Proxies verify that the user is authorized to access a resource by requiring user authentication, and then connect to the destination on behalf of the user. This means that the connection to the remote destination comes from the proxy instead of the user’s machine, and because the connections originate from the proxy, it is easier to differentiate between real and spoofed connections [4].


Figure 2.3: A network using a proxy server

2.4 Web Application Security

Web technologies have evolved rapidly in the last five years through web-enabled applications where browsers have become the user interface for most of the applications. Critical functions are done through Web applications, such as money transactions, which make web applications attractive targets for hackers [12].

The system can be made more difficult to exploit with better awareness, stronger operating systems and improved security defense. There is a need for a better understanding of web applications’ security since the attackers have moved from attacking the network layer to attacking the application layer [4].

2.4.1 Threats to Web Applications

Web applications are used over the Internet through the HTTP protocol with a web browser, which makes it possible to access them from anywhere [13].

Web applications have bugs in their code which make them vulnerable and can compromise the system. The consequences of these vulnerabilities are greater for web applications than for other applications. The following reasons can cause web applications to be insecure [4]:

Lack of awareness of the threats: This is due to a lack of teaching about the security issues of the technology or of the language used by developers to build an application, or to developers thinking that security is only an issue at the infrastructure level, handled by a firewall and encryption.

No mature testing methods: The existing models for testing web applications do not test security. Security testing for web applications is still evolving and will take time to mature.


Ease of reverse engineering: The HTTP protocol is a plaintext protocol used to transport application layer requests and responses, and because it is plaintext it is easy to reverse engineer, or for an attacker to predict vulnerabilities by analyzing the flow of requests and responses.

2.4.2 Vulnerabilities of Web Applications

There are a number of vulnerabilities that make it easier for attackers to abuse and harm web applications:

Inadequate input validation:

It is an issue if an application accepts input without validating its content, which can cause unforeseen harmful side effects [4].

Trusting client-supplied information:

Developers trust data in query string variables, hidden variables and cookies as if this data had been set by the application, which leaves open the possibility that the data coming back from the client has been modified.

Therefore, the application must verify the client who sends the data and if that is not done the attacker can manipulate the variables and cause harm [4].

Insecure cryptography:

Having the highest grade of encryption is not always the solution for every problem because misunderstanding the demerits and merits of cryptography makes unsafe and wrong implementations. For example, a strong one-way hash algorithm is a good solution for storing passwords, but it is not a good idea for log-in processes since it transmits the password from client to server which makes it vulnerable to replay attacks [14].

Improper page caching:

An unauthorized user might access a sensitive page which has been cached by the browser after the page was used by an authorized user. This is possible because the cache control tags set by the application control the lifetime of HTML pages in the client’s browser cache [15].

Inappropriate HTTP actions and variable types:

The client makes an HTTP request, which can be GET or POST [13]. GET and POST methods are used by developers interchangeably; the server-side programming language understands both methods equally. A GET request is considered unsafe since sensitive information sent with it is visible in the browser history and in the web server’s access log. The query string is an unsafe place for sensitive information as well, so to avoid that it is more secure to use hidden variables.


Insufficient sanitization of output:

Sometimes data inserted into HTML is not checked by the web application because it is assumed to be safe, since it came from a database or a trusted system. It is, however, possible for a malicious user to have placed malicious data in the database [13].

Insecure web application’s configuration:

Sufficient care has not been taken, when developing an application, to document a safe deployment environment for it. For example, if users need write access on a file system, they might also be assigned execute permission, which makes the system insecure and the web application vulnerable [4].

Insecurely designed authentication mechanisms:

These are high risk vulnerabilities caused by poorly designed log-in systems. For example, if three invalid log-in attempts lock the user out for 24 hours, an attacker can easily exploit that with a script that keeps making invalid log-in attempts so the user stays locked out. If the application does not redirect the browser to a new location after authentication, it is possible to steal the previous user’s authentication information from a logged-out browser window [4].

Weak forgotten password strategy:

A poorly designed password reset can be a vulnerability. For example, some applications use hint questions like "what is your favourite colour", which has a small number of popular, guessable answers, and some applications send the user a new password in plaintext by email [4]. Attackers can therefore use social-engineering techniques to abuse the vulnerabilities caused by reset-password strategies and steal valid accounts.

Browser vulnerabilities:

Some vulnerabilities within applications are caused by the browsers’ limitations. For example, in some browsers the variables posted in a session are stored in plaintext in memory, which makes it possible for an attacker to steal passwords from the browser’s memory [4].

Insecure host-server:

The web server hosting the web application can be another source of vulnerabilities, so if the web server is compromised, it could give an attacker privileges on the application. The popular web servers have become safer recently, but there is still need to improve their security continuously and fix new holes if they are found [4].


2.4.3 Techniques to exploit web application’s vulnerabilities

Exploiting a vulnerability allows an attacker to bypass authentication or to get unauthorized access to sensitive data.

SQL Injection

SQL injection is a well-known harmful attack on web applications [16]. It is an exploit technique which uses SQL queries to manipulate the targeted application with crafted inputs.

SQL injection is a strong attack technique to retrieve sensitive data from a database which contains valuable data for an organization. The attacker provides malicious input which interacts with the database by modifying the SQL queries which can then cause damage.

Evaluating the risk can be done by looking at a number of consequences of a successful attack [4]:

• Through SQL injection, the attacker can bypass the authentication process and log-in without a valid username and password.

• SQL injection can allow an unauthorized user to retrieve data which belongs to another person.

• The attacker can modify or delete sensitive data in a database through SQL injection attack.

SQL queries can read data from a database or add data into a database [17]. The selection criteria in the SQL query decides which data to retrieve.

For example, the following SQL query will get all records with user name "ADAM" from the Customers table:

Select * from Customers where UserNames = 'ADAM';

In the previous example, the selection criterion, which is the value of the "UserNames" field in the "Customers" table, determines which record will be retrieved. This query can be modified by changing the input, which changes the selection criterion.

SQL Injection Bypass Authentication: The first obstacle in compromising an application is authentication. A user logs in to an application using a valid username and password. The valid usernames and passwords are stored in a database, where an SQL query retrieves them and compares them to the username and password supplied in the input. If we assume a valid UserName = "Admin" with Password = "Admin", both unknown to the attacker, it is still possible to log in by using a combination of special characters that modify the SQL query, for example:


UserName = ' or 1=1--

The modified query will be executed as the following query:

Select UserName, Password from UserLoginDetails where UserName = '' or 1=1

If we apply it on a vulnerable web application like "AltoroMutual", which is a vulnerable-by-design web application created by Watch- Fire [18], by supplying ( ‘ or 1=1- -) in the username field and any password as shown in figure2.4, it will gain authorized access.

Figure 2.4: SQL injection query bypass authentication

The above SQL query works successfully on the vulnerable web application, as the result in figure 2.5 shows, where the attacker gained access without a valid username and password.

Figure 2.5: Result of SQL injection query bypass authentication

SQL Injection Bypass Authentication, a Variation: If the username is known and the attacker wants to target that particular username, for example "jsmith", which is a known username in "AltoroMutual", it is possible to gain access as "jsmith" with the following:


UserName = jsmith'--

The original query would then be framed as:

Select UserName, Password from UserLoginDetails where UserName = 'jsmith'--' and Password = 'Random'

But the "--" sign comments out everything after it. Thus, the final modified query will be executed as:

Select UserName, Password from UserLoginDetails where UserName = 'jsmith'

If we apply it to a vulnerable web application like "AltoroMutual" [18], by supplying (jsmith'--) in the username field and any random password in the password field, as shown in figure 2.6:

Figure 2.6: SQL injection query bypass authentication with known username

The above SQL query works successfully on a vulnerable web application, as the result in figure 2.7 shows, where the attacker gained access as "jsmith" without a valid password.

Figure 2.7: Result of an SQL injection query bypass authentication with known username


SQL Injections get unauthorized access to data: In most web applications, the user can view account details using an SQL query, where the account details are stored in tables. In a vulnerable application it is possible to view the details of other users by using SQL injection, for example if the user supplies this input:

AccountID = ' or 1=1--

That will retrieve the account IDs of all other users, as the query will be executed as:

Select * from AccountDetails where AccountID = '' or 1=1--';
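The two bypasses above both work because the application pastes the input into the query text. The following added example (not code from the thesis) runs the UserLoginDetails login from the text against an in-memory SQLite database in both forms: the string-built query the attack relies on, and the parameterised query that defends against it, in which the driver binds the values so a quote or "--" in the input stays data. The table contents and the password "Demo1234" are constructed for the example.

```python
import sqlite3


def make_db():
    """Constructed UserLoginDetails table mirroring the one in the text.
    Plaintext passwords are kept only to match the example; a real system
    stores password hashes."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE UserLoginDetails (UserName TEXT, Password TEXT)")
    con.executemany("INSERT INTO UserLoginDetails VALUES (?, ?)",
                    [("Admin", "Admin"), ("jsmith", "Demo1234")])
    return con


def login_vulnerable(con, username, password):
    """Builds the WHERE clause by concatenation, so the input becomes SQL.
    This is the pattern the attacks in the text exploit."""
    sql = ("SELECT UserName FROM UserLoginDetails WHERE UserName = '" + username
           + "' AND Password = '" + password + "'")
    return sorted(row[0] for row in con.execute(sql).fetchall())


def login_safe(con, username, password):
    """Parameterised query: the values are bound by the driver and never
    parsed as SQL, so ' or 1=1-- is just a username that matches nothing."""
    rows = con.execute(
        "SELECT UserName FROM UserLoginDetails WHERE UserName = ? AND Password = ?",
        (username, password)).fetchall()
    return sorted(row[0] for row in rows)


if __name__ == "__main__":
    con = make_db()
    for user, pw in [("' or 1=1--", "x"), ("jsmith'--", "x"), ("jsmith", "Demo1234")]:
        print(repr(user), "vulnerable:", login_vulnerable(con, user, pw),
              "safe:", login_safe(con, user, pw))
```

Against the first payload the concatenated query returns every user, and against the second it returns "jsmith" without the password ever being checked; the parameterised query returns an empty result for both and only matches when the real credentials are supplied.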

SQL Injections get unauthorized access to data by the use of a union operator: Two or more SQL queries can be combined into one result set using the "union" operator. It is possible to use "union" in an SQL injection attack to retrieve data from tables other than the original one. For example, in AltoroMutual the user can view his own transactions, but it is also possible to modify the SQL query by adding the following to the "before" field. This process mostly starts with guessing the name of the table and the names of its fields.

2/2/2029 union select username,password,1,1 from users--

That query will return the rows of the users table unioned with the transaction table, as shown in figure 2.8, but both queries must have the same number of fields.

Figure 2.8: SQL injection using union operator

Cross-Site scripting attack:

The cross-site scripting attack is not a direct attack on a web application; instead, it targets the users accessing the web application with pieces of code written for specific actions in scripting languages such as VBScript or JavaScript [19].


The effect of the attack depends on which action the script executes. For example, the script can be written to steal a valid session ID or user authentication information [20].

The attacker must find a way to deliver the script to a victim so that it executes in the victim’s browser. There are different techniques to send the malicious script to the victim [21]. For example, the script can be sent in a request that is reflected by the server and displayed in the victim’s browser, as shown in figure 2.9 and as explained in the following sequence of actions:

1. Sending an email with the malicious script to the victim.

2. The script will be sent to a vulnerable web application when the victim clicks on the link in the email.

3. The vulnerable web application reflects the malicious script, and then it is rendered in the browser of the victim.

4. Then the script does what it is designed to do, such as sending cookies that may contain a session ID or authentication information to the attacker’s machine.

5. Finally, the attacker has the needed information to log in to the victim’s account in the vulnerable web application.

Figure 2.9: Cross-Site scripting attack


After the malicious script is executed, it performs the function the attacker wrote it for, for example:

Stealing session cookies:

If the web application does not validate user input, the script can be delivered in the body of a mail message. When the victim logs in to the application and receives a valid session ID, the malicious script in the mail is rendered in the browser when the victim views the message, and it is executed. If the script is written to read the victim’s session ID and send it to the attacker, the attacker can then access the victim’s account through the valid session ID.

Steal sensitive information:

In cases where the application uses persistent cookies in order to remember the user when the user comes back and tracks the user’s session, the cookies can contain sensitive information and are vulnerable to theft.

Stealing passwords by refreshing browser

GET and POST methods are the most common way to make a request to a web server. A GET request carries its information in the URL, so it can be seen in the history of the browser. Sensitive information such as authentication information should be sent to the web application as a POST request so the links associated with the POST request are not cached in the history of the browser. It is, however, still possible to retrieve the information associated with a POST request by exploiting some of the browser’s features [22].

The pages recently browsed by a user and the variables sent in a POST request can be tracked by the browser. Through the "Back" and "Refresh" features in the browser, it is possible to retrieve the information that has been POSTed by a former user if the application was not designed correctly [22].

It is possible to prevent this vulnerability by using an intermediate page that does the authentication process but does not send a page back to the user, as shown in figure 2.10. After a successful authentication process, the browser reaches the next page through a redirection command sent by the intermediate page. This process is explained in the following steps [4]:

1. Making a log-in request on the web application.

2. The log-in page is sent to the user by the server.

3. The user enters the authentication information (username and password) into an intermediate page.

4. The intermediate page sends a redirect after successful authentication.


5. The user requests the intermediate log-in page.

6. The server sends the intermediate log-in page to the user.
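The six-step exchange above implemented as a small request handler, as an added example that is not the thesis's own code: the credential store, the session table and the routes /login and /home are constructed for illustration. The intermediate page answers the POST with a redirect only, so the browser's history holds a plain GET and never a page that re-submits the password.

```python
import secrets

# Constructed credential store and session table (example data only).
USERS = {"alice": "correct horse battery staple"}
SESSIONS = {}


def handle_request(method, path, form=None, cookies=None):
    """Return (status, headers, body) for one request to the web application.

    /login is the intermediate page: it consumes the POSTed credentials and
    answers with a redirect instead of a page, so "Back" or "Refresh" can
    only re-request the redirect target, not replay the credentials.
    """
    form, cookies = form or {}, cookies or {}
    if path == "/login" and method == "GET":
        return 200, {}, "login form"
    if path == "/login" and method == "POST":
        user = form.get("username", "")
        expected = USERS.get(user, "")
        # Constant-time comparison; an empty expected value fails for unknown users.
        if expected and secrets.compare_digest(expected, form.get("password", "")):
            token = secrets.token_urlsafe(32)
            SESSIONS[token] = user
            return 303, {"Location": "/home",
                         "Set-Cookie": f"sid={token}; HttpOnly; Secure; SameSite=Strict"}, ""
        return 303, {"Location": "/login"}, ""  # failure: redirect, echo nothing back
    if path == "/home" and method == "GET":
        user = SESSIONS.get(cookies.get("sid", ""))
        if user is None:
            return 303, {"Location": "/login"}, ""
        return 200, {}, f"welcome {user}"
    return 404, {}, "not found"


def parse_sid(set_cookie):
    """Extract the session id from a Set-Cookie header value."""
    return set_cookie.split(";", 1)[0].split("=", 1)[1]


def browser_walkthrough(username, password):
    """Replay the six steps from the text and return the status of each request."""
    trace = []
    status, headers, _ = handle_request("GET", "/login")  # steps 1-2
    trace.append(("GET /login", status))
    status, headers, _ = handle_request(  # steps 3-4: credentials to the intermediate page
        "POST", "/login", {"username": username, "password": password})
    trace.append(("POST /login", status))
    cookies = {}
    if "Set-Cookie" in headers:
        cookies["sid"] = parse_sid(headers["Set-Cookie"])
    status, _, _ = handle_request("GET", headers["Location"], cookies=cookies)  # steps 5-6
    trace.append((f"GET {headers['Location']}", status))
    return trace


if __name__ == "__main__":
    for step in browser_walkthrough("alice", "correct horse battery staple"):
        print(*step)
```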

Figure 2.10: Stealing password by refreshing the browser

Variable manipulation attacks

Normally, hidden form fields can be used by web applications to transfer sensitive information to the server, so that users have the option to view their own data such as credit card information. The server uses the identity of the user or his account number, for example, to retrieve his information, which then travels in a hidden form field. So it is possible that the attacker modifies the user’s identity or his account number in the hidden form field by using a web proxy tool [23] [4] like Achilles [24], so that the flow goes through the web proxy tool as shown in figure 2.11.

Figure 2.11: Normal situation vs MITM Attacks


Hacking a web application with buffer overflow

In a buffer overflow, a program puts more data into a buffer than it was allocated to hold, and because the buffer can only contain a specific amount of data, the extra data overwrites adjacent memory addresses. A buffer is a sequential section of memory allocated to contain variables. Writing outside the boundary of allocated memory can corrupt data and break the program, or intentionally execute malicious code, as shown in figure 2.12 and figure 2.13. Sending a crafted input to a web application can cause a buffer overflow which makes the web application execute malicious code [25].

Figure 2.12: Buffer overflow corrupting data

Figure 2.13: Buffer overflow executing malicious code

Buffer overflow can occur in web server or application server products. When libraries are used by these application servers, such as a graphics library to generate images, it can open the door to potential buffer overflow attacks [25].

Web Application Denial of Service

A Denial-of-service (DoS) attack can make a web application or a web server unavailable to its intended users.

Web applications are vulnerable to DoS attacks. Web applications find it difficult to differentiate between an attack and normal traffic for many reasons such as that there is no reliable way to check where an HTTP request is sent from, so it is hard to block malicious traffic [26].

A web server normally has the ability to handle a few hundred requests at the same moment. One attacker can generate enough traffic from one host to overwhelm many applications. It is possible to make these attacks more difficult but not to prevent them, especially if sessions are bound to a particular server. This is a reason to make the application’s session data as small as possible, and to make it hard to start a new session [27].

DoS attacks prevent legitimate users from using the service by consuming all required resources which are limited, such as bandwidth, database connections, threads, memory, CPU, disk storage and application specific resources [27].

The attack can be executed by consuming the target’s resources. For example, if a site only allows authenticated users to request message board traffic, it may start database queries for each HTTP request. That makes it possible to overwhelm the site by sending so many requests that the database connection pool gets consumed, and there is no capacity left to service legitimate users. It is possible to target a particular user with this attack by, for example, sending invalid credentials until the system locks out the legitimate user [27].

Many methods can be used to conduct a DoS attack:

SYN flood attack:

A SYN flood attack is a DoS attack against a computer server.

The attacker uses fake IP addresses to send SYN packets repeatedly to every port on a server to attempt to establish communication.

The server has to respond to each attempt, sending a SYN/ACK packet for attempts to open ports and an RST packet for attempts sent to closed ports.

TCP uses a three-way handshake in which the client machine has to confirm that it received the SYN/ACK packet from the server by returning an ACK packet, after which communication commences.

When using a SYN flood, the attacker doesn’t send an ACK packet, but instead sends repeated SYN requests to all the ports. The SYN requests appear to be valid but since the attacker uses fake IP addresses, it is impossible for the server to close down the connection by returning RST packets to the client, so it keeps the connections open. Another SYN packet reaches the server before a time-out of the previous SYN packet occurs, which leaves a half-open connection. With this process, the server gets completely occupied by the attacker and communication with legitimate clients gets difficult or impossible, as shown in figure 2.14. If the purpose of the SYN packet flood is to find open ports in order to follow up by hacking the open ports, then that is called SYN scanning [28].

Figure 2.14: SYN Flood attack

Ping Flood Attack:

Ping Flood Attack or Ping of Death (PoD) is a type of DoS attack. In a PoD, the attacker sends malformed or oversized packets to attempt to crash, destabilize, or block the targeted computer or service.

Ping Flood is a type of PoD attack. In this attack, the attacker rapidly sends a flood of ICMP packets by pinging without waiting for a response. The attacker can easily spoof the identity of the victim, which makes the attack effective, and the attacker needs only to know the IP address of the victim, as shown in figure 2.15.


Figure 2.15: Ping flood attack

Teardrop Attack

The Teardrop attack is another type of DoS attack, and it affects old operating systems like Windows 3.1x, Windows 95, Windows NT and versions of the Linux kernel prior to 2.1.63. The attacker sends fragmented packets to the victim, and due to a bug in TCP/IP fragmentation reassembly, the machine cannot reassemble these packets because they overlap, which crashes the target network device [29].

2.5 The Genetic Algorithm

A Genetic Algorithm (GA) is a version of Evolutionary Strategy (ES), a class of algorithms inspired by natural selection [30]. The current generation creates a new generation which consists of fit offspring (solutions) that have to survive in a specific environment, and the fittest candidates become the parents of the next generation in order to create even fitter offspring, as shown in figure 2.16.

Figure 2.16: General scheme of EAs

The Simple Genetic Algorithm (SGA) was developed by John Holland, and in this algorithm each chromosome is represented as a bit string [31]. A specific fitness function evaluates each chromosome and assigns a fitness score to it according to the test. The goal is that the fitness score of the population of chromosomes moves toward improving its performance.

According to the chromosome’s fitness and probability of selection, a decision will be made whether this chromosome is permitted to produce offspring.

Role of representation and variation operators

Deciding the genetic representation of a potential solution to the problem is the first step of building an evolutionary algorithm. This involves defining the genotype and the mapping from a genotype to a phenotype as shown in figure 2.17.


Figure 2.17: Evolutionary Algorithm: Representation (a chromosome is an array of genes at positions 0..n; gene: one element of the array; locus: the position of a gene; allele: the value a gene can have, here 0 or 1; genotype: a set of gene values; phenotype: built/developed based on the genotype)

It is important to select the right representation to solve the problem.

Sometimes there will be a range of options, and selecting the right representation is one of the hardest parts of planning a good evolutionary algorithm. The most common representations of genomes are:

• Binary.

• Integer.

• Real-Valued or Floating-Point.

• Permutation.

• Tree.

Binary Representation

Binary is the simplest representation. The genotype for the binary representation consists of the binary digits 0 or 1 as shown in figure 2.18.

For a specific application, the length of the string should be decided, and how it will be interpreted to produce the phenotype. When selecting the genotype-phenotype mapping, the encoding should ensure that all possible bit strings refer to a valid solution to the target problem and that the genotype can represent all possible solutions. Binary representation is the representation used in this project [30].


Figure 2.18: Binary Representation

Integer Representation

Integer representation is used when the problem is finding the optimal values for a set of variables that take integer values, such as image processing parameters, as shown in figure 2.19. The integer value can also represent category values, such as the set 0, 1, 2, 3 representing North, East, South, West [30].

Figure 2.19: Integer Representation

Real-Valued or Floating-Point Representation

Real-valued representation is used when the values that we want to represent as genes come from a continuous distribution rather than a discrete distribution, as shown in figure 2.20, for example if we want to represent physical quantities of a design component such as length, width, height and weight [30].


Figure 2.20: Real-Valued Representation

Permutation Representation

The solution for many problems is represented by an order of elements, and in those cases, permutation representation can be used [30].

Figure 2.21: Permutation Representation

Tree Representation

Trees represent objects in computing. In general, trees capture expressions written in a formal syntax, chosen according to the problem and the perception of what the solution should look like: the syntax of arithmetic expressions, formulas in first-order predicate logic, or programming code [30].

Genetic Algorithms - Population

In this project, the population of chromosomes is hypothetical; where each chromosome consists of a list of the configuration’s parameters.

At the start, an initial population of n chromosomes is generated randomly [32]. The GA evolves a new generation with the same population size n from the previous generation through the selection process and the mutation and crossover operators. The new generation is then enhanced by a Memetic Algorithm, that is, a Local Search Operator, which hybridizes the evolutionary algorithm with other techniques.


In this project, the Lamarckian evolution was used, which improves the fitness and the genotype as well as enhances the EA [30].

The selection chooses the fittest chromosomes from the current candidates, which means the fittest candidates have a higher chance to survive in the current environment and to become possible parents of the next generation.

In a crossover, some traits of two fit parents’ chromosomes are swapped with each other in order to produce a new chromosome for the next generation; this is considered explorative since it makes a big jump to an area somewhere “in between” two (parent) areas. A mutation, on the other hand, is exploitative, since it randomly changes a given trait, which makes the GA create something new that is not in the current population or reintroduces a trait which had previously been eliminated in older generations. The aforementioned processes are described in more detail in the following section.

Roulette Wheel Selection

In GA, selection is used to select the fittest chromosomes each time before generating the next generation. The selection process is also known as a fitness proportional selection or as a roulette wheel selection [32].

Figure 2.22: Pseudocode for the roulette wheel algorithm [32]

Tournament Selection

Using the tournament selection approach, a number of chromosomes are selected through a roulette wheel selection that pairs the chromosomes up and then selects the fitter one of the pair to move on to the next round [32], and after a number of rounds, the two chromosomes with the highest fitness score will compete against each other in order to select the fittest chromosome of the population.


Figure 2.23: Pseudocode for tournament selection algorithm [32]

In this project, the roulette wheel selection and tournament selection were used in order to select the best candidates. Therefore, in every iteration of the selection process, the algorithm picked two chromosomes at a time and then applied the tournament selection process to the pair.

Crossover

The crossover process is applied after the selection process in order to exploit the chromosomes. Two chromosomes participate in a crossover process.

There are several ways to implement a crossover process [30]:

Uniform Crossover:

Uniform Crossover uses a number of points K, where each chromosome consists of a number of parameters P. The K parameters’ settings are chosen at random from a different chromosome and the parameters between the two chromosomes are swapped, as illustrated in figure 2.25.


Figure 2.24: Pseudocode for Crossover Algorithm

Figure 2.25: Illustration of uniform crossover for binary representatives

N-Point Crossover:

In a 1-point crossover, a random point is chosen and used to split the parent chromosomes into two parts which are then swapped in order to generate new solutions. In the case of a 2-point crossover, the parent chromosomes are split into three parts and then swapped, as illustrated in figure 2.26.

Figure 2.26: Illustration of N-uniform crossover

Mutation

Exploring the chromosome space can be done during the mutation process which follows the crossover process [30]. The mutation operator is stochastic, so the output depends on a number of random choices.

Mutation occurs by altering one or more gene values in a chromosome from its current value.

The mutation might change the whole solution from the original one, which might lead to a better solution.

Bit Flip Mutation

In this mutation, one or more random bits are selected and flipped as shown in figure 2.27.

Figure 2.27: Illustration of Bit Flip mutation

Swap Mutation

Two positions within the chromosome are selected at random and the values of these positions are swapped as shown in figure 2.28.


Figure 2.28: Illustration of Swap Mutation

Scramble Mutation

This type is popular within permutation representations. A subset of genes is selected at random and their values are shuffled randomly as shown in figure 2.29.

Figure 2.29: Illustration of Scramble Mutation

Inversion Mutation

A random subset of genes within a chromosome is selected and their values are inverted as shown in figure 2.30.

Figure 2.30: Illustration of Inversion Mutation
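The selection, crossover, mutation and Lamarckian local search operators described in this section, as an added example that is not the thesis's own code: the chromosome layout (one gene per Apache parameter from the STIG list), the meaning of the bits and the fitness function are constructed stand-ins for the scores the assessment server returns.

```python
import random

# Constructed chromosome layout: one gene per Apache parameter taken from the
# STIG list, 1 = hardened setting, 0 = insecure setting (illustrative only).
PARAMETERS = ["FollowSymLinks", "Multiviews", "Indexes", "ServerTokens",
              "KeepAlive", "Timeout", "LimitRequestBody", "AllowOverride"]

def make_rng(seed):
    """Seeded random source so that a run can be reproduced."""
    return random.Random(seed)

def fitness(chromosome):
    """Constructed stand-in for the assessment score: one point per hardened
    parameter, minus a penalty when FollowSymLinks and Indexes are both insecure
    (a parameter chain that is worse than either setting alone)."""
    score = sum(chromosome)
    if chromosome[0] == 0 and chromosome[2] == 0:
        score -= 2
    return max(score, 0)  # roulette wheel selection needs non-negative weights

def roulette_wheel_select(population, rng):
    """Fitness-proportional selection: a slice of the wheel per chromosome, sized by fitness."""
    weights = [fitness(c) for c in population]
    total = sum(weights)
    if total == 0:  # every candidate scored zero: choose uniformly instead
        return rng.choice(population)
    spin = rng.random() * total
    running = 0.0
    for chromosome, weight in zip(population, weights):
        running += weight
        if spin < running:
            return chromosome
    return population[-1]

def tournament_select(population, rng):
    """Pair two roulette-selected chromosomes and keep the fitter one."""
    a = roulette_wheel_select(population, rng)
    b = roulette_wheel_select(population, rng)
    return a if fitness(a) >= fitness(b) else b

def uniform_crossover(parent1, parent2, k, rng):
    """Pick k loci at random and swap the parents' settings at those loci."""
    child1, child2 = list(parent1), list(parent2)
    for locus in rng.sample(range(len(parent1)), k):
        child1[locus], child2[locus] = child2[locus], child1[locus]
    return child1, child2

def n_point_crossover(parent1, parent2, cut_points):
    """Split both parents at the cut points and swap every other segment (1 cut = 1-point, 2 cuts = 2-point)."""
    child1, child2 = [], []
    bounds = [0] + sorted(cut_points) + [len(parent1)]
    for i in range(len(bounds) - 1):
        seg1 = list(parent1[bounds[i]:bounds[i + 1]])
        seg2 = list(parent2[bounds[i]:bounds[i + 1]])
        if i % 2 == 0:
            child1, child2 = child1 + seg1, child2 + seg2
        else:
            child1, child2 = child1 + seg2, child2 + seg1
    return child1, child2

def bit_flip_mutation(chromosome, rate, rng):
    """Flip each gene independently with probability `rate`."""
    return [gene ^ 1 if rng.random() < rate else gene for gene in chromosome]

def local_search(chromosome):
    """Lamarckian local search: flip single genes while that raises fitness and
    return the improved genotype so it is written back into the population."""
    current = list(chromosome)
    improved = True
    while improved:
        improved = False
        for i in range(len(current)):
            trial = current[:]
            trial[i] ^= 1
            if fitness(trial) > fitness(current):
                current, improved = trial, True
    return current

def evolve(seed, population_size=10, generations=5, mutation_rate=0.1):
    """Random initial population, then per generation: tournament selection,
    crossover (uniform or 1-point), bit-flip mutation and local search."""
    rng = make_rng(seed)
    population = [[rng.randint(0, 1) for _ in PARAMETERS] for _ in range(population_size)]
    for _ in range(generations):
        offspring = []
        while len(offspring) < population_size:
            p1 = tournament_select(population, rng)
            p2 = tournament_select(population, rng)
            if rng.random() < 0.5:
                c1, c2 = uniform_crossover(p1, p2, 3, rng)
            else:
                c1, c2 = n_point_crossover(p1, p2, [rng.randrange(1, len(p1))])
            for child in (c1, c2):
                mutated = bit_flip_mutation(child, mutation_rate, rng)
                offspring.append(local_search(mutated))
        population = offspring[:population_size]
    return max(population, key=fitness)

if __name__ == "__main__":
    best = evolve(2017)
    print(dict(zip(PARAMETERS, best)), fitness(best))
```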

2.6 Tools Used in the Project Infrastructure and Establishment

2.6.1 Docker Container Technology

Container technology provides a solution to the reliability problem that occurs when running a software while moving it from one computing environment to another such as from a physical machine in a data center to a virtual machine in a private or public cloud [33].

Docker is an open source program and it is the technology that made it possible to enable a Linux application and its dependencies to be containerized. Container-based virtualization makes it possible to separate applications from each other on a shared operating system. Container technology makes it possible to run apps in any Linux environment physically or virtually. Containers are portable among different Linux distributions and they are much smaller than the virtual machine images [34] [33].


A container image is a lightweight, stand-alone, executable package of a piece of software. A container image contains all which is needed to run it, such as code, runtime, system tools, system libraries and settings [33].

2.6.2 STIG

STIG stands for Security Technical Implementation Guides and was developed by The Defense Information Systems Agency in order to implement configuration guidelines for systems that are deployed across the Department of Defense.

DISA’s Security Technical Implementation Guides gather all configuration parameters that contribute to known vulnerability attack paths.

STIG provides a network administrator with an explanation as to how these configurations can contribute to a vulnerability and how it can be fixed [35].

Figure 2.31: Example of STIG entry

2.6.3 CVSS

CVSS stands for Common Vulnerability Scoring System, which was developed by the National Infrastructure Advisory Council as an open framework for communicating the effects that a vulnerability may have on a device. This framework has two classes of metrics [36].


• Exploitability Metrics consist of three submetrics:

Access Vector, which describes the proximity to the network which an attacker can reach; Local(L), Adjacent Network(A) and Network(N).

Access Complexity, which describes the level of difficulty to achieve a successful exploit; High(H), Medium(M) and Low(L).

Authentication, which describes how many authentication steps can be bypassed by the attack; Multiple(M), Single(S), None(N).

• Impact Metrics consist of three submetrics:

Confidentiality, which describes the level of compromise through the exploit; None(N), Partial(P) and Complete(C).

Integrity, which describes the level of compromise through the exploit; None(N), Partial(P) and Complete(C).

Availability, which describes the level of degradation through the exploit; None(N), Partial(P) and Complete(C).
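As an added example, not code from the thesis: the CVSS v2 base score computed from the six submetrics listed above, using the weights and equations of the CVSS v2 specification. configuration_score is a constructed aggregation for illustration, not the scoring algorithm the thesis develops.

```python
import math

# CVSS v2 base metric weights, as published in the CVSS v2 specification.
ACCESS_VECTOR = {"L": 0.395, "A": 0.646, "N": 1.0}
ACCESS_COMPLEXITY = {"H": 0.35, "M": 0.61, "L": 0.71}
AUTHENTICATION = {"M": 0.45, "S": 0.56, "N": 0.704}
IMPACT = {"N": 0.0, "P": 0.275, "C": 0.660}  # shared by C, I and A


def parse_vector(vector):
    """Parse 'AV:N/AC:L/Au:N/C:P/I:P/A:P' into a dict of metric -> value letter."""
    metrics = {}
    for part in vector.split("/"):
        name, value = part.split(":")
        metrics[name] = value
    missing = {"AV", "AC", "Au", "C", "I", "A"} - metrics.keys()
    if missing:
        raise ValueError(f"incomplete CVSS v2 vector, missing {sorted(missing)}")
    return metrics


def round_to_1_decimal(value):
    """Round half up to one decimal, as the CVSS v2 equations require."""
    return math.floor(value * 10 + 0.5) / 10


def impact_subscore(m):
    """Impact = 10.41 * (1 - (1 - C) * (1 - I) * (1 - A))."""
    return 10.41 * (1 - (1 - IMPACT[m["C"]]) * (1 - IMPACT[m["I"]]) * (1 - IMPACT[m["A"]]))


def exploitability_subscore(m):
    """Exploitability = 20 * AccessVector * AccessComplexity * Authentication."""
    return 20 * ACCESS_VECTOR[m["AV"]] * ACCESS_COMPLEXITY[m["AC"]] * AUTHENTICATION[m["Au"]]


def base_score(vector):
    """BaseScore = ((0.6 * Impact) + (0.4 * Exploitability) - 1.5) * f(Impact),
    where f(Impact) is 0 when there is no impact at all and 1.176 otherwise."""
    m = parse_vector(vector)
    impact = impact_subscore(m)
    exploitability = exploitability_subscore(m)
    f_impact = 0.0 if impact == 0 else 1.176
    return round_to_1_decimal((0.6 * impact + 0.4 * exploitability - 1.5) * f_impact)


def severity(score):
    """NVD severity bands for CVSS v2 base scores."""
    if score >= 7.0:
        return "High"
    if score >= 4.0:
        return "Medium"
    return "Low"


def configuration_score(finding_vectors):
    """Constructed aggregation (not the thesis's scoring algorithm): a configuration
    is rated by the worst finding the tests raised, and 0.0 when nothing was found."""
    return max((base_score(v) for v in finding_vectors), default=0.0)


if __name__ == "__main__":
    for v in ["AV:N/AC:L/Au:N/C:C/I:C/A:C", "AV:N/AC:L/Au:N/C:P/I:P/A:P",
              "AV:L/AC:L/Au:N/C:P/I:N/A:N"]:
        print(v, base_score(v), severity(base_score(v)))
```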

2.6.4 OWASP

OWASP refers to The Open Web Application Security Project, which is a non-profit group concerned with the security of software applications. OWASP’s mission is to educate developers, designers, architects and business owners about security vulnerabilities within web applications and the risks associated with them. OWASP supports open source and commercial security products. The organization has a popular Top Ten list that gives details about the most at-risk web application security vulnerabilities and provides recommendations for ways to deal with them [37].

OWASP Zed Attack Proxy (ZAP) is an integrated penetration testing tool for finding vulnerabilities in web applications.

It is one of the most popular security tools available, because it can automatically find security vulnerabilities within web applications during the development and testing processes. It can also be used for security testing, as shown in figure 2.31 [37].


Figure 2.32: Screenshot of OWASP ZAP interface

The OWASP Zed Attack Proxy 2.6 API Python client [38] is a tool used to automate ZAP attacks and vulnerability tests from Python. It was used in this project to automate the testing of the web server’s vulnerabilities.

It can be installed using the command:

pip install python-owasp-zap-v2.5

2.6.5 Nessus

Nessus is a vulnerability scanning and security analysis platform, as shown in figure 2.33. Users can schedule scans across multiple scanners, use wizards to create policies easily and quickly, and send the results via email. It supports more technologies than other platforms, such as operating systems, network devices, hypervisors, databases, tablets, phones, web servers and critical infrastructures [39].

Nessus has these key features: High-Speed Asset Discovery, Vulnerability Assessment, Malware/Botnet Detection, Configuration & Compliance Auditing, and Scanning & Auditing of Virtualized & Cloud Platforms [39].


Figure 2.33: Screenshot of Nessus interface


Chapter 3

Previous Work

Measurements associated with learning more secure computer configuration parameters

This project [40] is based on GA for the moving target strategy of finding secure computer configurations -solutions- over generations. The solutions consist of a combination of machine configuration parameters.

The project enhanced the GA with a machine learning classification strategy, which groups data objects into one of several categories based on their similarity to known examples of each category.

Evolutionary strategies for secure moving target configuration discovery

Learning secure parameters and moving target defense ideas were implemented in this project [41] through a GA, where a computer’s genetic code is described by the settings of all of its parameters. The GA evolved more secure configurations which were then used to immunize the machine against attacks.

In this project, a beam search based system prototype was developed which was more successful than the genetic algorithm at increasing average configuration fitness while still maintaining a high amount of diversity.

In this project, a prototype system that made use of these strategies was developed. Experimentation showed that, for a small number of attacks per generation, it was often successful in creating a new generation of chromosomes which was immune to attacks from the previous generation [42].

A moving target environment for computer configurations using genetic algorithms

This project [43] [44] has addressed the idea of using GAs to manage computer configuration for an MT defense. However, this thesis improves upon this research in several key areas. Each configuration is made up of real parameters, with a variety of types reflecting the actual settings available when configuring a machine, and each associated with possible real attacks which misconfiguration could allow.

The prior research instead used simulated configurations comprised of a single bit string, the bits of which notionally represented various parameter settings. Previous research also used identical, completely vulnerable configurations as the initial generation, but even the naive method of random configuration generation creates a significantly more secure and diverse population with which to initialize the GA. The system implemented in the previous papers also accounted for uncertainty in security evaluation by adding a small, random perturbation to the reported fitness score, whereas this thesis directly simulates attackers targeting the system. This approach allows for very large discrepancies between observed and true security values, as would be expected in a real deployment.

Using Genetic Algorithms to detect security related software parameter chains

The configurations of software consist of parameters, and through these parameters it is possible to control different aspects of the system.

Misconfigured software gives the ability to exploit the system by using a single parameter setting or a combination of settings. The huge number of parameters makes it hard to identify these settings that can be exploited.

Combination of settings might cause vulnerabilities which complicates the problem.

This project [45] developed a method to detect these security related parameters by exposing the configurations that are vulnerable to the same exploit and comparing them in order to narrow them down to the vulnerable configurations causing the exploit, which shows all the parameters causing an exploit in all possible vulnerable configurations.

A Genetic Algorithm has been used to generate the vulnerable configurations used for comparison and to search for the vulnerable parameters.

Configuration debugging as search: Finding the needle in the haystack

Incorrect function of a system can be caused by errors in configuration. This project [46] addresses the problem of diagnosing configuration errors. For example, changing the local firewall policy could cause a network-based application to malfunction.

This approach searches across time for the instant the system transitioned into a failed state; then it is possible to deduce the cause of failure by comparing the system state before and after the failure.


This project presented a troubleshooting tool called Chronus which automates the search for the failure-inducing state change in order to diagnose the configuration error and reduce the need for human expertise. The tool requires a user-written software probe to find out whether the system is currently working; it then searches through time for the point where the system transitioned from working to non-working, and finds the reason why the system stopped working by using analysis tools like diff, regdiff and log files.

The Chronus tool relies on several components; A time-travel disk which captures the progression of the system’s durable state over time by logging disk block writes. It also uses the mDenali virtual machine monitor to do installation, booting and testing the system’s snapshots. Chronus executes the user-supplied software probe to check if the historical state is working as intended.

EnCore: Exploiting system environment and correlation information for misconfiguration detection

This project [47] presented a tool called Encore which detects software misconfiguration by taking into consideration two factors; the interaction between the configuration settings and the executing environment as well as the rich correlations between configuration entries. EnCore learns configuration rules from a given set of sample configurations, and it enhances the executing context of configurations using training data.

Encore consists of four steps; data collecting, data assembling, rule generator, and anomaly detection, and it learns a broad set of configuration anomalies that span the entire system. Encore detects the injected errors and known real-world problems.


Chapter 4

The Approach

This chapter outlines and explains the methodologies, processes and approaches used to solve the problem statement as described:

• How to tighten the security vulnerabilities caused by human misconfiguration.

• How to tighten the security vulnerabilities by finding the right configurations’ combinations.

• How to make a moving target in order to mislead reconnaissance.

• What is the relation between improving the security and the Quality of Service?

4.1 Objectives

This chapter discusses algorithms developed to achieve the objectives of this project. Two algorithms have been developed for the objective; the genetic algorithm and a scoring algorithm, as well as another script that was developed to test the vulnerability of the web server.

The functional specification is described through use cases which describe the components of each step of one generation, from generating configurations through the genetic algorithm to sending the scores back to the genetic algorithm, as illustrated in figure 4.1:


Figure 4.1: The circle of One Generation

4.2 Use Cases

Use Case 1

Generating Configuration’s combination

• Genetic Algorithm Generates Configurations through selection processes.

• GA divides the combinations within the turned on VMs in VM farm.

• GA sends the combinations to the farm’s VM.

Use Case 2

Reconfiguring VMs

• Each VM receives the configurations as a list of numbers.

• The agent script reads the received list from GA and turns it into configurations.

• The agent script reconfigures the settings.

Use Case 3

Security Assessment

• The Assessment server runs scans on the VMs.

• The Assessment server scores the security of each VM.


• The Assessment server sends the scores to GA for further evaluation and creation of a new generation.

4.3 Apache Configurations

This prototype uses Apache v2.2 configuration parameters as defined in STIG [35], and the scores are based on the CVSS scoring system [36] according to the results of the test code. In this project, a part of the Apache v2.2 configuration was used as proof of the GA concept and its capability of finding the fittest solution.

STIG ID    Parameter
V-13732    FollowSymLinks
V-13734    Multiviews
V-13735    Indexes
V-13738    LimitRequestFieldsize
V-13739    LimitRequestLine
V-13730    MaxClients
V-13737    LimitRequestFields
V-13736    LimitRequestBody
V-26393    AllowOverride
V-26396    LimitExcept
V-26294    info_module
V-26294    status_module
V-2255     htpasswd file ownership and permission
V-13729    MaxSpareServers
V-13728    MinSpareServers
V-13727    StartServer
V-13726    KeepAliveTimeout
V-13725    KeepAlive
V-13724    Timeout
V-6724     ServerTokens

4.4 Design Stage

The system is designed to achieve the objective of the problem statement.

In this design, two algorithms have been developed and a total of four scripts have been used to achieve the goal. For the experiments, a number of tools have been deployed. The genetic algorithm answers the main part of the problem statement: "How to tighten the security vulnerabilities caused by human misconfiguration or by an improper chain of configuration." The components and tools are discussed in this chapter. The second algorithm scores the fitness of the solutions.

The genetic algorithm will generate security solutions. To start with, it initializes random solutions which then go through the selection processes which are described in detail later in this chapter. The genetic algorithm depends on the fitness score of each solution to go further in the selection process, which means that it is the fitness score algorithm’s responsibility to give scores to the solutions and send them on to the genetic algorithm.

The fitness score algorithm is responsible for providing the genetic algorithm with the fitness scores of the security solutions. The scoring system relies on previous preferences from STIG, which provides the vulnerabilities, the parameters responsible for them, and the solutions.

4.5 Components and Tools

The system is designed and developed with a number of components and tools in order to achieve the goal of this project and to solve the problem statement.

4.5.1 Computing Virtual machines

VirtualBox

Oracle VM VirtualBox is a free and open-source hypervisor for x86 computers. It was installed on Windows 10 OS. VirtualBox supports the creation and management of guest virtual machines. For some guest operating systems, a "Guest Additions" package has to be installed to improve the performance of the guest virtual machines, especially the graphics performance.

Ubuntu 14.04 Desktop

Ubuntu 14.04 was used for setting up a Genetic Algorithm server, and another 64-bit machine for a web servers’ farm with Docker installed.

Instance Type    Specification
Memory Size      10,9 GiB
Disk size        40,0 GB
CPU speed        2.30GHz × 3
OS type          32-bit, 64-bit
Processor        Intel® Core™ i5-6300HQ CPU @ 2.30GHz × 3

Kali Linux

Kali Linux is the most advanced penetration testing platform, and it is available in 32 and 64 bit. In this project, a Debian-based 64-bit Kali was used to execute vulnerability tests and real-life attacks through OWASP.


Instance Type    Specification
Memory Size      10,9 GiB
Disk size        28.26 GB
CPU speed        2.30GHz
OS type          64-bit
Processor        Intel® Core™ i5-6300HQ CPU @ 2.30GHz

Docker

For creating web servers in Docker containers, the following Docker Compose file "docker-compose.yml" was used:

    version: '2'

    services:
      webserver1:
        image: httpd
        container_name: webserver1
        ports:
          - "8000:80"
      webserver2:
        image: httpd
        container_name: webserver2
        ports:
          - "8001:80"
      webserver3:
        image: httpd
        container_name: webserver3
        ports:
          - "8002:80"
      webserver4:
        image: httpd
        container_name: webserver4
        ports:
          - "8003:80"

      webserver5:
        image: httpd
        container_name: webserver5
        ports:
          - "8004:80"
      webserver6:
        image: httpd
        container_name: webserver6
        ports:
          - "8005:80"
      webserver7:
        image: httpd
        container_name: webserver7
        ports:
