STIF [Security Tools Integration Framework]: STIF-WARE EVOLUTION. Fyodor Yarochkin and Meder Kydyraliev (fyodor@o0o.nu, meder@o0o.nu). HackInTheBox, Kuala Lumpur, 2005.
Page 1:

STIF [Security Tools Integration Framework]

STIF-WARE EVOLUTION

Fyodor Yarochkin, Meder Kydyraliev

fyodor@o0o.nu, meder@o0o.nu

HackInTheBox, Kuala Lumpur - 2005

Page 2:

Agenda (best question gets an “Industry Slave” HITB T-shirt)

• Introduction to STIF-ware concepts
• First generation of STIF (automation, integration, unification)
• Demonstration
• Problems with the first generation of STIF
• STIF2 – wider coverage of knowledge representation format, functionality decoupling, distributed multi-agent system, open system architecture
• STIF2 prototype

http://o0o.nu/

Page 3:

Introduction

Security Tools Integration Framework (STIF) aims to provide a unified environment and data exchange platform for automated security assessments in heterogeneous environments.

In simple words, it is a platform for “hacking” automation, where STIF emulates the “brain” of a security analyst to perform repetitive tasks.

Page 4:

Why automation?

• machine-based knowledge processing
• automate routine tasks, spend more time on tasks that require brain power
• create intrusion scenarios, and let machine probe them (nIDS testing)
• ‘human’ error mitigation
• reduce human labor involvement in modern corporate pen-testing sweatshop

Page 5:

Why integration?

• Various security tools, written in different languages, are available, but no unified format for data exchange and representation;

• No machine data analysis, aggregation and correlation possibilities;

• Handling large-scale assessments w/ disintegrated tools is a nightmare;

• No possibilities to automate distributed attacks


Page 6:

Typical scenario for security analyst

Security tools (network mappers, fingerprinters, vulnerability scanners)

Joe the analyst

Analyst analyzes the results/output of security tools that he/she ran and decides what tools/exploits to launch next

Tools/exploits perform requested actions and provide analysts with food for thought

Page 7:

Want to see what happened to Joe the analyst after one month?

Page 8:

Look what repetitive and boring “hacking” has done to him…

Poor Joe…


Page 9:

Why not let machine do the boring part???


Page 10:

Of course, you can ...

• script it: `ls -al ~/code/scripts/`

• (ab)use security scanners (nessus);

• (ab)use exploit toolkits (e.g. metasploit);

• hire a full room of pen-testing monkeys, that will do the boring part (sweatshop production);

Page 11:

Scanners vs. STIF

Problems with scanners:

• hardcoded sequence of execution;

• vendor-specific integration (e.g. NASL, plug-in APIs), requires rewrite or code hacking;

• vendor-specific data representation/storage (hard to integrate into existing solutions, e.g. custom DBs);


Page 12:

STIF solution

STIF is designed to solve the problems outlined earlier, by introducing the common format for data representation and by providing a platform for data exchange among tools.


Page 13:

First generation STIF provides:

• Highly customizable rule-based inference engine, which enables analyst to script out ANY scenario based on the data that was returned by tools;
• Unified data exchange and representation format;
• Generic database publishing module (save data from tools in DB w/ any scheme);
• IRC BOT interface: data publisher and importer

Page 14:

STIF Features (continued)

• Distributed architecture
• ready to use DB schema
• STIF is written in Java
• the reason for that decision is simple: quicker development cycle, cross-platform compatibility;

Page 15:

Data representation unification

STIF encapsulates data in a set of XML messages (STIF-Message).

Input data, provided in XML format, is converted by the Exec module into a form the tool can understand.

The results of tool execution are converted to STIF and fed back into the Inference Engine.

Page 16:

STIF-Message

Sample STIF-Message:

    <STIF-Message created="2004-09-02T15:03:01+6">
      <Port number="80" state="open" protocol="tcp">
        <Address type="ipv4-addr">192.168.1.1</Address>
        <Protocol>HTTP<Application>Apache/1.3.27 (Unix) PHP/4.3.1</Application></Protocol>
      </Port>
    </STIF-Message>

Page 17:

Inference engine

• responsible for data interflow between various tools;
• makes decisions on which tools to be executed when new data appears;
• provides data aggregation and correlation facilities (including regular-expression-based matching against the knowledge base facts);
• maintains execution flow using rule-based scenarios;

Page 18:

Data Publishing facility

Publishing in STIF environment means providing the Publisher with newly arrived facts (STIF-Messages from tools).

STIF is able to execute several data/fact publishing modules simultaneously (e.g. database publishing, IRC publishing).


Page 19:

SQL Publisher

STIF comes with an SQL publishing module, which can publish/store data received from tools in the form of a STIF-Message, in databases of arbitrary scheme.

    <message type="Target">
      <query>INSERT INTO ip_address VALUES(NULL,'%h');</query>
    </message>
    <message type="Port">
      <query>SELECT id FROM ip_address WHERE ip_address='%h';</query>
      <query>INSERT INTO port VALUES(NULL, $1, '%n', '%P', '%S', '%p', '%a');</query>
    </message>
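As an added example, not the STIF SQL publisher's own code, the two message templates above are run in Python against the slide-16 STIF-Message with sqlite3. What each %x placeholder denotes (%h host address, %n port number, %P transport protocol, %S state, %p service, %a application banner) and the table layout are assumptions; the point it adds is that the quoted placeholders are bound as parameters, so a tool-reported banner never becomes part of the SQL text.

```python
import re
import sqlite3
import xml.etree.ElementTree as ET

# Constructed STIF-Message shaped like the slide-16 sample (not real scan data).
STIF_MESSAGE = """<STIF-Message created="2004-09-02T15:03:01+6">
<Port number="80" state="open" protocol="tcp"><Address type="ipv4-addr">192.168.1.1</Address>
<Protocol>HTTP<Application>Apache/1.3.27 (Unix) PHP/4.3.1</Application></Protocol></Port>
</STIF-Message>"""
SCHEMA = """CREATE TABLE ip_address(id INTEGER PRIMARY KEY, ip_address TEXT);
CREATE TABLE port(id INTEGER PRIMARY KEY, ip_id INTEGER, number, protocol, state, service, application);"""
# Templates from the slide. Placeholder meanings are an assumption: %h host address,
# %n port number, %P transport protocol, %S state, %p service, %a application banner.
TEMPLATES = {
    "Target": ["INSERT INTO ip_address VALUES(NULL,'%h');"],
    "Port":   ["SELECT id FROM ip_address WHERE ip_address='%h';",
               "INSERT INTO port VALUES(NULL, $1, '%n', '%P', '%S', '%p', '%a');"],
}
PLACEHOLDER = re.compile(r"'(%[a-zA-Z])'|(\$\d+)")

def port_facts(port):
    # Flatten one <Port> element into the placeholder values.
    proto, app = port.find("Protocol"), port.find("Protocol/Application")
    return {"%h": port.findtext("Address"), "%n": port.get("number"), "%P": port.get("protocol"),
            "%S": port.get("state"), "%p": proto.text.strip(),
            "%a": app.text.strip() if app is not None else None}

def bind(template, facts, previous):
    """Turn each quoted '%x' or $N into a ? parameter: tool output (a banner, even one containing
    a quote) is bound as data, never spliced into the SQL text. $N is query N's first column."""
    params = []
    def repl(m):
        params.append(facts[m.group(1)] if m.group(1) else previous[int(m.group(2)[1:]) - 1])
        return "?"
    return PLACEHOLDER.sub(repl, template), params

def run_message(conn, msg_type, facts):
    results = []                     # first column of each query, addressable as $1, $2, ...
    for tmpl in TEMPLATES[msg_type]:
        row = conn.execute(*bind(tmpl, facts, results)).fetchone()
        results.append(row[0] if row else None)

def publish(xml_text):
    # Publish every <Port> of a STIF-Message into a fresh in-memory database and read it back.
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    ports = [port_facts(p) for p in ET.fromstring(xml_text).iter("Port")]
    for host in sorted({f["%h"] for f in ports}):        # one Target message per host
        run_message(conn, "Target", {"%h": host})
    for facts in ports:
        run_message(conn, "Port", facts)
    return conn.execute("SELECT ip_address.ip_address, number, service, application FROM port "
                        "JOIN ip_address ON port.ip_id = ip_address.id").fetchall()
```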

Page 20:

IRC Importer/Publisher

STIF supports command input over IRC and can publish new facts to an IRC channel or using private messages.

Other software tools can act as STIF “nodes” embedding the IRC importer/publisher functionality


Page 21:

Your favorite tools integration to support STIF?

STIF provides several means to import data into STIF inference engine:

• Generic2STIFConverter, extracts data from output using regular expressions to form STIF-Message;
• Tool-specific wrappers

Page 22:

Integration using STIF Generic2STIF Converter

Define rules in parser.xml:

    <?xml version="1.0"?>
    <Config>
      <Tool name="nmap-syn-version">
        <Group name="target address">
          <Delimeter>Interesting</Delimeter>
          <Regex name="address" required="true">
            .*ports on .*\(([\d\.]+)\):.+
          </Regex>
          <Group name="port" generate="port">
            <Delimeter> newline </Delimeter>
            <Regex name="portNumber" required="true">
              ^(\d+)/(?:tcp|udp).+
            </Regex>
            …

Page 23:

            <Regex name="portProtocol" required="true">
              ^\d+/(tcp|udp).+
            </Regex>
            <Regex name="portState" required="true">
              ^\d+/(?:tcp|udp)\s+(open|closed|filtered).+
            </Regex>
            <Regex name="portService" required="true">
              ^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+([\w-]+).*
            </Regex>
            <Regex name="portApplication" required="false">
              ^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+[\w-]+\s+(.+)
            </Regex>
          </Group>
        </Group>
      </Tool>
    </Config>
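The parser.xml rules above, worked through in Python as an added example (not the STIF project's Generic2STIFConverter): the regexes from slides 22 and 23 are applied to constructed nmap output and the matches assembled into a STIF-Message of the shape shown on slide 16. Matching the address regex across the whole "Interesting" group with DOTALL is an assumption about how the original converter treated group text.

```python
import re
import xml.etree.ElementTree as ET

# Regexes copied from the parser.xml rules on the slides (nmap SYN + version scan output).
ADDRESS_RE = re.compile(r".*ports on .*\(([\d\.]+)\):.+", re.DOTALL)   # DOTALL is an assumption
PORT_RES = {
    "number":      re.compile(r"^(\d+)/(?:tcp|udp).+"),
    "protocol":    re.compile(r"^\d+/(tcp|udp).+"),
    "state":       re.compile(r"^\d+/(?:tcp|udp)\s+(open|closed|filtered).+"),
    "service":     re.compile(r"^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+([\w-]+).*"),
    "application": re.compile(r"^\d+/(?:tcp|udp)\s+(?:open|closed|filtered)\s+[\w-]+\s+(.+)"),
}
REQUIRED = ("number", "protocol", "state", "service")   # portApplication has required="false"

# Constructed nmap-style output for the example (not a real scan).
SAMPLE_OUTPUT = """\
Interesting ports on gw.example.test (192.168.1.1):
PORT    STATE  SERVICE VERSION
22/tcp  open   ssh     OpenSSH 3.9p1
80/tcp  open   http    Apache/1.3.27 (Unix) PHP/4.3.1
443/tcp closed https
"""

def match_port_line(line):
    """Port group (newline delimiter): apply every Regex; drop the line if a required one misses."""
    fields = {}
    for name, regex in PORT_RES.items():
        m = regex.match(line)
        fields[name] = m.group(1) if m else None
    return fields if all(fields[k] for k in REQUIRED) else None

def parse_groups(text):
    """Target group: split on 'Interesting', require the address, then run the nested port group."""
    targets = []
    for chunk in text.split("Interesting")[1:]:
        m = ADDRESS_RE.match("Interesting" + chunk)
        if not m:
            continue                                   # address is required="true"
        ports = [p for p in map(match_port_line, chunk.splitlines()) if p]
        targets.append((m.group(1), ports))
    return targets

def to_stif_message(targets, created):
    """Build a STIF-Message like the slide-16 sample: Port -> Address, Protocol(Application)."""
    root = ET.Element("STIF-Message", created=created)
    for addr, ports in targets:
        for p in ports:
            port = ET.SubElement(root, "Port", number=p["number"], state=p["state"], protocol=p["protocol"])
            ET.SubElement(port, "Address", type="ipv4-addr").text = addr
            proto = ET.SubElement(port, "Protocol")
            proto.text = p["service"].upper()
            if p["application"]:
                ET.SubElement(proto, "Application").text = p["application"]
    return ET.tostring(root, encoding="unicode")
```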

Page 24:

How can you help?

You can do several things to contribute to our efforts:

• Try it!!!
• Ask your favorite tool’s author to become STIF-compliant;
• Write regular expressions to parse output for Generic2STIFConverter;
• Patch your favorite tools to be STIF-compliant;
• or.. wait until STIF2 is out

STIF-compliant?

Page 25:

First generation STIF Demonstration

Page 26:

Problems with current STIF implementation

• Complexity: massive coupled piece of code

• Centralized system: limited support for task distribution

• Non-dynamic (fixed at startup) inference engine rules

• Knowledge interchange format needs to be extended


Page 27:

STIF2 Concepts

Functionality decoupling


Page 28:

STIF2 Concepts

• Platform independent
• Composed of independent agents
• Agents communicate with each other using messaging protocol
• Agent capability service exists to provide agent capability lookup and matching facility

Page 29:

STIF2 Multi-Agent Architecture

• Multi-agent architecture
  – Tool wrapper Agents
    • Scanning, connection forwarding, attack launching
  – Logic Execution Agents
  – User Interface Agents
  – And more

Page 30:

Message Exchange Framework

• Provides facilities for agent communication

• Provides facilities for communication channel selection (covert channels, tunneling, steganography)

Page 31:

Goal-Driven execution

• Goal-driven execution flow
  – Each agent describes its functionality with a set of capabilities. Each capability can be executed on a certain type of data object (network, host, user, URL).
  – Each agent is given a task to execute a capability, which becomes the agent’s goal. An agent may have different plans to execute the same capability. Plans are scored based on execution success rate.

Page 32:

Goal Driven execution

• Each plan may also be assigned qualifiers:
  – Stealthiness
  – Latency
  which can be matched to current ‘environment’ settings.

Page 33:

Event-driven execution

• Event-driven execution flow
  – Each agent may subscribe to ‘interests’, expressing its interest in certain types of data objects (network, host, open port, URL, a valid user).
  – When an agent discovers new data, the “interests” list is queried for the list of interested agents. The discovering agent is responsible for forwarding the data to the interested partners.
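A compact Python model of the goal-driven and event-driven flows described on slides 31 to 33, added here as an illustration rather than taken from the STIF2 prototype: the interests list dispatches newly discovered data objects to subscribed agents, and each agent picks the best-scoring plan whose qualifiers fit the current environment. Agent names, plan names and the scoring prior for untried plans are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class DataObject:
    kind: str     # data-object types named on the slides: network, host, open port, URL, valid user
    value: str

@dataclass
class Plan:
    """One way to execute a capability; scored by its execution success rate."""
    name: str
    qualifiers: dict            # e.g. {"stealth": "high", "latency": "low"}
    attempts: int = 0
    successes: int = 0

    def score(self):
        return self.successes / self.attempts if self.attempts else 0.5   # constructed prior for untried plans

    def record(self, succeeded):
        self.attempts += 1
        self.successes += int(succeeded)

class Agent:
    def __init__(self, name, interests, plans):
        self.name, self.interests, self.plans = name, interests, plans
        self.beliefs = set()    # local data cache ("beliefs", slide 34)

    def choose_plan(self, environment):
        """Goal-driven step: the best-scoring plan whose qualifiers all match the environment."""
        fitting = [p for p in self.plans
                   if all(environment.get(k) == v for k, v in p.qualifiers.items())]
        return max(fitting, key=Plan.score, default=None)

class InterestRegistry:
    """The 'interests' list: data-object kind -> agents subscribed to that kind."""
    def __init__(self, agents):
        self.subs = {}
        for agent in agents:
            for kind in agent.interests:
                self.subs.setdefault(kind, []).append(agent)

    def discover(self, finder, obj):
        """Event-driven step: the discovering agent forwards obj to each interested partner that
        does not hold it yet; returns the names it was delivered to."""
        finder.beliefs.add(obj)
        delivered = []
        for agent in self.subs.get(obj.kind, []):
            if agent is not finder and obj not in agent.beliefs:
                agent.beliefs.add(obj)
                delivered.append(agent.name)
        return delivered
```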

Page 34:

Agent Data Cache (beliefs)

• Agent caches data locally (local data Cache, beliefs)

• Agent may query other agents or KB for missing data


Page 35:

Current Implementation prototype

• Based on Java/JADE framework
• The communication protocol: in progress
• The knowledge interchange format: reviewing current standards (KIF, DAML)
• Once the communication framework is finalized, JADE messaging framework to be replaced with home-brewed implementations (ports for different languages)

Page 36:

Questions (remember we give out a T-shirt for the best question)?

Suggestions: fyodor@o0o.nu, meder@o0o.nu

http://o0o.nu/sec/STIF/

Page 37:

Thanks!!!!
