Computational Vulnerability Analysis for Information Survivability

  • Howard Shrobe


The infrastructure of modern society is controlled by software systems. These systems are vulnerable to attacks; several such attacks, launched by "recreational hackers," have already led to severe disruption. However, a concerted and planned attack whose goal is to reap harm could lead to catastrophic results (for example, by disabling the computers that control the electrical power grid for a sustained period of time). The survivability of such information systems in the face of attacks is therefore an area of extreme importance to society. This article is set in the context of self-adaptive survivable systems: software that judges the trustworthiness of the computational resources in its environment and that chooses how to achieve its goals in light of this trust model. Each self-adaptive survivable system detects and diagnoses compromises of its resources, taking whatever actions are necessary to recover from attack. In addition, a long-term monitoring system collects evidence from intrusion detectors, firewalls, and all the self-adaptive components, building a composite trust model used by each component. Self-adaptive survivable systems contain models of their intended behavior; models of the required computational resources; models of the ways in which these resources can be compromised; and finally, models of the ways in which a system can be attacked and how such attacks can lead to compromises of the computational resources. In this article, I focus on computational vulnerability analysis: a system that, given a description of a computational environment, deduces all the attacks that are possible. In particular, its goal is to develop multistage attack models in which the compromise of one resource is used to facilitate the compromise of other, more valuable resources.
Although the ultimate aim is to use these models online as part of a self-adaptive system, there are other offline uses as well that we are deploying first to help system administrators assess the vulnerabilities of their computing environment.
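To make the idea of deducing multistage attack models from an environment description concrete, here is a small forward-chaining reasoner written for this page (not the paper's own system). It assumes the environment is given as abstract (relation, a, b) facts and that compromise rules are abstract capability transfers; all host, file, process and user names are hypothetical, and the rules are deliberately coarse stand-ins for the richer models the article describes.

```python
"""Toy multistage attack-model deduction (illustrative, not the paper's code)."""
from collections import deque

# Constructed environment description with hypothetical names.
ENVIRONMENT = {
    ("stores", "fileserver", "billing.bin"),    # host holds the binary
    ("loads", "billing-proc", "billing.bin"),   # process executes the binary
    ("runs_as", "billing-proc", "dbadmin"),     # process acts as this user
    ("grants", "dbadmin", "customer-db"),       # user has write access here
    ("privileged", "billing-proc", "dbhost"),   # process has admin rights on host
    ("stores", "dbhost", "audit.log"),
}

# Abstract compromise rules: (relation, direction, explanation).
# "fwd": compromised a and (rel, a, b) => b compromised.
# "rev": compromised b and (rel, a, b) => a compromised.
RULES = [
    ("stores", "fwd", "controller of a host can alter files it stores"),
    ("loads", "rev", "an altered binary controls the process that loads it"),
    ("runs_as", "fwd", "a controlled process acts with its user's rights"),
    ("grants", "fwd", "a user's rights reach the granted resource"),
    ("privileged", "fwd", "a privileged process controls its host"),
]

def attack_paths(environment, initial):
    """Forward-chain from initially compromised resources.
    Returns {resource: [(from, explanation, to), ...]}; breadth-first
    search means each recorded chain is a shortest one in rule steps."""
    paths = {r: [] for r in initial}
    queue = deque(initial)
    while queue:
        src = queue.popleft()
        for rel, direction, why in RULES:
            for r, a, b in environment:
                if r != rel:
                    continue
                if direction == "fwd" and a == src:
                    dst = b
                elif direction == "rev" and b == src:
                    dst = a
                else:
                    continue
                if dst in paths:          # already reached; keep first chain
                    continue
                paths[dst] = paths[src] + [(src, why, dst)]
                queue.append(dst)
    return paths

if __name__ == "__main__":
    for res, chain in attack_paths(ENVIRONMENT, {"fileserver"}).items():
        print(res, "<-", " -> ".join(f"{s} ({w})" for s, w, _ in chain) or "initial")
```

Starting from a compromised file server, the reasoner reports that the customer database is reachable only through a four-step chain (binary, process, user, database), which is exactly the kind of path an administrator would want flagged for monitoring or hardening.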