Slashdot Mirror


MIT Working On Network Vulnerability Analysis

An anonymous reader writes "Researchers at MIT have created a method for analyzing networks to detect exploitable vulnerabilities using attack graph analysis which can be done in near real time. The new Lincoln Labs tool will allow admins of large networks to detect their most vulnerable areas and also model zero day attacks. 'NetSPA (for Network Security Planning Architecture) uses information about networks and the individual machines and programs running on them to create a graph that shows how hackers could infiltrate them. System administrators can examine visualizations of the graph themselves to decide what action to take, but NetSPA also analyzes the graph and offers recommendations about how to quickly fix the most important weaknesses. NetSPA relies on vulnerability scanners to identify known weaknesses in network-accessible programs that might allow an unauthorized person access to a machine. But simply being aware of vulnerabilities is not sufficient; NetSPA also has to analyze complex firewall and router rules to determine which vulnerabilities can actually be reached and exploited by attackers and how attackers can spread through a network by jumping from one vulnerable host to another.'"
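An added illustration of the attack-graph idea the summary describes; it is not NetSPA's code and not part of the original post. The host names, ports, findings and allowed flows are constructed, and the firewall rules are assumed to be already reduced to a list of permitted (source, destination, port) flows.

```python
from collections import deque

# Constructed sample data (hypothetical hosts, ports and findings).
# Scanner findings: host -> ports with a remotely exploitable service.
VULNS = {"web": {443}, "app": {8080}, "db": {5432}, "hr": {445}, "backup": {21}}

# Filtering rules reduced to allowed flows: (source, destination, port).
ALLOWED = {
    ("internet", "web", 443),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("web", "hr", 22),   # reachable, but nothing vulnerable listens on 22
    ("db", "hr", 445),   # "backup" is vulnerable but no flow reaches port 21
}

def build_graph(vulns, allowed):
    """Edge src -> dst exists only if an allowed flow reaches a vulnerable port."""
    graph = {}
    for src, dst, port in allowed:
        if port in vulns.get(dst, set()):
            graph.setdefault(src, set()).add(dst)
    return graph

def compromised(vulns, allowed, start="internet"):
    """Hosts reachable from `start` by hopping from one vulnerable host to the next."""
    graph, seen, queue = build_graph(vulns, allowed), {start}, deque([start])
    while queue:
        for nxt in graph.get(queue.popleft(), ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}

def rank_fixes(vulns, allowed, start="internet"):
    """For each finding, count hosts still exposed if only that finding is patched."""
    results = []
    for host, ports in vulns.items():
        for port in ports:
            patched = {h: (p - {port} if h == host else p) for h, p in vulns.items()}
            results.append((len(compromised(patched, allowed, start)), host, port))
    return sorted(results)  # lowest remaining exposure first

if __name__ == "__main__":
    print("exposed:", sorted(compromised(VULNS, ALLOWED)))
    for remaining, host, port in rank_fixes(VULNS, ALLOWED):
        print(f"patch {host}:{port} -> {remaining} hosts still exposed")
```

The unreachable `backup` finding ranks last even though a scanner alone would report it alongside the others, which is the gap between a vulnerability list and a reachability-aware graph.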

25 comments

  1. Hacker Tool by Nom+du+Keyboard · · Score: 3, Interesting

    How long before there's a hacker tool version of this to spot vulnerabilities that exist because the sys admin isn't using it to defend his network?

    --
    "It's the height of ridiculousness to say for those 9 lines you get hundreds of millions."
    1. Re:Hacker Tool by BitterOldGUy · · Score: 5, Funny

      How long before there's a hacker tool version of this to spot vulnerabilities that exist because the sys admin isn't using it to defend his network?

      Done!

      Next question.

    2. Re:Hacker Tool by fuzzyfuzzyfungus · · Score: 2, Funny

      I nominate you for director of marketing for whatever company ends up commercializing this.

    3. Re:Hacker Tool by Anonymous Coward · · Score: 0

      What do you think they based their code on?

    4. Re:Hacker Tool by Deanalator · · Score: 1

      There have been tons of projects like this in the past, and I don't think there will be any serious traction until people start releasing code.

      By the way, shameless plug for my current project (as seen in my sig). It's a security visualization framework designed to make it very easy for security auditors to write data gathering modules, and visualization experts to write modules for visualizing data.

      I will be giving a demo of my project at vizsec in a couple weeks (http://www.vizsec.org/workshop2008/), so if you are in the Cambridge area, I encourage you to stop by.

    5. Re:Hacker Tool by Anonymous Coward · · Score: 0

      Time to change your sig, buddy. Don't worry, I wanted the two old white guys too.

  2. Charts by nickswitzer · · Score: 4, Funny

    Will it also create a powerpoint presentation so they can show it off to their boss about how they probably need a raise?

    1. Re:Charts by Deanalator · · Score: 1

      You laugh now, but most modern security analysis systems have this feature. Especially the expensive ones designed for large corporate networks.

  3. Old news by Anonymous Coward · · Score: 1, Funny

    MIT professors have been giving guest lectures on this for over two years. Not news.

  4. Bragging rights? by knarfling · · Score: 4, Insightful

    The software sounds sweet. But there are a few details missing.

    1. Is it available for public use?
    2. When will it be available?
    3. What does it cost?
    4. What platform(s) does it run on?
    5. Where can I get it?

    Or was this just bragging rights to say, "Look! We did something really, really cool, but you can't have it."

    --
    Great civilizations have lived and died on false theories. Don't mess up mine with a few facts.
    1. Re:Bragging rights? by Yvanhoe · · Score: 4, Insightful

      Or was this just bragging rights to say, "Look! We did something really, really cool, but you can't have it."

      The MIT does that a lot. And /. likes to be used as a PR agency.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    2. Re:Bragging rights? by Anonymous Coward · · Score: 0

      /., used, never!

    3. Re:Bragging rights? by Anonymous Coward · · Score: 0

      As MIT Lincoln Laboratory is an FFRDC, I imagine that the DoD (specifically the Air Force) will get first dibs on it.

    4. Re:Bragging rights? by electrojoker · · Score: 1
    5. Re:Bragging rights? by electrojoker · · Score: 1

      As far as the availability and commercialization concerns brought up, there are a few articles referring to cyberanalytix and dev. of netspa in a platform: http://www.masshightech.com/stories/2008/05/05/story11-CyberAnalytix-takes-a-7-year-path-to-$100K.html http://www.outlookseries.com/news/Science/3420.htm

  5. astalavista by Anonymous Coward · · Score: 0

    Script kiddies the world over have tools to create vulnerability maps and visualize networks. These kids end up at MIT and write master's theses about their custom visualizers and then sell them to government types for your tax dollars. The MIT guy spends this money on the kinds of services advertised on astalavista, which is incidentally where the government guy could have found this sort of thing for free.

    This article sounds like it is 25 years ago and we might want to map vulnerabilities on the internet. I guess you'd only really need to visualize them if you wanted a GUI for point-and-click pwning.

    1. Re:astalavista by Anonymous Coward · · Score: 0

      these kids end up at MIT and write master's theses

      No they don't.

  6. Not long by Crazy+Taco · · Score: 2, Informative

    How long before there's a hacker tool version of this to spot vulnerabilities that exist because the sys admin isn't using it to defend his network?

    Probably not that long. This technology isn't overly groundbreaking or original. I don't want to take anything away from those who worked on this, because I'm sure they did a great job, but they weren't the only ones who thought of this. I was working on a similar project at Iowa State three years ago. I haven't followed the project since I left the university, so I don't know where they are at, but it does prove that MIT wasn't the only place to think about this. It's quite possible that hackers also thought of this and have been working on something similar.

    In addition, when it comes to the visualization portion of this, I know from my experience at Iowa State that there are multiple open source graph display frameworks they can use for this that would speed their development. And of course, there are freely obtainable network scanners such as nmap, freely obtainable vulnerability tools like nessus, packet capture tools like wireshark, etc. Such a program as MIT's could largely be done by integrating several F/OSS pieces of software together, and while I'm sure that wouldn't be trivial, a lot of the base technologies already exist for hackers to take advantage of. Again, though, I don't want to take away too much from MIT, because as someone who makes his living assembling systems out of other systems developed by other groups, I know that the integration part is often the hardest of all. But the hackers do have the tools should they choose to use them.

    --
    Beware of bugs in the above code; I have only proved it correct, not tried it.
  7. Automated Tools Cannot Fix the Stupid User Problem by Anonymous Coward · · Score: 0

    Automated tools to find security vulnerabilities are OK. However, until automated tools are created to find stupid users and stop them, the battle will never be over. You can fully patch a system, reduce system privileges, etc., but if that stupid user clicks on a link, visits a bad website, or opens a trojanized attachment because it said "open me", the same effect will take place and the end result will still be the same. The battle of good vs evil will still continue on while stupid users are around, and I'm pretty sure those are a lot harder to get rid of.

  8. Same old same old. by the_pete · · Score: 1

    How is this different from what is already being done with vuln scanners? How does this find 0-days? The test comes from a particular vector which finds KNOWN vulnerabilities. This will only find Access problems if the limitations of the systems are known. It does nothing to determine trust problems like spoofing, MITM attacks, and attacks from other vectors. What they needed to do is look at it in a new way, like in the SCARE project (Source Code Analysis Risk Evaluation) from ISECOM, which determines all interactive points, how they are interactive (memory, user, disk), and what controls are there. Since every interactive point will have risk of some sort (like a potential real 0-day), this will tell you not only the Access problems but the Trust ones as well. Take the same methodology in SCARE and apply it to a scanner to look at all interactive points in a network per vector (run it inside, outside, and each perimeter side) and then have a program correlate where the interactive points match. You can get fancy and draw maps of this, but really what you want to know is the priority of what you need to close, separate, and add missing controls to. All of this is already outlined in OSSTMM 3. I just don't see how MIT can get away with announcing a tool that is not innovative and leads people down the false path of endless patching.