
CSCI 262

Fall 2012

Lab #1
Date: 22/09/2013

Last name    First name    Student ID    Signature

Attacks, Attack trees

Learning outcomes:
a) Examples of attacks, and countermeasures
b) Explain the role of attack trees in information security
c) Build an attack tree

1. A case of impersonation attack - from: Charles Pfleeger, Analyzing computer
security, Pearson, 2011

Questions
Why did this attack succeed? What protection measures would you suggest?

2. Facebook pages answer security questions
from: Charles Pfleeger, Analyzing computer security, Pearson, 2011

Why did this attack succeed? What advice would you give to Facebook users? To Facebook?

3. Attack trees: definition and role.
From: Andreas L. Opdahl, Experimental comparison of attack trees and misuse cases for security threat
identification, Information and Software Technology 51 (2009) 916–932

Attack trees are a technique used to model potential security attacks against any kind of
system. At the root of the tree is the top-level attack; its child nodes
indicate the various ways that the attack can be achieved.
There are two possible ways of decomposing an attack into lower-level attacks:
a. AND-decomposition:
All the child attacks must succeed for the parent attack to succeed.
AND-decompositions are explicitly marked with an arc between the lines and the
word "AND".
b. OR-decomposition:
At least one of the child attacks must succeed for the parent attack to succeed.
OR-decompositions are not marked in any specific way, i.e., any decomposition
that is not marked as an AND-decomposition is an OR-decomposition.
Attack trees can be written both as diagrams and textually. The attack tree modeling
process consists of the following steps:
a) Identify top-level attacks against the system in question.
b) Brainstorm different ways these attacks can be achieved and specify child
attacks recursively, until the way of performing each attack is obvious and further
decomposition is not useful.
Two examples of attack trees are provided below.

Attack tree - example 1
The first one represents a partial attack tree for opening a safe. A textual diagram is also
provided (figure 1).

Figure 1: Attack tree of a Safe.


Source: B. Schneier, Secrets and Lies: Digital Security in a Networked World, Wiley, Indianapolis, 2000.

Attack tree - example 2

In the second example (figure 2), the diagram shows an (incomplete) example of
some attack trees related to an ATM. As can be seen, it is not necessary to have all
the attacks gathered in one connected tree: although three of the top-level attacks
could be joined in a more general "Steal money", the fourth, which is pure vandalism
with no gain for the perpetrator, would be more difficult to connect to the others.

Figure 2: Attack tree for attacking an ATM machine.


Source: Andreas L. Opdahl, Experimental comparison of attack trees and misuse cases for security
threat identification, Information and Software Technology 51 (2009) 916–932

The same diagram could be written textually as:

1. Get cash from customer's card account (AND)
    1.1 Get PIN code (OR)
        1.1.1 Look over shoulder
        1.1.2 Find PIN in wallet
    1.2 Get card (OR)
        1.2.1 Steal card
        1.2.2 Clone card
    1.3 Use card
2. Rob cash from customer
3. Steal ATM's cash stack
    3.1 Steal entire ATM
    3.2 Break ATM open
Textual specification apparently has no advantage in this particular example, but can be
useful if longer explanations are needed than the limited space within each square in the
diagram.
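
The AND/OR semantics can also be evaluated mechanically. The following is an added example, not part of the original handout: it encodes top-level attack 1 of the textual ATM tree, enumerates every combination of leaf attacks that achieves the root, and checks whether a chosen set of countermeasures blocks all of them. The tuple layout and the function names are assumptions made for illustration.

```python
from itertools import product

# Node layout (assumed for this example): (label, gate, children).
# A leaf has no children; any inner node not marked "AND" is treated as OR,
# matching the convention stated in the handout.
ATM_TREE = ("Get cash from customer's card account", "AND", [
    ("Get PIN code", "OR", [
        ("Look over shoulder", None, []),
        ("Find PIN in wallet", None, []),
    ]),
    ("Get card", "OR", [
        ("Steal card", None, []),
        ("Clone card", None, []),
    ]),
    ("Use card", None, []),
])

def achievable(node, feasible):
    """True if the attack at `node` succeeds given the feasible leaf attacks."""
    label, gate, children = node
    if not children:
        return label in feasible
    results = [achievable(child, feasible) for child in children]
    return all(results) if gate == "AND" else any(results)

def attack_paths(node):
    """Every set of leaf attacks that is sufficient to achieve `node`."""
    label, gate, children = node
    if not children:
        return [frozenset([label])]
    per_child = [attack_paths(child) for child in children]
    if gate == "AND":
        # AND: pick one sufficient set from each child and merge them.
        return [frozenset().union(*combo) for combo in product(*per_child)]
    # OR: a sufficient set for any single child is sufficient for the parent.
    return [path for paths in per_child for path in paths]

def leaves(node):
    """All leaf labels below `node`."""
    label, _, children = node
    return {label} if not children else set().union(*(leaves(c) for c in children))

def blocked_by(node, countered):
    """True if countering these leaf attacks leaves the root unachievable."""
    return not achievable(node, leaves(node) - set(countered))

if __name__ == "__main__":
    for path in attack_paths(ATM_TREE):
        print(sorted(path))
    print(blocked_by(ATM_TREE, {"Look over shoulder"}))   # one OR branch remains
    print(blocked_by(ATM_TREE, {"Use card"}))             # AND child removed
```

Countering a single child of an AND node is enough to stop the parent attack, whereas an OR node is only stopped when every one of its children is countered.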

4. Problem (Attacking University XYZ server).
In this scenario, we consider the attack of the information server of university XYZ.
Which assets could be damaged if this happens? Construct an attack tree for this threat.
Assume that the information server of XYZ university provides different services to
different communities:
- academic staff,
- students,
- administrative staff,
- and executive staff.
The services include: email, internet access, intranet applications for each community.
An example of software applications for students would be the use of different software
applications and programming languages by the student communities.
Data is divided into three categories: administrative data, teaching, research.
A closer look at the information server of XYZ shows that:
- There is a firewall that controls access to the information server. The firewall is
Linux-based. The Linux version has not been patched for the last 4 months.
- A frontend machine plays the role of a proxy server. It accepts requests from users,
and according to the request type, dispatches the request to either a data server or a
service server. This frontend machine runs IIS 8, which is known to have a PHP
vulnerability, allowing the user to get control of the machine.
- The data server consists of three database servers:
a) A database server for administration. This server provides three distinct views:
- A student view
- A faculty view
- An administration view
b) A database server for teaching. This server provides two main views:
- A student's view, allowing access to lecture notes for the courses the student is
registered in, as well as any information provided by the lecturers or the administration to
the students.

- A faculty’s view, allowing faculty to post lecture notes, tutorials, and to store
exam questions securely.
c) A database server for research. This server provides two main views:
- A faculty view, allowing individual faculty to store their individual research
articles, as well as their individual lab reports.
- A faculty group view, allowing faculty groups to share common results among
the members of the group.
- The service server is a proxy server that consists of three servers:
o An email server
o An internet server
o An application server.
According to the university security policy:
- Each student, faculty or administrative staff is assigned a distinct login and
password known only to him/her.
- Access to any database is subject to proper authentication.
- Once a subject is authenticated, he/she will be prompted to access the resources
he/she is authorized to.
You may assume that the authorization policy is sound.
Your task:
You have been asked to analyse the security of the information server of this university,
using the attack tree approach.
When building your attack tree, assume that the university information server can be
compromised by the following attacks:
a) Accessing confidential information about a student
b) Accessing confidential information about a faculty
c) Accessing confidential information about an admin staff
d) Deleting the lecture notes of a given lecturer
e) Accessing or modifying the exam questions for a given exam
f) Blocking the access to the email server
g) Deleting C++ from the application server
h) Stealing lab reports from a researcher

i) Stealing the draft articles from a researcher.
Each attack calls for a series of servers to be compromised. You need to think about the
different ways you may succeed in compromising a server.
