LISA 2000 Abstract
NOOSE - Networked Object-Oriented Security Examiner
Bruce Barnett, General Electric Corporate Research & Development
Abstract
NOOSE (Networked Object-Oriented Security Examiner) is a
distributed vulnerability analysis system based on object modeling. It
merges the functionality of host-based and network-based scanners,
storing the results into several object classes. The remote agents are
implemented as dynamically extended PERL agents. NOOSE is able to
collect vulnerabilities from a variety of sources, including outputs
from other vulnerability analysis programs (e.g., Muffet's CRACK),
collecting information from systems that may or may not have
cooperative agents on them. Communication is based on a secure,
reliable datagram protocol implemented as a set of PERL object
classes. Unlike some vulnerability systems, NOOSE presents the
vulnerability information as an integrated database, showing how
vulnerabilities may be combined into chains across multiple accounts
and systems. It understands unconditional vulnerabilities (e.g.,
stack overflow, password guessing) along with conditional ones (Trojan
horse, rlogin, and NFS access). Conditional vulnerabilities grant
privileges, possibly limited ones, only when certain conditions hold, such as
access to specific accounts. The information is presented in an object-oriented
"spreadsheet" format, allowing the security manager to explore
vulnerabilities at will. Once complete, the vulnerability analysis can
move both forwards and backwards interactively, showing both what a
selected account can attack, as well as showing who can attack a
selected account. Besides vulnerability analysis, the system can
intelligently verify the installation of security patches, dynamically
installing missing patches. NOOSE is therefore a flexible prototype: it
provides a subset of the functionality of COPS, SATAN and TRIPWIRE, yet,
because of its object model, it can also be used to develop new
paradigms, such as reacting to intrusions, information warfare, and
survivability management systems.
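As an added illustration, not NOOSE's own code or data (the prototype's agents are written in Perl; this is Python), the following model shows how unconditional and conditional vulnerabilities chain across accounts and hosts, and how the analysis runs forwards (what an account can attack) and backwards (who can attack an account). All hosts, accounts and vulnerability entries are constructed, hypothetical sample data.

```python
from dataclasses import dataclass
NETWORK = "network"  # sentinel attacker: has network access but no account yet

@dataclass(frozen=True)
class Vulnerability:
    """One database entry: exploiting it yields the `target` account."""
    name: str
    target: str                       # account gained, written user@host
    requires: "str | None" = None     # account needed first; None = unconditional
# Constructed sample database (hypothetical hosts and accounts, not NOOSE data).
VULNS = [
    Vulnerability("stack overflow in network daemon", "daemon@host1"),
    Vulnerability("guessable password", "bob@host2"),
    Vulnerability("writable NFS export of alice's home", "alice@host1", requires="daemon@host1"),
    Vulnerability("rlogin trust via .rhosts", "alice@host2", requires="alice@host1"),
    Vulnerability("Trojan horse in root's PATH", "root@host2", requires="alice@host2"),
    Vulnerability("hosts.equiv trust", "carol@host3", requires="bob@host3"),
]

def forward(start, vulns=VULNS):
    """What `start` can attack: {account: (vulnerability name, reached from)}."""
    held = {start, NETWORK}  # any account holder also has network access
    reached, changed = {}, True
    while changed:  # fixed point: keep chaining until no new account is gained
        changed = False
        for v in vulns:
            src = NETWORK if v.requires is None else v.requires
            if src in held and v.target not in held:
                held.add(v.target)
                reached[v.target] = (v.name, src)
                changed = True
    return reached

def chain(start, target, vulns=VULNS):
    """Attack chain from `start` to `target` as (from, vulnerability, to) steps, or None."""
    reached = forward(start, vulns)
    if target not in reached:
        return None
    steps, acct = [], target
    while acct in reached:  # walk predecessors back to `start` / NETWORK
        name, src = reached[acct]
        steps.append((src, name, acct))
        acct = src
    return steps[::-1]

def backward(target, vulns=VULNS):
    """Who can attack `target`: every starting point from which it is reachable."""
    accounts = {NETWORK} | {v.target for v in vulns} | {v.requires for v in vulns if v.requires}
    return sorted(a for a in accounts if a != target and target in forward(a, vulns))
```

Running `chain(NETWORK, "root@host2")` yields the four-step chain from the unconditional daemon overflow on host1 to root on host2, while `backward("carol@host3")` shows that only a holder of bob@host3 can reach that account.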