A microfiche appendix is part of the specification, which includes one microfiche of 27 frames.
A portion of the disclosure of this patent document contains material which is subject to copyright protection. The copyright owner has no objection to the facsimile reproduction by anyone of the patent document or the patent disclosure as it appears in the Patent and Trademark Office patent file or records, but otherwise reserves all copyright rights whatsoever.
The present invention relates generally to computer networks and, more particularly, to systems and methods for facilitating the task of simulating attacks against computer networks.
The first personal computers were largely stand-alone units with no direct connection to other computers or computer networks. Data exchanges between computers were mainly accomplished by exchanging magnetic or optical media such as floppy disks. Over time, more and more computers were connected to each other using Local Area Networks or "LANs." In both cases, maintaining security and controlling what information a user of a personal computer can access was relatively simple because the overall computing environment was limited and clearly defined.
With the ever-increasing popularity of the Internet, particularly the World Wide Web ("Web") portion of the Internet, however, more and more personal computers are connected to larger networks. Providing access to vast stores of information, the Internet is typically accessed by users through Web "browsers" (e.g., Microsoft Internet Explorer or Netscape Navigator) or other "Internet applications." Browsers and other Internet applications include the ability to access a URL (Universal Resource Locator) or "Web" site. The explosive growth of the Internet has had a dramatic effect on the LANs of many businesses and other organizations. More and more employees need direct access through their corporate LAN to the Internet in order to facilitate research, competitive analysis, and communication between branch offices, and to send e-mail, to name just a few uses.
As a result, corporate IS (Information Systems) departments now face unprecedented challenges. Specifically, such departments, which have to date operated largely in a clearly defined and friendly environment, are now confronted with a far more complicated and hostile situation. As more and more computers are connected to the Internet, either directly (e.g., over a dial-up connection with an Internet Service Provider or "ISP") or through a gateway between a LAN and the Internet, a whole new set of challenges faces LAN administrators and individual users alike: these previously-closed computing environments are now opened to a worldwide network of computer systems. In particular, systems today are vulnerable to attacks by practically any perpetrators (hackers) having access to the Internet.
Many security holes are conceptually simple and are, therefore, easily explained. Consider, for example, the following scenario: "send two IP packet fragments, one of which overlaps the other." This corresponds to the notorious "teardrop" bug, which crashes Linux and Windows NT. Although the foregoing is easy to describe in English, the programming task of actually sending two IP fragments that overlap each other can be extraordinarily tricky using commonly-available programming languages (e.g., the "C" programming language), and virtually impossible to implement in high-level languages like Perl.
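The defender's side of the teardrop scenario above is recognizing overlapping fragments in traffic. The following is an added example, not code from the patent or from CASL: it parses IPv4 headers with the standard library, groups fragments by datagram (source, destination, identification, protocol), and reports any pair whose payload byte ranges overlap. The sample fragments are constructed in memory with a hypothetical `make_fragment` helper (header checksum left at zero, which the parser ignores).

```python
import struct
from collections import defaultdict

def parse_ipv4_fragment(pkt: bytes) -> dict:
    """Extract the IPv4 header fields that identify a fragment and its byte range."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, src, dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    if ver_ihl >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (ver_ihl & 0x0F) * 4
    offset = (flags_frag & 0x1FFF) * 8          # fragment offset is in 8-byte units
    more = bool(flags_frag & 0x2000)            # MF (more fragments) flag
    return {"key": (src, dst, ident, proto), "start": offset,
            "end": offset + (total_len - ihl), "more": more}

def find_overlapping_fragments(packets):
    """Return (index_a, index_b) pairs whose payload byte ranges overlap
    within the same datagram (same src, dst, identification, protocol)."""
    seen = defaultdict(list)   # datagram key -> [(start, end, packet index)]
    overlaps = []
    for i, pkt in enumerate(packets):
        f = parse_ipv4_fragment(pkt)
        for start, end, j in seen[f["key"]]:
            if f["start"] < end and start < f["end"]:   # half-open interval intersection
                overlaps.append((j, i))
        seen[f["key"]].append((f["start"], f["end"], i))
    return overlaps

def make_fragment(ident: int, offset_units: int, more: bool, payload: bytes) -> bytes:
    """Hypothetical helper: build a constructed IPv4 fragment for the sample below."""
    flags_frag = (0x2000 if more else 0) | (offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, 17, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload

# Constructed sample: datagram 0x1234 has a second fragment that re-covers bytes 16..23
# of the first; datagram 0x5678 is fragmented correctly (contiguous, no overlap).
SAMPLE = [
    make_fragment(0x1234, 0, True, b"A" * 24),    # bytes 0..23
    make_fragment(0x1234, 2, False, b"B" * 16),   # offset 2*8 = 16 -> bytes 16..31, overlaps
    make_fragment(0x5678, 0, True, b"C" * 24),    # bytes 0..23
    make_fragment(0x5678, 3, False, b"D" * 16),   # offset 24 -> bytes 24..39, contiguous
]

if __name__ == "__main__":
    print(find_overlapping_fragments(SAMPLE))   # [(0, 1)]
```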
Some security issues may not be "bugs", per se, but rather techniques used by attackers to gain information about or subvert the security of networked hosts. For instance, a popular trick used by hackers to almost-undetectably see what programs are running on a machine is the "stealth port scan": several TCP protocol tricks allow attackers to see if a connection can be made to a port, without actually opening a connection. The actual programs required to perform such a feat tend to be long, complex, and OS-specific. As a result, security professionals are forced to spend valuable time fishing through hacker-exploit code to find poorly-written Linux programs that do not even compile. This time could be better spent quickly writing the equivalent in portable, simple CASL code, which will not only run on the machines they need to run on, but also work exactly how they need to work.
Attempting to write these programs using existing programming languages, such as the "C" programming language, is not practical. While security tools may certainly run a bit faster if hand-coded in "C", the runtime speed benefits probably do not outweigh the development speed costs. A "C" programmer needs to worry about memory allocation, portable network I/O, and several other issues ranging from error handling to byte ordering.
What is needed is a system that allows the system administrator or the programmer to focus on network security programs—what is happening on the network—and not worry about issues attendant to conventional programming environments, such as C. Such a system should facilitate the task of testing network security by providing methodology that allows a user (administrator) to develop test programs without having to build network packets (i.e., communication-protocol packets) or otherwise write raw network code. The present invention fulfills this and other needs.
A development system providing a Custom Attack Simulation Language (CASL) for testing networks is described. In particular, the development system implements methodology for facilitating development of network attack simulations. The system includes an editor or authoring system for creating a source code description or Scripts (i.e., CASL-syntax Scripts) of the simulation program under development. The Scripts, in turn, are "compiled" by a CASL compiler into a compiled CASL program, which may then be used to simulate attacks against a network.
CASL makes it easier for users, particularly network and system administrators, to experiment with and learn about the way their networks operate. Since networks work by exchanging packets (i.e., communication-protocol packets) of information, CASL focuses on allowing users to read and write packets directly to and from the network. CASL functions as a scripting language—a high-level programming language, like Perl, Python, or Tcl. Unlike general-purpose scripting languages, CASL is designed specifically to make it easy to construct, read, and write raw network packets. CASL is intended primarily for security auditing applications; that is to say, CASL is intended to simulate attacks against hosts in order to see if those hosts are vulnerable to attacks of a given nature. CASL is particularly oriented towards low-level network attacks which require packet forgery.
The major difficulty in writing raw network code is not the actual act of sending a packet across the network, but rather the complexity of building the packets themselves. To address that problem, CASL includes facilities specifically designed to make it easy to build packets for arbitrary protocols (not just IP, UDP, and TCP). By making it easy to write programs that deal with raw IP packets, CASL allows users to easily simulate protocol-level bugs, including allowing them to test their machines for potential vulnerability to such bugs.
A method of the present invention for creating programs that simulate attacks against a computer network, embodied in a computer system, includes the following method steps. At the outset, a language specification providing native support for custom attack simulations is specified; the language specification provides primitives facilitating simulation of an attack against a computer network. A run-time library (stand-alone or embedded, as desired) is provided that includes built-in routines facilitating simulation of an attack against a computer network, where the built-in routines are capable of being invoked through the primitives. Next, a program script is created that specifies program instructions for simulating an attack against a computer network. The program script employs at least some of the primitives for simulating an attack against a computer network. Finally, the program script is compiled into a compiled program, with the compiled program being deployed together with the run-time library to simulate an attack against a computer network.
An embodiment of the present invention provides a system and method for building an executable script for performing a network security audit. A source program expressed in a network packet simulation language is stored. The source program includes a plurality of statements encoding logic to simulate an exchange of network protocol-compliant packets. Each statement is scanned into a sequence of individual tokens. Each token is parsed into grammatical phrases comprising at least one of an expression and a control construct. Each expression evaluates to a data value. Each control construct defines a process flow. The grammatical phrases are compiled into program instructions to execute the logic on a target machine.
A further embodiment provides a system and method for directly exchanging packets over a network using scripted instructions. A packet in accordance with a network protocol is built by executing program instructions compiled from a source program expressed in a network packet simulation language. The packet is written directly onto the network.
A further embodiment provides a system and method for implementing a language specification for simulating network protocol-compliant packets. A language specification providing a grammar for constructing statements encoding logic to simulate an exchange of network protocol-compliant packets is defined. Variables under the language specification are specified. Each variable includes an identifier referencing a memory location within which to store a data object. Statements under the language specification are expressed. Each statement includes at least one of a control construct determining control flow through the encoded logic and an expression evaluating to at least one such data object.
All told, CASL provides an extremely flexible and general way to manipulate networks. Its presentation as a programming language allows it to accomplish a virtually limitless number of tasks, and its protocol spoofing capabilities provide a means to do tasks that typically require hundreds of lines of code using conventional programming language environments (e.g., "C" language code) in just a few lines (e.g., 10) of CASL code.