Host

Purpose

A Host object represents the kernel of a running operating system. The particular operating system release/software/distribution is defined by connecting a SoftwareProduct object to the Host object. Network-related applications that are not part of the operating system kernel are modeled as either Clients or Services.

Connections

Host and Neighboring Objects

| Object | Connection | Description | Function |
|---|---|---|---|
| Access control | Authorization | Provides the login prompt for the Host. | A missing AccessControl association leads to instant PrivilegeEscalation and Compromise. |
| Service | Root Application Execution | The Service is run on the Host as root/administrator/superuser but provides no remote operating system login functionality. If a general-purpose application also offers some "shell escape" functionality to the user, model it as a shell application instead. | A missing Service can reduce the risk of UserAccess and Compromise. |
| Service | Root Shell Execution | The Service is run on the Host as root/administrator/superuser and provides remote operating system login functionality. | A missing Service can reduce the risk of UserAccess and Compromise. |
| Service | Non-Root Application Execution | Same as Root Application Execution, but the Service is run on the Host by a non-privileged user. | A missing Service can reduce the risk of UserAccess and Compromise. |
| Service | Non-Root Shell Execution | Same as Root Shell Execution, but the Service is run on the Host by a non-privileged user. | A missing Service can reduce the risk of UserAccess and Compromise. |
| Vulnerability scanner | Authenticated Scan | A VulnerabilityScanner with an Authenticated Scan connection has login credentials to the Host and can perform an internal scan for known vulnerabilities. | A missing VulnerabilityScanner increases the risk of an UnknownService being found, as well as of unpatched software on the Host. |
| Vulnerability scanner | Unauthenticated Scan | A VulnerabilityScanner (e.g., Nessus, Qualys Guard) with an Unauthenticated Scan connection can only perform an external scan, without logging in. | A missing VulnerabilityScanner increases the risk of an UnknownService being found, as well as of unpatched software on the Host. |
| Vulnerability scanner | Excluded From Scan | A VulnerabilityScanner can be connected to a Network, stating that all Hosts connected to that Network are monitored by the VulnerabilityScanner. If there are exceptions (all Hosts in a Network zone are scanned except for a few non-compatible ones), an Excluded From Scan connection between the VulnerabilityScanner and the Host records this. | A missing VulnerabilityScanner increases the risk of an UnknownService being found, as well as of unpatched software on the Host. |
| Client | Non-Root Client Execution | A Client is run by a non-privileged/standard user on the Host. | A missing Client can reduce the risk of Compromise, UserAccess and client-side attacks. |
| Client | Root Client Execution | A Client is run by a privileged/root/administrator user on the Host. | A missing Client can reduce the risk of Compromise, UserAccess and client-side attacks. |
| Datastore | Database Execution | Represents a database, directory or any other data located on, or accessible through, the Host. | A Datastore has no impact on Host security. |
| IDS | HIDS Execution | Provides protection on the Host through intrusion detection, which attempts to recognize unauthorized or malicious use of resources. | A missing IDS lets exploits and USB attacks pass the BypassIDS step directly. |
| Network | Connection | Association to a Network denotes that the Host has an IP address on that Network. | A missing Network association reduces the risk of an attacker finding unknown services on the Host, or reaching its Services, Clients and AccessControl, over the network. |
| Physical zone | Physical Access | Connection to a Physical Zone means that an attacker can obtain physical access to the Host. | A missing Physical Zone connection removes the PhysicalAccess attack step (the attacker cannot physically reach the login prompt). |
| Keystore | Keystore Execution | A connection to a Keystore object denotes that the Keystore is hosted by the Host. | A missing Keystore connection prevents Read access to the Keystore via the Host. |
| Software product | Software Properties | A Host always needs to be connected to a SoftwareProduct, which denotes what operating system it is running, e.g. Windows 10. | This association is mandatory. |

Attack Steps and Defenses

Host Attack Steps and Defenses

| Attack step | Description | Leads to |
|---|---|---|
| ARPCachePoisoning | The possibility to inject false entries into the Address Resolution Protocol cache, tricking the Host into communicating with unintended hosts. | Service: Dataflow.Access; Client: Dataflow.Access |
| BypassAntiMalware | The possibility for malware to pass the anti-malware software undiscovered. It also includes the possibility to trick the user into disabling the anti-malware software. | Host: Compromise |
| BypassIDS | Same as BypassAntiMalware, but for the Host's intrusion detection system. | Host: BypassAntiMalware |
| Compromise | The possibility to control/own the Host. | Network: Compromise; Host: DenialOfService; Client: Compromise; Service: Compromise; AccessControl: Access; Datastore: Write; Datastore: Read; Keystore: Read; Keystore: Delete |
| DenialOfService | The possibility to block the Host. | Service: DenialOfService; Client: DenialOfService |
| DeployExploit | The possibility to introduce and use a vulnerability. | Host: BypassIDS |
| FindExploit | The possibility to find an exploitable vulnerability. | Host: DeployExploit |
| PhysicalAccess | The possibility to access the Host's login prompt via physical access. | Host: Compromise |
| PrivilegeEscalation | A regular non-privileged user bypassing the AccessControl to become a privileged root/admin user. | Host: Compromise |
| USBAccess | The possibility to access the Host using USB/portable media related attacks. | Host: BypassIDS |
| UserAccess | Using normal user operations: qualified user credentials are used to access the Host. | AccessControl: Access; Host: FindExploit; Host: PrivilegeEscalation |

The Default column below is the probability that the defense is enabled when nothing else is specified (On = 1, Off = 0; Patched defaults to 0.5).

| Defense | Description | Impact | Default |
|---|---|---|---|
| ASLR | Address space layout randomization (ASLR) fortifies hosts against buffer overflow attacks by randomizing the layout of the address space. | DeployExploit can be delayed with ASLR enabled. | On |
| AntiMalware | Anti-malware software is an effective way to detect, remove and deter malware. | With AntiMalware enabled, the probability of it being bypassed drops from 100% to 90%. | Off |
| DEP | Data execution prevention (DEP) is a Host-based defense against buffer overflow attacks that makes buffer areas non-executable. | DeployExploit can be delayed with DEP enabled. | On |
| Hardened | Hardening involves procedures such as disabling unused ports, services and hardware outlets, which is commonly recommended practice. This defense denotes the presence of such procedures on the Host. | Hardened prevents the attacker from finding Services on the Host that are unknown to the administrator/modeler. | Off |
| HostFirewall | A host-level (or personal) firewall, e.g. the Windows firewall, blocks or allows certain services and data flows between hosts on the same Network. | The probability of identifying an UnknownService is lowered with HostFirewall enabled. | Off |
| Patched | Denotes whether the Host has all applicable software security patches installed. | Prevents an attacker from obtaining exploits for patchable vulnerabilities in the Host software. | 0.5 |
| StaticARPTables | An ARP table maps IP addresses to physical MAC addresses. Static ARP tables have fixed mappings, which prevents ARP spoofing. | Prevents ARPCachePoisoning. | Off |

UnknownService

A system that has not been hardened has a certain probability of running services unknown to the system administrator and/or modeler. In securiLang this is modeled by adding one UnknownService for each Network the Host is connected to, whenever the Host defense Hardened is Off. Additionally, a Host with a connected VulnerabilityScanner is classified as Hardened with 50% probability, since the scanner's reports make the administrator aware of extraneous services.

Each UnknownService also includes an unknown AccessControl and an unknown SoftwareProduct, with the default settings of the UnknownService.
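The following is an added example, not code from the securiCAD/securiLang documentation and not the product's own simulation engine. It transcribes the Host attack steps and "leads to" edges from the tables above, applies the defense effects this page states (Patched blocks FindExploit, StaticARPTables blocks ARPCachePoisoning, an enabled AntiMalware is bypassed with probability 0.9, a missing AccessControl association makes PrivilegeEscalation instant, Hardened Off adds one UnknownService per connected Network), and computes the exact probability that Compromise is reachable from a chosen entry step by enumerating every on/off combination of the uncertain edges. The Host class, the edge-gating function, treating PrivilegeEscalation as blocked while an AccessControl object is present (that object's own attack steps are not on this page), and treating a fractional Hardened value as Off are all assumptions of this example.

```python
"""Toy securiLang-style Host attack graph: reachability under defenses.

Added illustration, not securiCAD's engine. Attack steps and "leads to"
edges are transcribed from the Host tables; how defenses gate edges is a
simplifying assumption stated at each rule.
"""
import itertools
from dataclasses import dataclass, field

# Host attack steps and what they lead to. Steps on other objects are
# written as "Object.Step" and have no outgoing edges in this toy model.
LEADS_TO = {
    "ARPCachePoisoning": ["Service.Dataflow.Access", "Client.Dataflow.Access"],
    "BypassAntiMalware": ["Compromise"],
    "BypassIDS": ["BypassAntiMalware"],
    "Compromise": ["Network.Compromise", "DenialOfService", "Client.Compromise",
                   "Service.Compromise", "AccessControl.Access", "Datastore.Write",
                   "Datastore.Read", "Keystore.Read", "Keystore.Delete"],
    "DenialOfService": ["Service.DenialOfService", "Client.DenialOfService"],
    "DeployExploit": ["BypassIDS"],
    "FindExploit": ["DeployExploit"],
    "PhysicalAccess": ["Compromise"],
    "PrivilegeEscalation": ["Compromise"],
    "USBAccess": ["BypassIDS"],
    "UserAccess": ["AccessControl.Access", "FindExploit", "PrivilegeEscalation"],
}

# Defense defaults from the page: On -> 1.0, Off -> 0.0, Patched -> 0.5.
DEFAULT_DEFENSES = {"ASLR": 1.0, "AntiMalware": 0.0, "DEP": 1.0, "Hardened": 0.0,
                    "HostFirewall": 0.0, "Patched": 0.5, "StaticARPTables": 0.0}


@dataclass
class Host:                       # assumed structure, not securiCAD's object model
    name: str
    networks: list = field(default_factory=list)
    has_access_control: bool = True          # AccessControl association present?
    defenses: dict = field(default_factory=lambda: dict(DEFAULT_DEFENSES))


def edge_pass_probability(host, src, dst):
    """Probability that the attacker can traverse src -> dst.
    Only effects stated on the page are modeled; ASLR/DEP merely delay
    DeployExploit, so they never block an edge here."""
    d = host.defenses
    if src == "FindExploit":            # Patched denies exploits for patchable bugs
        return 1.0 - d["Patched"]
    if src == "ARPCachePoisoning":      # StaticARPTables prevents ARP cache poisoning
        return 1.0 - d["StaticARPTables"]
    if src == "BypassAntiMalware":      # enabled AntiMalware: bypass 100% -> 90%
        return 1.0 - 0.1 * d["AntiMalware"]
    if src == "PrivilegeEscalation":    # instant without AccessControl; assumption:
        return 0.0 if host.has_access_control else 1.0  # otherwise blocked here
    return 1.0


def reachable(host, start, blocked):
    """Attack steps reachable from `start`, skipping edges in `blocked`."""
    seen, stack = set(), [start]
    while stack:
        step = stack.pop()
        if step in seen:
            continue
        seen.add(step)
        for nxt in LEADS_TO.get(step, []):
            if (step, nxt) not in blocked:
                stack.append(nxt)
    return seen


def probability_of(host, start, target):
    """Exact P(target reachable from start): enumerate every on/off
    combination of the uncertain (0 < p < 1) edges, treated as independent."""
    edges = [(s, t) for s, outs in LEADS_TO.items() for t in outs]
    probs = {e: edge_pass_probability(host, *e) for e in edges}
    uncertain = [e for e in edges if 0.0 < probs[e] < 1.0]
    always_blocked = {e for e in edges if probs[e] == 0.0}
    total = 0.0
    for passes in itertools.product([True, False], repeat=len(uncertain)):
        weight, blocked = 1.0, set(always_blocked)
        for e, ok in zip(uncertain, passes):
            weight *= probs[e] if ok else 1.0 - probs[e]
            if not ok:
                blocked.add(e)
        if target in reachable(host, start, blocked):
            total += weight
    return total


def unknown_services(host):
    """UnknownService expansion: one per connected Network while Hardened is
    Off (a fractional Hardened value is treated as Off, an assumption); each
    carries its own unknown AccessControl and SoftwareProduct."""
    if host.defenses["Hardened"] >= 1.0:
        return []
    return [{"service": f"UnknownService@{net}",
             "access_control": f"UnknownAccessControl@{net}",
             "software_product": f"UnknownSoftwareProduct@{net}"}
            for net in host.networks]


if __name__ == "__main__":
    h = Host("web01", networks=["dmz", "mgmt"])      # constructed sample host
    print("defaults:        ", probability_of(h, "UserAccess", "Compromise"))
    h.defenses["AntiMalware"] = 1.0
    print("AntiMalware on:  ", probability_of(h, "UserAccess", "Compromise"))
    h.defenses["Patched"] = 1.0
    print("also Patched:    ", probability_of(h, "UserAccess", "Compromise"))
    h.has_access_control = False
    print("no AccessControl:", probability_of(h, "UserAccess", "Compromise"))
    print("unknown services:", len(unknown_services(h)))
```

With the page defaults an attacker holding user credentials reaches Compromise with probability 0.5 (the Patched coin flip on FindExploit); enabling AntiMalware lowers that to 0.45; fully patching removes the exploit path entirely; removing the AccessControl association makes Compromise certain regardless of patching, which is the "instant PrivilegeEscalation and Compromise" warning from the connections table.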