
Third International Engineering Systems Symposium

CESUN 2012, Delft University of Technology, 18-20 June 2012

System Abuse by Service Composition: Analysis and Prevention

Wolter Pieters1, Sebastian Banescu2, and Simona Posea3

1Delft University of Technology, Faculty Technology, Policy and Management, Section Energy & Industry, P.O. Box 5015, 2600 GA Delft, The Netherlands

2,3Eindhoven University of Technology

w.pieters@tudelft.nl, s.e.banescu@student.tue.nl, s.posea@student.tue.nl

Abstract. We know that several chemicals can be combined to form explosives. Therefore, we do not want these to end up in airplanes together. Similarly, in the architecture of complex systems, it is often possible to combine the results of several system services to acquire illegitimate benefits or disrupt operation. For example, in what is called simboxing, telephone services are purchased from different providers, and a composite service is set up which redirects incoming calls to the service purchased from the target provider, bypassing interconnection fees. Due to their complex nature, such attacks are extremely hard to predict and prevent. This paper provides a first systematic description and classification of the phenomenon of system abuse by service composition, as well as an analysis to identify the most common types of attacks in the design phase. We employ attack trees to express ways to achieve the goal of obtaining a service at a cost lower than the regular amount charged. We use the purchase of railway tickets as a running example, where the atomic services are the rights to travel between two directly adjacent stations. These can potentially be composed in various ways to travel cheaper, for example where there are stations A, B, and C on a railway line, and a single ticket from B to A via C is cheaper than a return ticket from B to C. Our method provides the foundations for systematically discovering such issues.

Keywords. Attack trees, security by design, security modeling, service composition, simboxing.

1 Introduction

Things that are innocent in isolation can be dangerous when combined. This seems rather trivial in the case of chemical substances, which can be mixed to form, say, explosives. To identify whether a particular combination can be dangerous, we need to know the consequences of combining the individual substances. If we have this information, we can change the availability of the components in such a way that the danger is reduced.


Similar concerns have been raised in the domain of composition of services. In particular, one case often referred to by telecommunication providers is the so-called simboxing abuse. Simboxing takes advantage of the large difference between on-network, national and international rates charged by mobile operators. In simboxing, mobile telephone services are purchased from different providers. The different SIM cards are then integrated in one physical device. The device is programmed in such a way that it connects an incoming call to the SIM card of the target provider. In this way, a composite service can be set up that always uses an intra-network call for the target network, bypassing interconnection fees. According to Conrad Tuytte of Meucci Solutions, devices of this kind cost telephone service providers over 100 million euros in losses in 2007, in Europe alone (Betts, 2007). For obvious reasons, telecommunication providers try to minimize the impact of such practices by searching for methods to detect and stop them as soon as possible.

As with the composition of chemical substances, this composition of services constitutes an attack on the system. In this case, the consequences are financial rather than physical. As far as we are aware, there has not been any research discussing the simboxing attack within a general framework of abuse by composition. The problem we address in this paper is how to define and prevent such service composition attacks in a general complex system setting. Whereas detection of misuse is a reactive solution, we aim for a proactive solution here, by assessing potential misuse in the design stage. This requires assessment of composition possibilities as well as their costs in comparison to the “traditional” services offered. We will present the following results:

1. Definitions describing the phenomenon of service composition attacks;

2. A classification of attack types and existing examples;

3. A method for identifying and preventing such attacks based on augmented attack trees.

In section 2, we will discuss related work. In section 3, we define the concepts and the problem of service composition attacks. In section 4, we classify service composition attacks in a systematic ontology. A method for identification and prevention of these attacks is presented in section 5. Finally, in section 6, we discuss conclusions and future work.

2 Related Work

Much research has been done in the area of security analysis regarding the classification of attacks, threats and risks in services (cf. Charfi and Mezini, 2005; Lowis and Accorsi, 2009). The Common Vulnerabilities and Exposures (CVE) database of the MITRE Corporation provides a common namespace for publicly known information security vulnerabilities. The NIST National Vulnerability Database (NVD) offers a web interface that enables users to perform advanced searches that offer filters regarding authentication, confidentiality, integrity and availability levels.


The Web Application Security Consortium, in its effort to develop and promote a standard for industry terminology, has devised a classification of threats to the security of web sites (WASC, 2010). This document also covers some aspects concerning service abuse, like Send-Mail Functions, Password Recovery Flows and Unauthorized Proxy Requests. Unfortunately, the only classification offered is the statement that flaws occur in design, implementation or deployment.

Another source of research stems from attempts to extend security modeling to socio-technical systems (Dimkov et al., 2010; Probst and Hansen, 2008), and to economic evaluations. In this context, the question is not only whether attacks are prevented, but also how costly the attacks are, and whether it makes economic sense to invest in countermeasures. Attack trees (Buldas et al., 2006; Mauw and Oostdijk, 2006; Schneier, 1999) and attack-defense trees (Kordy et al., 2010) have been proposed to systematically describe attack opportunities in such systems, and to calculate overall properties of attacks, such as cost or impact, from the properties of the possible steps (annotated nodes in the tree).

While such approaches would in principle be usable to describe the phenomenon of system abuse by service composition, the simboxing phenomenon has up to this day remained isolated, without generalization to a broader class of attacks, and with little attention from the academic community. To the authors' knowledge, no classification has been given regarding threats originating from composition of services. This paper introduces such a classification, as well as a security-by-design approach to prevent the attacks.

3 Problem Definition

We have already discussed one example of system abuse by service composition, namely simboxing. However, many of us will be familiar with other examples as well. (The reader could try to think of some before continuing.)

Suppose a student house wants to subscribe to a newspaper. To attract more clients, newspaper publishers offer their new customers a discount for the first few months. Considering their low budget, the students purchase these short-term special offers instead, for different newspapers in succession. By composing the cheap services in this way, they obtain the service they want (a daily newspaper) at a much reduced price. Thus, what we call the atomic services (each newspaper delivery can be seen as a separate atomic service) are composed in a different way to obtain a cheaper composite service (a daily newspaper during, say, a year). The fact that the composite service can be purchased at a lower price by a different composition constitutes an instance of system abuse by service composition. Table 1 summarizes the definitions introduced in this example.


Table 1. Definitions for system abuse by service composition.

Term: Definition

Atomic service: A non-decomposable element of a service. Atomic services can often not be purchased individually.

Composite service: A service composed by putting together several atomic services.

Price: The price charged for a service by a service provider.

Abuse: The purchase (and potentially resale) of a composite service at a lower price than charged for the same service by the service providers.

Another instance, which we use as a running example, can be found in the purchase of railway tickets. The atomic services are the rights to travel between two directly adjacent stations (Fig. 1). Suppose there are stations A, B, … Z on a railway line, and suppose we want to travel from B to Z and back (i.e. a return ticket). The atomic services can potentially be composed in various ways in order to achieve this goal. In particular, any composite service that includes travel rights from B to C, C to D, …, D to Z and vice versa would allow one to travel from B to Z and back. Depending on the pricing scheme, this might allow us to travel cheaper, for example when a single ticket from B to A via Z is cheaper than a return ticket from B to Z. This was at one time the case in the Netherlands.

Fig. 1. The railway example. (Figure labels: stations A, B, …, Z on a line; "return from B to Z"; "single from B to A via Z"; "atomic service".)

Here, the composition of the atomic services (travel rights between two stations) in a different way, representing a different composite service that can actually be purchased from the rail company, allows a service composition attack.


Whether system abuse by composition is considered a problem by the service providers depends on several conditions. Often, small-scale individual initiatives are acceptable (because it costs more to prevent them). However, when there is a criminal business case, as in simboxing, concerns may become big enough to take action. What such action can be depends on the applicable legislation. If the abuse is illegal, the service providers may go to court. In any case, they can try to block suspicious access to their services, or adapt their services in such a way that the criminal business case is avoided.

However, in order to do so, the providers must first discover the possibility of abuse. This can be done either by monitoring the use of the services and mining the data for possible instances of abuse, or by identifying possible forms of abuse by composition in a proactive way, during the design stage. As the first option may cause a significant loss for the service provider before action is taken, we aim at providing tools for the second approach. The following sections illustrate how this can be achieved.

4 Classification

In order to prevent system abuse by service composition, we first need to develop an understanding of the different classes of abuse that could be possible. We therefore provide some additional instances of system abuse by service composition.

Online advertising has been thoroughly exploited (Ha, 2008), resulting in methods of mixing services that are often regarded as legal but problematic. In this paper we regard advertising as a method of gaining higher visibility for products at no cost. This includes efforts to increase the ranking or rating of products. An example of service composition abuse in this area is the multi-identity syndrome, which involves creating several accounts on the same platform in order to increase one's ranking by providing maximally positive reviews of one's own products.

Another example originates from composing several social network services (e.g. Facebook, MySpace, Twitter, etc.) and is known as information harvesting. By collecting complementary data found on a person's accounts on different social websites, one can build a more complete profile of the victim and initiate a variety of attacks. A concrete scenario is tracking the whereabouts of someone. More precisely, Alice changes her status on Facebook to “At Bob”, and Bob has posted his address on LinkedIn. By combining this information, Alice can be easily located, and she exposes herself to several risks. In this case, the service composition abuse leads to a privacy violation rather than financial losses.

The newspaper example mentioned earlier is an example of composing temporary services over time. Use of temporary services means successively combining services from different service providers, depending on the current promotional offers. The types of services that can be used temporarily in order to reduce an individual's expenses vary from mass-media services to electronic media services, such as using advertising vouchers.


For all these examples, certain attributes can be distinguished:

• Does the abuse benefit or harm the service provider?

• Does the abuse involve other clients?

The classification presented in Fig. 2 integrates all of these examples.

Fig. 2. Simple classification of service composition attacks.

The classification can be extended with semantics regarding goals, methods, characteristics and consequences of attacks. We present an improved classification method based on the concept of augmented attack trees (Ray and Poolsapassit, 2005) that introduces specific semantics. The representation uses elements similar to those of KAOS modeling (Van Lamsweerde et al., 1991), more specifically goal modeling. Our approach is oriented towards attacks, as opposed to KAOS which is used for modeling requirements.

Attack trees were introduced by Schneier (1999) to give a structural description of the vulnerabilities of a system, according to the attacks that can be initiated against it. This modeling technique helps readers understand the risks they take on when using that system. Child nodes are conjunctive or disjunctive conditions that must be satisfied in order to make the parent node true. The root can be viewed as the main goal and inner nodes as subgoals.

Fig. 3 presents the general classification of service composition abuse. The representation uses several augmentations to the traditional attack tree concept. The first difference from attack trees is that nodes may have different semantic values. The root represents the main goal of the service user. The internal nodes are of four types: characteristics, subgoals, means (or methods) and consequences. Each path from the root to a leaf should contain at least one node of each type. Composite nodes can comprise all types of nodes, but they should be listed from top to bottom in the order presented earlier such that they provide a proper semantics to the viewer. Another important difference is that the diagram from Fig. 3 is actually a Directed Acyclic Graph (DAG). This feature is intended for method and consequence type nodes that may be common to attacks from different branches, and may be viewed as tags. By connecting multiple branches via tags one may detect common vulnerability patterns of different services.

By systematically checking all nodes in the graph for the system to be designed, one may be able to identify potential weaknesses in the design phase. For example, the railway scenario would be an instance of “Overuse of services”, where the client gets to use the service for a lower amount than the provider expects based on her travel intentions.

Fig. 3. Extended classification of service composition attacks as an augmented attack tree.

5 Identification and Prevention

In order to prevent system abuse by service composition, the above classification can be used to identify the relevant scenarios for a concrete system. In this way, attack trees are used to describe different ways of attacking the system by recomposing its services. However, this does not describe the recomposition of services itself.

After potential scenarios have been identified, a second way to use attack trees is to represent how services can be composed to realize a particular type of attack. For example, in the train ticket scenario, the atomic travel rights will be nodes of the tree, and the attack succeeds if all atomic rights for a return ticket have been purchased (Fig. 4). As atomic services are often not sold individually, or, in case of the train ticket, if buying each atomic service separately would be very costly, the tree also needs to represent how these rights can be obtained through a composition that is for sale (in this case the ticket from B to A via Z). In this sense, the diagram is again a graph rather than a tree.

Such attack trees can be used to describe the possible recompositions, and then to calculate the cost of the recomposed service. This is done by associating costs with the different service components, and then calculating the total cost of the composed service. If this cost is less than the cost as charged by the provider for the composite service, then there is an attack.

Fig. 4. An attack tree representing the concrete service composition attack for the train ticket. Note that the split in the top of the figure is a conjunctive split, where all the subgoals need to be satisfied to achieve the root goal. Also note that, in order to achieve all the goals on the second row, the goal on the third row is sufficient (the fact that the travel right from B to A is also obtained is irrelevant). In reality, there would be many more nodes and arrows, as there are many more tickets one could buy to obtain all the atomic travel rights.

Of course, systematic modeling of these matters requires:

• representations of how results of services can be composed to form other results;

• representations of which services can actually be purchased from providers; and

• representations of the costs of services that can indeed be purchased.

The question to be asked becomes: For any composition of the services offered, is there one that (a) achieves the same result, and (b) costs less than the “official” service? If such a composition is indeed found, risk management methods are needed to decide whether it really constitutes a problem to the provider. The impact is clear (decreasing revenues, unfair benefits to certain clients, privacy problems, etc., depending on the type of composition abuse), but the expected frequency of the attack is the hard part to estimate. From a precautionary point of view, it would be wise to redefine the services such that the attack is no longer feasible. This might, however, conflict with commercial interests such as binding new customers by special offers (as in the newspaper example) or by cheaper intra-network calls (as in simboxing).

(Fig. 4 node labels: Buy return B-Z; Buy travel B-C; Buy travel Y-Z; Buy travel Z-Y; Buy travel C-B; Buy B-A via Z; …)
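As an added worked example (not code from the paper), the following Python carries out the Section 5 check for the railway example: atomic services are directed travel rights between adjacent stations, a constructed ticket catalogue with hypothetical prices lists the services that can actually be purchased, an exhaustive search finds the cheapest composition covering the root goal of Fig. 4 (a B-Z return), and a repricing step shows the "redefine the services" countermeasure closing the gap. The station line A-B-C-D-Z and all prices are assumptions; the search itself works for any catalogue of atomic-service bundles, including the newspaper case.

```python
from itertools import combinations

# Constructed railway line A - B - C - D - Z, standing in for the paper's A, B, ..., Z.
def rights_along(*stations):
    """Atomic services used by a journey: directed travel rights between adjacent stations."""
    return frozenset(zip(stations, stations[1:]))

# Root goal of the attack tree in Fig. 4: every atomic right of a B-Z return journey.
GOAL = rights_along("B", "C", "D", "Z", "D", "C", "B")

# Hypothetical ticket catalogue (the "services that can indeed be purchased"):
# name -> (atomic rights obtained, price). Prices are constructed for illustration.
CATALOGUE = {
    "return B-Z": (GOAL, 20.0),
    "single B-Z": (rights_along("B", "C", "D", "Z"), 12.0),
    "single Z-B": (rights_along("Z", "D", "C", "B"), 12.0),
    "single B-A via Z": (rights_along("B", "C", "D", "Z", "D", "C", "B", "A"), 15.0),
}
# Adjacent-station singles, one per atomic right, priced uniformly (constructed).
for a, b in [("B", "C"), ("C", "D"), ("D", "Z"), ("Z", "D"), ("D", "C"), ("C", "B")]:
    CATALOGUE[f"single {a}-{b}"] = (rights_along(a, b), 4.0)

def cheapest_composition(goal, catalogue):
    """Exhaustively search the purchasable tickets for the cheapest set whose
    combined rights cover the goal. Returns (cost, ticket names). A ticket may
    grant rights irrelevant to the goal (the B-A leg), as noted for Fig. 4."""
    best_cost, best_tickets = float("inf"), ()
    names = sorted(catalogue)
    for size in range(1, len(names) + 1):
        for combo in combinations(names, size):
            cost = sum(catalogue[t][1] for t in combo)
            if cost >= best_cost:
                continue  # cannot improve on the best cover found so far
            obtained = frozenset().union(*(catalogue[t][0] for t in combo))
            if goal <= obtained:
                best_cost, best_tickets = cost, combo
    return best_cost, best_tickets

def find_abuse(goal, official, catalogue):
    """The Section 5 question: is there a composition that (a) achieves the same
    result as the official service and (b) costs less? Returns the cheaper
    composition, or None when the official price is already the minimum."""
    official_price = catalogue[official][1]
    cost, tickets = cheapest_composition(goal, catalogue)
    if cost < official_price:
        return {"official": official_price, "composite": cost, "tickets": tickets}
    return None

def reprice(catalogue, name, new_price):
    """Design-stage countermeasure: redefine one service's price and return the
    adjusted catalogue so the check can be re-run before deployment."""
    adjusted = dict(catalogue)
    rights, _ = adjusted[name]
    adjusted[name] = (rights, new_price)
    return adjusted

if __name__ == "__main__":
    print("Abuse found:", find_abuse(GOAL, "return B-Z", CATALOGUE))
    fixed = reprice(CATALOGUE, "single B-A via Z", 21.0)
    print("After repricing:", find_abuse(GOAL, "return B-Z", fixed))
```

The exhaustive search is exponential in the catalogue size, which is acceptable for a design review of a few dozen products; larger catalogues call for a set-cover solver.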

6 Conclusions and Future Work

In this paper we have presented a general classification of malicious service composition applications. Depending on the services offered by the providers and their price, services can be recomposed to acquire unintended “discounts”. We have introduced an augmented representation based on the concept of attack trees. Using this structure one could detect composition threats affecting a composite service, the possible means or methods of executing the threats by recomposition, and the possible consequences of these. Attack trees can be used both for identifying the general possibilities for service composition abuse in a system, as well as for analyzing the specific compositions that constitute attacks by offering the same composite service at a cheaper price than the provider itself.

In our future work, we intend to augment existing security models for socio-technical systems with capabilities for analyzing service composition abuse. This may include the introduction of other types of nodes and tags to provide a more complex threat analysis. Requirements and solution nodes are two examples, as are explicit defensive measures to guard against these attacks. Based on tool support for these models, we intend to execute more complex case studies that would validate the utility of the tool. Whereas simboxing seemed to be an isolated case in attacks on systems, this paper showed that it is actually an instance of a much broader class of potential problems. By taking these possibilities into account in the design, service providers will be able to foresee at least some of them, and thereby safeguard their revenues in the face of both small-scale individual and large-scale criminal business cases.

Acknowledgments. The ideas presented here were developed in the context of the course Security of Information Services at the University of Twente, where the first author was a lecturer and the second and third authors were students. This research was supported by the research program Sentinels (www.sentinels.nl). Sentinels is financed by Technology Foundation STW, the Netherlands Organization for Scientific Research (NWO), and the Dutch Ministry of Economic Affairs.

References

Betts, B. (2007), Mobile operators lose millions to SIM boxes. The Register, 12 January 2007, http://www.theregister.co.uk/2007/01/12/mobile_sim_box/ (last accessed on 7 February 2012).

Buldas, A., Laud, P., Priisalu, J., Saarepera, M. and Willemson, J. (2006), Rational Choice of Security Measures Via Multi-parameter Attack Trees. In: Critical Information Infrastructures Security, First International Workshop, CRITIS 2006, pp. 235-248. Lecture Notes in Computer Science.

Charfi, A., Mezini, M. (2005), Using aspects for security engineering of web service compositions. In: 2005 IEEE International Conference on Web Services (ICWS 2005), pp. 59-66.

Dimkov, T., Pieters, W. and Hartel, P.H. (2010), Portunes: representing attack scenarios spanning through the physical, digital and social domain. In: Proceedings of the Joint Workshop on Automated Reasoning for Security Protocol Analysis and Issues in the Theory of Security (ARSPA-WITS'10), Revised Selected Papers, pp. 112-129. Lecture Notes in Computer Science (6186). Springer Verlag.

Ha, L. (2008), Online advertising research in advertising journals: A review. Journal of Current Issues and Research in Advertising 30(1), 31-48.

Kordy, B., Mauw, S., Radomirovic, S. and Schweitzer, P. (2010), Foundations of attack-defense trees. In: Proc. 7th Workshop on Formal Aspects in Security and Trust, volume 6561 of Lecture Notes in Computer Science, pp. 80-95. Springer-Verlag.

Lowis, L. and Accorsi, R. (2009), On a classification approach for SOA vulnerabilities. In: 33rd Annual IEEE International Computer Software and Applications Conference, COMPSAC '09, pp. 439-444.

Mauw, S. and Oostdijk, M. (2006), Foundations of attack trees. In: International Conference on Information Security and Cryptology, ICISC 2005, LNCS 3935, pp. 186-198. Springer-Verlag, Berlin.

Milanovic, N. and Malek, M. (2004), Current solutions for web service composition. Internet Computing, 8(6), 51-59.

O'Reilly, T. (2007), What is web 2.0: Design patterns and business models for the next generation of software. Social Science Research Network Working Paper Series (August 2007), http://ssrn.com/abstract=1008839

Probst, C.W. and Hansen, R.R. (2008), An extensible analysable system model. Information Security Technical Report, 13(4), 235-246.

Ray, I. and Poolsapassit, N. (2005), Using attack trees to identify malicious attacks from authorized insiders. In: di Vimercati, S.d.C., Syverson, P., Gollmann, D. (eds.) Computer Security, ESORICS 2005, Lecture Notes in Computer Science, vol. 3679, pp. 231-246. Springer, Berlin / Heidelberg.

Schneier, B. (1999), Attack Trees: Modeling security threats. Dr. Dobb's Journal (December 1999).

Van Lamsweerde, A., Dardenne, A., Delcourt, B. and Dubisy, F. (1991), The KAOS project: knowledge acquisition in automated specification of software. In: Proceedings AAAI Spring Symposium Series, Design of Composite Systems, Stanford, CA, pp. 59-62.

Web Application Security Consortium (2010), WASC threat classification, version 2.00, http://projects.webappsec.org/w/page/13246978/Threat%20Classification (last accessed on 7 February 2012).

Zou, Y., Hua, X., Nigul, L. and Ng, J. (2009), Workshop on automatic service composition. In: CASCON '09: Proceedings of the 2009 Conference of the Center for Advanced Studies on Collaborative Research, pp. 343-344. ACM, New York, NY, USA.
