MulVAL stands for “Multi-host, multi-stage Vulnerability Analysis Language”. It is a research tool for security practitioners and system administrators to better manage the configuration of an enterprise network such that the security risks are appropriately controlled. Our goal is to design technologies for building a security knowledge base which can be utilized by various automated tools to enhance the quality and reduce the costs of enterprise network security management.
To determine the security impact software vulnerabilities have on a particular network, one must consider interactions among multiple network elements. For a vulnerability analysis tool to be useful in practice, two features are crucial.
MulVAL, an end-to-end framework and reasoning system conducts multihost, multistage vulnerability analysis on a network. MulVAL adopts Datalog as the modeling language for the elements in the analysis (bug specification, configuration description, reasoning rules, operating-system permission and privilege model, etc.). We easily leverage existing vulnerability-database and scanning tools by expressing their output in Datalog and feeding it to our MulVAL reasoning engine. Once the information is collected, the analysis can be performed in seconds for networks with thousands of machines.
MulVAL (Multihost, multistage Vulnerability Analysis) is a framework for modeling the interaction of software bugs with system and network configurations. MulVAL uses Datalog as its modeling language. The information in the vulnerability database provided by the bug-reporting community, the configuration information of each machine and the network, and other relevant information are all encoded as Datalog facts.
The reasoning engine consists of a collection of Datalog rules that captures the operating system behavior and the interaction of various components in the network. Thus integrating information from the bug-reporting community and off-the-shelf scanning tools in the reasoning model is straightforward. The reasoning engine in MulVAL scales well with the size of the network. Once all the information is collected, the analysis can be performed in seconds for networks with thousands of machines.
The inputs to MulVAL’s analysis are:
What vulnerabilities have been reported and do they exist on my machines?
What software and services are running on my hosts, and how are they con- figured?
How are my network routers and firewalls configured?
Who are the users of my network?
What is the model of how all these components interact?
What accesses do I want to permit?
The current version of MulVAL has been tested on the Linux and Mac OS X operating systems.
To run MulVAL, you need to have the following software installed and make sure both the program “xsb” and “dot” reside in your PATH.
The environmental variable MULVALROOT should point to this package’s root folder. Include $MULVALROOT/bin and $MULVALROOT/utils in PATH.
Type “make” to compile everything.