det detect ecting ng the he 1 1 gr grow owing ng the he
play

Det Detect ecting ng the he 1% 1%: Gr Grow owing ng the he - PowerPoint PPT Presentation

Dec 15, 2022 •114 likes •810 views

Det Detect ecting ng the he 1% 1%: Gr Grow owing ng the he Sci Science ence of of Vul Vulner nerabi ability y Di Discover scovery Laurie Williams laurie_williams@ncsu.edu Real people Real Projects Real Impact 1 2 3

  1. Det Detect ecting ng the he 1% 1%: Gr Grow owing ng the he Sci Science ence of of Vul Vulner nerabi ability y Di Discover scovery Laurie Williams laurie_williams@ncsu.edu Real people – Real Projects – Real Impact 1

  2. 2

  3. 3

  4. Meet the “fishy” vulnerability characters Edwin the Exploitable Adam the Attack-prone Larry the Latent David the Detected 4

  5. The goal is to aid software practitioners in efficiently detecting exploitable vulnerabilities through empirical study of the characteristics of vulnerabilities and through the development of vulnerability prediction models. 5

  6. The goal is to aid software practitioners in efficiently detecting exploitable vulnerabilities through empirical study of the characteristics of vulnerabilities and through the development of vulnerability prediction models. ? 6

  7. The goal is to aid software practitioners in efficiently detecting exploitable vulnerabilities through empirical study of the characteristics of vulnerabilities and through the development of vulnerability prediction models. 7

  8. The goal is to aid software practitioners in efficiently detecting exploitable vulnerabilities through empirical study of the characteristics of vulnerabilities and through the development of vulnerability prediction models. 8

  9. Collaborators In cooperation: Funded by: 9

  10. Where are we going? • Setting the stage • Complications in vulnerability research • The real questions … • Where shall we look? • How shall we look? • Which vulnerabilities are likely to be exploited? • Future directions Stage Complications Where How Exploited Future 10

  11. Design flaws and implementation bugs Stage Complications Where How Exploited Future 11

  12. Vulnerabilities are rare events (Firefox 2.0) Neutral (8721) 78.9% Faulty but not vulnerable (1967) 17.8% Vulnerable but not Faulty and faulty (69) vulnerable (294) 0.6% 2.7% Stage Complications Where How Exploited Future 12

  13. Getting, creating, and cleaning the data 😴 Stage Complications Where How Exploited Future 13

  14. Where shall we look? David the Detected Larry the Latent Stage Complications Where How Exploited Future 14

  15. Unfiltered Static Analysis Alerts as Predictor If a developer has such poor coding practices that he/she causes lots of (unfiltered) static analysis alerts, you should look carefully in that area for other implementation bugs and larger design flaws. Stage Complications Where How Exploited Future 15

  16. Correlations between static analysis alerts and vulnerability count (all statistically significant) Case study 1 Case study 3 Case study 2 (component- (component- Metric level) (file-level) level) All SA alerts 0.2 0.2 0.2 Security SA alerts 0.2 0.2 0.2 Stage Complications Where How Exploited Future

  17. Complexity as Predictor Security experts say: • Bruce Schneier • “Complexity is the worst enemy of security.” • Dan Geer • “Complexity provides both opportunity and hiding places for attackers.” • Gary McGraw • “A ... trend impacting software security is unbridled growth in ... complexity ...” 17/38 Stage Complications Where How Exploited Future

  18. Complexity and Other Metrics • 14 code complexity metrics • Lines of code, cyclomatic complexity, fan-in/fan-out, coupling, comment density and others • 3 code churn metrics • Frequency of file changes, lines of code changed, and new lines of code • 11 developer metrics • Number of developers and other network analysis-inspired metrics (e.g. betweenness, closeness) 18/38 Stage Complications Where How Exploited Future

  19. Results: Predictability (11 releases Firefox) 19/38 Stage Complications Where How Exploited Future

  20. Results: Predictability (RHEL) 20/38 Stage Complications Where How Exploited Future

  21. Developer Metrics as Predictor “ Given a large enough beta-tester and co-developer base, almost every problem will be characterized quickly and the fix obvious to someone . […] Many eyes make all bugs shallow.” -Linus’ Law Eric Raymond 21 Stage Complications Where How Exploited Future

  22. How Many Developers? • Metric: NumDevs The number of distinct developers who changed a given source code file In all three case studies… Vulnerable files had more developers than neutral files (p<0.001) Files changed by 6 or more developers were 4 times more likely to have a vulnerability, (p<0.001) (…not quite what Linus’ Law says…) 22 Stage Complications Where How Exploited Future

  23. Unfocused Contributions Examined files changed by many developers who were working on many other files at the time (an “ unfocused contribution ”) … … … … … … … Used contribution network centrality ( CNBetweenness ) Vulnerable files had a higher CNBetweenness /fs/exec.c (p<0.001) than neutral files. Unfocused Contribution 23 Stage Complications Where How Exploited Future

  24. Traditional Code Metrics as Predictor 24 Stage Complications Where How Exploited Future

  25. Windows Vista What you look at will likely be a vulnerability … … But many vulnerabilities will be missing. ! 25 Stage Complications Where How Exploited Future

  26. Vulnerability prediction modeling by others • Without much better results when tested with similar vulnerability scarcity: • Dependency structure • Text mining • Design churn • More code metrics • Neural networks and deep learners Stage Complications Where How Exploited Future 26

  27. Infrastructure as Code Security Smells $power_username=‘admin’ Admin by default Empty password password=>‘’ Hard-coded secret $power_password=‘admin’ $bind_host=‘0.0.0.0’ Invalid IP address binding #FIXME(bogdando) remove these hacks Suspicious comment after switched to systemd service.units Use of HTTP without TLS $quantum_auth_url = ‘http://127.0.0.1:35357/v2.0’ Use of weak cryptography algorithm password => ht_md5($power_password) 27 Stage Complications Where How Exploited Future

  28. Frequency of Security Smells 30 25 Proportion of Script (%) 20 15 10 5 0 GitHub Mozilla Openstack Wikimedia AdminByDefault EmptyPassword HardCodedSecret InvalidIPAddressBinding SuspiciousComments HTTPWithoutTLS WeakCryptoAlgorithm 28 Stage Complications Where How Exploited Future

  29. Actionable and/or Predictive Heuristics • Static Analysis Alerts • Predictive: Static analysis alerts are indicative of all security vulnerabilities. • No pre-processing to determine true positive necessary. • Code complexity • Actionable and predictive: Complex code is less secure 29 Stage Complications Where How Exploited Future

  30. Actionable and/or Predictive Heuristics - 2 • Developer activity metrics • Actionable and predictive • Don’t allow too many people to change same (critical) file • Watch for the “hummingbirds” that change many files. • Traditional code metrics • Predictive: Traditional code metrics can be used to find vulnerabilities • Support that vulnerabilities have the same characteristics as faults • Infrastructure as code smells • Actionable: Identify and mitigate code smells 30 Stage Complications Where How Exploited Future

  31. Vulnerability prediction models are not yet practical … but patterns of what to watch for have been identified. 31

  32. How shall we look? Stage Complications Where How Exploited Future 32

  33. Comparison of Vulnerability Discovery Techniques Vulnerabilities Per Hour Discovery Technique Tolven eCHR OpenEMR PatientOS Exploratory Manual 0.00 0.40 .07 Penetration Testing Systematic Manual 0.94 0.55 0.55 Penetration Testing Automated Penetration 22.00 71.00 N/A Testing Static Analysis 2.78 32.40 11.15 Stage Complications Where How Exploited Future 33

  34. Other observations No single technique discovered every type of vulnerability. Very few individual vulnerabilities discovered with multiple discovery techniques . 34 Stage Complications Where How Exploited Future

  35. Which technique? Automated penetration testing and static analysis Systematic manual and exploratory penetration testing Implementation bug Design flaw Stage Complications Where How Exploited Future 35

  36. One technique is not enough. 36

  37. What will be exploited? Edwin the Adam the Exploitable Attack-prone Stage Complications Where How Exploited Future 37

  38. Risk-based Attack Surface Approximation Code artifacts that appear in crash dump stack traces from a software system are more likely to have exploitable vulnerabilities than code artifacts that do not appear in crash dump stack traces. Stage Complications Where How Exploited Future 38

  39. Stage Complications Where How Exploited Future 39

  40. Stage Complications Where How Exploited Future 40

  41. Stage Complications Where How Exploited Future 41

  42. Stage Complications Where How Exploited Future 42

  43. Where the Exploitable Vulnerabilities Lie Code Vulnerability Coverage Coverage Windows (Binaries) 48.4% 94.8% Firefox (Source Code Files) 14.8% 85.6% Fedora (Packages) 8.9% 63.3% 43 Stage Complications Where How Exploited Future

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Gr Grow owing ing Cl Clos oser er to to Go God they keep saying that they love me

Gr Grow owing ing Cl Clos oser er to to Go God they keep saying that they love me

Gr Grow owing ing Cl Clos oser er to to Go God they keep saying that they love me and want to marry me. But how can they love me when they dont even know who I am? Catherine Zeta Jones, 1997 Gr Grow owing ing Cl Clos

362 views • 24 slides
Grow owing ng Bik Bike Shar Share in Detroit t Wh Why B y Bike S Share? Legitimize

Grow owing ng Bik Bike Shar Share in Detroit t Wh Why B y Bike S Share? Legitimize

Grow owing ng Bik Bike Shar Share in Detroit t Wh Why B y Bike S Share? Legitimize biking as a means of transportation Use ridership data to help inform policy and decision making around infrastructure Breakdown stereotypes of

138 views • 13 slides
Gr Grow owing ing Cl Clos oser er to to Go God Trus ust t My St y Strength ength I

Gr Grow owing ing Cl Clos oser er to to Go God Trus ust t My St y Strength ength I

Gr Grow owing ing Cl Clos oser er to to Go God Trus ust t My St y Strength ength I Need to Get Closer to God: Jacob The Nature of the Distance Between Jacob and God Am I going to trust that God will take care of me? I want

843 views • 26 slides
Fo Fore reca cast sting and and De Deflecting ecting the Opi the Opioid Epidem Epidemic ic

Fo Fore reca cast sting and and De Deflecting ecting the Opi the Opioid Epidem Epidemic ic

Fo Fore reca cast sting and and De Deflecting ecting the Opi the Opioid Epidem Epidemic ic Cur Curve Donald S. Burke MD, Dean, Graduate School of Public Health, University of Pittsburgh 19 July 2017 Allegheny County Overdose Prevention

871 views • 73 slides
Detecting ecting Chan ange ge in in Mult ltivar ivariate iate Dat ata a Strea eams ms

Detecting ecting Chan ange ge in in Mult ltivar ivariate iate Dat ata a Strea eams ms

Detecting ecting Chan ange ge in in Mult ltivar ivariate iate Dat ata a Strea eams ms Using g Minimum mum Subgra graphs phs Robert bert Koyak Op Opera ration tions s Research rch Dept. Na Nava val l Postgradua graduate

441 views • 43 slides
HY HYPE PERL RLOOP OOP: : CONN NNECTING ECTING THE HE GRE GREAT T LAK AKES ES ME

HY HYPE PERL RLOOP OOP: : CONN NNECTING ECTING THE HE GRE GREAT T LAK AKES ES ME

HY HYPE PERL RLOOP OOP: : CONN NNECTING ECTING THE HE GRE GREAT T LAK AKES ES ME MEGAR GAREGION EGION Lawrence Hall, Northeast Ohio Areawide Coordinating Agency (NOACA) Ohio Freight Conference August, 2018 ABOUT NOACA

475 views • 24 slides
Res esear earch ch D Disrupted: Prot otec ecting F Fed eder eral R Res esear arch I

Res esear earch ch D Disrupted: Prot otec ecting F Fed eder eral R Res esear arch I

Res esear earch ch D Disrupted: Prot otec ecting F Fed eder eral R Res esear arch I Investments an and t the U.S. Research ch W Workforce ce from C COVID-19 I 9 Impac pacts Briefing Senate Labor, Health and Human

400 views • 22 slides
ISSUES SUES AFFECT ECTING ING OUR R COMMUNIT MUNITY Napa V a Valley V Vintner ntners

ISSUES SUES AFFECT ECTING ING OUR R COMMUNIT MUNITY Napa V a Valley V Vintner ntners

ISSUES SUES AFFECT ECTING ING OUR R COMMUNIT MUNITY Napa V a Valley V Vintner ntners Fall M Member ershi hip M Meeti eting ng Octo ctober 28, 28, 201 2014 TOURISM IS IMPORTANT TO LOCAL CITIES City TOT 2011 Rank Napa

306 views • 12 slides
How How Should Should the the US US Ta Tax Syste System Re Respond to to the the Gr Growing owing

How How Should Should the the US US Ta Tax Syste System Re Respond to to the the Gr Growing owing

How How Should Should the the US US Ta Tax Syste System Re Respond to to the the Gr Growing owing We Wealth Gap: Gap: The Continuing Debate over Wealth Taxes and Other Tax Proposals to Narrow the Gap Between Rich and Poor Moderator/Panelist: Other

214 views • 7 slides
PQR QRS S Selecting ecting 2015 5 Meas asure res 7 Oc October 2015 Presented by: Sarah

PQR QRS S Selecting ecting 2015 5 Meas asure res 7 Oc October 2015 Presented by: Sarah

PQR QRS S Selecting ecting 2015 5 Meas asure res 7 Oc October 2015 Presented by: Sarah Leake MBA, CPEHR QR/PR Specialist Co-Host: Patty Kosednar PMP, CPEHR HTS/QI Consultant 1 Thank you for spending your valuable time with us

690 views • 40 slides
The Ins and Outs Of Owing and Managing a Preschool in South Africa What Is

The Ins and Outs Of Owing and Managing a Preschool in South Africa What Is

The original information hub for leading and managing Early Childhood Care and Education Centre The Ins and Outs Of Owing and Managing a Preschool in South Africa What Is www.toolsforschool.net Andrea, exposed to the field since 1994

115 views • 8 slides
Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor,

Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor,

Detect ctor Charact cterization fo for the underground gr gravitational-wave detect ctor, KAGRA Keiko Kokeyama, Takahiro Yamamoto, Taka-aki Yokozawa, Chihiro Kozakai, Yuta Fujikawa, Shoichi Oshino, Tatsuki Washimi, Alex Urban, Siddharth

400 views • 14 slides
GROW &amp; FORTIFY Ag Commission Update 6/13/18 Kelly Dudeck Grow &amp; Fortify GROW &amp;

GROW &amp; FORTIFY Ag Commission Update 6/13/18 Kelly Dudeck Grow &amp; Fortify GROW &amp;

GROW &amp; FORTIFY Ag Commission Update 6/13/18 Kelly Dudeck Grow &amp; Fortify GROW &amp; FORTIFY MISSION To cultivate an environment where value- added agricultural producers, operators and growers innovate and thrive. WHAT IS

173 views • 14 slides
PRIVATE REFUGEE SPONSORSHIP A Refugee is defined as: A person who owing to a well-founded fear

PRIVATE REFUGEE SPONSORSHIP A Refugee is defined as: A person who owing to a well-founded fear

Information Session - September 2015 PRIVATE REFUGEE SPONSORSHIP A Refugee is defined as: A person who owing to a well-founded fear of being persecuted for reasons of race, religion, nationality, membership of a particular social group or

534 views • 28 slides
Bl Blowi owing Sm Smok oke: e: The curious case of the mangled metric Clarkson University 26

Bl Blowi owing Sm Smok oke: e: The curious case of the mangled metric Clarkson University 26

Bl Blowi owing Sm Smok oke: e: The curious case of the mangled metric Clarkson University 26 September 2014 Crispin Pemberton Pigott SeTAR Centre Department of Geography Environmental Management and Energy Studies University of Johannesburg

157 views • 12 slides
The Projected Growth in Private Health Insurance Premiums Owing to the Means Testing of the

The Projected Growth in Private Health Insurance Premiums Owing to the Means Testing of the

The Projected Growth in Private Health Insurance Premiums Owing to the Means Testing of the Rebate Deloitte Report (2011), Deloitte analysis of ANOP / Newspoll survey results Additional Separations and Costs Expected in the Public Hospital

442 views • 10 slides
IOPin: Runtime Profiling of Parallel I/ O in HPC S ystems Seong Jo (Shawn) Kim * , S on + ,

IOPin: Runtime Profiling of Parallel I/ O in HPC S ystems Seong Jo (Shawn) Kim * , S on + ,

IOPin: Runtime Profiling of Parallel I/ O in HPC S ystems Seong Jo (Shawn) Kim * , S on + , Wei-keng Liao + , eung Woo S Mahmut Kandemir*, Raj eev Thakur # , and Alok Choudhary + * : Pennsylvania S tate University + : Northwestern University # :

451 views • 16 slides
EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu,

EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu,

EFFICIENT SYMBOL-LEVEL TRANSMISSION IN ERROR- PRONE WIRELESS NETWORKS Pouya Ostovari, Jie Wu, and Abdallah Khreishah Center for Networked Computing http://www.cnc.temple.edu Agenda 2 Introduction Motivation Setting Proposed

555 views • 21 slides
Best Practices for the Consolidated Plan and Action Plan May 2019 Housekeeping Logistics:

Best Practices for the Consolidated Plan and Action Plan May 2019 Housekeeping Logistics:

Best Practices for the Consolidated Plan and Action Plan May 2019 Housekeeping Logistics: 90-minute webinar All lines are muted Submit technical issues through Question function Asking questions: There will be periodic

914 views • 54 slides
Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies

Extension Breakdown: Security Analysis of Browsers Extension Resources Control Policies Iskander Sanchez-Rola, Igor Santos, Davide Balzarotti Extensions Browser extensions are the most popular technique currently available to extend the

722 views • 38 slides
Using Multi-System Monitoring Time Series to Predict Performance Events Andreas Schrgenhumer

Using Multi-System Monitoring Time Series to Predict Performance Events Andreas Schrgenhumer

Using Multi-System Monitoring Time Series to Predict Performance Events Andreas Schrgenhumer Mario Kahlhofer Peter Chalupar Hanspeter Mssenbck Paul Grnbacher 09.11.2018 Motivation t 2 Motivation t 2 Motivation t Train ML 2

1.09k views • 42 slides
CS 188: Artificial Intelligence Lecture 7: Utility Theory Pieter Abbeel UC Berkeley Many

CS 188: Artificial Intelligence Lecture 7: Utility Theory Pieter Abbeel UC Berkeley Many

CS 188: Artificial Intelligence Lecture 7: Utility Theory Pieter Abbeel UC Berkeley Many slides adapted from Dan Klein 1 Maximum Expected Utility Why should we average utilities? Why not minimax? Principle of maximum expected

303 views • 7 slides
Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML

Adversarial Examples Hanxiao Liu April 2, 2018 1 / 22 Adversarial Examples Inputs to ML models that an attacker has intentionally designed to cause the model to make a mistake 1 Why this is interesting: Safety. Interpretability.

881 views • 22 slides
a DSL for Configuring a Fieldbus Mathijs Schuts &amp; Jozef Hooman Philips &amp; ESI TNO

a DSL for Configuring a Fieldbus Mathijs Schuts &amp; Jozef Hooman Philips &amp; ESI TNO

Improving Maintenance by Creating a DSL for Configuring a Fieldbus Mathijs Schuts &amp; Jozef Hooman Philips &amp; ESI TNO October, 2016 1 Software Life Cycle Different component in a high-tech system have different life cycle

451 views • 16 slides

More recommend