toward a field study on the impact of hacking
play

Toward a Field Study on the Impact of Hacking Competitions on Secure - PowerPoint PPT Presentation

Apr 08, 2023 •161 likes •565 views

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

  1. Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018

  2. SECURE DEVELOPMENT � 2

  3. SECURE DEVELOPMENT � 2

  4. SECURE DEVELOPMENT � 2

  5. SECURE DEVELOPMENT � 2

  6. SECURE DEVELOPMENT • Non-experts lack experience • Experts learn through CTFs [Votipka et al., 2018] � 2

  7. CAPTURE THE FLAG (CTF) • Attack-oriented competitions ‣ Goal: find and exploit vulnerabilities • Simple, vulnerable programs • Expose competitors to several classes of vulnerabilities � 3

  8. CAPTURE THE FLAG (CTF) • Attack-oriented competitions ‣ Goal: find and exploit vulnerabilities • Simple, vulnerable programs • Expose competitors to several classes of vulnerabilities Do these help in practice? � 3

  9. RESEARCH QUESTIONS 1. Do CTFs improve prevention of security issues? 2. Do CTFs improve recognition of security issues? � 4

  10. PILOT STUDY OVERVIEW (1 week) Dropbox Capture- Time the-Flag � 5

  11. PILOT STUDY OVERVIEW (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Diary Study Dropbox Capture- Time the-Flag � 5

  12. PILOT STUDY OVERVIEW (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Diary Study Dropbox Capture- Time the-Flag Knowledge Assessment Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) � 5

  13. (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag DIARY SURVEYS Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) • Survey regarding recent commit ‣ Issues considered ‣ Reasons for considering each issue ‣ Actions taken to resolve • Not security specific • Open to all Dropbox developers � 6

  14. (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag DIARY SURVEYS Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) • Survey regarding recent commit ‣ Issues considered ‣ Reasons for considering each issue ‣ Actions taken to resolve Measure impact of CTF on day-to-day decisions • Not security specific • Open to all Dropbox developers � 6

  15. (10 mins: 6 weeks, KNOWLEDGE 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag ASSESSMENT Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) •Part 1: Find vulnerabilities in insecure code ‣ Copy of the Dropbox codebase ‣ 4 known vulnerabilities •Part 2: Write a secure program •Only CTF participants � 7

  16. (10 mins: 6 weeks, KNOWLEDGE 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag ASSESSMENT Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) •Part 1: Find vulnerabilities in insecure code ‣ Copy of the Dropbox codebase ‣ 4 known vulnerabilities •Part 2: Write a secure program •Only CTF participants Measure improvements to secure development in a controlled setting � 7

  17. ADDITIONAL METRICS • Number of flagged commits • Communication with the Dropbox security team � 8

  18. PILOT PARTICIPATION • Diary Surveys ‣ 28 participants (12 CTF) ‣ 169 surveys • Knowledge Assessment ‣ 7 participants � 9

  19. PILOT PARTICIPATION • Diary Surveys ‣ 28 participants (12 CTF) • Small sample • Methodological ‣ 169 surveys issues addressed in future iterations • Knowledge Assessment ‣ 7 participants � 9

  20. DIARY SURVEYS • Security considered in 17/124 functionality changes ‣ 19% CTF, 13% non-CTF � 10

  21. DIARY SURVEYS • Security considered in 17/124 functionality changes ‣ 19% CTF, 13% non-CTF CTF participants considered security more often � 10

  22. VULNERABILITIES CONSIDERED XSS XSS CSRF SSRF SQLi SQLi Non-CTF Privacy Privacy CTF Logic Logic Local File Local File Disclosure Disclosure Auth Bug Auth Bug 0 20 40 60 Percentage of functionality changes � 11

  23. VULNERABILITIES CONSIDERED XSS XSS CSRF SSRF SQLi SQLi Non-CTF Privacy Privacy CTF Logic Logic Local File Local File Disclosure Disclosure Everyone considered logic- based vulnerabilities Auth Bug Auth Bug 0 20 40 60 Percentage of functionality changes � 11

  24. VULNERABILITIES CONSIDERED CTF participants considered non- XSS XSS functionality vulnerabilities from the CTF CSRF SSRF SQLi SQLi Non-CTF Privacy Privacy CTF Logic Logic Local File Local File Disclosure Disclosure Everyone considered logic- based vulnerabilities Auth Bug Auth Bug 0 20 40 60 Percentage of functionality changes � 11

  25. REASONS FOR CONSIDERING ISSUES Tool ool Teammate eammate Standard Standard Practice Practice Non-CTF CTF Similar Exp. Similar Sensitive Sensitive Data Data Hacker Hacker 0 20 40 60 80 Percentage of functionality changes � 12

  26. REASONS FOR CONSIDERING ISSUES Tool ool Teammate eammate Standard Standard Practice Practice Non-CTF CTF Similar Exp. Similar Sensitive CTF participants adopted Sensitive Data Data an adversarial mindset Hacker Hacker 0 20 40 60 80 Percentage of functionality changes � 12

  27. ACTIONS TAKEN Teammate eammate System System Doc Doc Previous Previous Experience Exp. Non-CTF Later CTF Later Review Review External External Doc Doc Expert Expert 0 10 20 30 40 50 0 10 20 30 40 50 Percentage of functionality changes � 13

  28. ACTIONS TAKEN Teammate eammate System System Doc Doc Previous Previous Experience Exp. Non-CTF Later CTF Later Review Review External CTF participants sought External Doc Doc help outside of their team Expert Expert 0 10 20 30 40 50 0 10 20 30 40 50 Percentage of functionality changes � 13

  29. KNOWLEDGE ASSESSMENT Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 14

  30. KNOWLEDGE ASSESSMENT Change in Assessment Score Average CTF Score 1306 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 15

  31. KNOWLEDGE ASSESSMENT Change in Assessment Score 5 5.0 Average Change in Assessment Score 2.5 2.5 1.36 0.0 0 0 2000 4000 6000 CTF Scores � 16

  32. KNOWLEDGE ASSESSMENT Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 17

  33. Participants with higher than average CTF scores also had KNOWLEDGE ASSESSMENT higher than average changes in assessment scores Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 17

  34. Participants with higher than average CTF scores also had KNOWLEDGE ASSESSMENT higher than average changes in assessment scores Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 Perfect score on CTF Scores both assessments � 17

  35. ADDITIONAL METRICS • Non-CTF participants’ commits were flagged slightly more often ‣ 2/17 Non-CTF participants flagged ‣ 1/18 CTF participants flagged • 4 CTF participants alerted security team to potential vulnerability � 18

  36. SUMMARY 1. Do CTFs improve prevention of security issues? 2. Do CTFs improve recognition of security issues? � 19

  37. SUMMARY 1. Do CTFs improve prevention of security issues? • Participants who solved more challenges improved in the knowledge assessment • Exposure to non-functionality vulnerabilities 2. Do CTFs improve recognition of security issues? � 19

  38. SUMMARY 1. Do CTFs improve prevention of security issues? • Participants who solved more challenges improved in the knowledge assessment • Exposure to non-functionality vulnerabilities 2. Do CTFs improve recognition of security issues? • Increased consideration of security • Improved security team engagement � 19

  39. Questions : dvotipka@cs.umd.edu SUMMARY vulnstudy.cs.umd.edu 1. Do CTFs improve prevention of security issues? • Participants who solved more challenges improved in the knowledge assessment • Exposure to non-functionality vulnerabilities 2. Do CTFs improve recognition of security issues? • Increased consideration of security • Improved security team engagement � 19

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017

ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017

ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017 Stanislav paek Pavel eleda, Martin Draar, Martin Vizvry Introduction Hacking Team Story Began as a security services provider in 2003

324 views • 17 slides
Impact on wide-field optical astr Impact on wide-field optical astronom onomy Tony Tyson

Impact on wide-field optical astr Impact on wide-field optical astronom onomy Tony Tyson

Impact on wide-field optical astr Impact on wide-field optical astronom onomy Tony Tyson University of California, Davis Chief Scientist, Vera C. Rubin Observatory Space on the Hill March 11, 2020 Rubin Observatory will execute the Legacy

322 views • 17 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
iSchool Field Study Information Session Spring 2016 Inform. Engage. Equalize. Lead. Outline

iSchool Field Study Information Session Spring 2016 Inform. Engage. Equalize. Lead. Outline

iSchool Field Study Information Session Spring 2016 Inform. Engage. Equalize. Lead. Outline Goals and Objectives of Field Study General Overview and Context Specifics Regarding Field Study Field Study Database Inform. Engage.

434 views • 14 slides
Texas Energy Efficiency Field Study 1 TECCC February 25, 2015 Richard Morgan The Field Study

Texas Energy Efficiency Field Study 1 TECCC February 25, 2015 Richard Morgan The Field Study

Texas Energy Efficiency Field Study 1 TECCC February 25, 2015 Richard Morgan The Field Study is: 2 A joint project of SPEER and NASEO in collaboration with SECO and funded by DOE to determine whether an investment in building energy code

463 views • 17 slides
OpenOakland Impact OpenOaklands impact has grown significantly since we were founded as an open

OpenOakland Impact OpenOaklands impact has grown significantly since we were founded as an open

OpenOakland Impact OpenOaklands impact has grown significantly since we were founded as an open government innovation and civic hacking group in mid-2012. Since then, weve: Created an engaging, inspiring, (free) and safe space for

261 views • 3 slides
Case Study: Hacking the Lego Mindstorms EV3 Andreas Grapentin Operating Systems and Middleware

Case Study: Hacking the Lego Mindstorms EV3 Andreas Grapentin Operating Systems and Middleware

1 Case Study: Hacking the Lego Mindstorms EV3 Andreas Grapentin Operating Systems and Middleware Group 2018-11-28 2 The Mission Control a simple real-time task on the Lego Mindstorms EV3 > without using the installed Operating System 3

267 views • 16 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

485 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
DUNGEONS & DRAGONS As a Drupal project Hacking and slashing our way through real-world

DUNGEONS & DRAGONS As a Drupal project Hacking and slashing our way through real-world

DUNGEONS & DRAGONS As a Drupal project Hacking and slashing our way through real-world content management problems Exploring New Technology With Familiar Problems C/C++ JavaScript and jQuery Perl Drupal 6, 7, 8, Field

500 views • 37 slides
Tips for Successful Field Experiences Send a letter home explaining your study and include

Tips for Successful Field Experiences Send a letter home explaining your study and include

Tips for Successful Field Experiences Send a letter home explaining your study and include tentative dates for field work Prepare your field site- check for any hazards. Make sure all students visit the restroom before leaving Practice data

538 views • 22 slides
P Past, Present and Future of t P t d F t f AIM Impact Study AIM Impact Study Hideo

P Past, Present and Future of t P t d F t f AIM Impact Study AIM Impact Study Hideo

AIM22, 9-10 Dec. 2016 P Past, Present and Future of t P t d F t f AIM Impact Study AIM Impact Study Hideo Harasawa Hideo Harasawa ( No 657 ( No.657 1 History

144 views • 13 slides
Evaluation of No Wrong Door - Evaluation Design Overview October 12, 2016 Danielle Varda,

Evaluation of No Wrong Door - Evaluation Design Overview October 12, 2016 Danielle Varda,

Evaluation of No Wrong Door - Evaluation Design Overview October 12, 2016 Danielle Varda, PhD, Director Jessica Haxton Retrum, PhD Christine Martel, PhD Sara Sprong, MPA Ben Rector, MPA Graduate Student Purpose of Todays Call

358 views • 12 slides
Analysis in Student Learning Ji Min-Ting 1 Wu Jing 1 He Yan-Bin 2 Ren Shan-Xun 2 1 @ Yunnan

Analysis in Student Learning Ji Min-Ting 1 Wu Jing 1 He Yan-Bin 2 Ren Shan-Xun 2 1 @ Yunnan

A Pilot Study in the Use of Learning Analysis in Student Learning Ji Min-Ting 1 Wu Jing 1 He Yan-Bin 2 Ren Shan-Xun 2 1 @ Yunnan University, Network Information Center, Kunming, Yunnan, China 2 @ Yunnan University, Modern Education Technology

476 views • 24 slides
(CSEE&T 2013) - San Francisco - USA Usability and Software Engineering Group Motivation

(CSEE&T 2013) - San Francisco - USA Usability and Software Engineering Group Motivation

Luiz Leandro Fortaleza, Srgio R. C. Vieira, Olavo O. Matos Jr, Rafael Prikladnicki, and Tayana Conte 26th Conference on Software Engineering Education and Training (CSEE&T 2013) - San Francisco - USA Usability and Software Engineering

616 views • 34 slides
A Pilot Study on Argument Simplification in Stance-Based Opinions Pavithra Rajendran, Danushka

A Pilot Study on Argument Simplification in Stance-Based Opinions Pavithra Rajendran, Danushka

A Pilot Study on Argument Simplification in Stance-Based Opinions Pavithra Rajendran, Danushka Bollegala and Simon Parsons October 6, 2019 Introduction Argument mining is a relatively new field combining concepts drawn from natural language

460 views • 21 slides
Applying the Patient Demographic Data Quality (PDDQ) Framework to Reduce Duplicate Patient

Applying the Patient Demographic Data Quality (PDDQ) Framework to Reduce Duplicate Patient

Applying the Patient Demographic Data Quality (PDDQ) Framework to Reduce Duplicate Patient Records: Findings From A Pilot Study. Presented by: Dea Papajorgji-Taylor, MPH, Project Manager Suzanne Gillespie, MS, Project Director Acknowledgement

357 views • 19 slides
Piloting and Sizing Sequential Multiple Assignment Randomized Trials in Dynamic Treatment Regime

Piloting and Sizing Sequential Multiple Assignment Randomized Trials in Dynamic Treatment Regime

Piloting and Sizing Sequential Multiple Assignment Randomized Trials in Dynamic Treatment Regime Development Advances in Interdisciplinary Statistics and Combinatorics October 6, 2012University of North Carolina Greensboro Daniel Almirall

553 views • 24 slides
Governance ITechLaw - 17 May 2018 Overview Intro Benoit Van Asbroeck Is there a

Governance ITechLaw - 17 May 2018 Overview Intro Benoit Van Asbroeck Is there a

Data Based Business Models Legal and Regulatory Governance ITechLaw - 17 May 2018 Overview Intro Benoit Van Asbroeck Is there a need for "data ownership"? Emily Jones Data Sharing and Pooling

519 views • 8 slides
Improving Node-level MapReduce Performance using Processing-in-Memory Technologies Mahzabeen

Improving Node-level MapReduce Performance using Processing-in-Memory Technologies Mahzabeen

Improving Node-level MapReduce Performance using Processing-in-Memory Technologies Mahzabeen Islam, Marko Scrbak and Krishna M. Kavi Computer Systems Research Laboratory Department of Computer Science & Engineering University of North

963 views • 21 slides

More recommend