Mostly sunny with a chance of cyber
David Flater, NIST (dflater@nist.gov)
2016-07-06, with notes added 2016-07-14
TRANSCRIPT
Mostly sunny with a chance of cyber (1)
David Flater, NIST, 2016-05-09

Counting known vulnerabilities and correlating different factors with the vulnerability track records of software products after the fact is obviously feasible. The harder challenge is to produce “evidence to tell how vulnerable a piece of software is” with respect to vulnerabilities and attack vectors that are currently unknown. This means forecasting the severity and the rate at which currently unknown vulnerabilities will be discovered or exploited in the future, given a candidate system and its environment. Meteorologists can observe the present state of a weather system and assume that the future state must evolve from it through the application of known physics. Small features that are below the resolution of the radar are correspondingly limited in their impact, so the uncertainty can be bounded. But for computer system vulnerabilities, there are no analogous limits. High-impact exploits of tiny, obscure quirks that were not on anyone’s “radar” appear with regularity. Although the resolution of that “radar” is continuously improved, the complexity of systems is increasing faster, so the relevant details are inexorably receding into the background. Under these conditions, our best available predictors of future vulnerabilities in systems that were responsibly designed and implemented may be nothing more than metrics of size, complexity, and transparency. Unexciting as it may be, there is rationality to this approach. To develop a market for smaller, simpler, more verifiable systems would not be too modest a goal for a large government effort to attempt.

(1) Disclaimer: This statement reflects only the views of the author on the topics discussed, and does not necessarily reflect the official position that NIST may have about those topics.
I added these notes after the workshop to include important points that don't appear in the text of the slides.

Mostly sunny with a chance of cyber
2016-07-06 with notes added 2016-07-14

1. This presentation reflects only the views of the author on the topics discussed, and does not necessarily reflect the official position that NIST may have about those topics.
2. Identification of commercial products and entities is not intended to imply recommendation or endorsement by NIST, nor is it intended to imply that the products or entities are necessarily the best available for the purpose.

Thesis
• The nature of the challenge is not measurement, but prediction
• Conditions are unfavorable for making a rational prediction
• Measuring what is measurable and applying empiricism will move us forward
• Measuring cost reveals a complication
The metrology perspective is that measurement is about quantities. A quantity like 5 kg has meaning because it is defined as 5 times a standard reference, the unit. In most cases it would be nonsense to say that Software A is 5 times as vulnerable as Software B. Vulnerability is a quality, not a quantity. At best we may measure some quantity that helps us to characterize it better.

The count of known vulnerabilities is unsuitable as a surrogate measure of vulnerability. The future question is the most interesting one.

NIST Workshop on Software Measures and Metrics to Reduce Security Vulnerabilities
Challenge: produce “evidence to tell how vulnerable a piece of software is”

[Diagram] Inputs: software artifacts; development and maintenance processes; other artifacts → some measurement process → some [surrogate] measure of vulnerability, expressed as a magnitude with meaningful units and a confidence interval

Measurement vs. forecasting
• Past: correlate different factors with the vulnerability track records of software products
• Present: count known vulnerabilities
  • Abuse of scale: count = 2 does not mean twice as vulnerable as count = 1; any count > 0 means go fix your stuff
• Future: forecast the severity and the rate at which currently unknown vulnerabilities will be discovered or exploited
  • No longer determining facts based on observations
  • Not causal: in theory, today's CVE could be the last
  • Prediction models can be better or worse
In every respect but one (controllability), cyber emergencies are less predictable than weather emergencies. I will focus on the different impact of unseen details.

We can obtain an adequate prediction of impending weather emergencies even though the radar misses many small details. The butterfly effects do not matter as long as we can see the hurricane on its way with ample time to react. But for cyber emergencies it is exactly the opposite; it is the unseen details that are most likely to create an emergency with no warning at all.

Prediction models

| Attribute | Weather emergencies | Cyber emergencies |
|---|---|---|
| Preconditions | Known | Unknown, random |
| Conditions | Take time to evolve | Already in place |
| Set of variables | Fixed | Ever-expanding |
| Unseen details | Not important | Critically important |
| Guidance | Unguided | Precision-guided |
| Uncertainty | Frequentist | Epistemic |
| Degrees of control | Prepare, mitigate | Preventable, in principle? |
The threat model is of finite size. The unknown universe of potential attacks may be infinitely large. At least it is larger than our imagination, as we are consistently caught by surprise.

The idea that fully addressing the top 10 or top 25 attack vectors would cause there to be fewer successful attacks is an untested hypothesis. Past experience suggests that there is a large reserve of attack vectors that do not appear in the threat model. Perhaps attackers will simply move farther down the list and never run out of attacks.

Different perspectives, different metrics: the security industry sees progress in increasing the complexity of attacks, but the target sees no progress unless the frequency of attacks actually goes down.
Unseen details = blindside attack vectors
• Electrical engineers
  • Memory integrity quietly declined, enabling rowhammer.js
• Implementation quirk, documented but overlooked
  • Intel implemented an x86_64 instruction in a slightly different way than AMD had, enabling VM escape and escalation to the hypervisor (XSA-7)
• Unforeseen consequence of new feature
  • Memory deduplication became a thing, enabling a much bigger side channel than was anticipated (Bosman et al. 2016)
• Forgot about that legacy feature
  • Everyone forgot about APIC register relocation or failed to see its usefulness, enabling another escalation to SMM (Domas 2015)
• Accidentally introduced fault
  • A random CPU erratum was discovered, enabling a remote exploit that looks like harmless code (Kaspersky & Chang 2008)

Where do they come from? Everywhere.
Even if you had complete visibility into the system as it stands, there is the problem of future-proofing the assurance case. We are forced to upgrade in order to close the barn door on known vulnerabilities. Each upgrade comes with an expanded attack surface, which leads directly to new vulnerabilities.

A risk model cannot do justice to unknown unknowns. We cannot possibly estimate the probability of something that, by definition, we know absolutely nothing about. Such a number is nothing but an arbitrarily chosen safety margin.

The future will not be mitigated
• An assurance case is a fixed, closed-form expression up against an evolving, open world
• The unseen attack surface is vast and growing
• No opt-out

Risk models vs. unknown unknowns
• "Risks"
  • Valid to estimate based on historical data
• "Structural uncertainties"
  • Follow from events that are rare or nonexistent in the historical record
  • Frequentist reasoning breaks down
• "Unknowables"
  • Follow from inconceivable events
  • Bayesian reasoning breaks down

Kees van der Heijden. Scenarios: The Art of Strategic Conversation. John Wiley & Sons, 2nd edition, 2005.
Security may grow over time in tightly-controlled systems, but the more typical treadmill of vulnerabilities and mitigations suggests that it does not grow over time in general. (Taking the target's perspective that the difficulty of exploits is irrelevant if they just keep on happening.)

Inventing a metric is only the beginning. Hypotheses must be tested. Measurements must be validated.

Growth models
• No evidence that security grows / vulnerability decreases over time (?)
• "Trivial forecast has some predictive accuracy" (Timm Grams, "Reliability Growth Models Criticized")
• Applicable to the frequency of vulnerability discovery

What is measurable?
• Known quantities
  • Track record of fixed vulnerabilities
  • Known unfixed vulnerabilities
  • Measurable hardness of certain kinds of defenses
• Hypothesized indicators of unknown vulnerabilities
  • Measures of diligence
    • Test/analysis coverage
    • Hardening measures
  • Size & complexity
  • Area of attack surface
  • "Code smells" (operationalized)
  • Transparency (including amenability to analysis of whatever kind)
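As an added illustration of the "test the hypothesis" discipline the growth-models slide calls for (this is example code, not from the presentation), the block below scores a trivial persistence forecast of monthly vulnerability-discovery counts against a fitted log-linear decay, the shape a reliability-growth model presumes, by walking forward through a series and measuring each model's one-month-ahead error; it also reports the fitted slope, which is the evidence for or against the presumed decline. The monthly counts are constructed sample data, not real measurements.

```python
import math

# Constructed sample input (not real data): newly disclosed vulnerabilities per month
# for one hypothetical product, oldest month first.
SAMPLE_COUNTS = [9, 7, 8, 6, 9, 5, 7, 8, 6, 7, 9, 6]

def trivial_forecast(history):
    """Persistence ('trivial') forecast: next month looks like the last observed month."""
    return float(history[-1])

def fit_log_linear(history):
    """Least-squares fit of ln(count) = a + b*t. A reliability-growth-style model presumes
    b < 0 (discoveries tail off); the fitted b is the evidence for or against that here."""
    if any(c <= 0 for c in history):
        raise ValueError("counts must be positive for a log fit; aggregate zero-count months")
    n = len(history)
    ts = range(n)
    ys = [math.log(c) for c in history]
    t_mean, y_mean = sum(ts) / n, sum(ys) / n
    sxx = sum((t - t_mean) ** 2 for t in ts)
    sxy = sum((t - t_mean) * (y - y_mean) for t, y in zip(ts, ys))
    b = sxy / sxx
    return y_mean - b * t_mean, b

def growth_model_forecast(history):
    """Extrapolate the fitted log-linear trend one month beyond the history."""
    a, b = fit_log_linear(history)
    return math.exp(a + b * len(history))

def rolling_mae(counts, forecaster, min_history=4):
    """Walk-forward validation: forecast each month using only the months before it,
    then average the absolute errors (lower is better)."""
    errors = [abs(counts[t] - forecaster(counts[:t])) for t in range(min_history, len(counts))]
    return sum(errors) / len(errors)

def compare_models(counts=SAMPLE_COUNTS):
    """Score both forecasters on the same series and report the fitted slope."""
    return {
        "trivial_mae": rolling_mae(counts, trivial_forecast),
        "growth_model_mae": rolling_mae(counts, growth_model_forecast),
        "fitted_slope": fit_log_linear(counts)[1],
    }

if __name__ == "__main__":
    print(compare_models())
```

A growth model only earns its keep if its walk-forward error beats the trivial baseline on real data; a slope near zero on that data is the "no evidence that vulnerability decreases over time" case.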
This argument is not valid for products whose primary customer is the government, for regulated industries, or for long-lifecycle software. It applies only to the mass market.

We are familiar with studies showing that the cost of correcting defects is less if they are detected and corrected earlier in the process. But as long as the market tolerates faulty software, the producer's cost can be lowered further by just never correcting the defects. A lot of software is being produced as a consumable (or as part of a consumable) rather than a durable good. Maintenance is minimized, and after a date certain the product is simply abandoned and the next product is rolled out.

Within the mass market, the cost of poor security may even go negative: a more secure product may be too difficult to configure, resulting in a competitive disadvantage. Even if the cost of building security in is reduced to marginal as the strategic plan envisions, the business case may remain broken.

This economic problem may overwhelm and obviate the measurement problem.

On measuring cost, and the problem that this reveals
• "Price of nonconformance" (Philip Crosby) or Cost Of Poor Quality (ASQ)
• Post-release patching is much less costly than an auto recall
• The consequential costs of vulnerabilities in COTS software are almost entirely paid by consumers, not producers
• "Quality is free": not true
• "You can't afford not to test / build security in": also not true
• Broken economy
• Consequence: there may be no security to 'measure'
Empiricism is a useful strategy when we are overwhelmed by unknowns, but it must be used with great caution. Correlation is not causation. A good fit to past data does not ensure a good prediction. Hypotheses must be tested. Measurements must be validated. Apply science.

Not addressed: we also need software to be sufficiently functional running at least privilege that tricking users into granting excess permissions to trojans will no longer work.

Conclusions
• There is value in correlating different factors with the vulnerability track records of software products after the fact
  • Hypothesized indicators
    • Programming languages
    • Development techniques
    • Quality processes
    • Formal methods ...
• Engineering wasn't invented; it evolved
• Do what [apparently] works, but verify and track progress
• Goal: reliable predictors, best practices
• However, there also needs to be a business case
• Redistributing risk may be necessary to "significantly curtail software vulnerabilities" in the COTS market

"Measure what is measurable, and stop yer lyin' about the rest"
(Misquoting Galileo)

Software Metrology, David Flater