Mudge
CanSecWest 2013
Distribution A: Approved for Public Release, Distribution Unlimited.
Cyber Fast Track – DARPA-PA-11-52
Amendment 4 (posted January 31, 2013):
Closing Date: Proposals will be accepted at any time until 12:00 noon (ET), August 3 April 1, 2013
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
Heilmeier Questions:
1. What is the problem, why is it hard?
2. How is it solved today?
3. What is the new technical idea; why can we succeed now?
4. What is the impact if successful?
5. How will the program be organized?
6. How will intermediate results be generated?
7. How will you measure progress?
8. What will it cost?
When George Heilmeier was the director of DARPA in the mid 1970s, he had a standard set of questions he expected every proposal for a new research program to answer.
Ground truth…
Federal Cyber Incidents, fiscal years 2006 – 2011
[Chart: Cyber Incidents Reported to US-CERT by Federal agencies [1]; x-axis: fiscal year 2006 through 2011; y-axis: incidents, 0 to 45,000]
[1] GAO Testimony. GAO-12-166T CYBERSECURITY Threats Impacting the Nation
Ground truth…
Federal Cyber Incidents and Defensive Cyber Spending, fiscal years 2006 – 2011
[Chart: Cyber Incidents Reported to US-CERT by Federal agencies [1] (left axis, 0 to 45,000) overlaid with Federal Defensive Cyber Spending [2] ($B, right axis, 0.0 to 12.0); x-axis: fiscal year 2006 through 2011]
[1] GAO Testimony. GAO-12-166T CYBERSECURITY Threats Impacting the Nation
[2] INPUT reports 2006 – 2011
Mudge or “Cyber-Heilmeier” Questions:
1. Is the solution tactical or strategic in nature?
2. What is the asymmetry for this solution?
3. What unintended consequences will be created?
4. Do attack surfaces shrink, grow, or remain unchanged?
5. How will this solution incentivize the adversary?
Are you tactical or strategic; what is the asymmetry?
[Chart: Lines of Code for security software, x-axis 1985 to 2010, y-axis 0 to 10,000,000; labelled points: DEC Seal, Stalker, Milky Way, Snort, Network Flight Recorder, Unified Threat Management. For comparison, Malware: 125 lines of code*]
* Malware lines of code averaged over 9,000 samples
How do *you* handle passwords?
The first CrackMeIfYouCan contest challenged participants to crack 53,000 passwords. In 48 hours, the winning team had 38,000*.
(*this was not the important take away…)
[Chart: Profile for the winning team, Team Hashcat; x-axis: Time; y-axis: # Passwords]
Unintended consequences…
Current vulnerability watch list:
Color Code Key: Awaiting Vendor Reply/Confirmation | Awaiting CC/S/A use validation | Vendor Replied – Fix in development

Vulnerability Title | Fix Avail? | Date Added
XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability | No | 8/25/2010
XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability | Yes | 8/24/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability | No | 8/20/2010
XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness | No | 8/18/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability | No | 8/17/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities | Yes | 8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability | No | 8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability | No | 8/12/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability | No | 8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities | No | 8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability | Yes | 8/09/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security-Bypass Vulnerability | No | 8/06/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities | No | 8/05/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability | No | 7/29/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability | No | 7/28/2010
XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability | No | 7/26/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities | No | 7/22/2010

6 of the vulnerabilities are in security software.
Additional security layers often create vulnerabilities…
Additional security layers often create vulnerabilities…
[Chart: watch-list snapshots dated 10/1/2012 through 1/25/2013, each labelled with a fraction and a percentage; y-axis 0% to 100%]
Date and fraction labels as shown: 10/1/2012 6/14; 10/15/2012 4/9; 10/31/2012 1/9; 11/1/2012 2/11; 11/15/2012 4/17; 11/30/2012 4/17; 12/3/2012 4/18; 12/14/2012 8/22; 12/28/2012 5/20; 1/2/2013 5/20; 1/14/2013 5/21; 1/25/2013 7/20
Percentage labels as shown: 43%, 44%, 33%, 18%, 24%, 24%, 22%, 36%, 25%, 20%, 24%, 30%
Identifying attack surfaces…
DLLs: run-time environment = more commonality
Application specific functions
Constant surface area available to attack. Regardless of the application size, the system loads the same number of support functions.
For every 1,000 lines of code, 1 to 5 bugs are introduced.
How are you incentivizing the adversary?
Understanding them in the context of ‘game theory’ reveals the problem.
Bot Herder strategy example (diagram: Root / Tree / Branch):
Strategy 1: XOR‡ branch. Solution exists: weekly patch, kills branch.
Strategy 2: AES* branch. Solution needed: high cost solution, kills tree.

Botnet | Bot Herder Cost | Bot Herder Return (Short) | Bot Herder Return (Long) | Antivirus Cost | Antivirus Return
Traditional C2 Botnet | Small | High | High | Low | High
New P2P Botnet (“Storm” Botnet) | Small | High | 0 | High | Low

‡ = “exclusive or” logical operation
* = Advanced Encryption Standard
The security layering strategy and antitrust have created cross incentives that contribute to divergence.
Mudge Questions (aka “Cyber-Heilmeier”):
1. Is the solution tactical or strategic (a)?
2. What is the asymmetry for this solution (a)?
3. Can you forecast the unintended consequences (b)(e)?
4. Do attack surfaces shrink, grow, or remain unchanged (c)(d)?
5. How does this solution incentivize the adversary (e)?
(*) If you had to defeat your own effort, how would you go about it?
Creating a vehicle to tackle these issues:
Cyber Fast Track
DARPA-PA-11-52
cft.usma.edu
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
CFT Mission Statement
• Identify aligned areas of interest between the DoD and a novel performer community.
• Become a resource to that community in a way that encourages mutually beneficial research efforts resulting in prototypes and proofs of concept in a matter of months.
• Improve goodwill and understanding in both communities.
CFT promotes aligned interests, not the realigning of interests to meet Government needs.
The Importance of Transition
The objective of technology transition is to make the desired technology available as quickly as possible and at the lowest cost.
• Indirect - Enabling/Promoting:
  • Commercial
  • Open Source
  • Other
• Direct:
  • Program of Record (POR)
  • Memorandum of Understanding (MOU)
  • Memorandum of Agreement (MOA)
  • Technology Transition Agreement (TTA)
The first proof that it might be do-able…
NMAPv6 – CINDER
• Advanced IPv6 capabilities
• 200 new network scanning and discovery modules (NSE)
• Common Platform Enumeration (CPE) output support
• Scanner, GUI, and differencing engine performance scaling (1 million target IP addresses)
• Adversary Mission Identification System (AMIS)
• Transition: Downloads 3,096,277 (5,600 .gov & 5,193 .mil)… and counting…
The two key ingredients to CFT:
Programmatics
• A unique process that allows DARPA to legally do Cyber R&D contracting extremely fast
• A framework that anyone can use
• Streamline negotiations
• One page commercial contracts
• Firm Fixed price
• Rapid awards (selection to contract in 10 days or less)
Diplomacy
• Align the Cyber Fast Track research goals with the goals of the research community
• How do your priorities and theirs align?
• Engage leaders and influencers
• Socialize the effort, take feedback, and modify the program structure accordingly
• Ambassador
• Speak the language, demonstrate an understanding of both cultures
350+ submissions & 90+ awards
[Chart: Submissions and Awards by month, Aug-11 through Jan-13; y-axis 0 to 400]
CFT Contract Award Time
Average of 6 working days to award
[Chart: Min. days, Avg. days and Max. days to award, y-axis 0 to 100 days, comparing the BAA process with CFT; data labels shown: 26, 12, 90+]
48 Projects Completed – 44 Projects in Progress (2/13/2013)
92 Projects awarded to date (as of Feb 13, 2013)
[Pie chart: 44 programs underway (48%); 19 completed programs, open-source (21%); 29 completed programs, closed source (31%)]
CFT Efforts (grouped on the slide into Software and Hardware):
• Antenna Detection
• Truck-Security Framework
• NAND Exploration
• Phy-layer Auditing
• IPMI Security
• BIOS Integrity
• Logical Bug Detection
• Binary Defense
• Obstructing Configurations
• Side Channel Analysis
• Anti-Reverse Engineering
• Virtualization Security
• Source Code Analysis
• Distributed Validation
• Secure Parsers
• Deobfuscating Malware
• Android OS Security
• Baseband Emulation
• Network Stack Modification
• Securing Legacy RF
• Network Visualization
A Sampling of Current CFT Programs
• Embedded System Vulnerabilities
• BIOS Implant Analysis
• Automotive-Security Applications
• Android Application Forensics
Images provided by: Bit Systems
Soon to be released…
Bunnie’s Routers… (Image provided by: Bunnie Huang)
Charlie’s Cars… (Image provided by: Charlie Miller)
The beginning of…
The end of CFT…
www.darpa.mil