Science of Security Industry Day - October 2015
Security Metrics-Driven Evaluation,
Design, Development, & Deployment
Science of Security
Lablet
Automated Attack Surface Approximation
Christopher Theisen, Graduate Assistant
Fall 2015
Community Forum
October 29, 2015
Attack Surface
• The paths in and out of a system
• the data that travels those paths
• the code that protects both
The goal of this research is to aid your
security engineers in prioritizing security
efforts by approximating the attack surface of
your software systems via crash dump
stack trace analysis.
Stack Traces - what happened?
Crashes - system under stress!
Catalog all code that appears on stack traces
[1] C. Theisen, K. Herzig, P. Morrison, B. Murphy, and L. Williams, “Approximating Attack Surfaces with Stack Traces,” in Companion Proceedings of the 37th International Conference on Software Engineering, 2015.
Windows 8 [1] User Crashes
%binaries 48.4%
%vulnerabilities 94.6%
Stack traces highlighted where
security vulnerabilities were.
Mozilla Firefox User Crashes
%files 8.4%
%vulnerabilities 72.1%
Stack traces highlighted where
security vulnerabilities were.
More stack traces, fewer files, higher flaw density!
Lose coverage as you increase stack trace cutoff
Priority: Bottom up

Stack trace cutoff   Files   Flaws   %Files   %Vuln
>= 1                 4998    282     8.4%     72.1%
>= 30                1853    210     3.1%     53.7%
>= 140               969     162     1.6%     41.4%
All                  59437   391     -        -
Initial attack surface approximation
...old nodes removed, new nodes added
Few to Many | Many to Many | Many to Few
What is the security impact of these shapes?
foo!foobarDeviceQueueRequest+0x68
foo!fooDeviceSetup+0x72
foo!fooAllDone+0xA8
bar!barDeviceQueueRequest+0xB6
bar!barDeviceSetup+0x08
bar!barAllDone+0xFF
center!processAction+0x1034
center!dontDoAnything+0x1030
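An added example, not code from the slides or the cited paper: it catalogs the modules that appear on stack traces in the `module!function+0xOFFSET` form shown above and reports code and vulnerability coverage at a given stack trace cutoff. The extra traces, the module inventory and the vulnerable set are constructed for illustration, and counting each module once per crash is an assumption.

```python
import re
from collections import Counter

# Frame format as on the slide: module!function+0xOFFSET
FRAME = re.compile(r"^([^!\s]+)!([^+\s]+)(?:\+0x[0-9A-Fa-f]+)?$")

def parse_trace(text):
    """Return (module, function) per well-formed frame; skip unparsable lines."""
    lines = map(str.strip, text.splitlines())
    return [m.groups() for m in map(FRAME.match, lines) if m]

def count_appearances(traces):
    """Number of crashes each module appears in (assumption: once per trace)."""
    counts = Counter()
    for trace in traces:
        counts.update({module for module, _ in parse_trace(trace)})
    return counts

def approximate(counts, inventory, vulnerable, cutoff=1):
    """Modules seen in >= cutoff crashes, with %code and %vulnerabilities covered."""
    surface = {m for m, n in counts.items() if n >= cutoff}
    return {
        "surface": sorted(surface),
        "pct_code": round(100 * len(surface) / len(inventory), 1),
        "pct_vuln": round(100 * len(surface & vulnerable) / len(vulnerable), 1),
    }

# The sample trace from the slide.
SLIDE_TRACE = """foo!foobarDeviceQueueRequest+0x68
foo!fooDeviceSetup+0x72
foo!fooAllDone+0xA8
bar!barDeviceQueueRequest+0xB6
bar!barDeviceSetup+0x08
bar!barAllDone+0xFF
center!processAction+0x1034
center!dontDoAnything+0x1030"""

# Constructed data: two more crashes (one with a damaged frame), a full
# module inventory, and the modules with known vulnerabilities.
EXTRA_TRACES = [
    "foo!fooDeviceSetup+0x72\nnet!netRecv+0x10\ncenter!processAction+0x1034",
    "net!netRecv+0x44\n<unknown>\nfoo!fooAllDone+0xA8",
]
INVENTORY = {"foo", "bar", "center", "net", "ui", "util", "log", "cfg"}
VULNERABLE = {"foo", "net", "util"}

if __name__ == "__main__":
    counts = count_appearances([SLIDE_TRACE] + EXTRA_TRACES)
    for cutoff in (1, 2, 3):
        print(cutoff, approximate(counts, INVENTORY, VULNERABLE, cutoff))
```

Raising the cutoff shrinks the surface faster than it loses vulnerable modules, the same trade-off the Firefox table shows.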
@theisencr