software assurance tool status and gaps - sysa home page
TRANSCRIPT
Outline
● The Threat
● Scope/Focus
● Prevention
● Detection
● Reaction
The Threat
● There is ample opportunity to implant malicious code
● The malicious coder could be anyone, anywhere
● Adversaries can have a lot of patience and can change over time
● A malicious implant may be only one part of an attack
● Software can be attacked or exploited at any point in its life-cycle: development, distribution, operational use, maintenance
● Software can be attacked cheaply and with a low level of risk
Goal: Eliminate malicious code and reduce software vulnerabilities
  - Trojans/back doors
  - Time and logic bombs
  - Exfiltration
Software Assurance (SwA)
Software Assurance: “The level of confidence that software is free of vulnerabilities, either intentionally or unintentionally designed or inserted during software development and/or the entire software lifecycle.”
[Diagram: Defective Software vs. Defect Free Software; the SwA scope is the red and yellow areas]
● Not all defects are exploitable vulnerabilities and not all vulnerabilities are defects
Focus
● Focus started with intentional vulnerabilities
  - Hardest of a hard problem
  - Vulnerability could be disguised
    - as a feature
    - as an unintentional vulnerability
    - anywhere in the code
    - not just in security features
    - time bomb/logic bomb
● Could be inserted at any point in the lifecycle
● The company could be the instigator or could be a victim also
Principal Goals
● Maintain system availability and predictability
  - No DoS
  - Timely and reliable access to systems
● Protect intellectual property
  - No exfiltration
  - Information not disclosed to anyone unauthorized
● Ensure data integrity
  - Protection against unauthorized modification or destruction of data
  - Lose this and the data is worthless
Past Solution
● Air-gapped systems
  - Doesn’t fully protect against data alteration or system availability
  - Hard to work in a vacuum – but connectivity to other organizations leads to potential problems
  - Everyone wants to and needs to be interconnected
  - Except in very rare instances, not a solution anymore
Prevention
● Best way to fix problems
● We have known how to prevent for a long time, yet developers still make mistakes
● Little control or access into globally produced software
Prevention Needs
● Awareness
● Truly trustworthy computing base
● Need a business case to sell prevention
● New standards to protect developers from themselves
● Compose secure systems from independent secure components
● Develop more cost-effective methods for high-assurance software development (and in general for low and medium assurance)
● Input validation standards
● Improved compilers
Improved Security through Compilers - Specifics
● Microsoft – deprecation of some of the roots of buffer overflows in C and C++ in Visual Studio 2005
  - string.h
  - Need to phase out _CRT_SECURE_NO_DEPRECATE or make it more painful to use
  - Need this trend in other compilers
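An added illustration of this slide's point (example code written for this page, not Microsoft's code or the presentation's): the deprecated string.h strcpy pattern beside a bounded copy. bounded_copy is a hypothetical helper assumed here; it follows the secure-CRT idea of refusing a copy that does not fit and reporting ERANGE, but compiles with any C compiler.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>

/* Added example, not from the slides. bounded_copy is a hypothetical helper
 * written for this page; it mirrors the secure-CRT strcpy_s idea (refuse the
 * copy instead of overflowing) but compiles with any C compiler. */

/* The string.h pattern Visual Studio 2005 deprecates: strcpy() trusts that dst
 * is large enough, so an 8-byte buffer overflows on any src of 8+ characters.
 * Kept only for contrast with bounded_copy below. */
void legacy_copy(char dst[8], const char *src)
{
    strcpy(dst, src);  /* MSVC warns C4996 here unless _CRT_SECURE_NO_DEPRECATE */
}

/* Returns 0 on success, ERANGE if src plus its NUL does not fit in dst_size
 * bytes, EINVAL on bad arguments. On ERANGE dst becomes "" so a caller cannot
 * use a half-copied string (strncpy, by contrast, may leave dst unterminated). */
int bounded_copy(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || dst_size == 0)
        return EINVAL;
    if (src == NULL) {
        dst[0] = '\0';
        return EINVAL;
    }
    size_t n = 0;                      /* measure src, but never read past */
    while (n < dst_size && src[n] != '\0')   /* dst_size bytes of it      */
        n++;
    if (n == dst_size) {               /* no room left for the terminator */
        dst[0] = '\0';
        return ERANGE;
    }
    memcpy(dst, src, n + 1);           /* n characters plus the NUL */
    return 0;
}

int main(void)
{
    char buf[8];
    const char *inputs[] = { "alice", "1234567", "12345678" };  /* constructed */
    for (size_t i = 0; i < 3; i++) {
        int rc = bounded_copy(buf, sizeof buf, inputs[i]);
        printf("%-9s -> rc=%d dst=\"%s\"\n", inputs[i], rc, buf);
    }
    return 0;
}
```

The third constructed input is exactly one byte too long for the buffer, which is the case strcpy() silently overflows and bounded_copy rejects.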
Detection
● Looking for a needle in a haystack
● Gray area between features and vulnerabilities
● Trust, but verify
● Important defense for malicious vulnerabilities
● Don’t always want to “tip your hand” that you’re examining a particular product
Detection Needs
● Need to move past evaluations measured in man-months, as in “I had someone look at it for three months straight, so it must be good”
● Move toward very predictable/recreatable analysis
● Quick and scalable analysis - we can buy supercomputers if needed
● Metrics to measure “assuredness”
● Evaluations for software being used in specific applications
Detection Needs
● Improved binary and source scanning tools
● Dynamic vs. static analysis
● All tool categories have value
● Perfect tools?
  - Value of tools can be rapidly diminished by too many false positives
  - Would prefer easy-to-use tools with near zero false positives so developers will use the tools
  - Don’t need to be “perfect”
  - Incremental approach
● Need to independently verify claims
Reaction
● Looking for a needle in a hayfield
● Currently overwhelming admins
● Discovery is too late – damage is done
● Forensics takes a lot of resources – almost a luxury in a resource-constrained environment
Reaction Needs
● Methods to minimize/control the functionality of products
● Mechanisms to detect or counter runtime exploits
● Reaction, by human nature, has good market demand
● Damage control
Summary
● Considerable opportunities to insert vulnerabilities
● Software assurance is a hard and challenging problem
● Perfection is not needed initially
● Incremental improvements
● Need predictable and scalable analysis tools that increase trust in software
Backup
The Farewell Dossier
● Soviets were stealing large amounts of Western technology in the late 1970s/early 1980s
● CIA- and DoD-modified products were “made available”
  - Contrived computer chips found their way into Soviet military equipment
  - Defective plans disrupted the output of chemical plants and a tractor factory
  - Flawed turbines were installed on a gas pipeline
● Soviets were left to wonder what else was “customized”