Choosing SATE Test Cases Based on CVEs
Sue Wang, The SAMATE Project
October 1, 2010, SATE 2010 Workshop

Purpose and Motivation
Provide test cases with exploitable vulnerabilities
– In an ideal world a tool detects significant bugs
Also provide a fixed version of each test case
– To confirm low false positive rate
Mentioned by SATE organizers and detailed proposal by Paul Anderson (SATE 2009 workshop)
Brought up by tool makers and supported by users (SATE 2010 organization meeting)

Selection Criteria
Open source software in C/C++ and Java
AND with known security-related bugs
AND get older versions
AND manually pinpoint the bugs
AND find a fixed version
AND compile the source code

Primary Sources
Brainstorm and exchange ideas within the SAMATE team and with others
Search for open sources, for instance
– java-source.net
– sourceforge.net
– Other lists of scanned projects
Search for related vulnerabilities
– CVE – Common Vulnerabilities and Exposures (cve.mitre.org)
– NVD – National Vulnerability Database (nvd.nist.gov)
– CVE Details – enhanced CVE data
– OSVDB – The Open Source Vulnerability Database (osvdb.org)

Selection Process (each step and the artifact it produces)
Identify potential SW -> List of Open Source SW
Identify CVEs for each SW -> List of Relevant CVEs
Collect factors for each CVE -> Analyzed CVEs
Determine multi-factor eligibility -> Selected Candidates
Find path & sink of CVE flaws -> SW with identified CVEs
Narrowed down to 12 open source software

Additional Selection Criteria (multi-factor eligibility)
Quantity of CVEs
Versions with and w/o flaws
Versions have similar folder structures
Resources to find CVE locations
Versions available for Linux

Pinpointing the CVE Flaw
Goal: path and sink for the CVE
Start from the CVE's description and references
Follow information across various resources: patch, bug tracking, & version control
Diff based on path and file name
Code reviews and analysis
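The "diff based on path and file name" step, worked through as an added Python example (it is not code from the SATE slides or the SAMATE project). It takes the kind of unified diff one reaches by following CVE -> bug tracker -> version control, keeps only the files the CVE references name, and maps each hunk back to old-version line numbers and the enclosing function, so the sink can be located in the vulnerable version rather than only in the fix. The patch, the file paths, the dissector function name and the CVE id below are all constructed placeholders, not a real Wireshark change.

```python
# Added example (not from the SATE slides): map a fix patch back to sink
# candidates in the vulnerable version. For files the CVE references name,
# report per hunk the old-version line range, the enclosing function from
# the hunk header, and the statement the fix guards (old line right after
# inserted lines) or replaces (removed lines). All data here is constructed.
import re
from dataclasses import dataclass, field

HUNK_RE = re.compile(r"^@@ -(\d+)(?:,(\d+))? \+(\d+)(?:,(\d+))? @@ ?(.*)$")

@dataclass
class Hunk:
    old_start: int
    old_count: int
    function: str                                      # text after the second @@
    old_lines: dict = field(default_factory=dict)      # old line no -> source text
    removed: list = field(default_factory=list)        # old line numbers removed
    insert_before: list = field(default_factory=list)  # old line no each '+' line precedes

@dataclass
class FileDiff:
    path: str
    hunks: list = field(default_factory=list)

def parse_unified_diff(text):
    """Parse git or plain 'diff -u' output; the header length counts decide where a hunk ends."""
    files, current, hunk = [], None, None
    old_no = rem_old = rem_new = 0
    for line in text.splitlines():
        if hunk is None:                      # header mode
            if line.startswith("+++ "):
                path = line[4:].split("\t")[0]
                current = FileDiff(path[2:] if path.startswith("b/") else path)
                files.append(current)
            elif line.startswith("@@"):
                m = HUNK_RE.match(line)
                if not m or current is None:
                    raise ValueError(f"malformed hunk header: {line!r}")
                old_no, rem_old, rem_new = int(m[1]), int(m[2] or 1), int(m[4] or 1)
                hunk = Hunk(old_no, rem_old, m[5].strip())
                current.hunks.append(hunk)
            continue                          # 'diff --git', 'index', '--- a/' lines are skipped
        if line.startswith("\\"):             # "\ No newline at end of file"
            continue
        if line.startswith("-"):
            hunk.old_lines[old_no] = line[1:]
            hunk.removed.append(old_no)
            old_no, rem_old = old_no + 1, rem_old - 1
        elif line.startswith("+"):
            hunk.insert_before.append(old_no)  # '+' lines do not advance the old side
            rem_new -= 1
        else:                                 # context line (' ' prefix, or empty)
            hunk.old_lines[old_no] = line[1:]
            old_no, rem_old, rem_new = old_no + 1, rem_old - 1, rem_new - 1
        if rem_old <= 0 and rem_new <= 0:
            hunk = None                       # hunk complete, back to header mode
    return files

def candidate_sinks(files, named_paths):
    """Sink candidates: removed lines, or for pure insertions the old line the fix now guards."""
    report = []
    for fd in files:
        if fd.path not in named_paths:        # only files the CVE references point at
            continue
        for h in fd.hunks:
            if h.removed:
                targets = [(n, "replaced") for n in h.removed]
            else:
                targets = [(n, "guarded") for n in sorted(set(h.insert_before)) if n in h.old_lines]
            for n, kind in targets:
                report.append({"path": fd.path, "function": h.function,
                               "old_range": (h.old_start, h.old_start + h.old_count - 1),
                               "line": n, "kind": kind, "code": h.old_lines[n].strip()})
    return report

# Constructed fix patch and reference data; CVE-XXXX-YYYY is a placeholder id.
NAMED_PATHS = {"epan/dissectors/packet-foo.c"}   # paths named in the (constructed) CVE references
CONSTRUCTED_PATCH = """\
diff --git a/epan/dissectors/packet-foo.c b/epan/dissectors/packet-foo.c
--- a/epan/dissectors/packet-foo.c
+++ b/epan/dissectors/packet-foo.c
@@ -118,6 +118,9 @@ dissect_foo_header(tvbuff_t *tvb, int offset, guint8 *buf)
 {
     guint8 len = tvb_get_guint8(tvb, offset);
 
+    if (len > FOO_MAX_LEN)
+        return -1;
+
     memcpy(buf, tvb_get_ptr(tvb, offset + 1, len), len);
     return offset + 1 + len;
 }
diff --git a/docs/CHANGES b/docs/CHANGES
--- a/docs/CHANGES
+++ b/docs/CHANGES
@@ -1,2 +1,3 @@
+Fix CVE-XXXX-YYYY: bounds check in the foo dissector
 Version 1.2.3 (constructed)
 * earlier entry
"""

if __name__ == "__main__":
    for hit in candidate_sinks(parse_unified_diff(CONSTRUCTED_PATCH), NAMED_PATHS):
        print(f"{hit['path']}:{hit['line']} [{hit['kind']}] in {hit['function'].split('(')[0]}: {hit['code']}")
```

The old-side line numbers are what matter for a test case: the fixed version is only the starting point, and the report points at line 121 of the vulnerable file (the unchecked memcpy), which is the sink a tool would need to flag. The changelog hunk is parsed but dropped because the CVE references do not name it, which mirrors the path-and-file-name filter on the slide.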

Selected Test Cases
Wireshark: C, 1.6M LOC, 3k+ files, 100 CVEs evaluated, 17 CVEs selected (17%)
Google Chrome 5: C++, 4.7M LOC, 32k files, 103 CVEs evaluated, 9 CVEs selected (8.7%)
Apache Tomcat 5: Java, 174k LOC, 2k+ files, 91 CVEs evaluated, 29 CVEs selected (32%)

Observations
Took far more time and effort than expected
– CVEs are not created equal: newer CVEs have higher quality info; some CVEs required large amounts of research
– Locating the path and sink is much harder than finding the fix
Reasons for low CVE selection rate
– Not present in the selected version
– Could not locate the source code or could not locate the sink
Useful resources and tips
– Source's patches, bug tracking and version control info
– Combine information from multiple resources (e.g., version -> bug # -> tracking -> patches)

Possible Future Work?
Re-use the 3 test cases
– Pinpoint more CVE flaws
– Involve developers for confirming some of the pinpointed flaws
– Invite tool makers to map warnings to CVEs
– Analyze the warning and CVE mappings among different tool makers and SATE findings
– Store well understood CVE related test cases in SRD
Other suggestions?