1 The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting Andy Ozment Computer Security Group Computer Laboratory University.
1 The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting
Andy Ozment, Computer Security Group, Computer Laboratory, University of Cambridge

2 Overview
Overview of previous work: Eric Rescorla, “Is finding security holes a good idea?” WEIS 2004
Security growth modeling: using reliability growth models on a carefully collected data set
Real-world examples of vulnerability rediscovery

3 Value Proposition for Vuln Hunting
Vulnerability hunting: looking for vulnerabilities without the intent to exploit them in an attack
Possible social benefits:
1. Motivate vendors to produce more secure software
2. Improve the security of existing software
3. Find vulnerabilities and repair them before the bad guys (attackers) can find and exploit them
Rescorla dismisses 1 and argues that 2 and 3 are also not achieved

4 Is finding security holes a good idea? (Rescorla 2004)
Vulnerability data from the ICAT database of all CVE-labeled vulnerabilities
Employs the reliability growth modeling literature
Tests whether the vulnerability data can be characterized by linear, exponential, or Weibull distributions

5 Rescorla’s results
Looks at data from three perspectives:
1. Software: four operating systems
  – Linear and exponential models do not fit
2. Vulnerability age cohorts
  – Four years: , inclusive
  – Only 1999 shows a trend
3. All vulnerabilities
  – Half-life of 2.5 years

6 (Rescorla 2004)

7 Rescorla concludes
Vuln hunting does not significantly increase product quality
  – The pool of vulns in products is so large that it is not diminished during the product’s life span
Therefore, the likelihood that multiple individuals will independently discover the same vuln is slight
Vulnerability hunting is thus not socially beneficial
  – Good guys do not find vulns that would later be identified by bad guys
  – Patch releases inform the bad guys of vulns, and they exploit the unpatched systems
Caveat: Rescorla notes that his data is noisy

8 Problems with ICAT data
Inaccurate birth dates
Inaccurate death dates
Not comprehensive
So… the OpenBSD 2.2 data set:
Use CVS to obtain birth and death dates
Consider any vuln listed by OpenBSD, ICAT, or Bugtraq

9 Results of OpenBSD 2.2 analysis
44 vulns in a 30-month period encompassing the release of 5 versions
39 of those vulns originated in, or prior to, version 2.2
Two models work:
  – Acceptable fit (chi-square)
  – Good accuracy (prequential likelihood)
Brooks & Motley’s Discrete SR Model (binomial)
  – Estimates total vulns
Yamada’s S-Shaped Reliability Growth Model
  – Estimates (lower 95%: 39.0 and upper 95%: 57.31)
Suggestive, but not conclusive
  – Other distributions that do not show increasing security could also fit
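To make the security growth modeling step concrete, here is an added example (not code from the talk) that fits Yamada’s delayed S-shaped model to a constructed cumulative vulnerability-discovery series and reads off the fitted total, which is the quantity the confidence bounds on the slide refer to. The data, the grid-search fitting routine and the function names are all assumptions for illustration.

```python
import math

# Constructed sample (not the talk's OpenBSD 2.2 data): cumulative count of
# vulnerabilities found by month since release, over a 30-month window.
MONTHS = list(range(1, 31))
CUMULATIVE = [1, 4, 7, 11, 15, 19, 22, 25, 28, 30, 32, 34, 35, 36, 37,
              38, 39, 39, 40, 40, 41, 41, 41, 41, 41, 42, 42, 42, 42, 42]


def yamada_s_shaped(t, a, b):
    """Mean-value function of Yamada's delayed S-shaped model: expected
    cumulative vulns found by time t, where a is the total number present
    in the code and b the detection rate."""
    return a * (1.0 - (1.0 + b * t) * math.exp(-b * t))


def sse(a, b, ts, ys):
    """Sum of squared errors between the model curve and the observed counts."""
    return sum((yamada_s_shaped(t, a, b) - y) ** 2 for t, y in zip(ts, ys))


def fit_yamada(ts, ys, rounds=4, steps=40):
    """Least-squares fit of (a, b) by repeated grid refinement (pure Python,
    so no SciPy is needed). Returns the fitted (a, b)."""
    a_lo, a_hi = float(max(ys)), 4.0 * max(ys)   # total cannot be below what was found
    b_lo, b_hi = 0.01, 2.0
    best = (a_hi, b_lo)
    for _ in range(rounds):
        da, db = (a_hi - a_lo) / steps, (b_hi - b_lo) / steps
        grid = [(a_lo + i * da, b_lo + j * db)
                for i in range(steps + 1) for j in range(steps + 1)]
        best = min(grid, key=lambda p: sse(p[0], p[1], ts, ys))
        # zoom in on the neighbourhood of the best cell for the next round
        a_lo, a_hi = max(float(max(ys)), best[0] - 2 * da), best[0] + 2 * da
        b_lo, b_hi = max(1e-4, best[1] - 2 * db), best[1] + 2 * db
    return best


def remaining_vulns(ts, ys):
    """Estimated vulns still undiscovered: fitted total minus what was found.
    A small value means the pool is being depleted, the effect Rescorla's
    ICAT analysis could not detect."""
    a, _ = fit_yamada(ts, ys)
    return a - ys[-1]


if __name__ == "__main__":
    a, b = fit_yamada(MONTHS, CUMULATIVE)
    print(f"estimated total a = {a:.1f}, rate b = {b:.3f}, "
          f"undiscovered = {remaining_vulns(MONTHS, CUMULATIVE):.1f}")
```

A chi-square or prequential-likelihood check, as used in the talk, would compare the monthly increments of the fitted curve against the observed ones; the point estimate alone says nothing about fit quality.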

10 Brooks & Motley Model; Yamada’s S-Shaped Model (fitted-curve charts)

11 Key concern: independent rediscovery
Real-world experience and intuition suggest that it should not be ruled out
MS security bulletins (patch announcements) provide coarse info
  – Often credit multiple entities for reporting the same vuln
  – But is this credit for independent rediscovery or collaboration?
Small window of time for rediscovery

12 Data set
Examine those vulns for which multiple entities are credited in MS bulletins
  – Individual reporters’ security bulletins
  – Contact individuals credited by MS
Considered the vuln to have been independently rediscovered:
  – If confirmed by 1 of the 2 entities listed
  – If confirmed by 2 of the 3 entities listed
When are two closely related vulns considered the same vuln?
  – I let MS decide
Not scientifically rigorous, but it provides info to feed an intuitive understanding
Likely to be an undercount

13 Independent Rediscovery of Vulns
[Table, mostly lost in extraction. Columns: Year | No Credit | 1 Ind. | 2 Ind. | 3 Ind. | % of credited. Surviving values: 8.47 % in one year row; Total row: 7.69 % of credited vulns independently rediscovered.]

14 Future work
Major shortcoming of security growth modeling: data is not normalized for effort
  – Number of people hunting for vulns
  – Skill of vuln hunters
Security growth modeling as a measurement tool
  – Comparison between different products
  – Comparison of different portions of the code base
  – Is there an ROI on secure coding training?
How does the likelihood of independent rediscovery change over time?

15 Conclusion
Success (fit and accuracy) in using reliability growth models for security growth modeling
  – In contrast to prior work, vuln depletion cannot be ruled out
Non-trivial real-world evidence of independent rediscovery
  – Undercounts the real occurrences
The evidence of independent rediscovery:
  – Suggests a more complicated value case for vulnerability hunting than shown in previous work
  – Should be considered when modeling vulnerability disclosure policies
  – Even using the rough 8% rediscovery figure might alter the models’ calculations of how rapidly patches should be released (or if at all)