Is finding security holes a good idea? Presented By: Jeff Wheeler CSC 682.


Outline
– Introduction
– Vulnerability Lifecycle
– Cost of Disclosure
– From Finding Rate to p_r
– Rate of Vulnerability Discovery
– Sources of Error

Introduction: two assertions under examination
1. It is better for vulnerabilities to be found by good guys than by bad guys.
2. Vulnerability finding increases overall software quality.

The life cycle of a vulnerability
– Introduction: the vulnerability is first released as part of the software.
– Discovery: the vulnerability is found.
– Private Exploitation: the vulnerability is exploited by the discoverer or by a small group known to him or her.
– Disclosure: a description of the vulnerability is published.
– Public Exploitation: the vulnerability is exploited by the general community of black hats.
– Fix Release: a patch or upgrade is released.
These events do not always occur strictly in this order. For example, a vendor may publish the disclosure and the fix at the same time, so the fix is available before public exploitation can begin.

White Hat Discovery (WHD): Discovery, Fix, and Disclosure, best case
– The vulnerability is discovered by a researcher with no interest in exploiting it, so there is no Private Exploitation period.
– The researcher notifies the vendor.
– The vendor releases an advisory and a fix.
– Public exploitation begins at the time of disclosure.

White Hat Discovery: timeline of the best case (figure)

Black Hat Discovery (BHD): Discovery, Fix, and Disclosure, worst case
– The vulnerability is first discovered by someone with an interest in exploiting it.
– The black hat community exploits it privately.
– A knowledgeable person identifies the exploit being used against a system and notifies the vendor.
– The vendor releases an advisory and a fix.
– Public exploitation begins at the time of disclosure.

Black Hat Discovery: timeline of the worst case (figure)

WHD versus BHD
– WHD eliminates the period of Private Exploitation, so the difference in cost between the two cases is the cost of that period: C_BHD - C_WHD = C_priv.
– Open question: are administrators more likely to patch if they know a vulnerability is being actively exploited? If so, the total number of vulnerable systems declines more quickly after a BHD disclosure, which lowers the peak exploitation rate and reduces the public exploitation cost in that case.

Cost-Benefit Analysis of Disclosure
– Best case: white hat discovery, and the vulnerability is never rediscovered or exploited by anyone else. The only cost is the Public Exploitation period if the finding is disclosed (C_pub), and nothing if it is not.
– Worst case: black hat discovery, which incurs both the Private and the Public Exploitation periods: C_priv + C_pub.

Cost-Benefit Analysis of Disclosure: cost over time for the two cases (figure)

From finding rate to p_r
Assumption: vulnerability discovery is a stochastic process.
– The overall rate at which vulnerabilities are being found in a particular application is a good estimate of p_r, the probability that a given vulnerability is independently rediscovered.
– The percentage of the application's vulnerabilities discovered so far is an upper bound on p_r.

Determining the Vulnerability Discovery Rate
Assumption: the software undergoes multiple releases.
– If patches and releases only fix bugs and do not introduce new ones, overall software quality increases with time, and the rate at which vulnerabilities are found should fall as the pool is depleted.
How does one measure this rate?

Determining the Vulnerability Discovery Rate: data source
– ICAT vulnerability metabase: a searchable index of computer vulnerabilities; the entire database is available for public download and analysis.
– Relevant information per entry: announcement date (giving the rate of discovery over time) and the program and version affected.
– The data must be cleansed before analysis.

Sources of Error
– Unknown versions
– Bad version assignment
– Announcement lag
– Severity of vulnerabilities
– Operating system effects: for packages included with an OS, use the OS release date instead of the package release date
– Effort variability
– Different vulnerability classes
– Data errors
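To make the rate measurement concrete, here is an added example (not code from the presentation or from the paper it summarizes) that computes a discovery rate from ICAT/NVD-style records. The product "libfoo", the OS "exampleos-1.0", the "EX-nnn" identifiers, the record fields and all dates are constructed for the example and are not the ICAT schema. It applies two of the cleansing steps listed above, dropping records with an unknown version and using the OS release date for a package bundled with an OS, then fits an exponential decay to the per-year counts, which is one way of asking whether the pool of vulnerabilities is depleting.

```python
"""Vulnerability discovery rate from ICAT/NVD-style records (added example).

Constructed data: product "libfoo", OS "exampleos-1.0", IDs "EX-nnn" and the
record fields are assumptions for illustration, not the ICAT/NVD schema.
"""
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, Optional, Tuple
import math


@dataclass(frozen=True)
class Release:
    product: str
    version: str
    released: date
    bundled_with_os: Optional[str] = None  # OS whose release date is used instead


@dataclass(frozen=True)
class Vuln:
    vuln_id: str
    product: str
    version: Optional[str]  # None models the "unknown version" source of error
    announced: date


# Constructed release data: libfoo 1.0 shipped inside exampleos-1.0, whose
# release date precedes the standalone libfoo package date by 46 days.
OS_RELEASES: Dict[str, date] = {"exampleos-1.0": date(2000, 1, 15)}
RELEASES: Dict[Tuple[str, str], Release] = {
    ("libfoo", "1.0"): Release("libfoo", "1.0", date(2000, 3, 1), bundled_with_os="exampleos-1.0"),
}


def effective_release(rel: Release, use_os_release: bool = True) -> date:
    """Release date used for the age computation ("operating system effects")."""
    if use_os_release and rel.bundled_with_os is not None:
        return OS_RELEASES[rel.bundled_with_os]
    return rel.released


_T0 = OS_RELEASES["exampleos-1.0"]


def _rec(n: int, days_after_os_release: int, version: Optional[str] = "1.0") -> Vuln:
    return Vuln(f"EX-{n:03d}", "libfoo", version, _T0 + timedelta(days=days_after_os_release))


# Constructed announcements: 8 in year 0, 4 in year 1, 2 in year 2, 1 in year 3,
# plus one with an unknown version and one naming a version with no release record.
VULNS = (
    [_rec(i, d) for i, d in enumerate([17, 40, 90, 120, 200, 250, 300, 360])]
    + [_rec(10 + i, d) for i, d in enumerate([400, 500, 600, 700])]
    + [_rec(20 + i, d) for i, d in enumerate([800, 1000])]
    + [_rec(30, 1200)]
    + [_rec(40, 50, version=None), _rec(41, 50, version="9.9")]
)


def discovery_counts(vulns, releases, bucket_days=365, use_os_release=True):
    """Count announced vulnerabilities per age bucket (age = days since release).

    Returns (counts by bucket index, counts of skipped records by reason).
    """
    counts: Counter = Counter()
    skipped: Counter = Counter()
    for v in vulns:
        if v.version is None:
            skipped["unknown version"] += 1
            continue
        rel = releases.get((v.product, v.version))
        if rel is None:
            skipped["no release record"] += 1
            continue
        age = (v.announced - effective_release(rel, use_os_release)).days
        if age < 0:
            # Announced before the assigned release date: a bad version assignment.
            skipped["announced before release"] += 1
            continue
        counts[age // bucket_days] += 1
    return dict(counts), dict(skipped)


def exponential_decay_rate(counts: Dict[int, int]) -> float:
    """Least-squares fit of ln(count_t) = a - lam * t over non-empty buckets.

    lam > 0 means the finding rate is falling (a depleting pool); lam near 0
    means no depletion is visible in the data.
    """
    pts = [(t, math.log(c)) for t, c in sorted(counts.items()) if c > 0]
    if len(pts) < 2:
        raise ValueError("need at least two non-empty buckets")
    n = len(pts)
    mt = sum(t for t, _ in pts) / n
    my = sum(y for _, y in pts) / n
    sxy = sum((t - mt) * (y - my) for t, y in pts)
    sxx = sum((t - mt) ** 2 for t, _ in pts)
    return -sxy / sxx


if __name__ == "__main__":
    counts, skipped = discovery_counts(VULNS, RELEASES)
    lam = exponential_decay_rate(counts)
    print("per-year counts:", counts, "skipped:", skipped)
    print(f"decay rate {lam:.3f}/year, half-life {math.log(2) / lam:.2f} years")
```

With the OS release date applied, the per-year counts halve each year and the fitted decay rate is ln 2 per year. Run with use_os_release=False, the two earliest records are announced before the standalone package date and are dropped as bad version assignments, and the remaining records shift into earlier buckets, which is the distortion the "operating system effects" item above warns about. The constructed data decay by design; on real data a fitted rate near zero is the no-depletion case discussed later.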

Is it worth disclosing vulnerabilities?
– If there is no depletion of the pool of vulnerabilities, disclosing is always harmful: an effectively infinite pool means p_r approaches zero, a withheld bug would almost never be rediscovered, and disclosure only opens a Public Exploitation period.
– If the pool is depleting and every vulnerability will eventually be discovered, p_r = 1, a withheld bug will be found and exploited by a black hat anyway, and disclosing makes sense.
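The disclosure decision in the cost-benefit slides and in the two limiting cases just above can be written as a small expected-cost model. This is an added example, not code from the presentation or from the paper it summarizes; the symbols C_priv, C_pub and p_r follow the slides, while the window model (constant intrusion rates, exponential patch adoption after disclosure) and every numeric input are assumptions made for illustration.

```python
"""Expected-cost model for disclosing a white-hat-found vulnerability (added example).

Symbols from the slides: C_priv (cost of the Private Exploitation period),
C_pub (cost of the Public Exploitation period), p_r (probability that the
vulnerability is rediscovered by a black hat if the white hat stays silent).
The window model and the numbers below are illustrative assumptions.
"""


def public_window_cost(intrusion_rate: float, systems: int, patch_rate: float) -> float:
    """C_pub: intrusions during Public Exploitation.

    Assumes every system is vulnerable at disclosure and patches are applied at
    a constant per-system rate, so the vulnerable population decays as
    N * exp(-patch_rate * t); integrating gives N / patch_rate vulnerable
    system-days, multiplied by the per-system-day intrusion rate.
    """
    if patch_rate <= 0:
        raise ValueError("patch_rate must be positive (otherwise C_pub is unbounded)")
    return intrusion_rate * systems / patch_rate


def private_window_cost(intrusion_rate: float, systems: int, days: float) -> float:
    """C_priv: intrusions during Private Exploitation, when nobody is patching."""
    return intrusion_rate * systems * days


def cost_if_disclosed(c_pub: float) -> float:
    """WHD with disclosure: no private window; the public window starts at disclosure."""
    return c_pub


def expected_cost_if_withheld(p_r: float, c_priv: float, c_pub: float) -> float:
    """WHD without disclosure: with probability p_r a black hat rediscovers the
    bug, giving the BHD worst case C_priv + C_pub; otherwise the cost is zero."""
    if not 0.0 <= p_r <= 1.0:
        raise ValueError("p_r is a probability")
    return p_r * (c_priv + c_pub)


def disclosure_threshold(c_priv: float, c_pub: float) -> float:
    """Smallest p_r at which disclosing is no worse than withholding."""
    return c_pub / (c_priv + c_pub)


def should_disclose(p_r: float, c_priv: float, c_pub: float) -> bool:
    return expected_cost_if_withheld(p_r, c_priv, c_pub) > cost_if_disclosed(c_pub)


# Illustrative inputs (assumptions): 10,000 deployed systems, one intrusion per
# 1,000 vulnerable system-days once an exploit is public, one per 10,000 while
# the exploit is held privately, a 90-day private window, 10%/day patch rate.
SYSTEMS = 10_000
C_PUB = public_window_cost(0.001, SYSTEMS, patch_rate=0.1)   # 100 intrusions
C_PRIV = private_window_cost(0.0001, SYSTEMS, days=90)        # 90 intrusions

if __name__ == "__main__":
    print(f"C_pub={C_PUB:.1f} C_priv={C_PRIV:.1f} "
          f"threshold p_r={disclosure_threshold(C_PRIV, C_PUB):.3f}")
    for p_r in (0.0, 0.3, 0.7, 1.0):
        print(p_r, "disclose" if should_disclose(p_r, C_PRIV, C_PUB) else "withhold")
    # Faster patching once exploitation is known (the "WHD versus BHD" question).
    print("C_pub with patch rate doubled:", public_window_cost(0.001, SYSTEMS, patch_rate=0.2))
```

Withholding costs p_r(C_priv + C_pub) and disclosing costs C_pub, so disclosure pays only when p_r exceeds C_pub / (C_priv + C_pub), about 0.53 with these inputs. The two limits on the slide fall out directly: as p_r approaches zero, withholding is nearly free and disclosure always loses; at p_r = 1 the withheld bug costs C_priv + C_pub, which always exceeds C_pub, so disclosing wins. Doubling the patch rate halves C_pub, which is the lever behind the question of whether known exploitation makes administrators patch faster.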

Conclusions
– This research does not provide sufficient evidence that vulnerability finding and disclosure increases software security enough to offset the effort being invested.
– Nor does it provide sufficient evidence that vulnerability finding and disclosure is a bad idea.

Open questions
– Should we prefer continuous white hat discovery with no public disclosure until a black hat is observed exploiting the vulnerability?
– How do we estimate the number of vulnerabilities in an application, both discovered and undiscovered?