Presentation is loading. Please wait.

Presentation is loading. Please wait.

1 The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting Andy Ozment Computer Security Group Computer Laboratory University.

Published byApril Henry Modified over 9 years ago

Similar presentations

Presentation on theme: "1 The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting Andy Ozment Computer Security Group Computer Laboratory University."— Presentation transcript:

1 1 The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting Andy Ozment Computer Security Group Computer Laboratory University of Cambridge

2 2 Overview Overview of previous work: Eric Rescorla. “Is finding security holes a good idea?” WEIS 2004 Security growth modeling: using reliability growth models on a carefully collected data set Real-world examples of vulnerability rediscovery

3 3 Value Proposition for Vuln Hunting Vulnerability hunting: looking for vulnerabilities without the intent to exploit them in an attack Possible social benefits 1.Motivate vendors to produce more secure software 2.Improve the security of existing software 3.Find vulnerabilities and repair them before the bad guys (attackers) can find and exploit them Rescorla dismisses 1 and argues that 2 and 3 are also not achieved

4 4 Is finding security holes a good idea? (Rescorla 2004) Vulnerability data from the ICAT database of all CVE labeled vulnerabilities Employs reliability growth modeling literature Tests whether the vulnerability data can be characterized by linear, exponential, or Weibull distributions

5 5 Rescorla’s results Looks at data from three perspectives 1.Software: Four operating systems Linear and exponential models do not fit 2.Vulnerability age cohorts Four years: 1997-2000, inclusive Only 1999 shows trend 3.All vulnerabilities Half life of 2.5 years

6 6 (Rescorla 2004)

7 7 Rescorla concludes Vuln hunting does not significantly increase product quality –The pool of vulns in products is so large that it is not diminished during the product’s life span Therefore, the likelihood that multiple individuals will independently discover the same vuln is slight Vulnerability hunting is thus not socially beneficial –Good guys do not find vulns that would later be identified by bad guys –Patch releases inform the bad guys of vulns, and they exploit the unpatched systems Caveat: Rescorla notes that his data is noisy

8 8 Problems with ICAT data Inaccurate birth dates Inaccurate death dates Not comprehensive So… the OpenBSD 2.2 data set Use CVS to obtain birth and death dates Consider any vuln listed by OpenBSD, ICAT, or Bugtraq

9 9 Results of OpenBSD 2.2 analysis 44 vulns in a 30 month period encompassing the release of 5 versions 39 of those vulns originated in, or prior to, version 2.2 Two models work –Acceptable fit (Chi square) –Good accuracy (prequential likelihood) Brooke’s & Motley’s Discrete SR Model (Binomial) –Estimates 49.63 total vulns Yamada’s S-Shaped Reliability Growth Model –Estimates 43.08 (lower 95%: 39.0 and upper 95%: 57.31) Suggestive, but not conclusive –Other distributions that do not show increasing security could also fit

10 10 Brooke’s & Motley ModelYamada’s S-Shaped Model

11 11 Key concern: independent rediscovery Real world experience and intuition suggest that it should not be ruled out MS security bulletins (patch announcements) provide coarse info Often credit multiple entities for reporting the same vuln –But is this credit for ind. rediscovery or collaboration? Small window of time for rediscovery

12 12 Data set Examine those vulns for which multiple entities are credited in MS bulletins –Individual reporters’ security bulletins –Contact individuals credited by MS Considered the vuln to have been ind. rediscovered –If confirmed by 1 of the 2 entities listed –If confirmed by 2 of the 3 entities listed When are two closely related vulns considered the same vuln? –I let MS decide Not scientifically rigorous, but it provides info to feed an intuitive understanding Likely to be an undercount

13 13 Independent Rediscovery of Vulns 7.69 %212168106Total 8.47 %2354222004 8.51 %0443222003 6.58 %0471622002 % of credited 3 Ind.2 Ind.1 No Credit Year

14 14 Future work Major shortcoming of security growth modeling: data is not normalized for effort –Number of people hunting for vulns –Skill of vuln hunters Security growth modeling as a measurement tool –Comparison between different products –Comparison of different portions of code base Is there an ROI on secure coding training? How does the likelihood of ind. rediscovery change over time?

15 15 Conclusion Success (fit and accuracy) in using reliability growth models for security growth modeling –In contrast to prior work, vuln depletion cannot be ruled out Non-trivial real-world evidence of ind. rediscovery –Undercounts the real occurrences The evidence of independent rediscovery –Suggests a more complicated value case for vulnerability hunting than shown in previous work –Should be considered when modeling vulnerability disclosure policies –Even using the rough 8% rediscovery figure might alter the models’ calculations of how rapidly patches should be released (or if at all)

Download ppt "1 The Likelihood of Vulnerability Rediscovery and the Social Utility of Vulnerability Hunting Andy Ozment Computer Security Group Computer Laboratory University."

Similar presentations

Inferential Statistics and t - tests

Inferential Statistics and t - tests
Design of Experiments Lecture I

Design of Experiments Lecture I
Comparing Two Proportions (p1 vs. p2)

Comparing Two Proportions (p1 vs. p2)
1 Chi-Square Test -- X 2 Test of Goodness of Fit.

1 Chi-Square Test -- X 2 Test of Goodness of Fit.
Empirical Evaluation of Defect Projection Models for Widely-deployed Production Software Systems FSE 2004 Paul Li, Mary Shaw, Jim Herbsleb Institute for.

Empirical Evaluation of Defect Projection Models for Widely-deployed Production Software Systems FSE 2004 Paul Li, Mary Shaw, Jim Herbsleb Institute for.
Copyright 2002 David M. Hassenzahl Using r and  2 Statistics for Risk Analysis.

Copyright 2002 David M. Hassenzahl Using r and  2 Statistics for Risk Analysis.
Copyright © D2Hawkeye, Inc. All rights reserved Clinical applications of a medical rules-based predictive modeling system Surya Singh, M.D. Chief Medical.

Copyright © D2Hawkeye, Inc. All rights reserved Clinical applications of a medical rules-based predictive modeling system Surya Singh, M.D. Chief Medical.
1 1 Slide IS 310 – Business Statistics IS 310 Business Statistics CSU Long Beach.

1 1 Slide IS 310 – Business Statistics IS 310 Business Statistics CSU Long Beach.
Chapter 6 Sampling and Sampling Distributions

Chapter 6 Sampling and Sampling Distributions
BPS - 5th Ed. Chapter 241 One-Way Analysis of Variance: Comparing Several Means.

BPS - 5th Ed. Chapter 241 One-Way Analysis of Variance: Comparing Several Means.
Chi Squared Tests. Introduction Two statistical techniques are presented. Both are used to analyze nominal data. –A goodness-of-fit test for a multinomial.

Chi Squared Tests. Introduction Two statistical techniques are presented. Both are used to analyze nominal data. –A goodness-of-fit test for a multinomial.
CHAPTER 2 Building Empirical Model. Basic Statistical Concepts Consider this situation: The tension bond strength of portland cement mortar is an important.

CHAPTER 2 Building Empirical Model. Basic Statistical Concepts Consider this situation: The tension bond strength of portland cement mortar is an important.
David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.

David Brumley, Pongsin Poosankam, Dawn Song and Jiang Zheng Presented by Nimrod Partush.
Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.

Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.
Two Sample Hypothesis Testing for Proportions

Two Sample Hypothesis Testing for Proportions
ENVS 355 Data, data, data Models, models, models.

ENVS 355 Data, data, data Models, models, models.
Software Quality Control Methods. Introduction Quality control methods have received a world wide surge of interest within the past couple of decades.

Software Quality Control Methods. Introduction Quality control methods have received a world wide surge of interest within the past couple of decades.
Statistics Are Fun! Analysis of Variance

Statistics Are Fun! Analysis of Variance
The Experimental Approach September 15, 2009Introduction to Cognitive Science Lecture 3: The Experimental Approach.

The Experimental Approach September 15, 2009Introduction to Cognitive Science Lecture 3: The Experimental Approach.
SE is not like other projects. l The project is intangible. l There is no standardized solution process. l New projects may have little or no relationship.

SE is not like other projects. l The project is intangible. l There is no standardized solution process. l New projects may have little or no relationship.

Similar presentations

Ads by Google