Presentation is loading. Please wait.

Presentation is loading. Please wait.

Looking at the big picture on vulnerabilities

Published byLewis Burns Modified over 9 years ago

Similar presentations

Presentation on theme: "Looking at the big picture on vulnerabilities"— Presentation transcript:

1 Looking at the big picture on vulnerabilities
Eric Rescorla Network Resonance, Inc.

2 The big picture All software has bugs
Security relevant software has security bugs Security is a problem in any multi-user system Or any networked computer … and almost all machines now are networked How do we choose appropriate behaviors? Policies? Appropriate levels of investment? The standard tool is cost/benefit analysis But this requires data 11/23/2005 Eric Rescorla

3 Talk Overview Vulnerability life cycle Empirical data on discovery
Empirical data on patching Big unknown questions Looking beyond computer security 11/23/2005 Eric Rescorla

4 Life cycle of a typical vulnerability
Publication/ Fix Release Exploit Creation All Units Fixed Introduction Discovery Latency Fix Dev’t Attacks Patching 11/23/2005 Eric Rescorla

5 Common Assumptions (I)
Initial vulnerability count (Vi) Roughly linear in lines of code (l) Some variability due to programmer quality Rate of discovery (Vd) Somehow related to code quality dVd/dVi > 0 d2Vd/dVi2<0 ??? This relationship not well understood Popularity? Attacker tastes? Closed/open source? 11/23/2005 Eric Rescorla

6 Common Assumptions (II)
Vulnerabilities with exploits (Ve) Some subset of discovered vulnerabilities But who knows what subset? And on what timeframe? Anecdotal evidence indicates it’s getting shorter Vulnerabilities used in attacks (Va) Somehow scales with Ve But again how? And what controls the attack rate (A)? Loss due to attacks (L) Somehow scales with A 11/23/2005 Eric Rescorla

7 The intuitive model Running bad software places you at risk
More latent vulnerabilities means more discovered vulnerabilities means more attacks Vendor quality improvement reduces risk Converse of above Release of vulnerabilities increases risk More attack sites But patching decreases risk Less vulnerabilities means less attacks 11/23/2005 Eric Rescorla

8 Empirical data on discovery
Question: is finding vulns socially useful? Benefits Pre-emption “Find and fix vulnerabilities before the bad guys do” Incentives for vendors Research Costs New tools for attackers Most attacks are based on known problems Cost to develop fixes And costs to install them The research itself is expensive 11/23/2005 Eric Rescorla

9 Two discovery scenarios
White Hat Discovery (WHD) Vulnerability found by a good guy Follows normal disclosure procedure Black Hat Discovery (BHD) Vulnerability found by a bad guy Bad guy exploits it 11/23/2005 Eric Rescorla

10 White Hat Discovery Time Course
11/23/2005 Eric Rescorla

11 Black Hat Discovery Time Course
11/23/2005 Eric Rescorla

12 Cost/benefit analysis
WHD is clearly better than BHD Cost difference CBHD – CWHD = Cpriv If we have a choice between them, choose WHD Say we’ve found a bug Should we disclose? Bug may never be rediscovered Or rediscovered by a white hat … or discovered much later 11/23/2005 Eric Rescorla

13 Finding the best option
Probability of rediscovery = pr Ignore cost of patching Assume that all rediscoveries are BHD (conservative) Disclose Not Disclose Rediscovered N/A Cpub + Cpriv Not Rediscovered Cpub Expected Value pr(Cpub + Cpriv) 11/23/2005 Eric Rescorla

14 Key question: probability of rediscovery
Disclosure pays off if pr (Cpub + Cpriv) > Cpub Disclosure is good if pr is high Disclosure is bad if pr is low Cpub and Cpriv are hard to estimate But we can try to measure pr This gives us bounds for values of Cpub and Cpriv for which disclosure is good 11/23/2005 Eric Rescorla

15 A model for pr Assume a program has N vulnerabilities
F are eventually found And all bugs are equally likely to be found This is a big assumption and probably not entirely true Each bug has an F/N probability of being found Say you find a bug b Probability of rediscovery pr <= F/N This model is easily extended to be time dependent Assuming we know the rate of discovery as a function of time 11/23/2005 Eric Rescorla

16 Outline of the experiment
Collect data on rate of bug discovery Use that data to model rate of bug finding Using standard reliability techniques Estimate pr(t) Increased reliability over time implies high pr(t) 11/23/2005 Eric Rescorla

17 Data source NIST ICAT metabase
Collects data from multiple vulnerability databases Includes CVE Id affected program/version information Bug release time Used the data through May 2003. Need one more data point: introduction time Collected version information for 35 programs 11/23/2005 Eric Rescorla

18 Vulnerability Disclosure by Time
11/23/2005 Eric Rescorla

19 Data issues We only know about discovered bugs
And have to infer stuff about undiscovered bugs Data is heavily censored Right censoring for bugs not yet found Left censoring because not all bugs introduced at same time Lots of noise and errors Some of these removed manually 11/23/2005 Eric Rescorla

20 Approach 1: A Program’s Eye View
Question: do programs improve over time? Take all bugs in Program/Version X For a few selected program/version pairs Genetically somewhat independent Regardless of when they were introduced Plot discovery rate over time Is there a downward trend? 11/23/2005 Eric Rescorla

21 Disclosures over time (selected programs)
Linear regression Significant only for RH 6.2 Exponential regression Laplace factor Only significant depletion at end (except RH 6.2) … but there are censoring issues 11/23/2005 Eric Rescorla

22 Approach 2: A bug’s eye view
Find bug introduction time Introduction date of first program with bug Measure rate of bug discovery From time of first introduction Look for a trend 11/23/2005 Eric Rescorla

23 Disclosures over time (by introduction year)
Linear regression Significant trend only for 1999 Exponential Laplace factor Generally stable 11/23/2005 Eric Rescorla

24 How to think about this Medical standard of care
First do no harm We’re burning a lot of energy here Would be nice to know that it’s worthwhile Answers aren’t confidence inspiring This data isn’t definitive See caveats above Other work in progress [Ozment 05] 11/23/2005 Eric Rescorla

25 Empirical data on patching rate
Rate of patching controls useful lifetime of an exploit So how fast do people actually patch? And what predicts when people will patch? 11/23/2005 Eric Rescorla

26 Overview of the bugs Announced July 30, 2002 by Ben Laurie
Buffer overflows in OpenSSL Allowed remote code execution Affected software Any OpenSSL-based server which supports SSLv2 Essentially everyone leaves SSLv2 on mod_SSL, ApacheSSL, Sendmail/TLS, … Easy to identify such servers Any SSL client that uses OpenSSL * All of OpenSSL was vulnerable, but what programs? * More of a pain to turn off OpenSSL v2 than leave it on * If you were an admin you had to upgrade 11/23/2005 Eric Rescorla

27 OpenSSL flaws: a good case study
A serious bug Remotely exploitable buffer overflow Affects a security package Crypto people care about security, right? In a server Administrators are smarter, right? Remotely detectable …easy to study * function pointers * UNIX admins are smarter * Detectable without damaging the server * Scientists, not vandals 11/23/2005 Eric Rescorla

28 Questions we want to ask
What fraction of users deploy fixes? And on what timescale? What kind of countermeasures are used? Patches Available for all major versions Often supplied by vendors Upgrades Workarounds Turn off SSLv2 What factors predict user behavior? 11/23/2005 Eric Rescorla

29 Methodology Collect a sample of servers that use OpenSSL
Google searches on random words Filter on servers that advertise OpenSSL This means mod_SSL n=892 (890 after complaints) Periodically monitor them for vulnerability * Sources of error Word bias mod_SSL bias Port bias * Monitor daily 11/23/2005 Eric Rescorla

30 Detecting Vulnerability
Take advantage of the SSLv2 flaw Buffer overflow in key_arg Negotiate SSLv2 Use an overlong key_arg The overflow damages the next struct field client_master_key_length client_master_key_length is written before it is read So this is safe This probe is harmless but diagnostic Fixed implementations throw an error Broken implementations complete handshake * Bottom line--attempt to exploit a hole * key_arg used for IV *Longer overflow is still dangerous 11/23/2005 Eric Rescorla

31 Response after bug release
* Look at the initial trend line a little more closely. * Point out three gaps--not weekends 11/23/2005 Eric Rescorla

32 Kinds of fixes deployed
* Our second question: what people do * MEntion uncertainty * First day mostly patches -- availability -- on the caseness * Conversion * Mention uncertainty 11/23/2005 Eric Rescorla

33 Why not use workarounds?
Disabling SSLv2 is complete protection It’s easy But essentially no administrator did it Never more than 8 machines Why not? Guesses… Advisories unclear Not all described SSLv2-disabling as a workaround Some suggested that all OpenSSL-using applications were unsafe It’s fine if you just use it for crypto (OpenSSH, etc.) Pretty easy to install patches Anyone smart enough just used fixes * Notice previous slide didn’t show SSLv2 at all * Better safe than sorry ---- *This answers the second question 11/23/2005 Eric Rescorla

34 Predictors of responsiveness
Big hosting service providers fix faster The bigger the better More on the ball? More money on the line? People who were already up to date fix faster Signal of active maintenance? Or just higher willingness to upgrade * Notice previous slide didn’t show SSLv2 at all * Better safe than sorry ---- *This answers the second question 11/23/2005 Eric Rescorla

35 Response after Slapper release
* Now let’s turn to the response to the worm * HSPs upgraded first so fit looks better * Why another pulse? 11/23/2005 Eric Rescorla

36 Why so much post-worm response?
People didn’t hear the first time? Not likely… published through the same channels Guesses People are interrupt driven People respond when they feel threatened And deliberately ignore potential threats 11/23/2005 Eric Rescorla

37 The zombie problem 60% of servers were vulnerable at worm release
These servers can be turned into zombies … and then DDoS other machines Independent servers are less responsive So they’re harder to turn off Try contacting hundreds of administrators Slapper wasn’t so bad Since Linux/Apache isn’t a monoculture And the worm was kind of clumsy * A more stealthy worm could exploit a lot of servers and be very dangerous 11/23/2005 Eric Rescorla

38 Overall fix deployment by time
* Three things (1) Starts fast (2) Levels off (3) Starts up again after the worm 11/23/2005 Eric Rescorla

39 Have things changed? Automatic patching more common
Threat environment more hostile Answer: not much [Eschelbeck ‘05] Externally-visible systems: half-life = 19 days (30 days in 2003) Internally-visible systems: half-life = 48 days (62 days in 2005) 11/23/2005 Eric Rescorla

40 The big open question How much do vulnerabilities cost us?
How much would various defenses cost us? How well do they work? Where should we be spending our money? 11/23/2005 Eric Rescorla

41 Steps along the way What are the predictors of discovered vulnerability rate? Software quality? Popularity?Access to source code? Hacker attitudes? What is the marginal impact of a new vulnerability? Number of total attacks? Cost of attacks? What is the marginal impact of faster patching? How much does it reduce risk? Balanced against patch quality [Beattie ‘02, Rescorla ‘03] Does diversity really work? Targeted vs. untargeted attacks What about bad diversity [Shacham ‘04] 11/23/2005 Eric Rescorla

42 Thinking outside CS: Bioweapons
Same as software but with much worse parameters Vulnerabilities are long-standing Exploits are hard to create But there are plenty of old ones available Smallpox, anthrax, ebola, etc. And technology is making it easier Fixes are hard to create Where’s my HIV vaccine? And easy to counter Influenza Mousepox [Jackson ‘01] Patching is painfully slow 11/23/2005 Eric Rescorla

43 Case study: 1918 Influenza Complete sequence has been reconstructed
Published in Science and Nature ‘05 Includes diffs from ordinary flu And explanations Usual controversy [Joy and Kurzweil ‘05] But what’s the marginal cost? Smallpox has already been fully sequenced Current vaccination levels are low And vaccine has bad side effects And compare the mousepox work Possible to de novo synthesize the virus? What’s the impact of a new virus? 11/23/2005 Eric Rescorla

44 Final slide Questions? Interested in working on this stuff?
Reach me at 11/23/2005 Eric Rescorla

Download ppt "Looking at the big picture on vulnerabilities"

Similar presentations

Data Mining Methodology 1. Why have a Methodology  Don’t want to learn things that aren’t true May not represent any underlying reality ○ Spurious correlation.

Data Mining Methodology 1. Why have a Methodology  Don’t want to learn things that aren’t true May not represent any underlying reality ○ Spurious correlation.
G. Alonso, D. Kossmann Systems Group

G. Alonso, D. Kossmann Systems Group
Honeypot 서울과학기술대학교 Jeilyn Molina 121336101. Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.

Honeypot 서울과학기술대학교 Jeilyn Molina Honeypot is the software or set of computers that are intended to attract attackers, pretending to be weak.
INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)

INDEX  Ethical Hacking Terminology.  What is Ethical hacking?  Who are Ethical hacker?  How many types of hackers?  White Hats (Ethical hackers)
Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.

Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.
Swami NatarajanJune 17, 2015 RIT Software Engineering Reliability Engineering.

Swami NatarajanJune 17, 2015 RIT Software Engineering Reliability Engineering.
SE 450 Software Processes & Product Metrics Reliability Engineering.

SE 450 Software Processes & Product Metrics Reliability Engineering.
1 Estimating the Cost and Benefits of Software Assurance Investments Thomas P. Frazier November 9, 2006.

1 Estimating the Cost and Benefits of Software Assurance Investments Thomas P. Frazier November 9, 2006.
Software Defect Modeling at JPL John N. Spagnuolo Jr. and John D. Powell 19th International Forum on COCOMO and Software Cost Modeling 10/27/2004.

Software Defect Modeling at JPL John N. Spagnuolo Jr. and John D. Powell 19th International Forum on COCOMO and Software Cost Modeling 10/27/2004.
Lecture 11 Reliability and Security in IT infrastructure.

Lecture 11 Reliability and Security in IT infrastructure.
Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.

Software Testing. “Software and Cathedrals are much the same: First we build them, then we pray!!!” -Sam Redwine, Jr.
Web server security Dr Jim Briggs WEBP security1.

Web server security Dr Jim Briggs WEBP security1.
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.

1 Securing Passwords Against Dictionary Attacks Base on an article by Benny Pinkas & Tomas Sander 2002 Presented by Tomer Conforti.
Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.

Internet Quarantine: Requirements for Containing Self-Propagating Code David Moore et. al. University of California, San Diego.
1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.

1 An Empirical Analysis of Vendor Response to Vulnerability Disclosure Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang Carnegie Mellon University.
Introduction to Network Defense

Introduction to Network Defense
Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.

Cloud Computing How secure is it? Author: Marziyeh Arabnejad Revised/Edited: James Childress April 2014 Tandy School of Computer Science.
Large-scale application security Charlie Eriksen.

Large-scale application security Charlie Eriksen.
RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

RFC6520 defines SSL Heartbeats - What are they? 1. SSL Heartbeats are used to keep a connection alive without the need to constantly renegotiate the SSL.

Similar presentations

Ads by Google