Is finding security holes a good idea? Presented By: Jeff Wheeler CSC 682.

Presentation transcript:

1 Is finding security holes a good idea? Presented By: Jeff Wheeler CSC 682

2 Outline
Introduction
Vulnerability Lifecycle
Cost of Disclosure
Finding rate to p_r
Rate of Vulnerability Discovery
Sources of Error

3 Introduction
Assertions
1. It is better for vulnerabilities to be found by good guys than bad guys.
2. Vulnerability finding increases total software quality.

4 The life cycle of a vulnerability
Introduction – the vulnerability is first released as part of the software.
Discovery – the vulnerability is found.
Private Exploitation – the vulnerability is exploited by the discoverer or a small group known to him or her.
Disclosure – a description of the vulnerability is published.

5 The life cycle of a vulnerability
Public Exploitation – the vulnerability is exploited by the general community of black hats.
Fix Release – a patch or upgrade is released.

6 The life cycle of a vulnerability
These events do not occur strictly in this order.
–Ex: the software manufacturer releases the disclosure and the fix at the same time.

7 White Hat Discovery
Discovery, Fix, and Disclosure: Best Case
–The vulnerability is discovered by a researcher with no interest in exploiting it.
–The researcher notifies the vendor.
–The vendor releases an advisory and a fix.
–Public exploitation begins at the time of disclosure.

8 White Hat Discovery

9 Black Hat Discovery
Discovery, Fix, and Disclosure: Worst Case
–The vulnerability is first discovered by someone with an interest in exploiting it.
–The black hat community exploits it.
–A knowledgeable person identifies the exploit being used against a system and notifies the vendor.
–The vendor releases an advisory and a fix.
–Public exploitation begins at the time of disclosure.

10 Black Hat Discovery

11 WHD versus BHD
WHD eliminates the period of Private Exploitation: C_BHD - C_WHD = C_priv
Are administrators more likely to patch if they know a vulnerability is being actively exploited?
–If so, the total number of vulnerable systems declines more quickly, minimizing the peak exploitation rate.

12 Cost-Benefit Analysis of Disclosure
Best Case
–White hat discovery, never rediscovered or exploited
Worst Case
–Black hat discovery: C_priv + C_pub

13 Cost-Benefit Analysis of Disclosure

14 From finding rate to p_r
Assumption: Vulnerability discovery is a stochastic process.
–The overall rate of vulnerability discovery in a particular application is a good estimate for p_r.
–The current percentage of vulnerabilities discovered is an upper bound on p_r.

15 Determining the Vulnerability Discovery Rate
Assumption: Software undergoes multiple releases.
–If we assume patches/releases introduce no new bugs, only fixes, then overall software quality increases with time.
How does one determine this rate?

16 Determining the Vulnerability Discovery Rate
ICAT vulnerability metabase
–A searchable index of computer vulnerabilities.
–Entire database available for public download and analysis.
Relevant Information
–Rate of discovery over time; program and version affected.
Data Cleansing

17-19 (no transcript text for these slides)

20 Sources of Error
Unknown Versions
Bad Version Assignment
Announcement Lag
Severity of Vulnerabilities
Operating System Effects
–For packages included with the OS, use the OS release date instead of the package release date.
Effort Variability
Different Vulnerability Classes
Data Errors

21 Is it worth disclosing vulnerabilities?
If there is no depletion of vulnerabilities, then disclosing vulnerabilities is always harmful: this implies an infinite number of vulnerabilities, and p_r approaches zero.
If we assume the pool of vulnerabilities is depleting and all vulnerabilities will eventually be discovered, p_r = 1 and disclosing vulnerabilities makes sense.
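As an added worked example (not part of the slides or of the research they summarize), the following Python sketch puts the cost argument of slides 11, 12 and 21 into code: C_BHD = C_priv + C_pub, the choice between disclosing and staying silent as a function of the rediscovery probability p_r, and the point from slide 11 that faster patching shrinks the exploitation cost. The exponential patching model, the per-system-day unit cost, the function names and all numeric inputs are assumptions made for illustration.

```python
"""Expected-cost model for the disclosure decision (added illustration, not the paper's code)."""
import math
from dataclasses import dataclass


@dataclass(frozen=True)
class Window:
    """One exploitation window; assumes the vulnerable population decays exponentially as admins patch."""
    systems: float                    # vulnerable systems when the window opens
    patch_rate: float                 # fraction of remaining systems patched per day (0 = nobody patches)
    days: float                       # length of the window in days
    cost_per_system_day: float = 1.0  # assumed unit cost of one exploited system-day


def window_cost(w: Window) -> float:
    """Cost = unit cost * integral of systems * exp(-patch_rate * t) over the window."""
    if w.patch_rate == 0:
        return w.cost_per_system_day * w.systems * w.days
    decayed = 1.0 - math.exp(-w.patch_rate * w.days)
    return w.cost_per_system_day * w.systems * decayed / w.patch_rate


def cost_whd(c_pub: float) -> float:
    """White-hat discovery: public exploitation only, starting at disclosure."""
    return c_pub


def cost_bhd(c_priv: float, c_pub: float) -> float:
    """Black-hat discovery adds the private window: C_BHD = C_priv + C_pub."""
    return c_priv + c_pub


def expected_cost_silent(p_r: float, c_priv: float, c_pub: float) -> float:
    """Not disclosing costs nothing unless a black hat rediscovers the bug (probability p_r)."""
    return p_r * cost_bhd(c_priv, c_pub)


def breakeven_p_r(c_priv: float, c_pub: float) -> float:
    """Rediscovery probability above which disclosing has the lower expected cost."""
    return c_pub / (c_priv + c_pub)


def disclosure_is_cheaper(p_r: float, c_priv: float, c_pub: float) -> bool:
    """Slide 21 in one line: p_r -> 0 makes this False, p_r = 1 makes it True whenever C_priv > 0."""
    return cost_whd(c_pub) < expected_cost_silent(p_r, c_priv, c_pub)


if __name__ == "__main__":
    # Constructed numbers: 10,000 vulnerable systems, a 30-day private window in which
    # nobody patches, then a 90-day public window with fast (10%/day) or slow (2%/day) patching.
    c_priv = window_cost(Window(10_000, 0.0, 30))
    for label, rate in (("fast patching", 0.10), ("slow patching", 0.02)):
        c_pub = window_cost(Window(10_000, rate, 90))
        print(f"{label}: C_priv={c_priv:.0f} C_pub={c_pub:.0f} break-even p_r={breakeven_p_r(c_priv, c_pub):.2f}")
```

With the constructed inputs, fast patching gives a break-even p_r of about 0.25 while slow patching pushes it to about 0.58, so the same vulnerability is worth disclosing at a lower rediscovery probability when administrators react quickly.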

22 Conclusions
This research does not provide sufficient evidence that vulnerability finding and disclosure provides an increase in software security sufficient to offset the effort being invested.
This research does not provide sufficient evidence that vulnerability finding and disclosure is a bad idea.

23 Conclusions
Should we prefer continuous white hat discovery with no disclosure until exploitation by a black hat?
How do we estimate the number of vulnerabilities in an application, both discovered and undiscovered?
