Presentation is loading. Please wait.

Presentation is loading. Please wait.

Crispin Cowan, PhD CTO, Immunix Relative Vulnerability: An Empirical Assurance Metric.

Published byShanna Davis Modified over 8 years ago

Similar presentations

Presentation on theme: "Crispin Cowan, PhD CTO, Immunix Relative Vulnerability: An Empirical Assurance Metric."— Presentation transcript:

1 Crispin Cowan, PhD CTO, Immunix Relative Vulnerability: An Empirical Assurance Metric

2 The Problem With Current Security Assesments On one end: highly formal assurance – Common Criteria: Extremely expensive: about $1M for initial assessment Meaningless answer: – 3 bits: EAL0-7 – A “high assurance” OS can be rooted the next day by a buffer overflow – So how much of this is “enough”? On the other end: Bugtraq Whack-a-mole – Chronic chain of “gotcha” vulnerability disclosures – Each disclosure tells you that you are not secure, but when you are secure is undecided – Not very helpful :)

3 Assessing the Assurance of Retro-Fit Security Commodity systems (UNIX, Linux, Windows) are all highly vulnerable – Have to retrofit them to enhance security But there are lots of retrofit solutions – Are any of them effective? – Which one is best? – For my situation? Instead of “How much security is enough for this purpose?”, we get “Among the systems I can actually deploy, which is most secure?” – Consumer says “We are only considering solutions on FooOS and BarOS” – Relative figure of merit helps customer make informed, realistic choice

4 Proposed Benchmark: Relative Vulnerability Compare a “base” system against a system protected with retrofits – E.g. Red Hat enhanced with Immunix, SELinux, etc. – Windows enhanced with Entercept, Okena, etc. Count the number of known vulnerabilities stopped by the technology “Relative Invulnerability”: % of vulnerabilities stopped

5 Can You Test Security? Traditionally: no – Trying to test the negative proposition that “this software won’t do anything funny under arbitrary input”, I.e. no surprising “something else’s” Relative Vulnerability transforms this into a positive proposition: – Candidate security enhancing software stops at least foo% of unanticipated vulnerabilities over time

6 Vulnerability Categories Local/remote: whether the attacker can attack from the network, or has to have a login shell first Impact: using classic integrity/privacy/availability Penetration: raise privilege, or obtain a shell from the network Disclosure: reveal information that should not be revealed DoS: degrade or destroy service

7 Impact Lower barriers to entry – Anyone can play -> more systems certified Real-valued result – Instead of boolean certified/not-certified Easy to interpret – Can partially or totally order systems Empirical measurement – Measure results instead of adherence to process Implementation measurement – CC can’t measure most of the Immunix defenses (StackGuard, FormatGuard, RaceGuard) – RV can measure their efficacy

8 Issues Does not measure vulnerabilities introduced by the enhancing technology – Actually happened to Sun/Cobalt when they applied StackGuard poorly Counting vulnerabilities: – When l33t d00d reports “th1s proggie has zilli0ns of bugs” and supplies a patch, is that one vulnerability, or many? Dependence on exploits – Many vulnerabilities are revealed without exploits Should the RV test lab create exploits? Should the RV test lab fix broken exploits? – Probably yes Exploit success criteria – Depends on the test model – Defcon “capture the flag” would not regard Slammer as a successful exploit because payload was not very malicious

9 Work-factor View Assume that well-funded attacker can penetrate almost any system eventually The question is “How long can these defensive measures resist?” RV may probabilistically approximate the work factor to crack a system – foo% of native vulnerabilities are not actually exploitable – Therefore foo% of the time a well-funded attacker can’t get in that way – Attacker takes foo% longer to get in???

10 Lessons Learned the Hard Way Security advisories lie – often incomplete, or wrong Published exploits are mostly broken, deliberately Compiled-in intrusion prevention like StackGuard makes it expensive to determine whether the defense is really working, or if it is just an incompatibility – Also true of diversity defenses

11 Technology Transfer ICSA Labs – traditionally certify security products (firewalls, AV, IDS, etc.) – no history of certifying secure operating systems – interested in RV for evaluating OS security ICSA issues – ICSA needs a pass/fail criteria – ICSA will not create exploits

Download ppt "Crispin Cowan, PhD CTO, Immunix Relative Vulnerability: An Empirical Assurance Metric."

Similar presentations

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.

Vulnerability Analysis. Formal verification Formally (mathematically) prove certain characteristics Proves the absence of flaws in a program or design.
Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.

Security and Open Source: the 2-Edged Sword Crispin Cowan, Ph.D WireX Communications, Inc wirex.com.
A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.

A Complete Tool For System Penetration Testing Presented By:- Mahesh Kumar Sharma B.Tech IV Year Computer Science Roll No. :- CS09047.
Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.

Stack-Based Buffer Overflows Attacker – Can take over a system remotely across a network. local malicious users – To elevate their privileges and gain.
Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.

Lecture 2 Page 1 CS 236, Spring 2008 Security Principles and Policies CS 236 On-Line MS Program Networks and Systems Security Peter Reiher Spring, 2008.
CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.

CMSC 414 Computer and Network Security Lecture 9 Jonathan Katz.
Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.

Lesson 13-Intrusion Detection. Overview Define the types of Intrusion Detection Systems (IDS). Set up an IDS. Manage an IDS. Understand intrusion prevention.
Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.

Achieving Trusted Systems by Providing Security and Reliability Ravishankar K. Iyer, Zbigniew Kalbarczyk, Jun Xu, Shuo Chen, Nithin Nakka and Karthik Pattabiraman.
Building Secure Software Chapter 9 Race Conditions.

Building Secure Software Chapter 9 Race Conditions.
Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.
Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.

Information Networking Security and Assurance Lab National Chung Cheng University Introduction to Software Security Jared 2004/03/17.
Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )

Information Networking Security and Assurance Lab National Chung Cheng University 2004/03/031 A Real World Attack: wu-ftp Cao er kai ( 曹爾凱 )
Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.

Assessing the Threat How much money is lost due to cyber crimes? –Estimates range from $100 million to $100s billions –Why the discrepancy? Companies don’t.
1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research

1 Security and Software Engineering Steven M. Bellovin AT&T Labs – Research
Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.

Intrusion Prevention System Group 6 Mu-Hsin Wei Renaud Moussounda Group 6 Mu-Hsin Wei Renaud Moussounda.
Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.

Buffer Overflow Attacks. Memory plays a key part in many computer system functions. It’s a critical component to many internal operations. From mother.
Security Comparisons of Open Source and Closed Source Programs Katherine Wright.

Security Comparisons of Open Source and Closed Source Programs Katherine Wright.
Capture The Flag Review Fall 2003 Giovanni Vigna University of California Santa Barbara

Capture The Flag Review Fall 2003 Giovanni Vigna University of California Santa Barbara
Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec

Security Risk Management Marcus Murray, CISSP, MVP (Security) Senior Security Advisor, Truesec
Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.

Mitigating DoS Attacks against Broadcast Authentication in Wireless Sensor Networks Peng Ning, An Liu North Carolina State University and Wenliang Du Syracuse.

Similar presentations

Ads by Google