Presentation is loading. Please wait.

Presentation is loading. Please wait.

Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop.

Published byNigel McCoy Modified over 9 years ago

Similar presentations

Presentation on theme: "Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop."— Presentation transcript:

1 Choosing SATE Test Cases Based on CVEs Sue Wang suewang_2000@yahoo.com October 1, 2010 The SAMATE Project http://samate.nist.gov/ 1SATE 2010 Workshop

2 Purpose and Motivation Provide test cases with exploitable vulnerabilities In an ideal world a tool detects significant bugs Also provide a fixed version of each test case To confirm low false positive rate Mentioned by SATE organizers and detailed proposal by Paul Anderson (SATE 2009 workshop) Brought up by tool makers and supported by users (SATE 2010 organization meeting) 2

3 Selection Criteria Open source software in C/C++ and Java AND with known security-related bugs AND get older versions AND manually pinpoint the bugs AND find a fixed version AND compile the source code 3

4 Primary Sources Brainstorm and exchange ideas within SAMATE team and with others Search for open sources, for instance –java-source.net –sourceforge.net –Other lists of scanned projects Search for related vulnerabilities –CVE – Common Vulnerabilities and Exposures (cve.mitre.org) –NVD – National Vulnerabilities Database (nvd.nist.gov) –CVE Details – enhanced CVE data (www.cvedetails.com) –OSVDB – The Open Source Vulnerability Database (osvdb.org) 4

5 Selection Process Identify potential SW List of Open Source SW Identify CVEs for each SW List of Relevant CVEs Collect factors for each CVE Analyzed CVEs Determine multi-factor eligibility Selected Candidates Find path & sink of CVE flaws SW with identified CVEs 5 Narrowed down to 12 open source software

6 Additional Selection Criteria multi-factor eligibility Quantity of CVEs Versions with and w/o flaws Versions have similar folder structures Resources to find CVE locations Versions available for Linux 6

7 Pinpointing the CVE Flaw path and sink for the CVE CVE’s description and references patch, bug tracking, & ver. control Follow information across various resources diff based on path and file name Code reviews and analysis 7

8 Selected Test Cases Wireshark C 1.6M LOC3k+ files100 CVEs evaluated 17 CVEs selected (17%) Google Chrome 5 C++ 4.7M LOC32k files103 CVEs evaluated9 CVEs selected (8.7%) Apache Tomcat 5 Java 174k LOC2k+ files91 CVEs evaluated 29 CVEs selected (32%) 8

9 Observations Took far more time and effort than expected –CVEs are not created equal Newer CVEs have higher quality info Some CVEs required large amounts of research –Locating the path and sink is much harder than finding the fix Reasons for low CVE selection rate –Not present in the selected version –Could not locate the source code or could not locate the sink Useful resources and tips –Source’s patches, bug tracking and version control info –Combine information from multiple resources (e.g., version -> bug # -> tracking -> batches) 9

10 Possible Future Work? Re-use the 3 test cases –Pinpoint more CVE flaws –Involve developers for confirming some of the pinpointed flaws –Invite tool makers to map warnings to CVEs –Analyze the warning and CVE mappings amount different tool makers and SATE findings –Store well understood CVE related test cases in SRD Other suggestions? 10

Download ppt "Choosing SATE Test Cases Based on CVEs Sue Wang October 1, 2010 The SAMATE Project 1SATE 2010 Workshop."

Similar presentations

Personalized Navigation in the Semantic Web: An Enhanced Faceted Browser Michal Tvarožek FIIT STU BA.

Personalized Navigation in the Semantic Web: An Enhanced Faceted Browser Michal Tvarožek FIIT STU BA.
SATE 2010 Background Vadim Okun, NIST October 1, 2010 The SAMATE Project

SATE 2010 Background Vadim Okun, NIST October 1, 2010 The SAMATE Project
© Coverity 2010 Coverity Analysis: Improving Quality in the Software Supply Chain Peter Henriksen, Development Manager for Analysis, Coverity October 1,

© Coverity 2010 Coverity Analysis: Improving Quality in the Software Supply Chain Peter Henriksen, Development Manager for Analysis, Coverity October 1,
Using E-Class Managing Documents in the Library. This is a PowerPoint presentation of about five minutes duration. It will explain the principles of document.

Using E-Class Managing Documents in the Library. This is a PowerPoint presentation of about five minutes duration. It will explain the principles of document.
Copyright © 2014 Pearson Education, Inc. 1 Managers from across organizations are involved in developing and acquiring information systems Chapter 5 -

Copyright © 2014 Pearson Education, Inc. 1 Managers from across organizations are involved in developing and acquiring information systems Chapter 5 -
SAFETYCHECK Eric Hatch | David Allen |Bailee Lucas| Austin Rhodes.

SAFETYCHECK Eric Hatch | David Allen |Bailee Lucas| Austin Rhodes.
Chapter 3.5 Debugging Games

Chapter 3.5 Debugging Games
Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.

Using Programmer-Written Compiler Extensions to Catch Security Holes Authors: Ken Ashcraft and Dawson Engler Presented by : Hong Chen CS590F 2/7/2007.
Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.

Improving Static Analysis Results Accuracy Chris Wysopal CTO & Co-founder, Veracode SATE Summit October 1, 2010.
Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.

Software Security Growth Modeling: Examining Vulnerabilities with Reliability Growth Models Andy Ozment Computer Security Group Computer Laboratory University.
Software to Manage EEP Vegetation Plot Data A design proposal Michael Lee January 31, 2011.

Software to Manage EEP Vegetation Plot Data A design proposal Michael Lee January 31, 2011.
WRAP Technical Support System Project Update AoH Call October 19, 2005.

WRAP Technical Support System Project Update AoH Call October 19, 2005.
Vulnerability Assessments

Vulnerability Assessments
Finding and Evaluating Inventions, Prior Art How to Find Inventions, How to Evaluate Inventions, Finding Prior Art.

Finding and Evaluating Inventions, Prior Art How to Find Inventions, How to Evaluate Inventions, Finding Prior Art.
This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.

This is a work of the U.S. Government and is not subject to copyright protection in the United States. The OWASP Foundation OWASP AppSec DC October 2005.
Cis-Regulatory/ Text Mining Interface Discussion.

Cis-Regulatory/ Text Mining Interface Discussion.
Planning for SATE V Paul E. Black National Institute of Standards and Technology

Planning for SATE V Paul E. Black National Institute of Standards and Technology
Chapter 6– Artifacts of the process

Chapter 6– Artifacts of the process
Faculty of Informatics and Information Technologies Slovak University of Technology Personalized Navigation in the Semantic Web Michal Tvarožek Mentor:

Faculty of Informatics and Information Technologies Slovak University of Technology Personalized Navigation in the Semantic Web Michal Tvarožek Mentor:
N By: Md Rezaul Huda Reza n

N By: Md Rezaul Huda Reza n

Similar presentations

Ads by Google