Gray, the New Black
Gray-Box Vulnerability Testing
Brian Chess, Ph.D.
Distinguished Technologist, HP
Founder and Chief Scientist, HP Fortify
© 2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Brian Chess
- Founder/Chief Scientist, Fortify Software
- Ph.D. from University of California, 2002
- Started Fortify Software, 2003
- Fortify acquired by HP, 2010
- Loves: "Success is foreseeing failure"
- Hates: "The only way to stop the bad guys is to hunt them down and sue them until they stop."

To do
- Why automated security testing
- Popular testing techniques
- Combining analysis approaches
- Empirical results
Automated Security Testing is Critical
- Vulnerability-finding robots vs. hackers and better education
- The supply of legacy code is never-ending: don't invest in security until you've created value
- Secure today, hacked tomorrow: a constant and consistent need for re-testing
- Security can't be tested like a feature: explore all corners of the application for all vulnerabilities

Speaker notes: We need thorough and consistent vulnerability detection over enormous amounts of code.
1.1 Legacy code: We will always be playing catch-up because people build something of value before they try to protect it. Doing otherwise would be silly.
1.2 Even new code needs to be verified.
1.3 Software security can't be tested as a feature; we need to explore the whole app. This makes typical feature-based testing methods not so useful.
22 August 2011, HP Confidential

Perfect Security Automation
- Finds all the vulnerabilities (no false negatives)
- Never wrong (no false positives)
- Runs fast
- Easy to use
- Easy to know you're using it correctly
- Cheap
Black-Box Testing
- System-level tests
- No assumptions about implementation
- Example: fuzzing
- Good: concrete results
- Bad: a losing game

The Software Security Game
- Objective
- Rules vs. Strategy
- Playing Field
Objective
- Defender: protect everything
- Attacker: exploit one vulnerability

Rules vs. Strategy
- Rules for the defender: don't attack the attacker
- Strategy: emulate attackers' techniques

Who wins?
- Technology
- Expertise
- Time

Changing the odds: The Defender's Advantage
- Time
- Inside access
- Technology
- Expertise

White-Box Testing
- Examine implementation
- Test components in isolation
- Example: static analysis
- Good: thorough
- Bad: too thorough
- Bad: no "show me" exploits

Gray-Box Testing
- System-level tests (like black-box)
- Examine implementation (like white-box)
Prior Art
- 2005: Concolic testing: Sen, University of Illinois
- 2008: SAGE: Godefroid, MSR
- 2008: Test Gen for Web Apps: Shay et al., U. Washington
- 2008: Acunetix: AcuSensor

Hybrid Analysis (diagram)
- Dynamic Analysis and Static Analysis both run against the Application and feed a Correlation Engine

Correlation is Good
- A single report
- No more comparing apples and oranges
- Points out problems with analyzers & configurations

Haters club: Static/Dynamic Hybrid doesn't work because
- Detecting attack surface statically doesn't work
  - Dynamic and late-binding frameworks
- Correlating results doesn't work
  - Not enough information in results to match them up
- Doesn't help with false positives and false negatives
  - Multiplies analysis weaknesses by over-emphasizing overlap

Improving Hybrid (diagram)
- Dynamic Analysis, Static Analysis and the Correlation Engine as before, plus a Monitor running inside the Application

Lining Up an Attack with the Code (diagram)
- Dynamic -> Monitor -> Static
- Dynamic result: http://www.sales.xyz.com?n= ...
- Monitor record: ID: 234, File: MyCode.cs, Line: 27
- Static result: ID: 234, File: MyCode.cs, Line: 27, Source trace: ...

Generation 3: Integrated Analysis (diagram)
- Dynamic Analysis connected by a real-time link to Real-Time Analysis inside the Application

Find More, Fix Faster

Find More
- Detect new types of vulnerabilities: privacy violation, log forging
- Find more of all kinds of vulnerabilities: automatic attack surface identification
- Understand effects of attacks
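The correlation step sketched in the Improving Hybrid and Lining Up an Attack with the Code slides, written out as an added Python example. This is illustration code with constructed data, not HP Fortify's implementation. It assumes the scanner tags each request with a request id that the in-application monitor echoes back when a sink is reached (the dataclass names, the request ids and the URLs other than the slide's ID/file/line triple are all made up here), and it deliberately keeps the unmatched items so the report can point at monitor, static-rule or coverage gaps rather than silently dropping them.

```python
"""Correlation engine sketch: line up a black-box finding with the static
finding for the same sink via a runtime monitor. Added illustration with
constructed data; it is not Fortify's or HP's code."""
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class DynamicFinding:
    request_id: str   # assumed: the scanner tags each request so the monitor can echo it back
    url: str
    category: str


@dataclass(frozen=True)
class MonitorEvent:
    request_id: str   # echoed by the in-app monitor for the request that reached a sink
    sink_id: int      # the slide's "ID: 234"
    file: str         # "File: MyCode.cs"
    line: int         # "Line: 27"


@dataclass(frozen=True)
class StaticFinding:
    sink_id: int
    file: str
    line: int
    category: str
    source_trace: Tuple[str, ...]   # the slide's "Source trace:" (truncated there; constructed here)


@dataclass
class ReportEntry:
    category: str
    file: str
    line: int
    url: Optional[str]
    confirmed: bool            # True when the monitor saw a scanner request reach this sink
    source_trace: Tuple[str, ...]
    status: str


def correlate(dynamic, monitor, static):
    """Join dynamic -> monitor on request id, then monitor -> static on (file, line).
    Unmatched items are kept, not dropped: they are the analyzer/configuration
    problems the slide says correlation "points out"."""
    event_by_request = {e.request_id: e for e in monitor}
    static_by_loc = {(s.file, s.line): s for s in static}
    matched = set()
    report = []
    for d in dynamic:
        ev = event_by_request.get(d.request_id)
        if ev is None:
            # Scanner flagged it but the monitor never saw a sink: monitor coverage gap.
            report.append(ReportEntry(d.category, "?", 0, d.url, False, (),
                                      "dynamic-only: no monitor event, check monitor coverage"))
            continue
        s = static_by_loc.get((ev.file, ev.line))
        if s is None:
            # Runtime proves the sink is reachable, but static analysis has no issue there:
            # a static rule or configuration gap worth investigating.
            report.append(ReportEntry(d.category, ev.file, ev.line, d.url, True, (),
                                      "confirmed at runtime but missing from static results"))
            continue
        matched.add((s.file, s.line))
        report.append(ReportEntry(s.category, s.file, s.line, d.url, True, s.source_trace,
                                  "confirmed: dynamic and static agree"))
    for loc, s in static_by_loc.items():
        if loc not in matched:
            # Static issue never exercised by the scan: unreached attack surface or a false positive.
            report.append(ReportEntry(s.category, s.file, s.line, None, False, s.source_trace,
                                      "static-only: not reached by the scan"))
    return report


# Constructed sample inputs (the ID/file/line triple is the one on the slide).
DYNAMIC = [
    DynamicFinding("req-1", "http://www.sales.xyz.com/?n=probe-1", "Cross-Site Scripting"),
    DynamicFinding("req-2", "http://www.sales.xyz.com/search?q=probe-2", "SQL Injection"),
    DynamicFinding("req-3", "http://www.sales.xyz.com/export?f=probe-3", "Path Manipulation"),
]
MONITOR = [
    MonitorEvent("req-1", 234, "MyCode.cs", 27),
    MonitorEvent("req-2", 512, "Search.cs", 88),
]
STATIC = [
    StaticFinding(234, "MyCode.cs", 27, "Cross-Site Scripting",
                  ('Request.QueryString["n"] @ MyCode.cs:12', "Response.Write @ MyCode.cs:27")),
    StaticFinding(700, "Admin.cs", 40, "Command Injection",
                  ('Request.Form["cmd"] @ Admin.cs:31', "Process.Start @ Admin.cs:40")),
]


def build_report():
    return correlate(DYNAMIC, MONITOR, STATIC)


if __name__ == "__main__":
    for entry in build_report():
        print(f"{entry.category:22} {entry.file}:{entry.line:<4} {entry.status}")
```

The four statuses the report can carry map directly onto the slide's claims: an entry with dynamic, monitor and static evidence is a confirmed issue with a source trace attached; a runtime-confirmed sink with no static issue is a static rule or configuration gap; a dynamic hit with no monitor event is a monitor coverage gap; and a static-only issue is either surface the scan never reached or a candidate false positive.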
Attack surface identification
- /login.jsp
- /pages/account.jsp
- /pages/balance.jsp
- /backdoor.jsp
- Where the surface comes from: file system, configuration-driven, programmatic

Understand effects of attacks
- /backdoor.jsp: Command Injection (sysadmin$ ./sh)

Fix Faster
- Provide actionable details: stack trace, line of code
- Group symptoms with a common cause

Actionable Details (screenshot: /login.jsp)
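The three sources of attack surface named on the slide (file system, configuration-driven, programmatic), combined and compared with what a link-following crawler reached, as an added Python example. The inputs are constructed: a web.xml fragment, a listing of .jsp files under the web root, a Java source snippet using @WebServlet annotations, and a set of crawled URLs; none of it is the product's code or data. The point is the last step: entry points the implementation exposes but the crawl never visited, such as /backdoor.jsp on the slide, are exactly the surface a pure black-box scan cannot see.

```python
"""Attack surface identification from the three sources on the slide (file
system, configuration, programmatic) compared with what a crawler reached.
Added example with constructed inputs; not the product's code."""
import re
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (configuration-driven surface).
WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee">
  <servlet-mapping><servlet-name>account</servlet-name><url-pattern>/pages/account.jsp</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>balance</servlet-name><url-pattern>/pages/balance.jsp</url-pattern></servlet-mapping>
  <servlet-mapping><servlet-name>admin</servlet-name><url-pattern>/admin/*</url-pattern></servlet-mapping>
</web-app>"""

# Constructed listing of .jsp files under the web root (file-system surface).
JSP_FILES = ["/login.jsp", "/pages/account.jsp", "/pages/balance.jsp", "/backdoor.jsp"]

# Constructed Java source using @WebServlet annotations (programmatic surface).
JAVA_SOURCE = '''
@WebServlet("/api/transfer")
public class TransferServlet extends HttpServlet {}

@WebServlet(urlPatterns = {"/api/export", "/api/export.csv"})
public class ExportServlet extends HttpServlet {}
'''

# Constructed set of URLs a black-box crawler actually reached by following links.
CRAWLED = {"/login.jsp", "/pages/account.jsp", "/pages/balance.jsp"}

ANNOTATION_RE = re.compile(r'@WebServlet\s*\(\s*(?:urlPatterns\s*=\s*)?(\{[^}]*\}|"[^"]*")', re.S)


def local_name(tag):
    """Strip the XML namespace so the parser works whatever namespace web.xml declares."""
    return tag.rsplit('}', 1)[-1]


def from_config(web_xml):
    root = ET.fromstring(web_xml)
    return {el.text.strip() for el in root.iter() if local_name(el.tag) == "url-pattern" and el.text}


def from_filesystem(jsp_files):
    return set(jsp_files)


def from_source(java_source):
    paths = set()
    for group in ANNOTATION_RE.findall(java_source):
        paths.update(re.findall(r'"([^"]*)"', group))
    return paths


def discover_attack_surface(web_xml=WEB_XML, jsp_files=JSP_FILES, java_source=JAVA_SOURCE):
    """Map each URL pattern to the evidence sources that revealed it."""
    surface = {}
    for source, paths in (("configuration", from_config(web_xml)),
                          ("file system", from_filesystem(jsp_files)),
                          ("programmatic", from_source(java_source))):
        for p in paths:
            surface.setdefault(p, set()).add(source)
    return surface


def hidden_endpoints(surface, crawled=CRAWLED):
    """Entry points the implementation exposes that the crawler never reached:
    exactly the surface a black-box scan would miss."""
    return sorted(set(surface) - set(crawled))


if __name__ == "__main__":
    surface = discover_attack_surface()
    for path in sorted(surface):
        print(f"{path:22} {', '.join(sorted(surface[path]))}")
    print("not reached by crawl:", hidden_endpoints(surface))
```

Keeping the evidence source per path is useful in practice: a path known only from the file system (a stray .jsp nobody mapped) and a path known only from an annotation (a servlet with no link to it) are the ones to hand to the dynamic scanner first, since they are the entry points no crawl will discover on its own.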
Grouping Symptoms with a Common Cause (diagram)
- /login.jsp: 1 Cross-Site Scripting symptom
- /pages/account.jsp: 2 Cross-Site Scripting symptoms
- /pages/balance.jsp: 3 Cross-Site Scripting symptoms
- All of them: 1 Cross-Site Scripting cause

JavaBB Case Study (open source bulletin board)
- Additional vulnerabilities: finds 18 SQL Injection results
- Root cause analysis: the 18 SQL injection results have 1 root cause
- Vulnerability diagnosis & actionable details (screenshot: confirmed SQL Injection, showing line of code, parameters and stack trace)

Yazd Case Study (open source forum)
- Additional attack surface: discovers a hidden admin area; 3 additional Cross-Site Scripting results
- Root cause analysis: collapses 34 XSS results into 24 root-cause vulnerabilities
- Screenshots: attack surface identification (hidden admin area), group common-cause issues
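The symptom-to-cause grouping behind the Grouping Symptoms with a Common Cause slide and both case studies, as an added Python example. It is not the product's grouping logic; it assumes the in-application monitor captured a stack trace at each sink, and it picks the innermost application frame (skipping JDK, servlet container and other framework frames, a hypothetical prefix list here) as the root cause. All stack traces, page names and the SearchPage/Dao classes are constructed to reproduce the slide's 1 + 2 + 3 Cross-Site Scripting symptoms that share one cause, alongside a second, separate SQL Injection cause so that the grouping does not simply collapse everything.

```python
"""Group vulnerability symptoms (one per URL/parameter the scanner hit) by the
application code location that actually causes them. Added example with
constructed stack traces; not the product's own grouping logic."""
import re
from dataclasses import dataclass
from collections import OrderedDict

FRAME_RE = re.compile(r'^\s*at\s+(?P<cls>[\w.$]+)\.(?P<method>[\w<>$]+)\((?P<file>[\w.]+):(?P<line>\d+)\)')
# Frames from these packages are runtime/framework code, not the application's fix point.
FRAMEWORK_PREFIXES = ("java.", "javax.", "sun.", "org.apache.")


@dataclass(frozen=True)
class Symptom:
    url: str
    parameter: str
    category: str
    stack_trace: str     # captured by the in-app monitor at the sink (constructed here)


def root_cause_frame(stack_trace):
    """The innermost application frame: the line of code a developer must fix."""
    for line in stack_trace.splitlines():
        m = FRAME_RE.match(line)
        if m and not m["cls"].startswith(FRAMEWORK_PREFIXES):
            return m["file"], int(m["line"])
    return None


def group_by_root_cause(symptoms):
    """Key every symptom by (category, file, line) of its root-cause frame."""
    groups = OrderedDict()
    for s in symptoms:
        key = (s.category,) + (root_cause_frame(s.stack_trace) or ("unknown", 0))
        groups.setdefault(key, []).append(s)
    return groups


def _xss_trace(page_class, page_file, page_line):
    # Every page renders its title through the same shared helper, so the sink frame is common.
    return (
        "at java.io.PrintWriter.write(PrintWriter.java:100)\n"
        "at com.example.web.Page.header(Page.java:42)\n"
        f"at com.example.web.{page_class}.render({page_file}:{page_line})\n"
        "at org.apache.jasper.runtime.HttpJspBase.service(HttpJspBase.java:70)"
    )


def _sqli_trace(caller):
    # Two different callers, one shared query helper: again one fix point.
    return (
        "at java.sql.Statement.executeQuery(Statement.java:55)\n"
        "at com.example.db.Dao.query(Dao.java:88)\n"
        f"at com.example.web.{caller}\n"
    )


def build_symptoms():
    """Constructed: the slide's 1 + 2 + 3 XSS symptoms across three pages, plus two SQLi hits."""
    xss = [("/login.jsp", ["user"], "LoginPage", "LoginPage.java", 17),
           ("/pages/account.jsp", ["id", "tab"], "AccountPage", "AccountPage.java", 23),
           ("/pages/balance.jsp", ["acct", "from", "to"], "BalancePage", "BalancePage.java", 31)]
    symptoms = [Symptom(url, p, "Cross-Site Scripting", _xss_trace(cls, f, ln))
                for url, params, cls, f, ln in xss for p in params]
    symptoms.append(Symptom("/search.jsp", "q", "SQL Injection",
                            _sqli_trace("SearchPage.run(SearchPage.java:40)")))
    symptoms.append(Symptom("/pages/account.jsp", "id", "SQL Injection",
                            _sqli_trace("AccountPage.load(AccountPage.java:12)")))
    return symptoms


if __name__ == "__main__":
    for (category, file, line), members in group_by_root_cause(build_symptoms()).items():
        print(f"{category}: 1 cause at {file}:{line}, {len(members)} symptoms on "
              f"{sorted({m.url for m in members})}")
```

Grouping on the innermost application frame is what turns six scanner hits into one work item with a file and line attached; the per-symptom URL and parameter stay in the group as the actionable detail for re-testing once that line is fixed. Which frames count as "framework" is application-specific, which is why the prefix list is the first thing to tune when a group looks wrong.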
More to come
- Automated anti-anti-automation
Haters Club (revisited)
- Detecting attack surface statically doesn't work
- Correlating results doesn't work
- Doesn't help with false positives and false negatives
- Nobody will monitor the execution of the software

The Case for Gray-Box Testing
- Automated security testing is critical
- Black-box is a losing game, white-box is incomplete
- Integrated analysis finds more: attack surface, types of vulnerabilities, vulnerability diagnosis
- Integrated analysis enables faster fixes: root cause analysis, grouping symptoms with a common cause
The Evolution of Software Security
Find More, Fix Faster
Brian Chess, Ph.D.
Distinguished Technologist, HP
Founder and Chief Scientist, HP Fortify