CHESS: Computers and Humans Exploring Software Security
Mr. Dustin Fraze
4/19/2018
Approved for public release; distribution is unlimited.
CHESS

Develop computer-human systems to rapidly discover all classes of vulnerability in complex software.
Limits of Current Approaches

Approach                           Vulnerability       Vulnerability         Representative
                                   Discovery Speed     Discovery Accuracy    Software Complexity
Human                              Low                 Low                   Web Browser
Computer                           High                Low                   Small Test Corpora
Computer-Human Experiments [1,2]   High                Moderate              Small Test Corpora
CHESS                              High                High                  Web Browser

[1] Muntean et al., “Automated Detection of Information Flow Vulnerabilities in UML State Charts and C Code”, http://ieeexplore.ieee.org/document/7322134/, 2015
[2] Shoshitaishvili et al., “Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance”, https://arxiv.org/abs/1708.02749, 2017
Today’s Approach to Vulnerability Discovery

[Figure: human effort only (no automation). Expert hackers work from source code and binaries, at a cost of 1,000+ FTE hrs, on software of 1,000,000+ complexity. The vulnerabilities axis lists the target classes: Data/Code Injection, Data Misuse, Logic Errors, Authentication Issues, Input Validation, Access Control Errors, Cryptographic Issues, Path Traversal, Resource Mgmt Errors, Information Disclosure, Memory Corruption, Arithmetic Errors.]

References:
Ablon, Lily, “Zero Days, Thousands of Nights”, https://www.rand.org/pubs/research_reports/RR1751.html, 2017
Muntean et al., “Automated Detection of Information Flow Vulnerabilities in UML State Charts and C Code”, http://ieeexplore.ieee.org/document/7322134/, 2015
Shoshitaishvili et al., “Rise of the HaCRS: Augmenting Autonomous Cyber Reasoning Systems with Human Assistance”, https://arxiv.org/abs/1708.02749, 2017
Vulnerability Discovery with CGC

[Figure: automation only (no human). A Cyber Reasoning System (Static Analysis, Fuzzing, Symbolic Execution, SAT/SMT Solvers) works from binaries on software of 1,000+ complexity and covers three vulnerability classes: Information Disclosure, Memory Corruption, Arithmetic Errors.]
Experimental Vulnerability Discovery with Novice Hackers

[Figure: human plus automation. Novice hackers, supported by UML Generation and UML Analysis, work from source code on software of 1,000+ complexity at < 1 FTE hrs; vulnerability discovery accuracy rises from 0% to 94% for the classes Access Control Errors and Cryptographic Issues. UML: Unified Modeling Language.]
Experimental Vulnerability Discovery with Non-Experts

[Figure, two experiments combining human and automation:
- Novice hackers, supported by UML Generation and UML Analysis, work from source code on software of 1,000+ complexity at < 1 FTE hrs; vulnerability discovery accuracy rises from 0% to 94% for the classes Access Control Errors and Cryptographic Issues. UML: Unified Modeling Language.
- Non-hackers, supported by a Cyber Reasoning System (Static Analysis, Fuzzing, Symbolic Execution, SAT/SMT Solvers), work from binaries on software of 1,000+ complexity at 335 FTE hrs; vulnerability discovery accuracy rises from 42% to 66% for the classes Information Disclosure, Memory Corruption, Arithmetic Errors.]
Collaborative Vulnerability Discovery with CHESS

[Figure: CHESS program architecture spanning human and automation.
- TA1 Human Collaboration: Representation Generator, Representation For Humans, Annotated Representation, Context Processor; human collaborators are Expert Hackers, Novice Hackers and Non-Hackers.
- TA2 Vulnerability Discovery: Info Gap Detector and Vulnerability Detector within a Cyber Reasoning System, working from Source Code and Binary and producing a Proof of Vulnerability.
- TA3 Voice of the Offense.
- TA4 Control Team.
- TA5 Integration, Test and Evaluation.
Target vulnerability classes: Data/Code Injection, Data Misuse, Logic Errors, Authentication Issues, Input Validation, Access Control Errors, Cryptographic Issues, Path Traversal, Resource Mgmt Errors, Information Disclosure, Memory Corruption, Arithmetic Errors.]
TA1 Human Collaboration

Challenges:
• Identify and generate representations that communicate information gaps to humans
• Capture and process the insights humans generate by reasoning over the representations

Possible Approaches:
• UML Diagrams (Class, Activity, etc.)
• Control Flow Graphs
• Hilbert Curves for Cyclic Activity
• Annotation/Label Sets
• Instrumented Program Interaction
• Human Mental Model Analysis

[Figure: TA1 components (Representation Generator, Representation For Humans, Annotated Representation, Context Processor) and human collaborators (Expert Hackers, Novice Hackers, Non-Hackers).]

1. Process identified information gaps into human-understandable representations
2. Summarize and minimize software artifact data
3. Interact with human teammates using generated representations
4. Capture contextual insights from human
5. Process human feedback into machine-ingestible formats
TA1 Human Collaboration

Strong Proposals will:
• Reduce the cognitive load and effort required by human collaborators
• Explore new representations and methods of human-computer interaction for capturing human insights
• Empower non-expert collaborators (novice hackers, non-hackers)
• Scale from single computer-human collaboration to N:N team collaboration
• Address any relevant HSR issues (data collection, data anonymization, test subject recruitment, etc.)

Strong Proposals will NOT:
• Involve invasive medical technology
• Only improve performance of expert hackers
TA2 Vulnerability Discovery

Challenges:
• Identify information required to discover classes of vulnerabilities not addressed by automation
• Extend CRS technology to scale up and reason over new and existing representations
• Develop new vulnerability detection techniques to leverage human-provided insights

Possible Approaches:
• Type Usage
• Semantic Metadata
• Complexity Inference
• Compilation Instrumentation
• Type Chain Analysis
• Object/Data Type Classification
• Function Call Context
• Semantic Concreteness/Clustering

[Figure: Source Code and Binary feed the Info Gap Detector and Vulnerability Detector of the Cyber Reasoning System, which produces a PoV.]

1. Analyze source code and related software artifacts for potential vulnerabilities
2. Identify regions of uncertainty and other obstacles to automated analysis in source code and related software artifacts
3. Identify vulnerabilities in target categories
4. Generate Proofs of Vulnerability (PoV) and patches
TA2 Vulnerability Discovery

Strong Proposals will:
• Identify vulnerability discovery techniques that may benefit from human collaborator insights
• Address vulnerability classes in a thorough and scalable manner
• Generate patches that address underlying vulnerabilities completely and specifically
• Scale from single computer-human collaboration to N:N team collaboration

Strong Proposals will NOT:
• Identify vulnerabilities inserted in challenge sets via diffing
• Focus only on memory corruption and arithmetic errors
• Rely primarily on fuzzing for vulnerability discovery
TA3 Voice of the Offense

Challenges:
• Develop challenge problems scaling to 1M+ complexity
• Ensure challenge problems are representative of required vulnerability classes

Possible Approaches:
• Large-scale Automated Vulnerability Addition (LAVA)
• Vulnerability test corpora (Juliet, CGC, OSS-FUZZ, etc.)
• Public n-day databases

[Figure: Vulnerability Injection yields Vulnerable Source Code and Patched Source Code, each built to a Binary; a PoV Spec. yields a PoV.]

1. Develop challenge problems with vulnerabilities across all required classes and scaling from 10K to 1M+ complexity
2. Develop a source code patch for each challenge problem vulnerability
3. Develop a binary patch for each challenge problem vulnerability
4. Create a proof of vulnerability (PoV) specification for each vulnerability class
5. Develop a PoV for each challenge problem vulnerability