toward a field study on the impact of hacking
play

Toward a Field Study on the Impact of Hacking Competitions on Secure - PowerPoint PPT Presentation

Apr 08, 2023 •161 likes •565 views

Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE DEVELOPMENT 2 SECURE

  1. Toward a Field Study on the Impact of Hacking Competitions on Secure Development Daniel Votipka , Hongyi Hu, Bryan Eastes, and Michelle L. Mazurek 12 Aug 2018

  2. SECURE DEVELOPMENT � 2

  3. SECURE DEVELOPMENT � 2

  4. SECURE DEVELOPMENT � 2

  5. SECURE DEVELOPMENT � 2

  6. SECURE DEVELOPMENT • Non-experts lack experience • Experts learn through CTFs [Votipka et al., 2018] � 2

  7. CAPTURE THE FLAG (CTF) • Attack-oriented competitions ‣ Goal: find and exploit vulnerabilities • Simple, vulnerable programs • Expose competitors to several classes of vulnerabilities � 3

  8. CAPTURE THE FLAG (CTF) • Attack-oriented competitions ‣ Goal: find and exploit vulnerabilities • Simple, vulnerable programs • Expose competitors to several classes of vulnerabilities Do these help in practice? � 3

  9. RESEARCH QUESTIONS 1. Do CTFs improve prevention of security issues? 2. Do CTFs improve recognition of security issues? � 4

  10. PILOT STUDY OVERVIEW (1 week) Dropbox Capture- Time the-Flag � 5

  11. PILOT STUDY OVERVIEW (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Diary Study Dropbox Capture- Time the-Flag � 5

  12. PILOT STUDY OVERVIEW (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Diary Study Dropbox Capture- Time the-Flag Knowledge Assessment Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) � 5

  13. (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag DIARY SURVEYS Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) • Survey regarding recent commit ‣ Issues considered ‣ Reasons for considering each issue ‣ Actions taken to resolve • Not security specific • Open to all Dropbox developers � 6

  14. (10 mins: 6 weeks, 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag DIARY SURVEYS Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) • Survey regarding recent commit ‣ Issues considered ‣ Reasons for considering each issue ‣ Actions taken to resolve Measure impact of CTF on day-to-day decisions • Not security specific • Open to all Dropbox developers � 6

  15. (10 mins: 6 weeks, KNOWLEDGE 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag ASSESSMENT Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) •Part 1: Find vulnerabilities in insecure code ‣ Copy of the Dropbox codebase ‣ 4 known vulnerabilities •Part 2: Write a secure program •Only CTF participants � 7

  16. (10 mins: 6 weeks, KNOWLEDGE 2x/week, 1x/day) (1 week) Diary Surveys Time Dropbox Capture- the-Flag ASSESSMENT Pre-CTF Post-CTF Assessment Assessment (60 mins) (60 mins) •Part 1: Find vulnerabilities in insecure code ‣ Copy of the Dropbox codebase ‣ 4 known vulnerabilities •Part 2: Write a secure program •Only CTF participants Measure improvements to secure development in a controlled setting � 7

  17. ADDITIONAL METRICS • Number of flagged commits • Communication with the Dropbox security team � 8

  18. PILOT PARTICIPATION • Diary Surveys ‣ 28 participants (12 CTF) ‣ 169 surveys • Knowledge Assessment ‣ 7 participants � 9

  19. PILOT PARTICIPATION • Diary Surveys ‣ 28 participants (12 CTF) • Small sample • Methodological ‣ 169 surveys issues addressed in future iterations • Knowledge Assessment ‣ 7 participants � 9

  20. DIARY SURVEYS • Security considered in 17/124 functionality changes ‣ 19% CTF, 13% non-CTF � 10

  21. DIARY SURVEYS • Security considered in 17/124 functionality changes ‣ 19% CTF, 13% non-CTF CTF participants considered security more often � 10

  22. VULNERABILITIES CONSIDERED XSS XSS CSRF SSRF SQLi SQLi Non-CTF Privacy Privacy CTF Logic Logic Local File Local File Disclosure Disclosure Auth Bug Auth Bug 0 20 40 60 Percentage of functionality changes � 11

  23. VULNERABILITIES CONSIDERED XSS XSS CSRF SSRF SQLi SQLi Non-CTF Privacy Privacy CTF Logic Logic Local File Local File Disclosure Disclosure Everyone considered logic- based vulnerabilities Auth Bug Auth Bug 0 20 40 60 Percentage of functionality changes � 11

  24. VULNERABILITIES CONSIDERED CTF participants considered non- XSS XSS functionality vulnerabilities from the CTF CSRF SSRF SQLi SQLi Non-CTF Privacy Privacy CTF Logic Logic Local File Local File Disclosure Disclosure Everyone considered logic- based vulnerabilities Auth Bug Auth Bug 0 20 40 60 Percentage of functionality changes � 11

  25. REASONS FOR CONSIDERING ISSUES Tool ool Teammate eammate Standard Standard Practice Practice Non-CTF CTF Similar Exp. Similar Sensitive Sensitive Data Data Hacker Hacker 0 20 40 60 80 Percentage of functionality changes � 12

  26. REASONS FOR CONSIDERING ISSUES Tool ool Teammate eammate Standard Standard Practice Practice Non-CTF CTF Similar Exp. Similar Sensitive CTF participants adopted Sensitive Data Data an adversarial mindset Hacker Hacker 0 20 40 60 80 Percentage of functionality changes � 12

  27. ACTIONS TAKEN Teammate eammate System System Doc Doc Previous Previous Experience Exp. Non-CTF Later CTF Later Review Review External External Doc Doc Expert Expert 0 10 20 30 40 50 0 10 20 30 40 50 Percentage of functionality changes � 13

  28. ACTIONS TAKEN Teammate eammate System System Doc Doc Previous Previous Experience Exp. Non-CTF Later CTF Later Review Review External CTF participants sought External Doc Doc help outside of their team Expert Expert 0 10 20 30 40 50 0 10 20 30 40 50 Percentage of functionality changes � 13

  29. KNOWLEDGE ASSESSMENT Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 14

  30. KNOWLEDGE ASSESSMENT Change in Assessment Score Average CTF Score 1306 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 15

  31. KNOWLEDGE ASSESSMENT Change in Assessment Score 5 5.0 Average Change in Assessment Score 2.5 2.5 1.36 0.0 0 0 2000 4000 6000 CTF Scores � 16

  32. KNOWLEDGE ASSESSMENT Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 17

  33. Participants with higher than average CTF scores also had KNOWLEDGE ASSESSMENT higher than average changes in assessment scores Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 CTF Scores � 17

  34. Participants with higher than average CTF scores also had KNOWLEDGE ASSESSMENT higher than average changes in assessment scores Change in Assessment Score 5 5.0 2.5 2.5 0.0 0 0 2000 4000 6000 Perfect score on CTF Scores both assessments � 17

  35. ADDITIONAL METRICS • Non-CTF participants’ commits were flagged slightly more often ‣ 2/17 Non-CTF participants flagged ‣ 1/18 CTF participants flagged • 4 CTF participants alerted security team to potential vulnerability � 18

  36. SUMMARY 1. Do CTFs improve prevention of security issues? 2. Do CTFs improve recognition of security issues? � 19

  37. SUMMARY 1. Do CTFs improve prevention of security issues? • Participants who solved more challenges improved in the knowledge assessment • Exposure to non-functionality vulnerabilities 2. Do CTFs improve recognition of security issues? � 19

  38. SUMMARY 1. Do CTFs improve prevention of security issues? • Participants who solved more challenges improved in the knowledge assessment • Exposure to non-functionality vulnerabilities 2. Do CTFs improve recognition of security issues? • Increased consideration of security • Improved security team engagement � 19

  39. Questions : dvotipka@cs.umd.edu SUMMARY vulnstudy.cs.umd.edu 1. Do CTFs improve prevention of security issues? • Participants who solved more challenges improved in the knowledge assessment • Exposure to non-functionality vulnerabilities 2. Do CTFs improve recognition of security issues? • Increased consideration of security • Improved security team engagement � 19

Recommend

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical?

ETHICAL HACKING Daniel Cloherty CAN HACKING BE ETHICAL? What makes hacking ethical? Legality VS Ethics State Sanctioned hacking BLACK HAT - Stereotypical Hacker -Stealing data for personal gain -Obviously not ethical -Using

1.17k views • 10 slides
ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017

ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017

ANALYZING AN OFF-THE-SHELF SURVEILLANCE SOFTWARE HACKING TEAM CASE STUDY Friday 2 nd June, 2017 Stanislav paek Pavel eleda, Martin Draar, Martin Vizvry Introduction Hacking Team Story Began as a security services provider in 2003

324 views • 17 slides
Impact on wide-field optical astr Impact on wide-field optical astronom onomy Tony Tyson

Impact on wide-field optical astr Impact on wide-field optical astronom onomy Tony Tyson

Impact on wide-field optical astr Impact on wide-field optical astronom onomy Tony Tyson University of California, Davis Chief Scientist, Vera C. Rubin Observatory Space on the Hill March 11, 2020 Rubin Observatory will execute the Legacy

322 views • 17 slides
Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking

Hacking Reinforcement Learning Guillem Duran Ballester Guillemdb @Miau_DB A tale about hacking AI-Corp Hacking RL 1. Information gathering 2. Scanning 3. Exploitation & privilege escalation 4. Maintaining access & covering tracks

960 views • 62 slides
iSchool Field Study Information Session Spring 2016 Inform. Engage. Equalize. Lead. Outline

iSchool Field Study Information Session Spring 2016 Inform. Engage. Equalize. Lead. Outline

iSchool Field Study Information Session Spring 2016 Inform. Engage. Equalize. Lead. Outline Goals and Objectives of Field Study General Overview and Context Specifics Regarding Field Study Field Study Database Inform. Engage.

434 views • 14 slides
Texas Energy Efficiency Field Study 1 TECCC February 25, 2015 Richard Morgan The Field Study

Texas Energy Efficiency Field Study 1 TECCC February 25, 2015 Richard Morgan The Field Study

Texas Energy Efficiency Field Study 1 TECCC February 25, 2015 Richard Morgan The Field Study is: 2 A joint project of SPEER and NASEO in collaboration with SECO and funded by DOE to determine whether an investment in building energy code

463 views • 17 slides
OpenOakland Impact OpenOaklands impact has grown significantly since we were founded as an open

OpenOakland Impact OpenOaklands impact has grown significantly since we were founded as an open

OpenOakland Impact OpenOaklands impact has grown significantly since we were founded as an open government innovation and civic hacking group in mid-2012. Since then, weve: Created an engaging, inspiring, (free) and safe space for

261 views • 3 slides
Case Study: Hacking the Lego Mindstorms EV3 Andreas Grapentin Operating Systems and Middleware

Case Study: Hacking the Lego Mindstorms EV3 Andreas Grapentin Operating Systems and Middleware

1 Case Study: Hacking the Lego Mindstorms EV3 Andreas Grapentin Operating Systems and Middleware Group 2018-11-28 2 The Mission Control a simple real-time task on the Lego Mindstorms EV3 > without using the installed Operating System 3

267 views • 16 slides
Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1

Hacking SecondLife Michael Thumann Hacking SecondLife by Michael Thumann 2/24/08 1 Disclaimer Everything you are about to see, hear, read and experience is for educational purposes only. No warranties or guarantees implied or

692 views • 47 slides
Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June

Drone Hacking Basics Intro to UAS Architectures, Attack Vectors and RF Hacking Matt Koskela June 15, 2017 Outline Drone Architectures RF Basics Information Gathering RF Hacking Tools Exploits & Demos Q&A Why? Wrights Law

486 views • 27 slides
Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by

Hacking, Hacktivism, and Counterhacking April 22, 2015 Outline Vocabulary Hacking motivated by benign purposes Hacktivism Counterhacking Case Studies Site defacement Network exploration / Port scanning / SQL injection / . . .

522 views • 18 slides
Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in)

ECF gratefully acknowledges financial support from the European Commission. Hacking Copenhagen ITS World Congress, Copenhagen 2018 Hacking Copenhagen Digitalising (life in) the city of Copenhagen using bicycles. Bicycle-as-a-Sensor 1.

278 views • 11 slides
Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers

Hands-On Ethical Hacking and Network Defense Second Edition Chapter 10 Hacking Web Servers Objectives After reading this chapter and completing the exercises, you will be able to: Describe Web applications Explain Web application

530 views • 9 slides
DUNGEONS & DRAGONS As a Drupal project Hacking and slashing our way through real-world

DUNGEONS & DRAGONS As a Drupal project Hacking and slashing our way through real-world

DUNGEONS & DRAGONS As a Drupal project Hacking and slashing our way through real-world content management problems Exploring New Technology With Familiar Problems C/C++ JavaScript and jQuery Perl Drupal 6, 7, 8, Field

500 views • 37 slides
Tips for Successful Field Experiences Send a letter home explaining your study and include

Tips for Successful Field Experiences Send a letter home explaining your study and include

Tips for Successful Field Experiences Send a letter home explaining your study and include tentative dates for field work Prepare your field site- check for any hazards. Make sure all students visit the restroom before leaving Practice data

538 views • 22 slides
P Past, Present and Future of t P t d F t f AIM Impact Study AIM Impact Study Hideo

P Past, Present and Future of t P t d F t f AIM Impact Study AIM Impact Study Hideo

AIM22, 9-10 Dec. 2016 P Past, Present and Future of t P t d F t f AIM Impact Study AIM Impact Study Hideo Harasawa Hideo Harasawa ( No 657 ( No.657 1 History

144 views • 13 slides
Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat

Pulp Google Hacking The Next Generation Search Engine Hacking Arsenal 3 August 2011 Black Hat 2011 Las Vegas, NV Presen sented ed b by: Francis Brown Rob Ragan Stach & Liu, LLC www.stachliu.com Agenda O V E R V I E W

1.07k views • 72 slides
Impact Fee Study Update City Council May 5, 2020 Consider the adoption of impact fees

Impact Fee Study Update City Council May 5, 2020 Consider the adoption of impact fees

Impact Fee Study Update City Council May 5, 2020 Consider the adoption of impact fees as a means of ensuring new development pays an equitable share of the costs associated with the construction and expansion of public infrastructure

703 views • 22 slides
Innovation: more than a buzzword Innovating to Create Impact Bringing ideas to the field Product

Innovation: more than a buzzword Innovating to Create Impact Bringing ideas to the field Product

Innovation: more than a buzzword Innovating to Create Impact Bringing ideas to the field Product Innovation is about procurement of fit for purpose and value for money supplies that have impact on our programmes and emergencies. UNICEF Supply

324 views • 18 slides
AHDB CP107b Field Lab impact of digestates on soil health 29 June 2017 Agenda 10.00

AHDB CP107b Field Lab impact of digestates on soil health 29 June 2017 Agenda 10.00

AHDB CP107b Field Lab impact of digestates on soil health 29 June 2017 Agenda 10.00 Arrival, tea and coffee 10.20 Welcome, brief introduction to the GREAT soils project and the Field Lab at Mid Coul 10.30 Preliminary results from soil

284 views • 24 slides
Edinburgh Festivals Impact Study Research and Knowledge Exchange in the Creative Economy:

Edinburgh Festivals Impact Study Research and Knowledge Exchange in the Creative Economy:

Edinburgh Festivals Impact Study Research and Knowledge Exchange in the Creative Economy: Impact and Effect Impact and Effect 30 September 2011 What we were asked to do Commissioned to conduct an impact assessment of the twelve

406 views • 17 slides
THE IMPACT OF DIGITALIZATION OF SCAL ON FIELD DEVELOPMENT Presented at the National IOR

THE IMPACT OF DIGITALIZATION OF SCAL ON FIELD DEVELOPMENT Presented at the National IOR

THE IMPACT OF DIGITALIZATION OF SCAL ON FIELD DEVELOPMENT Presented at the National IOR Conference Stavanger, Norway 2018-04-23 Lesley A. James, Christopher D. Langdon, Maziyar Mahmoodi, Daniel J. Sivira www.mun.ca Acknow ledgements

856 views • 38 slides
nhc Study overview Literature Stormwater Loading Field BMP Review Simulations Survey 2 nhc

nhc Study overview Literature Stormwater Loading Field BMP Review Simulations Survey 2 nhc

Infiltration BMP Design and Maintenance Optimization Preliminary Results Lake Tahoe Basin Science Conference May 23, 2012 nhc Study overview Literature Stormwater Loading Field BMP Review Simulations Survey 2 nhc Field data collection

444 views • 16 slides
EMIT ELECTRO MAGNETIC IMPACT TREATMENT Market Analysis & Impact Milky Way Magnetic Field

EMIT ELECTRO MAGNETIC IMPACT TREATMENT Market Analysis & Impact Milky Way Magnetic Field

EMIT ELECTRO MAGNETIC IMPACT TREATMENT Market Analysis & Impact Milky Way Magnetic Field Captured by Plank Spacecraft Wh What at is is E EMIT Electro-Magnetic Impact Treatment (EMIT) is an innovative surface treatment process

433 views • 14 slides

More recommend