410 likes | 635 Views
Gray, the New Black. Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011. Gray-Box Web Vulnerability Testing. T odo. Define gray-box testing Why black-box is insufficient What we built Examples Haters club. Definitions. Black-box testing
E N D
Gray, the New Black Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011 Gray-Box Web Vulnerability Testing
Todo • Define gray-box testing • Why black-box is insufficient • What we built • Examples • Haters club
Definitions • Black-box testing • System-level tests • No assumptions about implementation
Definitions • White-box testing • Examine implementation • Test components in isolation
Definitions • Gray-box testing • System-level tests (like black-box) • Examine implementation (like white-box)
The Software Security Game • Objective • Rules vs. Strategy • Playing Field
OBJECTIVE: Protect everything OBJECTIVE: Exploit one vulnerability
Rules for the Defender • Don’t attack the attacker
Rules vs. Strategy Rules • Don’t attack the attacker Strategy • Emulate attacker’s techniques
Who wins? • Technology • Expertise
Who wins? • Technology • Expertise • Time
Who wins? • Technology • Expertise • Time
The Defender’s Advantage • Time • Technology • Expertise • InsideAccess
Prior Art • 2005: Concolic testing: Sen, University of Illinois • 2008: Microsoft SAGE: Godefroid, MSR • 2008: Test Gen for Web Apps: Shay et al, U. Washington • 2008: Accunetix: Accusensor
Access to the Software Allows for ‘Hybrid’ analysis Dynamic Analysis Static Analysis Black-box Approach White-box Approach
‘Hybrid’ Analysis Dynamic Analysis Static Analysis Correlation Engine
The ‘Real-Time Hybrid’ Approach Real-Time Analysis Dynamic Analysis Static Analysis Correlation Engine
Evolving to Integrated Analysis Application Dynamic Analysis Real-Time Analysis Real-time link • Find More • Fix Faster
Find More • Reduce false negatives • Automatic attack surface identification • Understand effects of attacks • Detect new types of vulnerabilities • Privacy violation, Log Forging
Attack surface identification /login.jsp /pages/account.jsp /pages/balance.jsp /admin/admin.jsp • File system • Configuration-driven • Programmatic
Understand effects of attacks ✗ /admin/admin.jsp ✔ sysadmin$./sh Command Injection
Fix Faster • Reduce False Positives • Confirm vulnerabilities • Provide Actionable Details • Stack trace • Line of code • Collapse Duplicate Issues • Tie to root cause
Reduce FalsePositives /admin/admin.jsp SQLi? ✔
Actionable Details /login.jsp
Collapse Duplicate Issues /login.jsp /pages/account.jsp /pages/balance.jsp 1 3 1 2 Cross-Site Scripting
JavaBB – Case Study • Open Source Bulletin Board • Additional Vulnerabilities • Finds18 SQL Injection results • Root cause analysis • 18 SQL injection results have 1 root cause
Vulnerability Diagnosis Confirmed SQL Injection
Actionable Details Parameters Line of Code Stack Trace
Yazd – Case Study • Open Source Forum • Additional Attack Surface • Discovers hidden ‘admin’ area • 3 Additional Cross-Site Scripting results • Root cause analysis • Collapses 34 XSS into 24 root-cause vulnerabilities
Attack surface identification Hidden ‘admin’ area
Future • Automated anti-anti automation
The Case Against “Hybrid” • Hard to find attack surface with static analysis • Static/dynamic correlation doesn’t work • Doesn’t help with false positives / false negatives • Nobody will run a software monitor (cheating!)
The Case for Gray-Box Testing • Black-box is a losing game • Find more • Attack surface • Vulnerability diagnosis • Fix faster • Root cause analysis • Collapse duplicates
Gray, the New Black Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011 Gray-Box Web Vulnerability Testing