1 / 40

Gray, the New Black

Gray, the New Black. Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011. Gray-Box Web Vulnerability Testing. T odo. Define gray-box testing Why black-box is insufficient What we built Examples Haters club. Definitions. Black-box testing

mauve
Download Presentation

Gray, the New Black

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. Gray, the New Black Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011 Gray-Box Web Vulnerability Testing

  2. Todo • Define gray-box testing • Why black-box is insufficient • What we built • Examples • Haters club

  3. Definitions • Black-box testing • System-level tests • No assumptions about implementation

  4. Definitions • White-box testing • Examine implementation • Test components in isolation

  5. Definitions • Gray-box testing • System-level tests (like black-box) • Examine implementation (like white-box)

  6. The Software Security Game • Objective • Rules vs. Strategy • Playing Field

  7. OBJECTIVE: Protect everything OBJECTIVE: Exploit one vulnerability

  8. Rules for the Defender • Don’t attack the attacker

  9. Rules vs. Strategy Rules • Don’t attack the attacker Strategy • Emulate attacker’s techniques

  10. Who wins? • Technology • Expertise

  11. Who wins? • Technology • Expertise • Time

  12. Who wins? • Technology • Expertise • Time

  13. Changing the odds

  14. The Defender’s Advantage • Time • Technology • Expertise • InsideAccess

  15. Prior Art • 2005: Concolic testing: Sen, University of Illinois • 2008: Microsoft SAGE: Godefroid, MSR • 2008: Test Gen for Web Apps: Shay et al, U. Washington • 2008: Accunetix: Accusensor

  16. Access to the Software Allows for ‘Hybrid’ analysis Dynamic Analysis Static Analysis Black-box Approach White-box Approach

  17. ‘Hybrid’ Analysis Dynamic Analysis Static Analysis Correlation Engine

  18. The ‘Real-Time Hybrid’ Approach Real-Time Analysis Dynamic Analysis Static Analysis Correlation Engine

  19. Evolving to Integrated Analysis Application Dynamic Analysis Real-Time Analysis Real-time link • Find More • Fix Faster

  20. Find More • Reduce false negatives • Automatic attack surface identification • Understand effects of attacks • Detect new types of vulnerabilities • Privacy violation, Log Forging

  21. Attack surface identification /login.jsp /pages/account.jsp /pages/balance.jsp /admin/admin.jsp • File system • Configuration-driven • Programmatic

  22. Understand effects of attacks ✗ /admin/admin.jsp ✔ sysadmin$./sh Command Injection

  23. Fix Faster • Reduce False Positives • Confirm vulnerabilities • Provide Actionable Details • Stack trace • Line of code • Collapse Duplicate Issues • Tie to root cause

  24. Reduce FalsePositives /admin/admin.jsp SQLi? ✔

  25. Actionable Details /login.jsp

  26. Collapse Duplicate Issues /login.jsp /pages/account.jsp /pages/balance.jsp 1 3 1 2 Cross-Site Scripting

  27. JavaBB – Case Study • Open Source Bulletin Board • Additional Vulnerabilities • Finds18 SQL Injection results • Root cause analysis • 18 SQL injection results have 1 root cause

  28. Vulnerability Diagnosis Confirmed SQL Injection

  29. Actionable Details Parameters Line of Code Stack Trace

  30. Yazd – Case Study • Open Source Forum • Additional Attack Surface • Discovers hidden ‘admin’ area • 3 Additional Cross-Site Scripting results • Root cause analysis • Collapses 34 XSS into 24 root-cause vulnerabilities

  31. Attack surface identification Hidden ‘admin’ area

  32. Collapse Duplicate Issues

  33. One More Case Study

  34. Future • Automated anti-anti automation

  35. The Case Against “Hybrid” • Hard to find attack surface with static analysis • Static/dynamic correlation doesn’t work • Doesn’t help with false positives / false negatives • Nobody will run a software monitor (cheating!)

  36. The Case for Gray-Box Testing • Black-box is a losing game • Find more • Attack surface • Vulnerability diagnosis • Fix faster • Root cause analysis • Collapse duplicates

  37. Gray, the New Black Brian Chess Founder / Chief Scientist Fortify Software, an HP Company June 22, 2011 Gray-Box Web Vulnerability Testing

More Related