230 likes | 236 Views
This presentation by Jeff Wheeler explores the importance of finding security vulnerabilities in software and the potential impact on software security. It examines the vulnerability lifecycle, cost of disclosure, rate of vulnerability discovery, and sources of error. The research aims to provide evidence on the effectiveness of vulnerability finding and disclosure in improving software security.
E N D
Is finding security holes a good idea? Presented By: Jeff Wheeler CSC 682
Outline • Introduction • Vulnerability Lifecycle • Cost of Disclosure • Finding rate to pr • Rate of Vulnerability Discovery • Sources of Error
Introduction • Assertions • It is better for vulnerabilities to be found by good guys than bad guys. • Vulnerability finding increases total software quality
The life cycle of a vulnerability • Introduction – the vulnerability is first released as part of the software. • Discovery – the vulnerability is found. • Private Exploitation – the vulnerability is exploited by the discoverer or a small group known to him or her. • Disclosure – a description of the vulnerability is published.
The life cycle of a vulnerability • Public Exploitation – the vulnerability is exploited by the general community of black hats. • Fix Release – a patch or upgrade is released
The life cycle of a vulnerability • These events do not occur strictly in this order. • Ex: software manufacture releases disclosure and fix
White Hat Discovery • Discovery, Fix, and Disclosure: Best Case • The vulnerability is discovered by a researcher with no interest in exploiting it. • The researcher notifies the vendor • The vendor releases an advisory and a fix • Public exploitation begins at time of disclosure
Black Hat Discovery • Discovery, Fix, and Disclosure: Worst Case • The vulnerability is first discovered by someone with an interest in exploiting it. • Black hat community exploitation • Knowledgeable person identifies exploit being used against a system and notifies vendor • The vendor releases an advisory and a fix • Public exploitation begins at time of disclosure
WHD versus BHD • WHD eliminates period of Private Exploitation • CBHD – CWHD = Cpriv • Are administrators more likely to patch if they know a vulnerability is being actively exploited? • Total number of vulnerable systems will decline more quickly, minimizing peak exploitation rate
Cost-Benefit Analysis of Disclosure • Best Case • White hat discovery, never rediscovered or exploited • Worst Case • Black hat discovery • Cpriv + Cpub
From finding rate to pr • Assumption: Vulnerability discovery is a stochastic process. • Overall rate of vulnerability discovery in a particular application is a good estimate for pr • Pr upper bound current percent discovery
Determining the Vulnerability Discovery Rate • Assumption: Software undergoes multiple releases • If we assume patches/releases do not introduce new bugs, only fixes, we can assume overall software quality increases with time • How does one determine this rate?
Determining the Vulnerability Discovery Rate • ICAT vulnerability metabase • A searchable index of computer vulnerabilities. • Entire database available for public download and analysis • Relevant Information • Rate of discovery over time, Program and version effected • Data Cleansing
Sources of Error • Unknown Versions • Bad Version Assignment • Announcement Lag • Severity of Vulnerabilities • Operating System Effects • Packages included with OS, use OS release date instead of package release date • Effort Variability • Different Vulnerability Classes • Data Errors
Is it worth disclosing vulnerabilities? • If there is no depletion of vulnerabilities, then disclosing vulnerabilities is always harmful. This implies there is an infinite number of vulnerabilities and pr approaches zero. • If we assume the pool of vulnerabilities is depleting, and all vulnerabilities will eventually be discovered, pr=1, and disclosing vulnerabilities makes sense.
Conclusions • This research does not provide sufficient evidence that vulnerability finding and disclosure provides in increase in software security sufficient to offset the effort being invested. • This research does not provide sufficient evidence that vulnerability finding and disclosure is a bad idea.
Conclusions • Prefer continuous white hat discovery with no disclosure until exploitation by black hat? • How do we estimate the number of vulnerabilities in an application, both discovered and undiscovered?