
Mudge at CanSecWest 2013 - A Farewell to Cyber Fast Track


Duo Security

March 06, 2013


Transcript

  1. Cyber Fast Track – DARPA-PA-11-52, Amendment 4 (posted January 31, 2013). Closing date: proposals will be accepted at any time until 12:00 noon (ET), April 1, 2013 (amended from August 3). https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html Distribution A: Approved for Public Release, Distribution Unlimited.
  2. Heilmeier Questions. When George Heilmeier was the director of DARPA in the mid 1970s, he had a standard set of questions he expected every proposal for a new research program to answer:
     1. What is the problem, why is it hard?
     2. How is it solved today?
     3. What is the new technical idea; why can we succeed now?
     4. What is the impact if successful?
     5. How will the program be organized?
     6. How will intermediate results be generated?
     7. How will you measure progress?
     8. What will it cost?
  3. 2011 Ground truth… Federal Cyber Incidents, fiscal years 2006 – 2011. [Chart: Cyber Incidents Reported to US-CERT by Federal agencies, 2006–2010, y-axis 0 to 45,000.] Source: [1] GAO Testimony GAO-12-166T, CYBERSECURITY: Threats Impacting the Nation.
  4. 2011 Ground truth… Federal Cyber Incidents and Defensive Cyber Spending, fiscal years 2006 – 2011. [Chart: Cyber Incidents Reported to US-CERT by Federal agencies [1], 2006–2010, left axis 0 to 45,000, overlaid with Federal Defensive Cyber Spending [2] in $B, right axis 0.0 to 12.0.] Sources: [1] GAO Testimony GAO-12-166T, CYBERSECURITY: Threats Impacting the Nation; [2] INPUT reports 2006 – 2011.
  5. Mudge or “Cyber-Heilmeier” Questions:
     1. Is the solution tactical or strategic in nature?
     2. What is the asymmetry for this solution?
     3. What unintended consequences will be created?
     4. Do attack surfaces shrink, grow, or remain unchanged?
     5. How will this solution incentivize the adversary?
  6. Malware: 125 lines of code*. [Chart: Lines of Code, 1985–2010, y-axis 0 to 10,000,000; security software plotted by product (DEC Seal, Stalker, Milky Way, Snort, Network Flight Recorder, Unified Threat Management) against malware at roughly 125 lines.] * Malware lines of code averaged over 9,000 samples. Are you tactical or strategic; what is the asymmetry?
  7. How do *you* handle passwords?
  8. The first CrackMeIfYouCan contest challenged participants to crack 53,000 passwords. In 48 hours, the winning team had 38,000*. (*this was not the important take away…)
  9. Profile for the winning team, Team Hashcat. [Chart: # Passwords cracked over Time.] Unintended consequences…
  10. Current vulnerability watch list (color code key: Awaiting Vendor Reply/Confirmation; Awaiting CC/S/A use validation; Vendor Replied – Fix in development). Columns: Vulnerability Title (product names redacted as XXXXXXXXXXXX), Fix Avail?, Date Added.
     - Local Privilege Escalation Vulnerability – No – 8/25/2010
     - Denial of Service Vulnerability – Yes – 8/24/2010
     - Buffer Overflow Vulnerability – No – 8/20/2010
     - Sanitization Bypass Weakness – No – 8/18/2010
     - Security Bypass Vulnerability – No – 8/17/2010
     - Multiple Security Vulnerabilities – Yes – 8/16/2010
     - Remote Code Execution Vulnerability – No – 8/16/2010
     - Use-After-Free Memory Corruption Vulnerability – No – 8/12/2010
     - Remote Code Execution Vulnerability – No – 8/10/2010
     - Multiple Buffer Overflow Vulnerabilities – No – 8/10/2010
     - Stack Buffer Overflow Vulnerability – Yes – 8/09/2010
     - Security-Bypass Vulnerability – No – 8/06/2010
     - Multiple Security Vulnerabilities – No – 8/05/2010
     - Buffer Overflow Vulnerability – No – 7/29/2010
     - Remote Privilege Escalation Vulnerability – No – 7/28/2010
     - Cross Site Request Forgery Vulnerability – No – 7/26/2010
     - Multiple Denial Of Service Vulnerabilities – No – 7/22/2010
     Additional security layers often create vulnerabilities… 6 of the vulnerabilities are in security software.
  11. Additional security layers often create vulnerabilities… [Chart: twelve bars ranging from 18% to 44% on a 0–100% scale.]
  12. Identifying attack surfaces… DLLs: a shared run-time environment means more commonality across applications. Application-specific functions sit on top of a constant surface area available to attack: regardless of the application size, the system loads the same number of support functions. For every 1,000 lines of code, 1 to 5 bugs are introduced.
  13. Understanding them in the context of ‘game theory’ reveals the problem. [Table comparing Traditional C2 Botnet and New P2P Botnet by Bot Herder Cost, Bot Herder Return, Antivirus Cost and Antivirus Return.] Bot Herder strategy example, the “Storm” Botnet (Root / Tree / Branch): Strategy 1, XOR‡ branch – solution exists: weekly patch, kills branch. Strategy 2, AES* branch – solution needed: high cost solution, kills tree. The security layering strategy and antitrust have created cross incentives that contribute to divergence. How are you incentivizing the adversary? (‡ = “exclusive or” logical operation; * = Advanced Encryption Standard.)
  14. Mudge Questions (aka “Cyber-Heilmeier”):
     1. Is the solution tactical or strategic (a)?
     2. What is the asymmetry for this solution (a)?
     3. Can you forecast the unintended consequences (b)(e)?
     4. Do attack surfaces shrink, grow, or remain unchanged (c)(d)?
     5. How does this solution incentivize the adversary (e)?
     (*) If you had to defeat your own effort, how would you go about it?
  15. Creating a vehicle to tackle these issues: Cyber Fast Track, DARPA-PA-11-52. cft.usma.edu https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
  16. CFT Mission Statement:
     • Identify aligned areas of interest between the DoD and a novel performer community.
     • Become a resource to that community in a way that encourages mutually beneficial research efforts resulting in prototypes and proofs of concept in a matter of months.
     • Improve goodwill and understanding in both communities.
     CFT promotes aligned interests, not the realigning of interests to meet Government needs.
  17. The Importance of Transition. The objective of technology transition is to make the desired technology available as quickly as possible and at the lowest cost.
     • Indirect – Enabling/Promoting: Commercial; Open Source; Other
     • Direct: Program of Record (POR); Memorandum of Understanding (MOU); Memorandum of Agreement (MOA); Technology Transition Agreement (TTA)
  18. The first proof that it might be do-able… NMAPv6 – CINDER:
     • Advanced IPv6 capabilities
     • 200 new network scanning and discovery modules (NSE)
     • Common Platform Enumeration (CPE) output support
     • Scanner, GUI, and differencing engine performance scaling (1 million target IP addresses)
     • Adversary Mission Identification System (AMIS)
     • Transition: Downloads 3,096,277 (5,600 .gov & 5,193 .mil)… and counting…
  19. The two key ingredients to CFT:
     Programmatics
     • A unique process that allows DARPA to legally do Cyber R&D contracting extremely fast
     • A framework that anyone can use
     • Streamlined negotiations
     • One page commercial contracts
     • Firm fixed price
     • Rapid awards (selection to contract in 10 days or less)
     Diplomacy
     • Align the Cyber Fast Track research goals with the goals of the research community
     • How do your priorities and theirs align?
     • Engage leaders and influencers
     • Socialize the effort, take feedback, and modify the program structure accordingly
     • Ambassador: speak the language, demonstrate an understanding of both cultures
  20. 350+ submissions & 90+ awards. [Chart: Submissions vs. Awards, y-axis 0 to 400.]
  21. CFT Contract Award Time: average of 6 working days to award. [Chart, days, y-axis 0 to 100: CFT min. 2, avg. 6, max. 12 days; BAA process 90+ days.]
  22. 48 Projects Completed – 44 Projects in Progress (2/13/2013). 92 projects awarded to date (as of Feb 13, 2013): 44 programs underway (48%), 19 completed programs open-source (21%), 29 completed programs closed source (31%).
  23. A Sampling of Current CFT Programs (software and hardware): Antenna Detection; Truck-Security Framework; NAND Exploration; Phy-layer Auditing; IPMI Security; BIOS Integrity; Logical Bug Detection; Binary Defense; Obstructing Configurations; Side Channel Analysis; Anti-Reverse Engineering; Virtualization Security; Source Code Analysis; Distributed Validation; Secure Parsers; Deobfuscating Malware; Android OS Security; Baseband Emulation; Network Stack Modification; Securing Legacy RF; Network Visualization; Embedded System Vulnerabilities; BIOS Implant Analysis; Automotive-Security Applications; Android Application Forensics. Images provided by: Bit Systems.
  24. Bunnie’s Routers… Charlie’s Cars… Soon to be released… Images provided by: Charlie Miller, Bunnie Huang.