Mudge at CanSecWest 2013 - A Farewell to Cyber Fast Track

Duo Security

March 06, 2013

Transcript

  1. Mudge
    CanSecWest 2013
    Distribution A: Approved for Public Release, Distribution Unlimited.

  2. Cyber Fast Track – DARPA-PA-11-52
    Amendment 4 (posted January 31, 2013):
    Closing Date: Proposals will be accepted at any time
    until 12:00 noon (ET), April 1, 2013 (amended from the earlier August 3 closing date)
    https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html

  3. Heilmeier Questions:
    When George Heilmeier was the director of DARPA in the mid 1970s, he had a standard
    set of questions he expected every proposal for a new research program to answer.
    1. What is the problem, why is it hard?
    2. How is it solved today?
    3. What is the new technical idea; why can we succeed now?
    4. What is the impact if successful?
    5. How will the program be organized?
    6. How will intermediate results be generated?
    7. How will you measure progress?
    8. What will it cost?

  4. Ground truth…
    Federal Cyber Incidents, fiscal years 2006 – 2011
    [Chart: cyber incidents reported to US-CERT by Federal agencies [1], per fiscal year 2006 through 2011; y-axis 0 to 45,000 incidents]
    [1] GAO Testimony GAO-12-166T, Cybersecurity: Threats Impacting the Nation

  5. Ground truth…
    Federal Cyber Incidents and Defensive Cyber Spending, fiscal years 2006 – 2011
    [Chart: cyber incidents reported to US-CERT by Federal agencies [1] (left axis, 0 to 45,000) plotted against Federal defensive cyber spending [2] (right axis, $B, 0.0 to 12.0), fiscal years 2006 through 2011]
    [1] GAO Testimony GAO-12-166T, Cybersecurity: Threats Impacting the Nation
    [2] INPUT reports 2006 – 2011

  6. Mudge or “Cyber-Heilmeier” Questions:
    1. Is the solution tactical or strategic in nature?
    2. What is the asymmetry for this solution?
    3. What unintended consequences will be created?
    4. Do attack surfaces shrink, grow, or remain unchanged?
    5. How will this solution incentivize the adversary?

  7. Are you tactical or strategic; what is the asymmetry?
    [Chart: lines of code in security software, 1985 through 2010, y-axis 0 to 10,000,000; plotted products: DEC Seal, Stalker, Milky Way, Network Flight Recorder, Snort, Unified Threat Management]
    Malware: 125 lines of code*
    * Malware lines of code averaged over 9,000 samples

  8. How do *you* handle passwords?

  9. Unintended consequences…
    The first CrackMeIfYouCan contest challenged participants to crack 53,000
    passwords. In 48 hours, the winning team had 38,000*.
    (*this was not the important take away…)
    [Chart: profile for the winning team, Team Hashcat; x-axis time, y-axis # passwords cracked]
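How a cracking profile like the one on this slide is measured, as an added example that is not part of the deck and not Team Hashcat's tooling: a dictionary attack with a few mangling rules, recording the cumulative number of recovered passwords against the number of candidates tried (a proxy for wall-clock time at a fixed hash rate). The hash list, the wordlist and the rules are all constructed here; unsalted MD5 is an assumption standing in for whatever the contest used, and the rule functions are simplified stand-ins for a hashcat-style rule file.

```python
import hashlib

# Constructed sample data (not from the contest): ten made-up plaintexts and their
# unsalted MD5 digests. MD5 is an assumption, chosen because it is in the stdlib.
SAMPLE_PLAINTEXTS = ["password", "letmein", "Summer2012", "monkey1", "qwerty!",
                     "Dragon99", "p@ssw0rd", "football", "Hunter2!", "7h1sIsL0ng&random"]
SAMPLE_HASHES = {hashlib.md5(p.encode()).hexdigest() for p in SAMPLE_PLAINTEXTS}

# A tiny wordlist and a handful of mangling rules: simplified stand-ins for a
# hashcat-style rule set, not hashcat's rule engine.
WORDLIST = ["password", "letmein", "summer", "monkey", "qwerty", "dragon", "football", "hunter"]

def rule_identity(w):
    yield w

def rule_capitalize(w):
    yield w.capitalize()

def rule_append_digits(w):
    for n in range(100):
        yield f"{w}{n}"

def rule_append_symbol(w):
    for s in "!@#$":
        yield f"{w}{s}"

def rule_leet(w):
    yield w.replace("a", "@").replace("o", "0")

def rule_capitalize_year(w):
    for y in range(2000, 2015):
        yield f"{w.capitalize()}{y}"

# Cheapest and most productive rules first; this ordering is what shapes the curve.
RULES = [rule_identity, rule_capitalize, rule_append_digits, rule_append_symbol,
         rule_leet, rule_capitalize_year]

def candidates(wordlist=WORDLIST, rules=RULES):
    """Yield candidate passwords, one rule at a time over the whole wordlist."""
    for rule in rules:
        for word in wordlist:
            yield from rule(word)

def crack_profile(target_hashes, candidate_iter, bucket=50):
    """Dictionary attack against a set of unsalted MD5 hashes.

    Returns (cracked, profile): cracked maps hash -> plaintext; profile is a list of
    (candidates_tried, cracked_so_far) sampled every `bucket` candidates plus a final
    point, i.e. cumulative recoveries against work done.
    """
    remaining = set(target_hashes)
    cracked = {}
    profile = []
    tried = 0
    for tried, cand in enumerate(candidate_iter, 1):
        h = hashlib.md5(cand.encode()).hexdigest()
        if h in remaining:
            remaining.remove(h)
            cracked[h] = cand
        if tried % bucket == 0:
            profile.append((tried, len(cracked)))
        if not remaining:
            break
    profile.append((tried, len(cracked)))
    return cracked, profile

def summarize(profile):
    """How front-loaded the curve is: total work, total cracked, and how many of the
    recoveries happened within the first 10% of candidates tried."""
    total, final = profile[-1]
    first_tenth = max((c for t, c in profile if t <= total / 10), default=0)
    return {"total_candidates": total, "cracked": final, "cracked_in_first_10pct": first_tenth}

if __name__ == "__main__":
    cracked, profile = crack_profile(SAMPLE_HASHES, candidates())
    print(summarize(profile))
    for tried, count in profile:
        print(f"{tried:5d} candidates -> {count} cracked")
```

On the constructed data the curve is steep at the start (three of the seven recoveries fall inside the first 50 candidates) and flat for the last several hundred, with the three plaintexts that none of the rules generate never recovered; swapping in a real wordlist and rule file changes the numbers, not the shape of the measurement.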

  11. Additional security layers often create vulnerabilities…
    Current vulnerability watch list:
    Color Code Key: Awaiting Vendor Reply/Confirmation | Awaiting CC/S/A use validation | Vendor Replied – Fix in development
    Vulnerability Title                                                       Fix Avail?  Date Added
    XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability        No          8/25/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability                 Yes         8/24/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability                   No          8/20/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness                    No          8/18/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability                   No          8/17/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities               Yes         8/16/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability             No          8/16/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability  No          8/12/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability             No          8/10/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities        No          8/10/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability             Yes         8/09/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Security-Bypass Vulnerability                   No          8/06/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities               No          8/05/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability                   No          7/29/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability       No          7/28/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability        No          7/26/2010
    XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities      No          7/22/2010
    6 of the vulnerabilities are in security software

  12. Additional security layers often create vulnerabilities…
    [Chart: twelve bars reading 43%, 44%, 33%, 18%, 24%, 24%, 22%, 36%, 25%, 20%, 24%, 30% on a 0% to 100% axis; the category labels did not survive extraction]

  13. Identifying attack surfaces…
    DLLs: run-time environment = more commonality
    Application specific functions
    Constant surface area available to attack. Regardless of the application size, the system loads the same number of support functions.
    For every 1,000 lines of code, 1 to 5 bugs are introduced.

  14. How are you incentivizing the adversary?
    Understanding them in the context of ‘game theory’ reveals the problem.
    Bot Herder strategy example (diagram: Root → Tree → Branch):
    [Table, columns as extracted: Bot Herder Cost | Bot Herder Return | Antivirus Cost | Antivirus Return | Short / Long]
    Traditional C2 Botnet:  Small  High  High  Low   High
    New P2P Botnet:         Small  High  0     High  Low
    “Storm” Botnet
    Strategy 1: XOR‡ branch
    Strategy 2: AES* branch
    Solution exists: weekly patch, kills branch
    Solution needed: high cost solution, kills tree
    ‡ = “exclusive or” logical operation
    * = Advanced Encryption Standard
    The security layering strategy and antitrust have created cross incentives that contribute to divergence.

  15. Mudge Questions (aka “Cyber-Heilmeier”):
    1. Is the solution tactical or strategic (a)?
    2. What is the asymmetry for this solution (a)?
    3. Can you forecast the unintended consequences (b)(e)?
    4. Do attack surfaces shrink, grow, or remain unchanged (c)(d)?
    5. How does this solution incentivize the adversary (e)?
    (*) If you had to defeat your own effort, how would you go about it?
    (a through e refer to the annotated diagram on the slide)

  16. Creating a vehicle to tackle these issues:
    Cyber Fast Track
    DARPA-PA-11-52
    cft.usma.edu
    https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html

  17. CFT Mission Statement
    • Identify aligned areas of interest between the DoD and a novel performer community.
    • Become a resource to that community in a way that encourages mutually beneficial research efforts resulting in prototypes and proofs of concept in a matter of months.
    • Improve goodwill and understanding in both communities.
    CFT promotes aligned interests, not the realigning of interests to meet Government needs.

  18. The Importance of Transition
    The objective of technology transition is to make the desired technology available as quickly as possible and at the lowest cost.
    • Indirect - Enabling/Promoting:
      • Commercial
      • Open Source
      • Other
    • Direct
      • Program of Record (POR)
      • Memorandum of Understanding (MOU)
      • Memorandum of Agreement (MOA)
      • Technology Transition Agreement (TTA)

  19. The first proof that it might be do-able…
    NMAPv6 – CINDER
    • Advanced IPv6 capabilities
    • 200 new network scanning and discovery modules (NSE)
    • Common Platform Enumeration (CPE) output support
    • Scanner, GUI, and differencing engine performance scaling (1 million target IP addresses)
    • Adversary Mission Identification System (AMIS)
    • Transition: Downloads 3,096,277 (5,600 .gov & 5,193 .mil)… and counting…
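Two of the features listed, CPE output and scan differencing, as an added example that is not part of the deck and not code from the Nmap project: the script parses Nmap's XML output (`-oX`) for an IPv6 host, builds an inventory keyed by CPE (the form a vulnerability lookup wants), and diffs two scans to report what opened, what closed, and where the fingerprinted CPE changed. Only the stdlib is used. The two XML documents are constructed for this example; they follow the element and attribute names Nmap emits, but the address, ports, products and versions are made up.

```python
import xml.etree.ElementTree as ET

# Constructed Nmap XML output (not a real scan): two scans of the same IPv6 host, trimmed
# to the elements this example reads. Values are invented for the illustration.
SCAN_BEFORE = """
<nmaprun scanner="nmap" args="nmap -6 -sV -oX before.xml 2001:db8::10">
  <host>
    <status state="up"/>
    <address addr="2001:db8::10" addrtype="ipv6"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.9p1">
          <cpe>cpe:/a:openbsd:openssh:5.9p1</cpe>
          <cpe>cpe:/o:linux:linux_kernel</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.22">
          <cpe>cpe:/a:apache:http_server:2.2.22</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="443">
        <state state="closed"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

SCAN_AFTER = """
<nmaprun scanner="nmap" args="nmap -6 -sV -oX after.xml 2001:db8::10">
  <host>
    <status state="up"/>
    <address addr="2001:db8::10" addrtype="ipv6"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="6.0p1">
          <cpe>cpe:/a:openbsd:openssh:6.0p1</cpe>
          <cpe>cpe:/o:linux:linux_kernel</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="nginx" version="1.2.1" tunnel="ssl">
          <cpe>cpe:/a:igor_sysoev:nginx:1.2.1</cpe>
        </service>
      </port>
    </ports>
  </host>
</nmaprun>
"""

def parse_services(xml_text):
    """Return {(addr, proto, port): {"service": name, "cpes": [...]}} for every open port.
    Ports in any state other than "open" (closed, filtered) are skipped on purpose."""
    root = ET.fromstring(xml_text.strip())
    services = {}
    for host in root.iter("host"):
        addrs = [a.get("addr") for a in host.findall("address")
                 if a.get("addrtype") in ("ipv4", "ipv6")]
        if not addrs:
            continue  # host with only a MAC address, nothing to key on
        addr = addrs[0]
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else None
            cpes = [c.text.strip() for c in svc.findall("cpe") if c.text] if svc is not None else []
            services[(addr, port.get("protocol"), int(port.get("portid")))] = {
                "service": name, "cpes": cpes}
    return services

def cpe_inventory(services):
    """Invert the service map: CPE -> list of (addr, proto, port) exposing it."""
    inventory = {}
    for key, info in services.items():
        for cpe in info["cpes"]:
            inventory.setdefault(cpe, []).append(key)
    return inventory

def diff_scans(before, after):
    """Differencing: ports that opened, ports that closed, and ports whose fingerprinted
    CPE list changed between the two scans (version drift or a product swap)."""
    opened = sorted(set(after) - set(before))
    closed = sorted(set(before) - set(after))
    changed = [(k, before[k]["cpes"], after[k]["cpes"])
               for k in sorted(set(before) & set(after))
               if before[k]["cpes"] != after[k]["cpes"]]
    return {"opened": opened, "closed": closed, "changed": changed}

if __name__ == "__main__":
    before, after = parse_services(SCAN_BEFORE), parse_services(SCAN_AFTER)
    for cpe, where in sorted(cpe_inventory(after).items()):
        print(f"{cpe:40s} {where}")
    print(diff_scans(before, after))
```

The inventory is keyed by CPE rather than by host so that a newly published advisory can be matched against every exposure at once; the diff deliberately ignores state changes to anything but open ports, since a port moving between closed and filtered is noise for this purpose.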

  20. The two key ingredients to CFT:
    Programmatics
    • A unique process that allows DARPA to legally do Cyber R&D contracting extremely fast
    • A framework that anyone can use
    • Streamlined negotiations
    • One page commercial contracts
    • Firm fixed price
    • Rapid awards (selection to contract in 10 days or less)
    Diplomacy
    • Align the Cyber Fast Track research goals with the goals of the research community
    • How do your priorities and theirs align?
    • Engage leaders and influencers
    • Socialize the effort, take feedback, and modify the program structure accordingly
    • Ambassador
    • Speak the language, demonstrate an understanding of both cultures

  21. 350+ submissions & 90+ awards
    [Chart: Submissions and Awards, y-axis 0 to 400]

  22. CFT Contract Award Time
    Average of 6 working days to award
    [Chart, days to award (y-axis 0 to 100): BAA process 90+; CFT min. 2 days, avg. 6 days, max. 12 days]

  23. 92 Projects awarded to date (as of Feb 13, 2013)
    48 Projects Completed – 44 Projects in Progress (2/13/2013)
    44 programs underway (48%)
    19 completed programs, open-source (21%)
    29 completed programs, closed source (31%)

  24. CFT Efforts

  25. A Sampling of Current CFT Programs
    (programs span Software and Hardware)
    Antenna Detection
    Truck-Security Framework
    NAND Exploration
    Phy-layer Auditing
    IPMI Security
    BIOS Integrity
    Logical Bug Detection
    Binary Defense
    Obstructing Configurations
    Side Channel Analysis
    Anti-Reverse Engineering
    Virtualization Security
    Source Code Analysis
    Distributed Validation
    Secure Parsers
    Deobfuscating Malware
    Android OS Security
    Baseband Emulation
    Network Stack Modification
    Securing Legacy RF
    Network Visualization
    Embedded System Vulnerabilities
    BIOS Implant Analysis
    Automotive-Security Applications
    Android Application Forensics
    Images provided by: Bit Systems

  28. Soon to be released…
    Bunnie’s Routers… Charlie’s Cars…
    Image provided by: Bunnie Huang
    Image provided by: Charlie Miller

  29. The beginning of…
    The end of CFT…

  30. www.darpa.mil
