Working Together to Build Confidence
The OMG System Assurance Ecosystem: Applying Methodical Analysis to Trusted Software
Dr. Nikolai Mansourov, CTO, KDM Analytics
25 September 2013
10/16/13 KDM Analytics Proprietary

Slide 2: The Yin and Yang of Assurance
[Diagram: a cycle between Confidence and Facts made of the activities Mine pattern, Build assurance case, Define pattern, Evaluate facts, Normalize data, Evaluate confidence, Collect data, Find new argument, Find data source, Define vocabulary, Collect evidence.]

Slide 3: Definition of Risk
• "Risk" is singular; "threats" are plural.
• A "threat" is a family of identifiable scenarios together with the measure of their level.
• A threat includes an undesired event and one or more threat scenarios.
• The threat level is a function of the severity of the undesired event and the likelihood of the threat scenarios.
• Risk = ∫ (severity, likelihood) over Threats
• Often the term "(individual) risk" (from the plural "risks") is used as a synonym of an "(individual) threat".

Slide 4: Assurance through vulnerability detection (section title)

Slide 5: Approximating risk by vulnerability (1 of 2)
[Diagram: system layers Capabilities, Operations, Technical Architecture, Design, Code (source or binary), Configuration/Platform/Libraries, with a Dynamic Analysis Tool (penetration testing) and a Static Analysis Tool placed against the layers.]

Slide 6: Approximating risk by vulnerability (2 of 2)
[Diagram: same layers and tools as slide 5.]

Slide 7: Failing to understand ALL threats …

Slide 8: What is the risk if tools did NOT find anything?
• Tools generate large reports, 1000s of potential vulnerabilities
– Some findings are false positives
– Some real vulnerabilities are not reported
– Significant work is required to review the reports
– Does NOT address assurance

Slide 9: End-to-end risk mitigation assurance (section title)

Slide 10: Top-down risk analysis and bottom-up evidence analysis
[Diagram: Risks flow top-down through Capabilities, Operations, Technical Architecture, Design, Code (source or binary), Configuration/Platform/Libraries; Evidence flows bottom-up.]

Slide 11: Top-down risk analysis and bottom-up evidence analysis
[Diagram: as slide 10, adding a Dynamic Analysis Tool (penetration testing) and a Static Analysis Tool.]

Slide 12: Top-down risk analysis and bottom-up evidence analysis
[Diagram: as slide 11, adding an Architecture Analysis Tool and a Code Analysis Tool.]

Slide 13: WHY the findings justify risk claims?
[Diagram: the layers Capabilities, Operations, Technical Architecture, Design, Code (source or binary), Configuration/Platform/Libraries, with Risks at the top and Evidence at the bottom.]
• Build an argument connecting negative findings to the "no risk" claim
• Gather additional evidence
• Provide additional justification
• Evaluate confidence
• Provide readable explanations connecting evidence to claims

Slide 14: Security Assurance Case (top)
[GSN diagram]
• G1 (Goal): System is acceptably secure
– CG1.1 (Context): Security criteria are defined
– CG1.2 (Context): Assessment scope is defined
– CG1.3 (Context): Assessment rigor is defined
– CG1.4 (Context): Concept of operations
– CG1.5 (Context): Subject to declared assumptions and limitations
• G2 (Goal): All threats are identified and adequately mitigated
• S1 (Strategy): Argument based on end-to-end risk mitigation analysis
• M1 (Model): Integrated system model
• G3 (Goal): All threats to the system are identified
• G4 (Goal): Identified threats are adequately mitigated
• G5 (Goal): Residual risk is acceptable

Slide 15: Elements of the FORSA methodology
[Diagram of Risk Metamodel, Assurance Process, Assurance Case, System Model and Evidence, separating generic guidance & tool from data specific to the system.]
• Assurance Case is related to risk level
• Assurance Case is structured according to System Model
• Assurance Case is structured according to Risk Metamodel
• Assurance Case structures report
• Assurance Case provides guidance on how to collect evidence
• System Model constrains evidence
• Risk Metamodel describes evidence
• Risk Metamodel provides guidance on how to collect evidence
• Evidence justifies claims
• Assurance Process defines the steps to collect evidence
• Assurance Process delivers assurance case (argument + evidence)

Slide 16: Towards systematic enumeration of threats
Threat/Hazard components: Initiating Mechanism (passive failure, or active failure by a threat source), Hazardous Element, Asset/Injury.
Example threat/hazard: "Worker could be electrocuted by touching exposed contacts in electrical panel containing high voltage."
Decomposition of the example: Worker = Asset; could be electrocuted = Injury (outcome); by touching = IM; exposed contacts in electrical panel = IM; containing high voltage = HE (causal factors).

Slide 17: Enumerate components to systematically identify risks
Incident / Mishap / Threat / Hazard / Risk
• Level 1, Threat/Hazard components: HE (Hazardous Element), IM (Initiating Mechanism), A/I (Asset/Injury)
• Level 2, Threat Scenario Categories: HE: Hardware, Energy, Chemical, Material; IM: Hardware, Software, Human, Interface, Function, Environment; A/I (Undesired Event categories): Human, Hardware, System, Environment, Proximity, Exposure, etc.
• Level 3, Specific causes: Failure mode, Human error, Software error, Design error, Timing error, etc.

Slide 18: FORSA STEPS
1. Operational Context Identification
2. System Facts
3. Asset Identification
4. Undesired Event Identification
5. Threat Scenario Identification
6. Threat Scenario Analysis
7. Risk Identification
8. Safeguard Identification
9. Vulnerability Analysis
10. Risk Analysis
Annotations: "Analytics, when possible"; "Validation & verification" against each of the analysis steps.

Slide 19: WIRESHARK (section title)

Slide 20: Wireshark
• What is Wireshark?
– Wireshark is a network packet analyzer. A network packet analyzer tries to capture network packets and to display that packet data in as much detail as possible.
• Some intended purposes
– network administrators use it to troubleshoot network problems
– network security engineers use it to examine security problems
– developers use it to debug protocol implementations
– people use it to learn network protocol internals
– beside these examples, Wireshark can be helpful in many other situations too.
• Key Features
– Capture live packet data from a network interface.
– Display packets with very detailed protocol information.
– Open and save captured packet data.
– Import and export packet data from and to a lot of other capture programs.
– Filter packets on many criteria.
– Search for packets on many criteria.
– Colorize packet display based on filters.
– Create various statistics.

Slide 21: Wireshark CONOPS
[Diagram: network monitored with Wireshark. Performers: Network user, Admin, Local user, Analyst, Law enforcement. Activities: Exchange network packets, Manage network, Capture network packets, Analyze & display network packets, Export and import network packets. Resources: Network interface, Stored network packets.]

Slide 22: Performers of Wireshark
"Performer" is a term from DoDAF. A performer is any entity (human, automated, or any aggregation of human and/or automated) that performs an activity and provides a capability.

Slide 23: Technical architecture of Wireshark from documentation [figure]
Slide 24: Technical architecture of Wireshark extracted from code [figure]
Slide 25: Operational activities of Wireshark [figure]
Slide 26: Operational activities vs Performers [figure]
Slide 27: FORSA STEPS (steps 1–10 as on slide 18)

Slide 28: Results of justifiable risk analysis (1 of 2)
ID | Description | Severity | Likelihood | Level | Residual | Confidence
R1 | Hacker gains access to confidential assets by information gathering on stored files | high | high | high | low | 80%
R2 | Targeted virus or timebomb affects integrity or availability of network by attacking wireshark executable | high | high | high | low | 80%
R3 | Hacker subverts wireshark node by remote attack exploiting vulnerabilities in Wireshark code | high | medium | high | low | 80%
R4 | Hacker subverts wireshark node by remote attack exploiting vulnerabilities in system software on wireshark node | high | medium | medium | low | 80%
R5 | Criminal learns about forensic activity by attacking wireshark executable | medium | high | medium | low | 80%
R6 | Targeted virus or timebomb affects availability of other assets by attacking wireshark executable | medium | high | medium | low | 80%
R7 | Malicious user subverts wireshark node by locally attacking wireshark code | medium | low | medium | low | 70%
R8 | Malicious user subverts wireshark node by locally attacking system software on wireshark node | medium | low | medium | low | 70%
R9 | Criminal forces wireshark to miss packets by attacking wireshark executable | medium | high | medium | low | 70%

Slide 29: Results of justifiable risk analysis (2 of 2)
ID | Description | Severity | Likelihood | Level | Residual | Confidence
R10 | Criminal forces wireshark to miss packets by remotely exploiting vulnerabilities in wireshark or system code | medium | medium | medium | low | 70%
R11 | Criminal removes evidence by attacking stored files | medium | low | low | low | 60%
R12 | Criminal removes evidence by corrupting stored files | low | low | low | low | 60%
R13 | Analyst acting by mistake removes evidence by deleting or corrupting stored files | low | low | low | low | 60%
R14 | Criminal removes or corrupts evidence by remotely exploiting vulnerabilities in wireshark code | low | low | low | low | 60%
R15 | Criminal remotely removes or corrupts evidence by remotely exploiting vulnerabilities in system code | low | medium | low | low | 60%
R16 | Malicious user learns confidential information by information gathering from stored files | medium | low | low | low | 60%
R17 | Malicious user learns confidential information by locally attacking wireshark code | low | low | low | low | 60%

Slide 30: Risk and confidence rankings
Risk = f(Impact Rating, Likelihood Rating):
Impact \ Likelihood | Low | Med | High
High | Med | High | High
Med | Med | Med | High
Low | Low | Med | Med

Confidence = ∫(Importance of Claim, Strength of Evidence):
Claims Rating \ Evidence Rating | Low | Med | High
High | L | L | M
Med | L | M | M
Low | H | H | H

Slide 31: Evaluation of evidence for risk R1 [figure]
Slide 32: Evaluation of evidence for risk R1 (cont'd) [figure]
Slide 33: Evaluation of evidence for risk R2 [figure]
Slide 34: Evaluation of evidence for risk R2 (cont'd) [figure]

Slide 35: FROM RISK TO EVIDENCE THROUGH PATTERNS (section title)

Slide 36: FORSA STEPS (steps 1–10 as on slide 18), annotated with "patterns" and "Findings".
Slide 37: FORSA STEPS with a step added after Risk Analysis: 11. Evidence Analysis; annotated with "patterns" and "Findings".
Slide 38: FORSA STEPS 1–11 (as on slide 37), annotated with "patterns", "risks", "Findings" and "Evidence".
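The two lookup tables on the "Risk and confidence rankings" slide, applied to the R1–R17 results table and to the goals of the security assurance case slide, as an added Python example; it is not KDM Analytics' FORSA tooling. The matrices are transcribed from the slide as read above and the R1–R17 rows are the deck's own values; the function names, the aggregation rule in risk_profile (a count per level plus the worst level, one reading of "Risk = ∫(severity, likelihood) over Threats") and the weakest-link rule in claim_confidence_table are this example's assumptions, as are the evidence ratings given for G3–G5 in the usage section. Running it shows that the stated Level differs from the matrix lookup for seven of the seventeen rows, so the deck's levels were not produced by this lookup alone.

```python
"""Risk level and confidence as matrix lookups from the 'Risk and confidence
rankings' slide, applied to the deck's Wireshark results table.  Added example,
not KDM Analytics' FORSA tooling; the matrices and the R1..R17 rows are the
deck's data, everything else here is this example's own assumption."""
from collections import Counter

RATINGS = ("low", "medium", "high")

# Risk level = f(impact rating, likelihood rating); outer key = impact (severity).
RISK_MATRIX = {
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
    "medium": {"low": "medium", "medium": "medium", "high": "high"},
    "low":    {"low": "low",    "medium": "medium", "high": "medium"},
}

# Confidence = f(importance of claim, strength of evidence); outer key = claim rating.
CONFIDENCE_MATRIX = {
    "high":   {"low": "low",  "medium": "low",    "high": "medium"},
    "medium": {"low": "low",  "medium": "medium", "high": "medium"},
    "low":    {"low": "high", "medium": "high",   "high": "high"},
}


def risk_level(severity, likelihood):
    """Threat level from the severity of the undesired event and the
    likelihood of its threat scenarios (slide 3's definition)."""
    return RISK_MATRIX[severity][likelihood]


def confidence(claim_importance, evidence_strength):
    """Confidence that a claim of the assurance case is adequately supported."""
    return CONFIDENCE_MATRIX[claim_importance][evidence_strength]


# (id, severity, likelihood, level) exactly as stated on the results slides.
DECK_RESULTS = [
    ("R1", "high", "high", "high"),       ("R2", "high", "high", "high"),
    ("R3", "high", "medium", "high"),     ("R4", "high", "medium", "medium"),
    ("R5", "medium", "high", "medium"),   ("R6", "medium", "high", "medium"),
    ("R7", "medium", "low", "medium"),    ("R8", "medium", "low", "medium"),
    ("R9", "medium", "high", "medium"),   ("R10", "medium", "medium", "medium"),
    ("R11", "medium", "low", "low"),      ("R12", "low", "low", "low"),
    ("R13", "low", "low", "low"),         ("R14", "low", "low", "low"),
    ("R15", "low", "medium", "low"),      ("R16", "medium", "low", "low"),
    ("R17", "low", "low", "low"),
]


def deck_rows_off_matrix(rows=DECK_RESULTS):
    """Ids whose stated Level is not what the slide-30 matrix gives for their
    severity and likelihood: a traceability check on a 'justifiable' table."""
    return [rid for rid, sev, lik, level in rows if risk_level(sev, lik) != level]


def risk_profile(rows=DECK_RESULTS):
    """Risk over the whole set of threats: threats per level and the worst
    level present (an assumed aggregation; the slide leaves the integral open)."""
    counts = Counter(level for *_, level in rows)
    worst = max((level for *_, level in rows), key=RATINGS.index)
    return {"counts": dict(counts), "worst": worst}


def claim_confidence_table(evidence_by_claim):
    """evidence_by_claim maps a claim id to (importance, evidence strength).
    Returns per-claim confidence and the weakest of them, which under an
    assumed weakest-link rule bounds the confidence in the parent goal."""
    per = {c: confidence(imp, ev) for c, (imp, ev) in evidence_by_claim.items()}
    weakest = min(per.values(), key=RATINGS.index)
    return per, weakest


if __name__ == "__main__":
    print("rows whose Level is not the matrix lookup:", deck_rows_off_matrix())
    print("risk profile of the 17 threats:", risk_profile())
    # Constructed evidence ratings for the sub-goals G3, G4, G5 of G2.
    print(claim_confidence_table({"G3": ("high", "high"),
                                  "G4": ("high", "medium"),
                                  "G5": ("medium", "high")}))
```

The matrices are plain dictionaries on purpose: when a reviewer asks why R4 is medium while R3 with the same severity and likelihood is high, the lookup either reproduces the answer or it does not, and the argument has to say which other factor (safeguards, residual analysis, expert adjustment) produced the stated level.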
Slide 39: FORSA STEPS 1–11 (as on slide 37), annotated with "patterns", "risks", "Findings" and "Evidence", and with the tools Dynamic Analysis Tool (penetration testing), Architecture Analysis Tool, Code Analysis Tool and Static Analysis Tool. Captions: "Supporting evidence & assurance"; "Vulnerability findings linked to specific risks via undesired events".

Slide 40: Associating vulnerability patterns with undesired events [figure]
Slide 41: Undesired Events to Vulnerability Patterns (cont'd) [figure]
Slide 42: Application-specific patterns [figure]
Slide 43: FORSA STEPS (steps 1–10 as on slide 18)

Slide 44: Vulnerability findings
[Diagram: vulnerability detection tools (CPPcheck, FindBugs, JLint, RATS, Splint) run over the Code in the Build environment and produce Vulnerability findings.]

Slide 45: Case Study: Wireshark
• Statistics
– Wireshark ~2 MLOC
– Total files analyzed: 1519
– Run 3 open source tools: cppcheck, splint and RATS; number of findings: 18949
– Cppcheck reported 7051 issues
– Splint reported 10917 issues
– RATS reported 981 issues
• How to make sense out of it?
– Identify overlaps and unique findings
– Focus on the findings that matter
– Prioritizing findings

Slide 46: Examples of findings
Source:
1150 fputs("%% the page title\n", output->fh);
1151 ps_clean_string(psbuffer, filename, MAX_PS_LINE_LENGTH);
1152 fprintf(output->fh, "/ws pagetitle (%s - Wireshark " VERSION "%s) def \n", psbuffer, wireshark_svnversion);
1153 fputs("\n", output->fh);

RATS report on line # 1152: "Check to make sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source." SFP-24; CWE-134
SPLINT report on line # 1152: "Format argument 1 to fprintf (%s) expects char * gets unsigned char [256]: psbuffer" SFP-1; CWE-681
Same line number, different weakness: SFP-24; CWE-134 versus SFP-1; CWE-681.

Slide 47: Normalization of findings
[Diagram: the outputs of CPPcheck, FindBugs, JLint, RATS and Splint, run over the Code in the Build environment, pass through TOIF adapters into TOIF XMI (normalization).]

Slide 48: Semantic Integration
[Diagram: as slide 47; TOIF XMI is exchanged over a Standard protocol into an Integrated vulnerability report. Report elements: Finding, Data Element, Statement, Location, File, Weakness Description, CWE id, Tool Name, Weight, Description.]

Slide 49: Semantic integration focuses on facts
[Diagram: as slide 47.]
Entities: Finding; Code Location; File; Line Number; Name; Directory; CWE id; SFP id; Fault Cluster id; Statement; Data Element.
Relations:
• Finding references Code Location
• Finding has CWE id
• Code Location references File
• Code Location references Line Number
• File has Name
• Finding involves Statement

Slide 50: New possibilities
[Diagram: as slide 48.]

Slide 51: Adding more views
[Diagram: as slide 48, adding a KDM XMI Fact Oriented Interface (ISO/IEC 19506 Knowledge Discovery Metamodel) alongside the TOIF XMI normalization and the integrated vulnerability report.]

Slide 52: Multi-phase integrations
[Diagram: as slide 51, adding Integrated facts and Knowledge mining tools.]

Slide 53: TOIF Analyzer
[Diagram: as slide 52, adding the TOIF analyzer (unification, correlation and confidence) between the TOIF adapters and the integrated facts.]

Slide 54: Current TOIF Architecture
[Diagram: as slide 53, adding Third party integrations (Blade), the KDM Analytics Architecture risk analysis report and Architecture risk factors, feeding the integrated vulnerability report
(elements as on slide 48: Finding, Data Element, Statement, Weakness Description, CWE id, Tool, Weight, Location, File Name, Description) and the Knowledge mining tools.]

Slide 55: [untitled figure]
Slide 56: [untitled figure]
Slide 57: Wireshark entry points [figure]
Slide 58: Weakness impact analysis [figure]
Slide 59: QUESTIONS?
Slide 60: Dr. Nikolai Mansourov, KDM Analytics, www.kdmanalytics.com
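The normalization, unification and correlation steps of slides 45 to 49 and 53 (adapters turning each tool's report into Finding facts, one record per code location and CWE, corroboration across tools, and the "same line number, different weakness" case of slide 46), as an added Python example; it is not the TOIF adapters or TOIF analyzer the deck describes. The report line formats and the rule-to-CWE/SFP tables below are constructed for this example and are not the real output formats of RATS, Splint or cppcheck; the two findings on line 1152 carry the messages and CWE/SFP ids from the "Examples of findings" slide, while the file names, the other findings, the weight rule and all function names are this example's assumptions.

```python
"""TOIF-style normalization, unification and correlation of findings from
several vulnerability detection tools.  Added example, not the deck's TOIF
adapters or analyzer.  Line formats, rule tables, file names and the weight
rule are constructed; the two 1152 findings reuse the slide-46 messages."""
import re
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class CodeLocation:          # "Code Location references File / Line Number"
    file: str
    line: int


@dataclass(frozen=True)
class Finding:               # "Finding references Code Location; Finding has CWE id"
    tool: str
    location: CodeLocation
    cwe: str
    sfp: str
    description: str


# One constructed text format per tool; each adapter knows only its own.
TOOL_FORMATS = {
    "rats": re.compile(r"^(?P<file>[^:]+):(?P<line>\d+): (?P<sev>\w+): (?P<rule>\w+): (?P<msg>.*)$"),
    "splint": re.compile(r"^(?P<file>[^:]+):(?P<line>\d+): (?P<rule>\w+): (?P<msg>.*)$"),
    "cppcheck": re.compile(r"^\[(?P<file>[^:\]]+):(?P<line>\d+)\]: \((?P<sev>\w+)\) (?P<rule>\w+): (?P<msg>.*)$"),
}

# Adapter tables mapping a tool rule to the common weakness vocabulary.
# The line-1152 entries use the deck's ids; the rest are assumed for the example.
RULE_TO_WEAKNESS = {
    ("rats", "fprintf"): ("CWE-134", "SFP-24"),
    ("rats", "strcpy"): ("CWE-120", "SFP-8"),
    ("splint", "formattype"): ("CWE-681", "SFP-1"),
    ("splint", "bufferoverflowhigh"): ("CWE-120", "SFP-8"),
    ("cppcheck", "invalidPrintfArgType_s"): ("CWE-681", "SFP-1"),
    ("cppcheck", "nullPointer"): ("CWE-476", "SFP-7"),
}

# Constructed tool outputs; ps_output.c and capture_util.c are placeholder names.
TOOL_OUTPUT = {
    "rats": [
        "ps_output.c:1152: High: fprintf: Check to make sure that the non-constant format string passed as argument 2 to this function call does not come from an untrusted source.",
        "capture_util.c:310: High: strcpy: Check to be sure that argument 2 passed to this function call is not a user provided string.",
    ],
    "splint": [
        "ps_output.c:1152: formattype: Format argument 1 to fprintf (%s) expects char * gets unsigned char [256]: psbuffer",
        "capture_util.c:310: bufferoverflowhigh: Possible out-of-bounds store: strcpy(dest, src)",
    ],
    "cppcheck": [
        "[ps_output.c:1152]: (warning) invalidPrintfArgType_s: %s in format string (no. 1) requires 'char *' but the argument type is 'unsigned char *'.",
        "[capture_util.c:88]: (error) nullPointer: Null pointer dereference",
    ],
}


def adapt(tool, lines):
    """Adapter role: turn one tool's report lines into Finding facts."""
    findings = []
    for line in lines:
        m = TOOL_FORMATS[tool].match(line)
        if m is None:
            raise ValueError(f"{tool}: unrecognised report line: {line!r}")
        cwe, sfp = RULE_TO_WEAKNESS[(tool, m["rule"])]
        findings.append(Finding(tool, CodeLocation(m["file"], int(m["line"])), cwe, sfp, m["msg"]))
    return findings


def all_findings(outputs=TOOL_OUTPUT):
    return [f for tool, lines in outputs.items() for f in adapt(tool, lines)]


def unify(findings):
    """Analyzer role: one record per (location, CWE).  Tools flagging the same
    weakness at the same statement corroborate each other; the weight counts
    the independent tools (this confidence rule is the example's assumption)."""
    unified = {}
    for f in findings:
        rec = unified.setdefault((f.location, f.cwe), {"sfp": f.sfp, "tools": set(), "messages": []})
        rec["tools"].add(f.tool)
        rec["messages"].append(f"{f.tool}: {f.description}")
    for rec in unified.values():
        rec["weight"] = len(rec["tools"])
    return unified


def weaknesses_per_location(unified):
    """Locations carrying more than one weakness: the slide-46 situation,
    same line number but different CWE, which must stay separate findings."""
    per = defaultdict(set)
    for loc, cwe in unified:
        per[loc].add(cwe)
    return {loc: cwes for loc, cwes in per.items() if len(cwes) > 1}


def summary(unified, raw):
    return {"raw": len(raw), "unique": len(unified),
            "corroborated": sum(1 for rec in unified.values() if rec["weight"] > 1)}


def prioritized(unified):
    """Findings that matter first: highest weight, then file, line and CWE."""
    return sorted(unified, key=lambda k: (-unified[k]["weight"], k[0].file, k[0].line, k[1]))


if __name__ == "__main__":
    raw = all_findings()
    unified = unify(raw)
    print(summary(unified, raw))
    for loc, cwe in prioritized(unified):
        rec = unified[(loc, cwe)]
        print(f"{loc.file}:{loc.line} {cwe} {rec['sfp']} weight={rec['weight']} tools={sorted(rec['tools'])}")
```

The key of the unified record is (Code Location, CWE id), which is what makes the slide-46 pair come out as two findings on one line rather than one duplicate, while the CWE-681 report from two tools on the same line collapses into a single record of weight 2. The regular expressions are the adapter layer: adding a fourth tool means one more pattern and one more rule table, and nothing downstream of Finding changes.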