Keynote - DARPA`s Peiter "mudge"

advertisement
Mudge
CanSecWest 2013
1
Distribution A: Approved for Public Release, Distribution Unlimited.
Cyber Fast Track – DARPA-PA-11-52
Amendment 4 (posted January 31, 2013):
Closing Date: Proposals will be accepted at any time
until 12:00 noon (ET), August 3 April1, 2013
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
2
Distribution A: Approved for Public Release, Distribution Unlimited.
Heilmeyer Questions:
When George Heilmeier was the director of DARPA in the mid 1970s, he had a standard
set of questions he expected every proposal for a new research program to answer.
1. What is the problem, why is it hard?
2. How is it solved today?
3. What is the new technical idea; why can we succeed now?
4. What is the impact if successful?
5. How will the program be organized?
6. How will intermediate results be generated?
7. How will you measure progress?
8. What will it cost?
3
Distribution A: Approved for Public Release, Distribution Unlimited.
Ground truth…
Federal Cyber Incidents
fiscal years 2006 – 2011
45,000
40,000
35,000
Cyber Incidents
Reported to
US-CERT [1]
by Federal
agencies
30,000
25,000
20,000
15,000
10,000
5,000
0
2006
2007
2008
2009
2010
2011
[1] GAO Testimony. GAO-12-166T CYBERSECURITY
Threats Impacting the Nation
Distribution A: Approved for Public Release, Distribution Unlimited.
4
Ground truth…
Federal Cyber Incidents and Defensive Cyber Spending
fiscal years 2006 – 2011
45,000
40,000
Cyber Incidents
Reported to
US-CERT [1]
by Federal
agencies
30,000
10.0
25,000
8.0
20,000
6.0
15,000
4.0
Federal Defensive
Cyber Spending [2]
($B)
12.0
35,000
10,000
2.0
5,000
0
2006
2007
2008
2009
2010
2011
0.0
[1] GAO Testimony. GAO-12-166T CYBERSECURITY
Threats Impacting the Nation
[2] INPUT reports 2006 – 2011
Distribution A: Approved for Public Release, Distribution Unlimited.
5
Mudge or “Cyber-Heilmeyer” Questions:
1. Is the solution tactical or strategic in nature?
2. What is the asymmetry for this solution?
3. What unintended consequences will be created?
4. Do attack surfaces shrink, grow, or remain unchanged?
5. How will this solution incentivize the adversary?
6
Distribution A: Approved for Public Release, Distribution Unlimited.
Are you tactical or strategic; what is the asymmetry?
x
Lines of Code
10,000,000
Unified Threat
Management
8,000,000
Security software
6,000,000
4,000,000
x
2,000,000
Milky Way
DEC Seal
0
1985
x
Stalker
x
1990
x
1995
x
Network Flight
Recorder
Malware:
125 lines of code*
Snort
2000
2005
2010
* Malware lines of code averaged over 9,000 samples
7
Distribution A: Approved for Public Release, Distribution Unlimited.
How do *you* handle passwords?
8
Distribution A: Approved for Public Release, Distribution Unlimited.
Unintended consequences…
The first CrackMeIfYouCan contest challenged participants to crack 53,000
passwords. In 48 hours, the winning team had 38,000*.
# Passwords
(*this was not the important take away…)
Profile for the
winning team,
Team Hashcat.
Time
9
Distribution A: Approved for Public Release, Distribution Unlimited.
Unintended consequences…
The first CrackMeIfYouCan contest challenged participants to crack 53,000
passwords. In 48 hours, the winning team had 38,000*.
# Passwords
(*this was not the important take away…)
Profile for the
winning team,
Team Hashcat.
Time
10
Distribution A: Approved for Public Release, Distribution Unlimited.
Additional security layers often create vulnerabilities…
Current vulnerability watch list:
Vulnerability Title
Fix Avail?
Date Added
XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability
No
8/25/2010
XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability
Yes
8/24/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability
No
8/20/2010
XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness
No
8/18/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability
No
8/17/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities
Yes
8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability
No
8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability
No
8/12/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability
No
8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities
No
8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability
Yes
XXXXXXXXXXXX XXXXXXXXXXXX Security-Bypass Vulnerability
No
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities
No
6 of the
8/09/2010
vulnerabilities
8/06/2010
are in security
8/05/2010
software
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability
No
7/29/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability
No
7/28/2010
XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability
No
7/26/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities
No
7/22/2010
Color Code Key:
Vendor Replied – Fix in development
Awaiting Vendor Reply/Confirmation
Awaiting CC/S/A use validation
11
Distribution A: Approved for Public Release, Distribution Unlimited.
Additional security layers often create vulnerabilities…
100%
80%
60%
43%
44%
36%
40%
20%
24%
33%
18%
24%
25%
24%
22%
30%
20%
0%
Distribution A: Approved for Public Release, Distribution Unlimited.
12
Identifying attack surfaces…
Constant surface area
available to attack.
Regardless of the
application size,
the system loads
the same number
of support
functions.
DLLs: run-time environment
= more commonality
For every 1,000 lines
of code, 1 to 5 bugs
are introduced.
Application specific functions
13
Distribution A: Approved for Public Release, Distribution Unlimited.
How are you incentivizing the adversary?
Understanding them in the context of ‘game theory’ reveals the
problem.
Bot Herder strategy example:
Traditional
C2 Botnet
Bot Herder
Cost
Strategy 1:
XOR‡ branch
“Storm”
Botnet
New
P2P Botnet
Strategy 2:
AES* branch
Root
Tree
Bot Herder
Return
Solution exists:
weekly patch,
kills branch
Solution needed:
high cost solution,
kills tree
Antivirus
Cost
Antivirus
Return
Short
Long
Small
High
High
Low
High
Small
High
0
High
Low
Branch
The security layering strategy and antitrust has created cross
incentives that contribute to divergence. ‡ = “exclusive or” logical operation
* = Advanced Encryption Standard
14
Distribution A: Approved for Public Release, Distribution Unlimited.
Mudge Questions (aka “Cyber-Heilmeyer”):
1. Is the solution tactical or strategic (a)?
2. What is the asymmetry for this solution (a)?
3. Can you forecast the unintended consequences (b)(e)?
4. Do attack surfaces shrink, grow, or remain unchanged? (c)(d)?
5. How does this solution incentivize the adversary (e)?
(*) If you had to defeat your own effort, how would you go about it?
a
b
c
d
e
15
Distribution A: Approved for Public Release, Distribution Unlimited.
Creating a vehicle to tackle these issues:
Cyber Fast Track
DARPA-PA-11-52
cft.usma.edu
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
16
Distribution A: Approved for Public Release, Distribution Unlimited.
CFT Mission Statement
• Identify aligned areas of interest between the DoD and a novel performer
community.
• Become a resource to that community in a way that encourages mutually
beneficial research efforts resulting in prototypes and proofs of concepts in a
matter of months
• Improve goodwill and understanding in both communities.
CFT promotes aligned interests, not the realigning of interests to meet Government needs
17
Distribution A: Approved for Public Release, Distribution Unlimited.
The Importance of Transition
The objective of technology transition is to make the desired technology
available as quickly as possible and at the lowest cost.
• Direct
• Indirect - Enabling/Promoting:
• Program of Record (POR)
• Commercial
• Memorandum of Understanding (MOU)
• Open Source
• Memorandum of Agreement (MOA)
• Other
• Technology Transition Agreement
(TTA)
18
Distribution A: Approved for Public Release, Distribution Unlimited.
The first proof that it might be do-able…
NMAPv6 – CINDER
•
Advanced IPv6 capabilities
•
200 new network scanning and discovery modules (NSE)
•
Common Platform Enumeration (CPE) output support
•
Scanner, GUI, and differencing engine performance scaling (1 million target IP addresses)
•
Adversary Mission Identification System (AMIS)
•
Transition:
Downloads 3,096,277 (5,600 .gov & 5,193 .mil)… and counting…
19
Distribution A: Approved for Public Release, Distribution Unlimited.
The two key ingredients to CFT:
Programmatics
• A unique process that allows DARPA
to legally do Cyber R&D contracting
extremely fast
• A framework that anyone can use
• Streamline negations
• One page commercial contracts
• Firm Fixed price
• Rapid awards (selection to contract
in 10 days or less)
Diplomacy
• Align the Cyber Fast Track research
goals with the goals of the
research community
• How do your priorities and
theirs align?
• Engage leaders and influencers
• Socialize the effort, take
feedback, and modify the
program structure accordingly
• Ambassador
• Speak the language,
demonstrate an understanding
of both cultures
20
Distribution A: Approved for Public Release, Distribution Unlimited.
350+ submissions & 90+ awards
400
350
300
250
Submissions
200
150
100
Awards
50
0
Distribution A: Approved for Public Release, Distribution Unlimited.
CFT Contract Award Time
100
90+
90
B
A
A
80
70
60
50
40
30
CFT
20
10
0
12
6
2
Min. days
Avg. days
Max. days
Average of 6 working days to award
Distribution A: Approved for Public Release, Distribution Unlimited.
P
R
O
C
E
S
S
92 Projects awarded to date (as of Feb 13, 2013)
44 programs underway
19 completed programs
open-source
21%
48%
31%
29 completed programs
closed source
48 Projects Completed – 44 Projects in Progress (2/13/2013)
Distribution A: Approved for Public Release, Distribution Unlimited.
23
CFT Efforts
24
A Sampling of Current CFT Programs
Hardware
Embedded System
Vulnerabilities Securing Legacy RF NAND Exploration Phy-layer Auditing
BIOS Implant
Analysis
IPMI Security
Truck-Security
Framework
Automotive-Security
Applications
Software
Android Application
Forensics
Deobfuscating
Malware
BIOS Integrity
Logical Bug
Detection
Obstructing
Configurations
Side Channel
Analysis
Binary Defense
Anti-Reverse
Engineering
Secure Parsers
Virtualization
Security
Distributed
Validation
Source Code
Analysis
Baseband
Emulation
Android OS
Security
Network Stack
Modification
Network
Visualization
Images provided by: Bit Systems
Antenna Detection
25
Distribution A: Approved for Public Release, Distribution Unlimited.
Soon to be released…
26
Soon to be released…
Bunnie’s Routers…
Image provided by: Bunnie Huang
27
Soon to be released…
Bunnie’s Routers…
Charlie’s Cars…
Image provided by: Bunnie Huang
Image provided by: Charlie Miller
28
The end of CFT…
The beginning of…
29
www.darpa.mil
30
Distribution A: Approved for Public Release, Distribution Unlimited.
Download