SlideShare uma empresa Scribd logo

First Principles Vulnerability Assessment

Manuel Brugnoli
Manuel Brugnoli

This document describes a methodology called First Principles Vulnerability Assessment (FPVA) for identifying security vulnerabilities. FPVA is an analyst-centric and manual process that involves: 1) Analyzing a system's architecture and components, 2) Identifying key resources and privilege levels, 3) Evaluating components in-depth guided by the previous steps and knowledge of vulnerabilities, 4) Disseminating results to developers. FPVA was used to assess several grid middleware systems, finding over 50 vulnerabilities. While automated tools can help, manual assessment is still needed to identify new types of attacks not found by tools. Adopting FPVA leads to increased security awareness in development teams.

Tecnologia
1 de 20
Baixar para ler offline
First Principles Vulnerability Assessment Computer Architecture & Operating Systems Department Universitat Autònoma de Barcelona Elisa Heymann Manuel Brugnoli
2 The Bad News • The bad guys are trying to do really bad things to us. • They are smart, dedicated and persistent. • No single approach to security can be sufficient. • The attackers have a natural advantage over the defenders. We have to approach the defense of our systems as security in depth.
3 The Good News • We started by trying to do something simple: Increase our confidence in the security of some critical Grid middleware. • We ended up developing a new manual methodology: First Principles Vulnerability Assessment • We found some serious vulnerabilities … and more vulnerabilities … and more.
4 Key Issues for Security • Need independent assessment – Software engineers have long known that testing groups must be independent of development groups • Need an assessment process that is NOT based solely on known vulnerabilities – Such approaches will not find new types and variations of attacks
5 Our Piece of the Solution Space First Principles Vulnerability Assessment: • An analyst-centric (manual) assessment process. • You can’t look carefully at every line of code so: then identify key resources and privilege levels, component interactions and trust delegation, then focused component analysis. Don’t start with known threats … … instead, identify high value assets in the code and work outward to derive threats. • Start with architectural analysis,
First Principles Vulnerability Assessment Understanding the System Step 1: Architectural Analysis – Functionality and structure of the system, major components (modules, threads, processes), communication channels – Interactions among components and with users
Architectural Analysis: Condor condor & root OS privileges user master Condor submit host schedd shadow submit 1. fork 3. submit job ClassAd 8. fork master Condor execute host starter startd job 1. fork 8. fork 10. start job master Stork server host stork_server 1. fork Condor execute host master negotiator collector 1. fork 1. fork 5. Negotiator cycle 2. machine ClassAd 4. job ClassAd 5. Negotiator cycle 6. Report match 6. Report match 7. claim host 9. establish channel
First Principles Vulnerability Assessment Understanding the System Step 2: Resource Identification – Key resources accessed by each component – Operations allowed on those resources Step 3: Trust & Privilege Analysis – How components are protected and who can access them – Privilege level at which each component runs – Trust delegation
condor OS privileges root user generic Condor daemon (a) Common Resources on All Condor Hosts Condor Binaries & Libraries Condor Config etc Operational Data & Run-time Config Files spool Operational Log Files log ckpt_server (b) Unique Condor Checkpoint Server Resources Checkpoint Directory ckpt (d) Unique Condor Submit Resources shadow User’s Files user (c) Unique Condor Execute Resources User Job starter Job Execution Directories execute System Call Forwarding and Remove I/O (with Standard Universe Jobs) Send and Receive Checkpoints (with Standard Universe Jobs) Resource Analysis: Condor
First Principles Vulnerability Assessment Search for Vulnerabilities Step 4: Component Evaluation – Examine critical components in depth – Guide search using: Diagrams from steps 1-3 Knowledge of vulnerabilities – Helped by Automated scanning tools
First Principles Vulnerability Assessment Taking Actions Step 5: Dissemination of Results – Report vulnerabilities – Interaction with developers – Disclosure of vulnerabilities
First Principles Vulnerability Assessment Taking Actions
13 Studied Systems Condor, University of Wisconsin Batch queuing workload management system 15 vulnerabilities 600 KLOC of C and C++ SRB, SDSC Storage Resource Broker - data grid 5 vulnerabilities 280 KLOC of C MyProxy, NCSA Credential Management System 5 vulnerabilities 25 KLOC of C glExec, Nikhef Identity mapping service 5 vulnerabilities 48 KLOC of C Gratia Condor Probe, FNAL and Open Science Grid Feeds Condor Usage into Gratia Accounting System 3 vulnerabilities 1.7 KLOC of Perl and Bash Condor Quill, University of Wisconsin DBMS Storage of Condor Operational and Historical Data 6 vulnerabilities 7.9 KLOC of C and C++
14 Studied Systems Wireshark, wireshark.org Network Protocol Analyzer in progress 2400 KLOC of C Condor Privilege Separation, Univ. of Wisconsin Restricted Identity Switching Module 21 KLOC of C and C++ VOMS Admin, INFN Web management interface to VOMS data (role mgmt) 35 KLOC of Java and PHP CrossBroker, Universitat Autònoma de Barcelona Resource Mgr for Parallel & Interactive Applications in progress 97 KLOC of C++
15 In Progress for EMI ARGUS, wireshark.org gLite Authorization Service in progress glExec 0.8, Nikhef Identity mapping service in progress
What about Automated TOOLS? – Everyone asks for them – They may help but … ... they are definitely not enough!
Manual vs. Automated Vulnerability Assessment The literature on static analysis tools is self- limiting: – Missing comparison against a ground truth – Tool writers write about what they have found – Limited discussion of false positives Every valid new problem that a tool find is progress, but it’s easy to lose perspective on what these tools are not able to do
18 EMI • Roadmap needed: – gridFTP – CREAM – WMS • We need input from you!
23 How do You Respond? A change of culture within the development team: • When security becomes a first-class task, and when reports start arriving, awareness is significantly increased. • This effects the way developers look at code and the way that they write code. • A major landmark: when your developers start reporting vulnerabilities that they’ve found on their own.
24 Thank you. Questions? Elisa.Heymann@uab.es

Recomendados

Data mining techniques for malware detection.pptx
Data mining techniques for malware detection.pptxData mining techniques for malware detection.pptx
Data mining techniques for malware detection.pptx
Aditya Deshmukh
 
Machine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and ClusteringMachine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and Clustering
Ashwini Almad
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning Perspective
Chong-Kuan Chen
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternatives
David Jorm
 
Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)
FFRI, Inc.
 
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingDeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
Priyanka Aash
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
Yandex
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
David Jorm
 

Recomendados

Data mining techniques for malware detection.pptx
Data mining techniques for malware detection.pptxData mining techniques for malware detection.pptx
Data mining techniques for malware detection.pptx
Aditya Deshmukh
 
Machine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and ClusteringMachine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and Clustering
Ashwini Almad
 
Malware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning PerspectiveMalware Detection - A Machine Learning Perspective
Malware Detection - A Machine Learning Perspective
Chong-Kuan Chen
 
AusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternativesAusCERT 2016: CVE and alternatives
AusCERT 2016: CVE and alternatives
David Jorm
 
Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)Fighting advanced malware using machine learning (English)
Fighting advanced malware using machine learning (English)
FFRI, Inc.
 
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI LocksmithingDeepLocker - Concealing Targeted Attacks with AI Locksmithing
DeepLocker - Concealing Targeted Attacks with AI Locksmithing
Priyanka Aash
 
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения..."Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
"Быстрое обнаружение вредоносного ПО для Android с помощью машинного обучения...
Yandex
 
OpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight SecurityOpenDaylight Brisbane User Group - OpenDaylight Security
OpenDaylight Brisbane User Group - OpenDaylight Security
David Jorm
 
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Sung Kim
 
Who Changed You? Obfuscator Identification for Android
Who Changed You? Obfuscator Identification for AndroidWho Changed You? Obfuscator Identification for Android
Who Changed You? Obfuscator Identification for Android
MobileSoft
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
FFRI, Inc.
 
AI approach to malware similarity analysis: Maping the malware genome with a...
AI approach to malware similarity analysis: Maping the malware genome with a...AI approach to malware similarity analysis: Maping the malware genome with a...
AI approach to malware similarity analysis: Maping the malware genome with a...
Priyanka Aash
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
David Jorm
 
Machine Learning in Malware Detection
Machine Learning in Malware DetectionMachine Learning in Malware Detection
Machine Learning in Malware Detection
Kaspersky
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles
OWASP
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET Journal
 
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Raffi Khatchadourian
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
Naga Venkata Sunil Alamuri
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Audits
ijseajournal
 
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
Stefano Dalla Palma
 
Regular Expression Denial of Service RegexDoS
Regular Expression Denial of Service RegexDoSRegular Expression Denial of Service RegexDoS
Regular Expression Denial of Service RegexDoS
Michael Hidalgo
 
TriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsTriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android Applications
Pietro De Nicolao
 
Unit testing using Mock objects and dependency injection
Unit testing using Mock objects and dependency injectionUnit testing using Mock objects and dependency injection
Unit testing using Mock objects and dependency injection
Yn Reddy
 
Static Analysis with Sonarlint
Static Analysis with SonarlintStatic Analysis with Sonarlint
Static Analysis with Sonarlint
UT, San Antonio
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
IJNSA Journal
 
Final_Presentation_FlowDroid
Final_Presentation_FlowDroidFinal_Presentation_FlowDroid
Final_Presentation_FlowDroid
Kruti Sharma
 
Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid Security
EnergySec
 
Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013
Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013
Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013
Manuel Brugnoli
 

Mais conteúdo relacionado

Mais procurados

Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Sung Kim
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
Stephan Chenette
 
AI approach to malware similarity analysis: Maping the malware genome with a...
AI approach to malware similarity analysis: Maping the malware genome with a...AI approach to malware similarity analysis: Maping the malware genome with a...
AI approach to malware similarity analysis: Maping the malware genome with a...
Priyanka Aash
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
Stephan Chenette
 
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Raffi Khatchadourian
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Audits
ijseajournal
 
Regular Expression Denial of Service RegexDoS
Regular Expression Denial of Service RegexDoSRegular Expression Denial of Service RegexDoS
Regular Expression Denial of Service RegexDoS
Michael Hidalgo
 
Unit testing using Mock objects and dependency injection
Unit testing using Mock objects and dependency injectionUnit testing using Mock objects and dependency injection
Unit testing using Mock objects and dependency injection
Yn Reddy
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
IJNSA Journal
 
Final_Presentation_FlowDroid
Final_Presentation_FlowDroidFinal_Presentation_FlowDroid
Final_Presentation_FlowDroid
Kruti Sharma
 

Mais procurados (20)

Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
Partitioning Composite Code Changes to Facilitate Code Review (MSR2015)
 
Who Changed You? Obfuscator Identification for Android
Who Changed You? Obfuscator Identification for AndroidWho Changed You? Obfuscator Identification for Android
Who Changed You? Obfuscator Identification for Android
 
The Future of Automated Malware Generation
The Future of Automated Malware GenerationThe Future of Automated Malware Generation
The Future of Automated Malware Generation
 
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
STRIDE Variants and Security Requirements-based Threat Analysis (FFRI Monthly...
 
AI approach to malware similarity analysis: Maping the malware genome with a...
AI approach to malware similarity analysis: Maping the malware genome with a...AI approach to malware similarity analysis: Maping the malware genome with a...
AI approach to malware similarity analysis: Maping the malware genome with a...
 
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
2013 Toorcon San Diego Building Custom Android Malware for Penetration Testing
 
Building world-class security response and secure development processes
Building world-class security response and secure development processesBuilding world-class security response and secure development processes
Building world-class security response and secure development processes
 
Machine Learning in Malware Detection
Machine Learning in Malware DetectionMachine Learning in Malware Detection
Machine Learning in Malware Detection
 
[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles[Warsaw 26.06.2018] SDL Threat Modeling principles
[Warsaw 26.06.2018] SDL Threat Modeling principles
 
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical ApproachIRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
IRJET- Penetration Testing using Metasploit Framework: An Ethical Approach
 
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
Actor Concurrency Bugs: A Comprehensive Study on Symptoms, Root Causes, API U...
 
Null meet Code Review
Null meet Code ReviewNull meet Code Review
Null meet Code Review
 
Standardizing Source Code Security Audits
Standardizing Source Code Security AuditsStandardizing Source Code Security Audits
Standardizing Source Code Security Audits
 
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
VCCFinder: Finding Potential Vulnerabilities in Open-Source Projects to Assis...
 
Regular Expression Denial of Service RegexDoS
Regular Expression Denial of Service RegexDoSRegular Expression Denial of Service RegexDoS
Regular Expression Denial of Service RegexDoS
 
TriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android ApplicationsTriggerScope: Towards Detecting Logic Bombs in Android Applications
TriggerScope: Towards Detecting Logic Bombs in Android Applications
 
Unit testing using Mock objects and dependency injection
Unit testing using Mock objects and dependency injectionUnit testing using Mock objects and dependency injection
Unit testing using Mock objects and dependency injection
 
Static Analysis with Sonarlint
Static Analysis with SonarlintStatic Analysis with Sonarlint
Static Analysis with Sonarlint
 
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
SOURCE CODE ANALYSIS TO REMOVE SECURITY VULNERABILITIES IN JAVA SOCKET PROGR...
 
Final_Presentation_FlowDroid
Final_Presentation_FlowDroidFinal_Presentation_FlowDroid
Final_Presentation_FlowDroid
 

Destaque

Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid Security
EnergySec
 
Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case
Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core CaseVulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case
Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case
Manuel Brugnoli
 
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
AdaCore
 
Big data and social media, BAE Systems Detica
Big data and social media, BAE Systems DeticaBig data and social media, BAE Systems Detica
Big data and social media, BAE Systems Detica
Internet World
 

Destaque (11)

Red Teaming and Energy Grid Security
Red Teaming and Energy Grid SecurityRed Teaming and Energy Grid Security
Red Teaming and Energy Grid Security
 
Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013
Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013
Vulnerability Assessment for EGI and EMI - Presentation for NATO-OTAN 2013
 
Thisworldofours
ThisworldofoursThisworldofours
Thisworldofours
 
Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case
Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core CaseVulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case
Vulnerability Assessment of Middleware Packages Supplied by EMI: VOMS Core Case
 
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
HIS 2015: Roderick Chapman - Murphy Vs Satan Why programming secure systems i...
 
Big data and social media, BAE Systems Detica
Big data and social media, BAE Systems DeticaBig data and social media, BAE Systems Detica
Big data and social media, BAE Systems Detica
 
Hadoop Ecosystem
Hadoop EcosystemHadoop Ecosystem
Hadoop Ecosystem
 
Building a Big Data platform with the Hadoop ecosystem
Building a Big Data platform with the Hadoop ecosystemBuilding a Big Data platform with the Hadoop ecosystem
Building a Big Data platform with the Hadoop ecosystem
 
Hadoop Ecosystem Architecture Overview
Hadoop Ecosystem Architecture Overview Hadoop Ecosystem Architecture Overview
Hadoop Ecosystem Architecture Overview
 
The Ecosystem is too damn big
The Ecosystem is too damn big The Ecosystem is too damn big
The Ecosystem is too damn big
 
What is Big Data?
What is Big Data?What is Big Data?
What is Big Data?
 

Semelhante a First Principles Vulnerability Assessment

EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
MichaelM85042
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Lastline, Inc.
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
PLUMgrid
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
Steve Poole
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Kevin Moran
 

Semelhante a First Principles Vulnerability Assessment (20)

Code Quality - Security
Code Quality - SecurityCode Quality - Security
Code Quality - Security
 
Web applications security conference slides
Web applications security conference slidesWeb applications security conference slides
Web applications security conference slides
 
EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22EMBA Firmware analysis - TROOPERS22
EMBA Firmware analysis - TROOPERS22
 
Software Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and SecuritySoftware Analytics: Data Analytics for Software Engineering and Security
Software Analytics: Data Analytics for Software Engineering and Security
 
how-to-bypass-AM-PPL
how-to-bypass-AM-PPLhow-to-bypass-AM-PPL
how-to-bypass-AM-PPL
 
Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12Nt2580 Unit 7 Chapter 12
Nt2580 Unit 7 Chapter 12
 
Vulnerability Detection Based on Git History
Vulnerability Detection Based on Git HistoryVulnerability Detection Based on Git History
Vulnerability Detection Based on Git History
 
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
Just-in-time Detection of Protection-Impacting Changes on WordPress and Media...
 
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
Full-System Emulation Achieving Successful Automated Dynamic Analysis of Evas...
 
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack CloudsIn-kernel Analytics and Tracing with eBPF for OpenStack Clouds
In-kernel Analytics and Tracing with eBPF for OpenStack Clouds
 
Offensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agendaOffensive cyber security engineer pragram course agenda
Offensive cyber security engineer pragram course agenda
 
Offensive cyber security engineer
Offensive cyber security engineerOffensive cyber security engineer
Offensive cyber security engineer
 
Offensive cyber security engineer updated
Offensive cyber security engineer updatedOffensive cyber security engineer updated
Offensive cyber security engineer updated
 
2022 APIsecure_Are your APIs Rugged Enough?
2022 APIsecure_Are your APIs Rugged Enough?2022 APIsecure_Are your APIs Rugged Enough?
2022 APIsecure_Are your APIs Rugged Enough?
 
chap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systemschap-1 : Vulnerabilities in Information Systems
chap-1 : Vulnerabilities in Information Systems
 
Using Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security ProblemsUsing Analyzers to Resolve Security Problems
Using Analyzers to Resolve Security Problems
 
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
The Anatomy of Java Vulnerabilities (Devoxx UK 2017)
 
Machine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and ClusteringMachine Learning for Malware Classification and Clustering
Machine Learning for Malware Classification and Clustering
 
Application Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs SecurityApplication Explosion How to Manage Productivity vs Security
Application Explosion How to Manage Productivity vs Security
 
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
Discovering Flaws in Security-Focused Static Analysis Tools for Android using...
 

Último

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Safe Software
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 

Último (20)

Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot ModelNavi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Navi Mumbai Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
Apidays Singapore 2024 - Scalable LLM APIs for AI and Generative AI Applicati...
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
Apidays New York 2024 - Accelerating FinTech Innovation by Vasa Krishnan, Fin...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024AXA XL - Insurer Innovation Award Americas 2024
AXA XL - Insurer Innovation Award Americas 2024
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
GenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdfGenAI Risks & Security Meetup 01052024.pdf
GenAI Risks & Security Meetup 01052024.pdf
 

First Principles Vulnerability Assessment

  • 1. First Principles Vulnerability Assessment Computer Architecture & Operating Systems Department Universitat Autònoma de Barcelona Elisa Heymann Manuel Brugnoli
  • 2. 2 The Bad News • The bad guys are trying to do really bad things to us. • They are smart, dedicated and persistent. • No single approach to security can be sufficient. • The attackers have a natural advantage over the defenders. We have to approach the defense of our systems as security in depth.
  • 3. 3 The Good News • We started by trying to do something simple: Increase our confidence in the security of some critical Grid middleware. • We ended up developing a new manual methodology: First Principles Vulnerability Assessment • We found some serious vulnerabilities … and more vulnerabilities … and more.
  • 4. 4 Key Issues for Security • Need independent assessment – Software engineers have long known that testing groups must be independent of development groups • Need an assessment process that is NOT based solely on known vulnerabilities – Such approaches will not find new types and variations of attacks
  • 5. 5 Our Piece of the Solution Space First Principles Vulnerability Assessment: • An analyst-centric (manual) assessment process. • You can’t look carefully at every line of code so: then identify key resources and privilege levels, component interactions and trust delegation, then focused component analysis. Don’t start with known threats … … instead, identify high value assets in the code and work outward to derive threats. • Start with architectural analysis,
  • 6. First Principles Vulnerability Assessment Understanding the System Step 1: Architectural Analysis – Functionality and structure of the system, major components (modules, threads, processes), communication channels – Interactions among components and with users
  • 7. Architectural Analysis: Condor condor & root OS privileges user master Condor submit host schedd shadow submit 1. fork 3. submit job ClassAd 8. fork master Condor execute host starter startd job 1. fork 8. fork 10. start job master Stork server host stork_server 1. fork Condor execute host master negotiator collector 1. fork 1. fork 5. Negotiator cycle 2. machine ClassAd 4. job ClassAd 5. Negotiator cycle 6. Report match 6. Report match 7. claim host 9. establish channel
  • 8. First Principles Vulnerability Assessment Understanding the System Step 2: Resource Identification – Key resources accessed by each component – Operations allowed on those resources Step 3: Trust & Privilege Analysis – How components are protected and who can access them – Privilege level at which each component runs – Trust delegation
  • 9. condor OS privileges root user generic Condor daemon (a) Common Resources on All Condor Hosts Condor Binaries & Libraries Condor Config etc Operational Data & Run-time Config Files spool Operational Log Files log ckpt_server (b) Unique Condor Checkpoint Server Resources Checkpoint Directory ckpt (d) Unique Condor Submit Resources shadow User’s Files user (c) Unique Condor Execute Resources User Job starter Job Execution Directories execute System Call Forwarding and Remove I/O (with Standard Universe Jobs) Send and Receive Checkpoints (with Standard Universe Jobs) Resource Analysis: Condor
  • 10. First Principles Vulnerability Assessment Search for Vulnerabilities Step 4: Component Evaluation – Examine critical components in depth – Guide search using: Diagrams from steps 1-3 Knowledge of vulnerabilities – Helped by Automated scanning tools
  • 11. First Principles Vulnerability Assessment Taking Actions Step 5: Dissemination of Results – Report vulnerabilities – Interaction with developers – Disclosure of vulnerabilities
  • 12. First Principles Vulnerability Assessment Taking Actions
  • 13. 13 Studied Systems Condor, University of Wisconsin Batch queuing workload management system 15 vulnerabilities 600 KLOC of C and C++ SRB, SDSC Storage Resource Broker - data grid 5 vulnerabilities 280 KLOC of C MyProxy, NCSA Credential Management System 5 vulnerabilities 25 KLOC of C glExec, Nikhef Identity mapping service 5 vulnerabilities 48 KLOC of C Gratia Condor Probe, FNAL and Open Science Grid Feeds Condor Usage into Gratia Accounting System 3 vulnerabilities 1.7 KLOC of Perl and Bash Condor Quill, University of Wisconsin DBMS Storage of Condor Operational and Historical Data 6 vulnerabilities 7.9 KLOC of C and C++
  • 14. 14 Studied Systems Wireshark, wireshark.org Network Protocol Analyzer in progress 2400 KLOC of C Condor Privilege Separation, Univ. of Wisconsin Restricted Identity Switching Module 21 KLOC of C and C++ VOMS Admin, INFN Web management interface to VOMS data (role mgmt) 35 KLOC of Java and PHP CrossBroker, Universitat Autònoma de Barcelona Resource Mgr for Parallel & Interactive Applications in progress 97 KLOC of C++
  • 15. 15 In Progress for EMI ARGUS, wireshark.org gLite Authorization Service in progress glExec 0.8, Nikhef Identity mapping service in progress
  • 16. What about Automated TOOLS? – Everyone asks for them – They may help but … ... they are definitely not enough!
  • 17. Manual vs. Automated Vulnerability Assessment The literature on static analysis tools is self- limiting: – Missing comparison against a ground truth – Tool writers write about what they have found – Limited discussion of false positives Every valid new problem that a tool find is progress, but it’s easy to lose perspective on what these tools are not able to do
  • 18. 18 EMI • Roadmap needed: – gridFTP – CREAM – WMS • We need input from you!
  • 19. 23 How do You Respond? A change of culture within the development team: • When security becomes a first-class task, and when reports start arriving, awareness is significantly increased. • This effects the way developers look at code and the way that they write code. • A major landmark: when your developers start reporting vulnerabilities that they’ve found on their own.