What is Vulnerability Analysis?
Vulnerability analysis involves discovering a subset of the input space with which a malicious user can exploit logic errors in an application to drive it into an insecure state.
http://doi.ieeecomputersociety.org
copyright © March 9 2010 McCabe Technology
Potential vs. Exploitable Vulnerabilities
Potential vulnerabilities – locations within a program that contain known weaknesses
- Example: the usage of APIs known to be susceptible to buffer overflows
- Potential vulnerabilities may or may not be exploitable.
Exploitable vulnerabilities – exist when a potentially vulnerable program location...
- is dependent on or able to be influenced by user-supplied input
- is reachable on the program control flow graph at runtime
Paths Connecting Attack Surface & Target
[Diagram: attack surface entry libraries (RECV()) connected by subtrees/paths to attack surface target libraries (STRCPY())]
Advanced Exclude: Select Load Option
Use the Advanced Exclude menu to load a Class file that includes all the banned functions from Microsoft & OWASP. This file is user editable; additional modules and/or library functions can be added.
Preloaded User Definable Classes for Security
• List of Banned APIs from the Microsoft Secure Software Development Lifecycle & from OWASP
• Attack Surface APIs and Libraries (entry points)
• Vulnerable APIs and Libraries (exploitable targets)
• Individual Attack Surface Entry Point
• Individual Attack Surface Target Point
Class Editor: User Definable Class Libraries
Preloaded with Microsoft & OWASP’s banned functions. The user has the ability to add or delete Attack Surface & Target parameters.
Advanced Exclude: Narrow Scope
Use the Advanced Exclude option to understand entry points into the system, narrow the scope of analysis, and view the attack space in the context of the rest of the system.
Attack Modeling
Libraries: A Major Challenge for Developers Who Need to Produce Secure Applications
Even if you can make any code you write secure, you're still at the mercy of all those libraries. The C language is notorious for creating software with buffer overflows because of library calls. Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), getwd(), [vg]scanf(), realpath(), [v]sprintf(), sprintf(), vsprintf(), strcpy(), and strcat().
Gets() is an excellent example. This function performs the common task of reading user input, but it keeps accepting input until it sees a newline or the end of the file. That means that gets() can always be used to overflow any size buffer—no matter how large. If you use fgets() instead, you can set a parameter to limit the number of characters it will accept, thus preventing buffer overflows.
Strcpy() is similar in that it copies a string from a source to a buffer (again, it doesn’t limit the size of the string). There are safe ways to use strcpy(), such as adding a check; however, it’s often simpler to use strncpy(dst, src, dst_size – 1), which lets you specify a maximum number of characters. This is a particularly good alternative for many uses because it doesn’t throw an error when the input is too big—it simply terminates. If you need to generate an error when a specified string length is exceeded, you can use strcpy() along with a check, such as:
if (strlen(src) >= dst_size) ...
Strcat() concatenates a string onto the end of a buffer. Strncat() is a safer alternative, but it does require that you monitor the room left in the buffer.
What is the Attack Surface?
A software system’s attack surface is the subset of resources that an attacker can use to attack the system.
The classic attack surface definition assumes all entry points into the software system; this can include certain Windows registry keys, open handles to windowed objects, or command-line parameters.
It is important to differentiate the classic definition of attack surface from the useable attack surface. ...
Attack Map Modeling using McCabe IQ Battlemap
Use the tools to extract the subgraph of the overall CFG that includes all nodes on a path between the input acceptance node and the target nodes (potential vulnerability nodes containing things like strcpy calls).
Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), sprintf(), vsprintf(), strcpy(), and strcat().
Other possibly vulnerable procedures include printf, fprintf, snprintf, and vsnprintf.
This list names some of the worst offenders. Also, even though there are safer alternatives for most of these functions, those alternatives aren’t absolutely safe. You can still get into trouble using them—often with unterminated strings or by specifying the wrong buffer size.
What is Useable Attack Surface?
It is the portion of the attack surface that an attacker could use to crash the software, access sensitive information or gain access to the host machine remotely. It is these particular areas of code that we are interested in exercising, as they pose the highest degree of risk. It is also independent of configuration and specification, as we are testing the code connected to a particular input source.
[Diagram: parsing & validation logic on the path between recv and strcpy]
Attack Surface Analysis & Reduction
Microsoft Secure Software Development Series, Best Practices – The Security Development Lifecycle
SDL: A Process for Developing Demonstrably More Secure Software, by Michael Howard and Steve Lipner
http://www.microsoft.com/security/sdl/about/process.aspx
Viewing Attack Space in Relation to the Rest of the Code
Exploitability Implies Reachability
In order to determine whether a vulnerability is an exploitable threat, one must prove that it is reachable on the execution path given some user-supplied input. Exploitability depends on the control flow logic on the paths between the external input and the targeted exploitable routines. The diagram below illustrates this idea, in this case showing control flow inclusive of packet acceptance and the basic block where a vulnerable API function is used.
To narrow the scope of exploitable code, we consider its attack trees. …
[Diagram: parsing & validation logic on the path between recv and strcpy]
What is An Attack Tree?
An Attack Tree is a set of paths connecting a specific attack surface and a specific attack target.
Attack Trees are also known as “And/Or Trees”. The history of the Attack Tree can be traced back to the Fault Tree developed by Bell Labs and the U.S. Air Force in the 1960s. The software-related application of the Fault Tree is also known as the Threat Tree, which is an excellent tool for modeling a particular attack scenario.
McCabe IQ uses the McCabe Design Complexity Metrics, visual subtree graphs, subtree test conditions and code coverage as Attack Trees. McCabe Design Complexity metrics are typically calculated rooted at the input node of the attack surface.
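The subgraph extraction described on the Attack Map Modeling, Exploitability Implies Reachability and Attack Tree slides, as an added example (not McCabe IQ code): a node is on an attack path exactly when it is forward-reachable from an entry node and backward-reachable from a target node, so the attack subgraph is the intersection of the two reachability sets, and a target outside that set is a potential vulnerability that no external input reaches. The call graph, its module names and the enum constants are constructed for this example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_NODES 16

/* Added example, not McCabe IQ code.  Nodes are modules; adj[u][v] == 1 means
 * u calls v.  "Entry" modules accept external input (recv); "target" modules
 * call an unchecked API (strcpy, sprintf). */
typedef struct {
    int n;
    const char *name[MAX_NODES];
    int adj[MAX_NODES][MAX_NODES];
} Graph;

static void add_edge(Graph *g, int u, int v) { g->adj[u][v] = 1; }

/* Mark every node reachable from the seeded nodes.  With forward == 0 the edges
 * are followed backwards, giving the nodes from which some seed is reachable. */
static void reach(const Graph *g, const int *seed, int forward, int *seen)
{
    int queue[MAX_NODES], head = 0, tail = 0;
    memset(seen, 0, sizeof(int) * MAX_NODES);
    for (int v = 0; v < g->n; v++)
        if (seed[v]) { seen[v] = 1; queue[tail++] = v; }
    while (head < tail) {
        int u = queue[head++];
        for (int v = 0; v < g->n; v++) {
            int edge = forward ? g->adj[u][v] : g->adj[v][u];
            if (edge && !seen[v]) { seen[v] = 1; queue[tail++] = v; }
        }
    }
}

/* Attack subgraph: nodes lying on some path from an entry to a target, i.e.
 * forward-reachable from an entry AND backward-reachable from a target.
 * Fills on_path[] and returns the number of nodes in the subgraph. */
int attack_subgraph(const Graph *g, const int *is_entry, const int *is_target, int *on_path)
{
    int fwd[MAX_NODES], bwd[MAX_NODES], count = 0;
    reach(g, is_entry, 1, fwd);
    reach(g, is_target, 0, bwd);
    for (int v = 0; v < g->n; v++) {
        on_path[v] = fwd[v] && bwd[v];
        count += on_path[v];
    }
    return count;
}

/* A target that is not in the subgraph is a potential vulnerability no external
 * input reaches (slide 2's distinction).  Returns how many targets are exploitable. */
int exploitable_targets(const Graph *g, const int *is_entry, const int *is_target)
{
    int on_path[MAX_NODES], n = 0;
    attack_subgraph(g, is_entry, is_target, on_path);
    for (int v = 0; v < g->n; v++) n += is_target[v] && on_path[v];
    return n;
}

/* Constructed sample: a small packet handler.  format_banner also calls an
 * unchecked API, but only from configuration loading, never from network input. */
enum { M_MAIN, M_RECV_PACKET, M_PARSE_HEADER, M_VALIDATE_LEN, M_COPY_PAYLOAD,
       M_LOG_PACKET, M_SEND_REPLY, M_READ_CONFIG, M_FORMAT_BANNER, M_NODE_COUNT };

void build_sample(Graph *g)
{
    static const char *names[M_NODE_COUNT] = { "main", "recv_packet", "parse_header",
        "validate_len", "copy_payload[strcpy]", "log_packet", "send_reply",
        "read_config", "format_banner[sprintf]" };
    memset(g, 0, sizeof *g);
    g->n = M_NODE_COUNT;
    for (int i = 0; i < M_NODE_COUNT; i++) g->name[i] = names[i];
    add_edge(g, M_MAIN, M_RECV_PACKET);        add_edge(g, M_MAIN, M_READ_CONFIG);
    add_edge(g, M_MAIN, M_SEND_REPLY);         add_edge(g, M_RECV_PACKET, M_PARSE_HEADER);
    add_edge(g, M_RECV_PACKET, M_LOG_PACKET);  add_edge(g, M_PARSE_HEADER, M_VALIDATE_LEN);
    add_edge(g, M_VALIDATE_LEN, M_COPY_PAYLOAD); add_edge(g, M_COPY_PAYLOAD, M_SEND_REPLY);
    add_edge(g, M_READ_CONFIG, M_FORMAT_BANNER);
}

int main(void)
{
    Graph g;
    int is_entry[MAX_NODES] = {0}, is_target[MAX_NODES] = {0}, on_path[MAX_NODES];
    build_sample(&g);
    is_entry[M_RECV_PACKET] = 1;
    is_target[M_COPY_PAYLOAD] = 1;
    is_target[M_FORMAT_BANNER] = 1;
    int n = attack_subgraph(&g, is_entry, is_target, on_path);
    printf("%d modules on paths between recv and an unchecked call:\n", n);   /* 4 */
    for (int v = 0; v < g.n; v++)
        if (on_path[v]) printf("  %s\n", g.name[v]);
    printf("exploitable targets: %d of 2\n", exploitable_targets(&g, is_entry, is_target)); /* 1 */
    return 0;
}
```

Nodes downstream of the target (send_reply) and callers above the entry (main) drop out of the subgraph, which is why the deck roots its metrics at the input acceptance node rather than at main.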
Applying McCabe Design Complexity to Attack Trees
Definition: the module design complexity of a module is a measure of the decision structure which controls the invocation of the module’s immediate subordinate modules. It is a quantification of the testing effort of a module as it calls its subordinates.
The module design complexity is calculated as the cyclomatic complexity of the reduced graph. Reduction is completed by removing decisions and nodes that do not impact the calling control of the module over its subordinates.
McCabe Design Complexity metrics should be calculated by rooting at the input acceptance node. The McCabe Design Complexity metrics and subtrees can be used to understand and test Attack Trees within the source code.
Integration complexity S1
How do you assess complexity & test effort for component design? By measuring the integration paths in its modules.
S1 = S0 - n + 1 = 12 - 7 + 1 = 6
McCabe System Design Complexity Attack Tree

20100309 03 - Vulnerability analysis (McCabe)

  • 1. Vulnerability analysis - Vulnerability analysis involves discovering a subset of the input space with which a malicious user can exploit logic errors in an application to drive it into an insecure state. http://doi.ieeecomputersociety.org What is Vulnerability Analysis? copyright c March 9 2010 McCabe Technology
  • 2. Potential vulnerabilities – locations within a program that contain known weaknesses - Example: The usage of APIs known to be susceptible to buffer overflows - Potential vulnerabilities may or may not be exploitable. Exploitable vulnerabilities - exist when a potentially vulnerable program location... - Is dependent on or able to be influenced by user supplied input - Is reachable on the program control flow graph at runtime Potential vs. Exploitable Vulnerabilities copyright c March 9 2010 McCabe Technology
  • 3. Paths Connecting Attack Surface & Target Attack Surface Entry Libraries Attack Surface Target Libraries Subtrees/Paths RECV() STRCPY() copyright c March 9 2010 McCabe Technology
  • 4. Advanced Exclude: Select Load Option Use the Advanced Exclude Menu to load a Class file that includes all the banned functions from Microsoft & OWASPS. This file user editable. Additional modules and/or library functions can be added. copyright c March 9 2010 McCabe Technology
  • 5. Preloaded User Definable Classes for Security • List of Banned APIs from the Microsoft Secure Software Development Lifecycle & from OWASP • Attack Surface APIs and Libraries (entry points) • Vulnerable APIs and Libraries (exploitable targets) • Individual Attack Surface Entry Point • Individual Attack Surface Target Point copyright c March 9 2010 McCabe Technology
  • 6. Class Editor: User Definable Class Libraries
    Preloaded with Microsoft's & OWASP's banned functions. The user has the ability to add or delete Attack Surface & Target parameters.
  • 7. Advanced Exclude: Narrow Scope
    Use the Advanced Exclude option to understand entry points into the system, narrow the scope of analysis, and view the attack space in the context of the rest of the system.
  • 8. Attack Modeling
  • 9. Libraries: Major challenge for developers who need to produce secure applications
    Even if you can make any code you write secure, you're still at the mercy of all those libraries. The C language is notorious for creating software with buffer overflows because of library calls. Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), getwd(), [vg]scanf(), realpath(), [v]sprintf(), sprintf(), vsprintf(), strcpy(), and strcat().
    gets() is an excellent example. This function performs the common task of reading user input, but it keeps accepting input until it sees a newline or the end of the file. That means gets() can always be used to overflow a buffer of any size, no matter how large. If you use fgets() instead, you can set a parameter to limit the number of characters it will accept, thus preventing buffer overflows.
    strcpy() is similar in that it copies a string from a source to a buffer (again, it doesn't limit the size of the string). There are safe ways to use strcpy(), such as adding a check; however, it's often simpler to use strncpy(dst, src, dst_size - 1), which lets you specify a maximum number of characters. This is a particularly good alternative for many uses because it doesn't throw an error when the input is too big; it simply stops copying. If you need to generate an error when a specified string length is exceeded, you can use strcpy() along with a check, such as: if (strlen(src) >= dst_size) ...
    strcat() concatenates a string onto the end of a buffer. strncat() is a safer alternative, but it does require that you monitor the room left in the buffer.
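    The three patterns this slide names, written out as an added example (not code from the McCabe slides): strcpy() behind the slide's length check, strncpy(dst, src, dst_size - 1) with the terminator the slide's wording glosses over, and strncat() with the remaining room tracked per call. The helper names copy_or_fail, copy_truncate and cat_or_fail are mine.

```c
#include <string.h>

/* Added example, not McCabe's code: the three patterns the slide names,
 * each guarding a caller-supplied buffer of dst_size bytes (text + NUL). */

/* Pattern 1: strcpy() behind the slide's length check.
 * Returns 0 on success, -1 when src (plus its NUL) would not fit. */
int copy_or_fail(char *dst, size_t dst_size, const char *src)
{
    if (dst_size == 0 || strlen(src) >= dst_size)
        return -1;              /* no room for the text and its terminator */
    strcpy(dst, src);           /* safe only because of the check above */
    return 0;
}

/* Pattern 2: strncpy(dst, src, dst_size - 1), which truncates instead of failing.
 * Caveat: strncpy() writes no NUL when src has at least n bytes, so the
 * terminator is set explicitly. Returns how many bytes of src were dropped. */
size_t copy_truncate(char *dst, size_t dst_size, const char *src)
{
    size_t len = strlen(src);
    if (dst_size == 0)
        return len;
    strncpy(dst, src, dst_size - 1);
    dst[dst_size - 1] = '\0';
    return len > dst_size - 1 ? len - (dst_size - 1) : 0;
}

/* Pattern 3: strncat() with the room left in dst recomputed on every call,
 * the bookkeeping the slide says strncat() requires.
 * Returns 0 on success, -1 when src would not fit in the remaining space. */
int cat_or_fail(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;
    while (used < dst_size && dst[used] != '\0')   /* bounded strlen(dst) */
        used++;
    if (used == dst_size)
        return -1;              /* dst is not NUL-terminated within dst_size */
    size_t room = dst_size - used - 1;   /* bytes left for text, one kept for NUL */
    if (strlen(src) > room)
        return -1;
    strncat(dst, src, room);
    return 0;
}
```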
  • 10. What is the Attack Surface?
    A software system's attack surface is the subset of resources that an attacker can use to attack the system. The classic attack surface definition assumes all entry points into the software system; this can include certain Windows registry keys, open handles to windowed objects, or command-line parameters. It is important to differentiate the classic definition of attack surface from the useable attack surface. ...
  • 11. Attack Map Modeling using McCabe IQ Battlemap
    Use the tools to extract the subgraph of the overall CFG that includes all nodes on a path between the input acceptance node and the target nodes (potential vulnerability nodes containing things like strcpy calls).
    Standard C functions that do no range checking of character string inputs are vulnerable to function algorithm attacks. These functions include scanf(), gets(), sprintf(), vsprintf(), strcpy(), and strcat(). Other possibly vulnerable procedures include printf, fprintf, snprintf, and vsnprintf. This list names some of the worst offenders. Also, even though there are safer alternatives for most of these functions, those alternatives aren't absolutely safe. You can still get into trouble using them, often with unterminated strings or by specifying the wrong buffer size.
  • 12. What is Useable Attack Surface?
    It is the portion of the attack surface that an attacker could use to crash the software, access sensitive information, or gain access to the host machine remotely. It is these particular areas of code that we are interested in exercising, as they pose the highest degree of risk. It is also independent of configuration and specification, as we are testing the code connected to a particular input source.
    [Diagram: parsing & validation logic on the path between recv and strcpy]
  • 13. Attack Surface Analysis & Reduction
    Microsoft Secure Software Development Series, Best Practices: The Security Development Lifecycle (SDL): A Process for Developing Demonstrably More Secure Software, by Michael Howard and Steve Lipner. http://www.microsoft.com/security/sdl/about/process.aspx
  • 14. Viewing Attack Space in Relation to the Rest of the Code
  • 15. Exploitability Implies Reachability
    In order to determine if a vulnerability is an exploitable threat, one must prove that it is reachable on the execution path given some user-supplied input. The exploitability is dependent upon the control flow logic on the paths between the external input and the targeted exploitable routines. The diagram below illustrates this idea, in this case showing control flow inclusive of packet acceptance and the basic block where a vulnerable API function is used. To narrow the scope of exploitable code, we consider its attack trees. …
    [Diagram: parsing & validation logic on the path between recv and strcpy]
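    The subgraph extraction that slides 11 and 15 describe, as an added example that is not McCabe IQ's implementation: on a constructed control flow graph (the node names recv, parse, validate, log_only, strcpy_block and so on are made up for illustration), a node belongs to the attack tree between input and target exactly when it is reachable forward from the input acceptance node and backward from the target node.

```c
/* Added example, not McCabe IQ's code: nodes on some path from an input node
 * to a target node = (forward-reachable from input) AND (backward-reachable
 * from target). The graph below is constructed for illustration. */

#define N 8
enum { ENTRY, RECV, PARSE, VALIDATE, LOG_ONLY, STRCPY_BLOCK, REPLY, EXIT_NODE };

/* Constructed adjacency matrix: edge[a][b] = 1 means control may flow a -> b. */
static const int edge[N][N] = {
    /*                 ent rcv par val log scp rep exit */
    [ENTRY]        = { 0,  1,  0,  0,  0,  0,  0,  0 },
    [RECV]         = { 0,  0,  1,  0,  1,  0,  0,  0 }, /* recv -> parse | log_only */
    [PARSE]        = { 0,  0,  0,  1,  0,  0,  1,  0 }, /* parse -> validate | reply */
    [VALIDATE]     = { 0,  0,  0,  0,  0,  1,  1,  0 }, /* validate -> strcpy | reply */
    [LOG_ONLY]     = { 0,  0,  0,  0,  0,  0,  0,  1 }, /* never reaches strcpy */
    [STRCPY_BLOCK] = { 0,  0,  0,  0,  0,  0,  1,  0 },
    [REPLY]        = { 0,  0,  0,  0,  0,  0,  0,  1 },
    [EXIT_NODE]    = { 0,  0,  0,  0,  0,  0,  0,  0 },
};

/* Depth-first marking of reachable nodes; forward follows edge[u][v],
 * backward follows edge[v][u] (the reversed graph). */
static void mark(int u, int forward, int seen[N])
{
    if (seen[u])
        return;
    seen[u] = 1;
    for (int v = 0; v < N; v++)
        if (forward ? edge[u][v] : edge[v][u])
            mark(v, forward, seen);
}

/* Fills in_tree[] with 1 for every node on some src -> dst path and
 * returns how many such nodes there are (0 means dst is not reachable). */
int attack_tree(int src, int dst, int in_tree[N])
{
    int fwd[N] = {0}, bwd[N] = {0}, count = 0;
    mark(src, 1, fwd);
    mark(dst, 0, bwd);
    for (int v = 0; v < N; v++) {
        in_tree[v] = fwd[v] && bwd[v];
        count += in_tree[v];
    }
    return count;
}
```

    For the constructed graph, attack_tree(RECV, STRCPY_BLOCK, ...) keeps recv, parse, validate and strcpy_block, and drops log_only and reply, which is the "parsing & validation logic on the path between recv and strcpy" the slide's diagram singles out.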
  • 16. What is an Attack Tree?
    An Attack Tree is a set of paths connecting a specific attack surface and a specific attack target. Attack Trees are also known as "And/Or Trees". The history of the Attack Tree can be traced back to the Fault Tree developed by Bell Labs and the U.S. Air Force in the 1960s. The software-related application of the Fault Tree is also known as the Threat Tree, which is an excellent tool for modeling a particular attack scenario.
    McCabe IQ uses the McCabe Design Complexity Metrics, visual subtree graphs, subtree test conditions and code coverage as Attack Trees. McCabe Design Complexity metrics are typically calculated rooted at the input node of the attack surface.
  • 17. Applying McCabe Design Complexity to Attack Trees
    Definition: the module design complexity of a module is a measure of the decision structure which controls the invocation of the module's immediate subordinate modules. It is a quantification of the testing effort of a module as it calls its subordinates. The module design complexity is calculated as the cyclomatic complexity of the reduced graph. Reduction is completed by removing decisions and nodes that do not impact the calling control of the module over its subordinates.
    McCabe Design Complexity metrics should be calculated by rooting at the input acceptance node. The McCabe Design Complexity metrics and subtrees can be used to understand and test Attack Trees within the source code.
  • 18. How do you assess complexity & test effort for component design?
    By measuring the integration paths in its modules: integration complexity S1.
    S1 = S0 - n + 1 = 12 - 7 + 1 = 6
  • 19. McCabe System Design Complexity Attack Tree