Gray, the New Black
Gray-Box Vulnerability Testing
Brian Chess, Ph.D.
Distinguished Technologist, HP
Founder and Chief Scientist, HP Fortify
©2011 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.


Brian Chess
- Founder/Chief Scientist, Fortify Software
- Ph.D. from University of California, 2002
- Started Fortify Software, 2003
- Fortify acquired by HP, 2010
- Loves: "Success is foreseeing failure"
- Hates: "The only way to stop the bad guys is to hunt them down and sue them until they stop."

Todo
- Why automated security testing
- Popular testing techniques
- Combining analysis approaches
- Empirical results

Automated Security Testing is Critical
- Vulnerability-finding robots vs. hackers and better education
- The supply of legacy code is never-ending: don't invest in security until you've created value
- Secure today, hacked tomorrow: a constant and consistent need for re-testing
- Security can't be tested like a feature: explore all corners of the application for all vulnerabilities

Speaker notes: We need thorough and consistent vulnerability detection over enormous amounts of code.
1.1 Legacy code: We will always be playing catch-up because people build something of value before they try to protect it. Doing otherwise would be silly.
1.2 Even new code needs to be verified.
1.3 Software security can't be tested as a feature; we need to explore the whole app. This makes typical feature-based testing methods not so useful.
(22 August 2011, HP Confidential)

Perfect Security Automation
- Finds all the vulnerabilities (no false negatives)
- Never wrong (no false positives)
- Runs fast
- Easy to use
- Easy to know you're using it correctly
- Cheap

Black-Box Testing
- System-level tests
- No assumptions about implementation
- Example: fuzzing
- Good: concrete results
- Bad: a losing game

The Software Security Game
- Objective
- Rules vs. Strategy
- Playing Field

Objective
- Defender's objective: protect everything
- Attacker's objective: exploit one vulnerability

Rules for the Defender
- Don't attack the attacker

Rules vs. Strategy
- Rules: don't attack the attacker
- Strategy: emulate attackers' techniques

Who wins? (slide build)
- Technology
- Expertise
- Time

Changing the odds
- Technology
- Expertise
- Time

The Defender's Advantage
- Time
- Inside access
- Technology
- Expertise

White-Box Testing
- Examine implementation
- Test components in isolation
- Example: static analysis
- Good: thorough
- Bad: too thorough
- Bad: no "show me" exploits

Gray-Box Testing
- System-level tests (like black-box)
- Examine implementation (like white-box)

Prior Art
- 2005: Concolic testing: Sen, University of Illinois
- 2008: SAGE: Godefroid, MSR
- 2008: Test Gen for Web Apps: Shay et al., U. Washington
- 2008: Acunetix: AcuSensor

Hybrid Analysis (diagram)
- Dynamic Analysis and Static Analysis both feed a Correlation Engine, which sits between them and the Application

Correlation is Good
- A single report
- No more comparing apples and oranges
- Points out problems with analyzers & configurations

Haters Club: "Static/Dynamic Hybrid doesn't work because..."
- Detecting attack surface statically doesn't work: dynamic and late-binding frameworks
- Correlating results doesn't work: not enough information in results to match them up
- Doesn't help with false positives and false negatives: multiplies analysis weaknesses by over-emphasizing overlap

Improving Hybrid (diagram)
- Dynamic Analysis, Static Analysis, Correlation Engine, Application, plus a Monitor inside the application

Lining Up an Attack with the Code
- Dynamic: http://www.sales.xyz.com?n=
- Monitor: ID: 234, File: MyCode.cs, Line: 27
- Static: ID: 234, File: MyCode.cs, Line: 27, Source trace:

Generation 3: Integrated Analysis (diagram)
- Dynamic Analysis linked in real time to Real-Time Analysis running inside the Application

Find More, Fix Faster

Find More
- Detect new types of vulnerabilities: privacy violation, log forging
- Find more of all kinds of vulnerabilities: automatic attack surface identification
- Understand effects of attacks

Attack surface identification
- /login.jsp
- /pages/account.jsp
- /pages/balance.jsp
- /backdoor.jsp
- Discovered from: file system, configuration-driven, programmatic

Understand effects of attacks
- /backdoor.jsp: Command Injection (sysadmin$ ./sh)

Fix Faster
- Provide actionable details: stack trace, line of code
- Group symptoms with a common cause

Actionable Details (screenshot: /login.jsp)

Grouping Symptoms with a Common Cause
- /login.jsp, /pages/account.jsp, /pages/balance.jsp
- 1 Cross-Site Scripting symptom, 2 Cross-Site Scripting symptoms, 3 Cross-Site Scripting symptoms
- 1 Cross-Site Scripting cause

JavaBB Case Study
- Open source bulletin board
- Additional vulnerabilities: finds 18 SQL injection results
- Root cause analysis: 18 SQL injection results have 1 root cause

Vulnerability Diagnosis & Actionable Details

Confirmed SQL Injection (screenshot)
- Line of code
- Parameters
- Stack trace

Yazd Case Study
- Open source forum
- Additional attack surface: discovers hidden admin area; 3 additional Cross-Site Scripting results
- Root cause analysis: collapses 34 XSS into 24 root-cause vulnerabilities

Attack surface identification (screenshot: hidden admin area)

Group Common-Cause Issues (screenshot)
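An added example, not part of the deck and not HP Fortify's code: a toy correlation engine in Python that does what the Monitor and root-cause slides describe. It joins each dynamic (black-box) symptom to the sink the runtime monitor saw that request reach, collapses symptoms that share a sink into one root cause, and also reports what each analyzer missed, which is the "points out problems with analyzers & configurations" benefit. All records, request IDs, field names and the Admin.cs path are constructed; MyCode.cs:27 is the location shown on the "Lining Up an Attack" slide.

```python
from collections import defaultdict
from typing import NamedTuple

class DynamicFinding(NamedTuple):   # black-box symptom: a request that produced a finding
    request_id: int
    url: str
    param: str
    category: str

class MonitorEvent(NamedTuple):     # runtime monitor: request N reached sink file:line
    request_id: int
    file: str
    line: int

class StaticFinding(NamedTuple):    # white-box result at a sink (file:line)
    file: str
    line: int
    category: str

def correlate(dynamic, monitor, static):
    """Join symptoms to sinks via the monitor's request IDs; returns (causes, unmatched, unexercised):
      causes      {(file, line): [symptoms]}  symptoms sharing a sink = one root cause
      unmatched   symptoms the monitor never saw reach a sink (monitor/config gap)
      unexercised static findings no scanner request ever reached (scanner gap)"""
    sink_of = {m.request_id: (m.file, m.line) for m in monitor}
    causes, unmatched = defaultdict(list), []
    for d in dynamic:
        sink = sink_of.get(d.request_id)
        (causes[sink] if sink else unmatched).append(d)
    unexercised = [s for s in static if (s.file, s.line) not in causes]
    return dict(causes), unmatched, unexercised

# Constructed sample data (request IDs, paths and categories are made up;
# MyCode.cs:27 is the location shown on the "Lining Up an Attack" slide).
DYNAMIC = [
    DynamicFinding(231, "/login.jsp", "n", "Cross-Site Scripting"),
    DynamicFinding(232, "/pages/account.jsp", "n", "Cross-Site Scripting"),
    DynamicFinding(233, "/pages/balance.jsp", "n", "Cross-Site Scripting"),
    DynamicFinding(234, "/search.jsp", "q", "SQL Injection"),   # no monitor event
]
MONITOR = [MonitorEvent(rid, "MyCode.cs", 27) for rid in (231, 232, 233)]
STATIC = [
    StaticFinding("MyCode.cs", 27, "Cross-Site Scripting"),
    StaticFinding("Admin.cs", 88, "Command Injection"),          # never exercised
]

def report():
    causes, unmatched, unexercised = correlate(DYNAMIC, MONITOR, STATIC)
    return {"root_causes": len(causes), "symptoms": len(DYNAMIC),
            "unmatched": len(unmatched), "unexercised": len(unexercised)}
```

Three XSS symptoms on three pages collapse to the single sink at MyCode.cs:27, the SQL injection symptom with no monitor event is flagged as a monitoring gap, and the static Command Injection finding no request reached is flagged as scanner coverage to add.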

More to come: automated anti-anti automation

Haters Club (revisited)
- Detecting attack surface statically doesn't work
- Correlating results doesn't work
- Doesn't help with false positives and false negatives
- Nobody will monitor the execution of the software

The Case for Gray-Box Testing
- Automated security testing is critical
- Black-box is a losing game, white-box is incomplete
- Integrated analysis finds more: attack surface, types of vulnerabilities, vulnerability diagnosis
- Integrated analysis enables faster fixes: root cause analysis, group symptoms with a common cause

The Evolution of Software Security
Brian Chess, Ph.D.
Distinguished Technologist, HP
Founder and Chief Scientist, HP Fortify
Find More, Fix Faster