Page 1: Mudge

Mudge

CanSecWest 2013

Distribution A: Approved for Public Release, Distribution Unlimited.

Page 2: Mudge

Cyber Fast Track – DARPA-PA-11-52

Amendment 4 (posted January 31, 2013):

Closing Date: Proposals will be accepted at any time until 12:00 noon (ET), April 1, 2013 (previously August 3)

https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html

Page 3: Mudge

Heilmeier Questions:

When George Heilmeier was the director of DARPA in the mid 1970s, he had a standard set of questions he expected every proposal for a new research program to answer.

1. What is the problem, why is it hard?
2. How is it solved today?
3. What is the new technical idea; why can we succeed now?
4. What is the impact if successful?
5. How will the program be organized?
6. How will intermediate results be generated?
7. How will you measure progress?
8. What will it cost?

Page 4: Mudge

Ground truth…

[Chart: Cyber Incidents Reported to US-CERT by Federal agencies [1], fiscal years 2006 – 2011. Y-axis: incidents, 0 to 45,000; x-axis: 2006 through 2011.]

[1] GAO Testimony. GAO-12-166T CYBERSECURITY Threats Impacting the Nation

Page 5: Mudge

Ground truth…

[Chart: Federal Cyber Incidents and Defensive Cyber Spending, fiscal years 2006 – 2011. Left axis: Cyber Incidents Reported to US-CERT by Federal agencies [1], 0 to 45,000; right axis: Federal Defensive Cyber Spending [2] ($B), 0.0 to 12.0; x-axis: 2006 through 2011.]

[1] GAO Testimony. GAO-12-166T CYBERSECURITY Threats Impacting the Nation

[2] INPUT reports 2006 – 2011

Page 6: Mudge

Mudge or “Cyber-Heilmeier” Questions:

1. Is the solution tactical or strategic in nature?
2. What is the asymmetry for this solution?
3. What unintended consequences will be created?
4. Do attack surfaces shrink, grow, or remain unchanged?
5. How will this solution incentivize the adversary?

Page 7: Mudge

Are you tactical or strategic; what is the asymmetry?

[Chart: Lines of Code, 1985 – 2010. Security software grows from 0 to 10,000,000 lines of code, with labeled points DEC Seal, Stalker, Milky Way, Snort, Network Flight Recorder, and Unified Threat Management. Malware: 125 lines of code*.]

* Malware lines of code averaged over 9,000 samples

Page 8: Mudge

How do *you* handle passwords?


Page 9: Mudge

The first CrackMeIfYouCan contest challenged participants to crack 53,000 passwords. In 48 hours, the winning team had 38,000*.

(*this was not the important take away…)

[Chart: Profile for the winning team, Team Hashcat. X-axis: Time; y-axis: # Passwords.]

Unintended consequences…

Page 10: Mudge

[Chart, repeated from the previous slide: Profile for the winning team, Team Hashcat. X-axis: Time; y-axis: # Passwords.]

Unintended consequences…

Page 11: Mudge

Additional security layers often create vulnerabilities…

Current vulnerability watch list:

Vulnerability Title                                                            Fix Avail?   Date Added
XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability             No           8/25/2010
XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability                      Yes          8/24/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability                        No           8/20/2010
XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness                         No           8/18/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability                        No           8/17/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities                    Yes          8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability                  No           8/16/2010
XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability       No           8/12/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability                  No           8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities             No           8/10/2010
XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability                  Yes          8/09/2010
XXXXXXXXXXXX XXXXXXXXXXXX Security-Bypass Vulnerability                        No           8/06/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities                    No           8/05/2010
XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability                        No           7/29/2010
XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability            No           7/28/2010
XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability             No           7/26/2010
XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities           No           7/22/2010

Color Code Key: Awaiting Vendor Reply/Confirmation; Awaiting CC/S/A use validation; Vendor Replied – Fix in development

6 of the vulnerabilities are in security software

Page 12: Mudge

Additional security layers often create vulnerabilities…

[Chart: watch-list entries by date, 10/1/2012 – 1/25/2013; y-axis 0% to 100%. Values shown per date:]

Date          Value
10/1/2012     6/14
10/15/2012    4/9
10/31/2012    1/9
11/1/2012     2/11
11/15/2012    4/17
11/30/2012    4/17
12/3/2012     4/18
12/14/2012    8/22
12/28/2012    5/20
1/2/2013      5/20
1/14/2013     5/21
1/25/2013     7/20

Percentage labels shown on the chart: 43%, 44%, 33%, 18%, 24%, 24%, 22%, 36%, 25%, 20%, 24%, 30%

Page 13: Mudge

Identifying attack surfaces…

[Diagram labels:]

DLLs: run-time environment = more commonality

Application specific functions

Constant surface area available to attack.

Regardless of the application size, the system loads the same number of support functions.

For every 1,000 lines of code, 1 to 5 bugs are introduced.

Page 14: Mudge

How are you incentivizing the adversary?

Understanding them in the context of ‘game theory’ reveals the problem.

Bot Herder strategy example:

                        Bot Herder Cost   Bot Herder Return   Antivirus Cost   Antivirus Return
                                          (Short / Long)
Traditional C2 Botnet   Small             High / High         Low              High
New P2P Botnet          Small             High / 0            High             Low

“Storm” Botnet (Root / Tree / Branch):

Strategy 1: XOR‡ branch – Solution exists: weekly patch, kills branch

Strategy 2: AES* branch – Solution needed: high cost solution, kills tree

The security layering strategy and antitrust have created cross incentives that contribute to divergence.

‡ = “exclusive or” logical operation

* = Advanced Encryption Standard

Page 15: Mudge

Mudge Questions (aka “Cyber-Heilmeier”):

1. Is the solution tactical or strategic (a)?
2. What is the asymmetry for this solution (a)?
3. Can you forecast the unintended consequences (b)(e)?
4. Do attack surfaces shrink, grow, or remain unchanged (c)(d)?
5. How does this solution incentivize the adversary (e)?

(*) If you had to defeat your own effort, how would you go about it? (a)(b)(c)(d)(e)

Page 16: Mudge


Creating a vehicle to tackle these issues:

Cyber Fast Track

DARPA-PA-11-52

cft.usma.edu

https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html


Page 17: Mudge

CFT Mission Statement

• Identify aligned areas of interest between the DoD and a novel performer community.

• Become a resource to that community in a way that encourages mutually beneficial research efforts resulting in prototypes and proofs of concept in a matter of months.

• Improve goodwill and understanding in both communities.

CFT promotes aligned interests, not the realigning of interests to meet Government needs.

Page 18: Mudge

The Importance of Transition

The objective of technology transition is to make the desired technology available as quickly as possible and at the lowest cost.

• Direct
  • Program of Record (POR)
  • Memorandum of Understanding (MOU)
  • Memorandum of Agreement (MOA)
  • Technology Transition Agreement (TTA)

• Indirect - Enabling/Promoting:
  • Commercial
  • Open Source
  • Other

Page 19: Mudge

The first proof that it might be doable…

NMAPv6 – CINDER

• Advanced IPv6 capabilities
• 200 new network scanning and discovery modules (NSE)
• Common Platform Enumeration (CPE) output support
• Scanner, GUI, and differencing engine performance scaling (1 million target IP addresses)
• Adversary Mission Identification System (AMIS)

• Transition: Downloads 3,096,277 (5,600 .gov & 5,193 .mil)… and counting…

Page 20: Mudge

The two key ingredients to CFT:

Programmatics

• A unique process that allows DARPA to legally do Cyber R&D contracting extremely fast
• A framework that anyone can use
• Streamline negotiations
• One page commercial contracts
• Firm fixed price
• Rapid awards (selection to contract in 10 days or less)

Diplomacy

• Align the Cyber Fast Track research goals with the goals of the research community
• How do your priorities and theirs align?
• Engage leaders and influencers
• Socialize the effort, take feedback, and modify the program structure accordingly
• Ambassador: speak the language, demonstrate an understanding of both cultures

Page 21: Mudge

350+ submissions & 90+ awards

[Chart: Submissions and Awards by month, Aug-11 through Jan-13; y-axis 0 to 400.]

Page 22: Mudge

CFT Contract Award Time

Average of 6 working days to award

[Chart: Min. days, Avg. days and Max. days to award, BAA PROCESS vs. CFT; y-axis 0 to 100 days. Data labels shown: 26, 12, 90+.]

Page 23: Mudge

48 Projects Completed – 44 Projects in Progress (2/13/2013)

92 Projects awarded to date (as of Feb 13, 2013)

[Pie chart:]

44 programs underway (48%)

19 completed programs, open-source (21%)

29 completed programs, closed source (31%)

Page 24: Mudge

CFT Efforts


Page 25: Mudge

A Sampling of Current CFT Programs

[Word cloud, arranged from Software to Hardware:]

Antenna Detection
Truck-Security Framework
NAND Exploration
Phy-layer Auditing
IPMI Security
BIOS Integrity
Logical Bug Detection
Binary Defense
Obstructing Configurations
Side Channel Analysis
Anti-Reverse Engineering
Virtualization Security
Source Code Analysis
Distributed Validation
Secure Parsers
Deobfuscating Malware
Android OS Security
Baseband Emulation
Network Stack Modification
Securing Legacy RF
Network Visualization
Embedded System Vulnerabilities
BIOS Implant Analysis
Automotive-Security Applications
Android Application Forensics

Images provided by: Bit Systems

Page 26: Mudge


Soon to be released…

Page 27: Mudge

Bunnie’s Routers…


Soon to be released…

Image provided by: Bunnie Huang

Page 28: Mudge

Bunnie’s Routers… Charlie’s Cars…

Soon to be released…

Image provided by: Bunnie Huang

Image provided by: Charlie Miller

Page 29: Mudge

The beginning of…

The end of CFT…


Page 30: Mudge

www.darpa.mil
