The Industrial Age of Hacking
Transcript of The Industrial Age of Hacking
Timothy Nosco (1)
Jared Ziegler (2)
Zechariah Clark (1)
Davy Marrero (1)
Todd Finkler (1)
Andrew Barbarello (1)
W. Michael Petullo (1)
(1) United States Cyber Command, Fort Meade, Maryland, USA
(2) National Security Agency, Fort Meade, Maryland, USA
July 13, 2020
The hacking process
[Figure: the hacking process as a pipeline of steps: Target → Gather info. → Learn program → Evaluate attack surface → Explore → Discover vulns. → Report.]
Targeting and information gathering
Program understanding and attack surface analysis
- Identify the program's functionality.
- Rehost, emulate, or run.
- Prepare the program for fuzzing.
Exploration
Vulnerability recognition and reporting
- Explore the corpus for bugs: crashes, ASan and valgrind errors.
- Prioritize, filter, and deduplicate.
- Write a report that indicates severity: likelihood of vulnerability, projected investment to convert the bug into an exploit.
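The triage step described in the bullets above (explore the corpus, then prioritize, filter and deduplicate), as an added example that is not part of the original slides: it parses constructed AddressSanitizer reports, buckets them by error class plus top stack frames, and ranks the buckets by an assumed, coarse likelihood-of-vulnerability score per error class.

```python
"""Deduplicate and rank sanitizer reports from a fuzzing corpus (added example)."""
import re
from collections import defaultdict

# Assumed coarse score: how likely each ASan error class is to be a real vulnerability.
LIKELIHOOD = {
    "heap-buffer-overflow": 3, "stack-buffer-overflow": 3, "heap-use-after-free": 3,
    "global-buffer-overflow": 2, "SEGV": 1,
}

ERROR_RE = re.compile(r"ERROR: AddressSanitizer: ([\w-]+)")
FRAME_RE = re.compile(r"^\s*#\d+ 0x[0-9a-f]+ in (\S+)", re.M)

def signature(report, depth=3):
    """Dedup key: error class plus the top `depth` frame names (addresses ignored)."""
    kind = ERROR_RE.search(report)
    frames = FRAME_RE.findall(report)[:depth]
    return (kind.group(1) if kind else "unknown",) + tuple(frames)

def triage(reports):
    """Group (input_name, report_text) pairs by signature; rank by score, then hit count."""
    buckets = defaultdict(list)
    for name, text in reports:
        buckets[signature(text)].append(name)
    ranked = sorted(buckets.items(),
                    key=lambda kv: (-LIKELIHOOD.get(kv[0][0], 1), -len(kv[1])))
    return [{"error": sig[0], "frames": sig[1:], "hits": len(names), "inputs": names,
             "likelihood": LIKELIHOOD.get(sig[0], 1)} for sig, names in ranked]

# Constructed sample reports, not real fuzzer output: two inputs reach the same
# heap overflow in parse_header; a third hits a null dereference in lookup.
SAMPLE = [
    ("crash-001", "==1==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000018\n"
                  "    #0 0x4f2a1b in parse_header parser.c:42\n"
                  "    #1 0x4f3000 in parse_file parser.c:80\n"
                  "    #2 0x4f3100 in main main.c:12\n"),
    ("crash-002", "==2==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000040\n"
                  "    #0 0x4f2a1b in parse_header parser.c:42\n"
                  "    #1 0x4f3000 in parse_file parser.c:80\n"
                  "    #2 0x4f3100 in main main.c:12\n"),
    ("crash-003", "==3==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000\n"
                  "    #0 0x4f4a00 in lookup table.c:17\n"
                  "    #1 0x4f3100 in main main.c:12\n"),
]

if __name__ == "__main__":
    for b in triage(SAMPLE):  # highest-priority bucket first, one line per unique bug
        print(f"[{b['likelihood']}] {b['error']} @ {' < '.join(b['frames'])}: "
              f"{b['hits']} input(s) {b['inputs']}")
```

The bucket list is the raw material for the severity report: each entry is one unique bug with the inputs that reproduce it.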
The problem
R = (T × S) / (L × V)
Increases risk: projected Time investment (T), required Skill level (S)
Decreases risk: Likelihood of success (L), Value of success (V)
A deliberate risk formula
Our method: breadth-first search
[Figure: a skill ladder from Automation through Apprentice and Journeyman to Master, with axes labelled "skill & effort increase" and "mentorship". The work at the successive levels ranges from using well-known tools, through cutting-edge tools and tailoring the target to the tool, to writing custom tools and heavily modifying the target.]
Our method: breadth-first search
Our vulnerability-discovery process adds targeting (*) to the steps of Votipka, et al. (†)
Experimental design
[Figure: timeline of the experiment. Selection: applicants. Orientation day: training, skill assessment, team assignment. Execution: Team A and Team B each spend week one and week two on depth-first and breadth-first work, in opposite order, with a skill assessment after each week. Measures: individual skill differential, within-subjects tests, between-subjects tests, self assessment.]
Workflow
[Figure: workflow: Target → Information gathering → Program understanding → Attack surface → Automated exploration → Promote to journeyman.]
Results: bugs found (SD: depth-first; SB: breadth-first)
Team | Method | Harnesses | T0 | T1 | T2
A    | SD     |  8        |  3 |  2 |  3
A    | SB     | 42        | 31 | 23 | 40
B    | SB     | 61        | 42 | 49 | 40
B    | SD     | 12        |  4 |  4 |  4
Results: documentation produced
[Figure: cumulative material count (y axis, 0 to 400) by date (x axis, Tue 11/12 through Fri 11/22), one series each for Breadth-First and Depth-First.]
Conclusion
We described a repeatable experiment for measuring a novel workflow that:
- efficiently uses human resources, both novice and expert,
- finds more bugs,
- produces more documentation and learning resources,
- better applies automated bug-finding tools, and
- clearly defines work roles.
Tim Nosco: [email protected]