Implementation Assurance

고려대학교정보보호대학원

마스터 제목 스타일 편집


Implementation Assurance





3

Security engineering is about building systems to remain dependable in the face of malice, error and mischance. As a discipline, it focuses on the tools, processes and methods needed to design, implement and test complete systems, and to adapt existing systems as their environment evolves.

(by Ross Anderson)

Security Engineering



4

SDL (Security Development Lifecycle)


마스터 제목 스타일 편집국제공통평가기준 (Common Criteria)



6

국제공통평가기준 (Common Criteria)

Samsung Smart TV Security Solution(received CC EAL1 certification)

LG Smart TV Application Security Solution(received CC EAL2 certification)

LG Smart TV Samsung Smart TV



7



8

Threat-Risk Modeling supports

Security ( ) and security ( ) identification

Systematic ( ) and penetration testing ⇒ Structured penetration testing

Secure code review

Threat-Risk Modeling

(Quan Heng Lim, "Pentesting Methodology 101",https://blog.horangi.com/pentesting-methodology-101-28151c53eebf)



9

MS’s STRIDE Threat Modeling Tools



10

Threat Modeling also Deals with..

(Carl Ellison, "Ceremony Design and Analysis“ )



11

Threat Modeling also Deals with..



12



13

Validation & Verification

Validation :

Verification :



14

Formal means two things : A mathematical (not English) ( ) An exhaustive ( ) method (not

simulation) ( ) coverage (i.e., over all possible

sequences of test vectors)

Sometimes “semiformal” is used to mean… Formal specification, but not verification, or Nothing formal, but using similar algorithms.

( ) coverage

What is Formal Method?



15


The Real World

Formal Specification

CodeAlgorithm / Code



16

Informal simulation methodology

”Semiformal” simulation methodology

Formal verification methodology




17

Theorem Proving

Model Checking




18




19

Theorem prover

Accepts assumptions (“givens”) & goal in some notation

Tries to produce proof of goal, starting from assumptions

Using only a sequence of allowed inference rules & theorems

Theorem proving tools may be either :

Automated Interactive (“proof assistant”)

Theorem Proving-Based Testing



20

General purpose theorem prover ( ) was used to reason 5 classic authentication protocols and their variation.

( ) was used to analyze the Needham-Schroeder protocol and SET.

( ) was used to verify authentication protocol.

Theorem Proving-Based Testing



21

Assume there is a formal model M for the specification of the System under Test (SUT).

Specify the security goals φ (e.g., confidentiality, authenticity).

A model-checker will report M |= φ for all security properties φ defining the security goals of the model.

Model-Based Security Testing



22

But program verification is ( )! (by Alan Turing)

Even if the problem were in theory solvable for a given system, there are two common reasons that make a solution ( ):

The behaviour of the system or parts of the system may not be amenable to a mathematical treatment, or

The system may simply be too complex for verification to be feasible.




23

In 1996, model checker ( ) was used to exhibit a flaw in the Needham-Schroeder protocol.

Since then many other model check tools or other proving tools showed the same thing.

Other protocols were or are being checked. SSL by Stanford IKE, SET by Meadows Netbill electronic payment protocol




24




25




26

Strengths : ( ) Can provide ( ) guarantees.

Weaknesses : ( ) between the model and the

SUT has to be addressed. Model creation is burden on programmer The model might be incorrect. If verification fails, is the problem in the model

or the program?

( ) issues




27

Security Testing Techniques in the Secure Software Development Lifecycle

But, Model-Based Testing Is Not Easy..



28

Also known as ‘Source Code Analysis’ or ‘White-Box Testing’.

Techniques :

Code-Based Testing and Static Analysis



29

Strengths : ( )

Can provide ( ) guarantees - that is, a static analysis system can show, with certainty, that a given piece of binary code is secure.

( )

Weaknesses : Resulting in a large amount of ( ).

( ) provide ‘actionable input’ (i.e., an example of a specific input that can trigger a detected vulnerability).

Code-Based Testing and Static Analysis



30

Also known as ‘Black-Box Testing’.

Techniques :

Strengths : Can provide ‘( )’.

Pentesting and Dynamic Analysis



31

Plan : ( ) should be done early to be effective (Waterfall model)

“The earlier you find problems, the easier it is to fix them.”

Do

Check : ( ) (dynamic analysis)

Act

Threat Modeling vs. Pentesting



32

“Pentesting cannot replace threat modeling! Pentesting should be used as

an adjunct to threat modeling.”




33




34




35




36




37




38

Pentesting Can't Guarantee Coverage!

Pentesting can identify some vulnerabilities for repair. However,

the failure of any particular penetration team to find

vulnerabilities does not imply their absence. It only indicates that the team failed to find any. This is the

reason we need a rigorous development process (i.e., Security

Engineering or SDL).

1) Daniel Jackson et al., "Software for Dependable Systems: Sufficient Evidence?"



39

How to Get Code-Proof



40


☞ Aaron Tomb (Galois, Inc), "Assuring Crypto Code with Automated Reasoning",QCon, London, March 2017



41

There are rarely any guarantees that real-world cryptographic implementations match the mathematical specifications

targeted by cryptanalysis research.




42


(☞ Aaron Tomb, "Automated Verification of Real-World Cryptographic Implementations“)



43

Equivalence-Checking : Checks whether two functions, f and g, agree on all inputs

Safety-Checking : Checks run-time exceptions. Given a function f, we would like to know if f's execution can perform operations such as division by zero or index out of bounds.


☞ David A. Ramos and Dawson R. Engler, "Practical, Low-Effort Equivalence Verificationof Real Code", CAV 2011 : This shows a technique for performing a semantic equivalenceverification of new implementations vs reference implementations using a modified version of KLEE.



44

Several Ways to Link Model with Prog.

☞ Matteo Avalle, Alfredo Pironti, Riccardo Sisto, "Formal Verification of Security ProtocolImplementations: a Survey", Formal Aspects of Computing, January 2014.



45

Several famous theorems (particularly Gödel’s incompleteness theorem and Rice’s theorem) imply that it’s impossible to write a program that can always construct a proof of some arbitrary theorem (or some arbitrary property of a piece of software). Because of these theoretical limits, ( ).

In practice, however, ( )contains characteristics that make many of its properties ( ).

The Limits of Automated Proof



46

Haskell based DSL (Domain-Specific Language) for writing ( )

DSL :

Cryptol

☞ Lewis JR, Martin B., "Cryptol: High-Assurance, Retargetable Crypto Development and Validation", MILCOM 2003



47

Created by Galois Inc. with support from ( )

Cryptol specifications can be used to verify various implementations

C code, VHDL, etc.

Cryptol

☞ Lewis JR, Martin B., "Cryptol: High-Assurance, Retargetable Crypto Development and Validation", MILCOM 2003



48



49(☞ "Verified correctness and security of OpenSSL HMAC", Usenix Security Symposium 2015)



50



51



52

The key strategy is to upgrade weapon systems to qualify as High-Assurance Cyber Military Systems (HACMS),

strategically designed to better withstand a cyber attack.



53



54



55


마스터 제목 스타일 편집사이버무기시험〮평가연구센터

사이버무기 시험〮평가 연구센터(CW-TEC : Cyber Weapon Test and Evaluation Center)

고신뢰 암호장비실(High-Assurance Cryptography)

고신뢰 시스템〮네트워크실(High-Assurance System•Network)

고신뢰 관리체계실(High-Assurance Management

System)

(센터장 : 황석중 교수, 부센터장 : 김승주 교수)

(실장 : 홍석희 교수) (실장 : 김승주 교수) (실장 : 이경호 교수)

암호알고리즘연구실 (홍석희 교수) 보안성분석〮평가연구실 (김승주 교수) 위험관리연구실 (이경호 교수)

Red Team

CyKor

(사)HARU

(팀장 : 이기택 박사과정)

정형기법연구실 (최진영 교수) 암호프로토콜연구실 (이동훈 교수)

외부 자문단

사이버사, 기무사, KISA, TTA,국가보안기술연구소 등

네트워크연구실 (이원준 교수)



57



58


Security Regression Testing



59

Test suite minimization

Test case prioritization

Test case selection

Security Regression Testing



60



June 3, 2015) In the Beginning…

61

Brief Introduction to CGC



62


Cyber Grand Challenge




(Korea Univ’s CyKor + Korea Univ’s SANE Lab + Others)

Traditional Capture The Flag




Traditional Pwn2Own




65

(source: DARPA)

Robots’ CTF, Cyber Grand Challenge




66

(source: DARPA)

Robots’ CTF, Cyber Grand Challenge




67




68

Brief Introduction to CGC – in 2014 –

(source: DARPA)



69

The CRS had to work without human intervention. Any teams found to use human assistance were disqualified.

The CRS had to patch bugs in challenges. Points were gained for every bug successfully patched. Challenges with no patched bugs received zero points.

The CRS could prove bugs exist in challenges. The points from patched challenges were doubled if the CRS could generate an input that crashed the challenge.

The patched challenges had to function and perform almost as well as the originals. Points were lost based on performance and functionality loss (= availability loss) in the patched challenges.

Teams are allowed to combine after the qualifying event.

Brief Introduction to CGC – Rules –



70

Brief Introduction to CGC – Schedule –

- ~70 teams → 7 qualified teams- Every qualified team received 750,000$(8억7천만원)!

- 1st: 2,000,000$(23억3천만원)- 2nd: 1,000,000$- 3rd: 750,000$

(source: DARPA)



71

Brief Introduction to CGC – Finalists –

(source: DARPA)


마스터 제목 스타일 편집Brief Introduction to CGC – Finalists –


마스터 제목 스타일 편집ForAllSecure’s MAYHEM


마스터 제목 스타일 편집DEFCON CTF 2015


마스터 제목 스타일 편집MAYHEM @ DEFCON CTF 2016


마스터 제목 스타일 편집MAYHEM @ Smithsonian



77

August 2016

- Automated unpacking- Vulnerability discovery- Taint tracing- Anomaly Detection

Fully autonomous network defense: Interact with opponent!

(source: DARPA)

Brief Introduction to CGC – After CGC –



78

"Security operations must besignificantly more automated and

manageable"

Why CGC?



79

Categorization

Mutation-based (Dumb fuzzing) :

Generation-based (Smart fuzzing) :

Evolutionary :

Fuzzing [1]



80

Problems

Suffer from the need for an ( ) set of test cases.

Can you ‘guess’ when fuzzing is ‘finished’?

Thus we need ‘( )’!

( ) : The degree to which the source code of a program is tested by a particular test suite

Fuzzing [1]



81

Lack of code coverage is a bad thing Can’t find bugs in code you’re ( )

executing

Then, how to gain ‘( )’ code coverage

Code Coverage Analysis



82

Symbolic Expression (Example) 3x + 2y = 8

Symbolic Execution Proposed in 1976.

A system to generate test data and symbolically execute programs (Lori Clarke, 1976)

Symbolic execution and program testing (James King, 1976)

2005 ~ present : practical symbolic execution

Rather than executing a program with concrete input value, execute it ( ) representing the inputs.

Symbolic Execution [2,3]



83

Applications :

Bug finding

Test Input Generation (a.k.a Symbolic Execution Tree)

Program verification (= Code assurance)

Determining functional equivalence

Worst-case execution time estimation for real-time software




84




85

Memory :

Environment :

Loops :

State space explosion and path selection :

Constraint solver :

Binary code :

Challenges of Symbolic Execution



86

( ) : Symbolic execution of a program may result in a very large, possibly infinite number of paths.

|paths| ~ 2|if-statements|




87




88

By ( ), symbolic execution can explore the target program more efficiently. However, if a precondition is ( ), no ( ) will be found.

Precondition Symbolic Execution



89

Problem : Traditional symbolic execution ( ) is too slow to find exploitable bugs.

Insight : Only explore ( ) (Fast).

Precondition Symbolic Execution to only (likely) ( )

(e.g.)

Precondition Symbolic Execution



90

Static and dynamic program analysis techniques can be used to narrow the space of states.

(E.g.)

Program Slicing :

Taint-analysis :

Program Slicing & Taint-Analysis



91

SAT : Find an assignment to a set of Boolean variables that makes the Boolean formula true

Example :

p∧(q∨¬p)∧(¬q∨¬r) is satisfiable. Choose p, q, v : p=true, q=true, r=false

p∧(q∨¬p)∧(¬q∨¬p) is unsatisfiable.

SAT Solver



92

Simple method for checking satisfiability :

Check all ( ) possibilities for v where n = number of variables.

Good news : It ( ) works

Bad news : It is ( ), so only feasible for ( ) n. It has been proven that SAT is ( )

(1970).

SAT Solver



93

SMT (Satisfiability Modulo Theories) = SAT++

An SMT formula is a Boolean combination of formulas over first-order theories.

The State of the Art : Handle ( ). (Example)

SMT Solver



94

SMT-Solvers :

SMT-Lib : Library of benchmarks

http://www.smtlib.org

SMT Solver



95

DARPA's APAC(Automated Program Analysis for Cybersecurity) for DoD mobile app marketplaces

DARPA's VET(Vetting Commodity IT SW and FW)

Only CGC Event? Not! – R&Ds



96

Turing Test) Loebner Prize Competition

http://www.loebner.net/Prizef/loebner-prize.html

Artificial Intelligence) AAAI Annual Computer Poker Competition

http://www.computerpokercompetition.org/

Satisfiability) SAT Competition

http://www.satcompetition.org/

Satisfiability Modulo Theories) SMT Competition

http://www.smtcomp.org

Only CGC Event? Not! – Competitions



97

Now drawing widespread attention!



98




99




100

☞ Symposium Celebrates Ed Clarke and Model Checking, CMU, September 2014

But It’s a Branch of Model Checking



101

☞ 차상길, "바이너리 분석을 통한 자동 익스플로잇 생성: 과거, 현재, 그리고 미래", SECUINSIDE 2016




102

☞ Symposium Celebrates Ed Clarke and Model Checking, CMU, September 2014



마스터 제목 스타일 편집Security Engineering vs. CC Evaluation





105

CC Part 3

* Assurance Classes

* Assurance Components

CC Part 2Security Functional Requirements

* Functional Classes

* Functional Families

* Functional Components

* Detailed Req.

* Functional Packages

CC Part 1Introduction and General Model

* Assurance Families

* Detailed Req.

* Eval. Assur. Levels

Security AssuranceRequirements

CC Part 3

* General Concepts

* Evaluation Model

Security Engineering vs. CC Evaluation





End-to-End Proof

High-AssuranceCyber System

Scope, Depth,Rigor



108

Security Engineering vs. CC Evaluation



109

Now The World Goes for High-EALs



110

Now The World Goes for High-EALs



111

Any Others?



112

The CC is not alone.

Many evaluation programs exist (30+).

Let’s take a look at them…. briefly!

Security Assurance Landscape



113



114

1. B. P. Miller, L. Fredriksen, and B. So. "An Empirical Study of the Reliability of UNIX Utilities", Commun. ACM, 33(12):32-44, Dec. 1990.

2. James C. King, "Symbolic Execution and Program Testing", Communications of the ACM, volume 19, number 7, 1976, 385-394.

3. Lori A. Clarke, "A Program Testing System", ACM 76: Proceedings of the Annual Conference, 1976, pages 488-491, Houston, Texas, United States.

4. Dawn Song, David Brumley, Heng Yin, Juan Caballero, Ivan Jager, Min Gyung Kang, Zhenkai Liang, James Newsome, PongsinPoosankam, Prateek Saxena, "BitBlaze : A New Approach to Computer Security via Binary Analysis", ICISS '08 Proceedings of the 4th International Conference on Information Systems Security, Pages 1-25

5. Nick Stephens, John Grosen, Christopher Salls, Andrew Dutcher, Ruoyu Wang, Jacopo Corbetta, Yan Shoshitaishvili, Christopher Kruegel and Giovanni Vigna, "Driller : Augmenting Fuzzing Through Selective Symbolic Execution", Network and Distributed System Security Symposium (NDSS) 2016

6. Trail of Bits, “How We Fared in the Cyber Grand Challenge”, Trail of Bits Blog

References




Implementation Assurance