The Industrial Age of Hacking

Timothy Nosco (1), Jared Ziegler (2), Zechariah Clark (1), Davy Marrero (1), Todd Finkler (1), Andrew Barbarello (1), W. Michael Petullo (1)

(1) United States Cyber Command, Fort Meade, Maryland USA
(2) National Security Agency, Fort Meade, Maryland USA

July 13, 2020

1/30



Wouldn’t it be great if everyone knew all of this?

Is it all required?

2/30

Background

3/30

Motivation

4/30

The hacking process

Figure: the hacking process as a pipeline. Target → Gather info. → Learn program → Evaluate attack surface → Explore → Discover vulns. → Report

5/30

Targeting and information gathering


6/30

Program understanding and attack surface analysis


• Identify program’s functionality.

• Rehost, emulate, or run.

• Prepare the program for fuzzing.

7/30

Exploration


8/30

Vulnerability recognition and reporting


• Explore corpus for bugs: crashes, ASan, valgrind errors.

• Prioritize, filter, and deduplicate.

• Write a report that indicates severity: likelihood of vulnerability, projected investment to convert bug into an exploit.
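The triage step described on this slide (explore the corpus for crashes and sanitizer errors, then prioritize, filter, and deduplicate before writing the severity report), as an added Python example that is not from the slides or the authors' tooling. It parses constructed AddressSanitizer reports (the paths, symbols, addresses and PIDs are invented), buckets them by report kind plus the top three in-project stack frames so that many crashing inputs collapse into one bug, and ranks the buckets with an assumed severity table, which is the author's choice for this example and not a ranking the slides give.

```python
import re
from dataclasses import dataclass, field

# Constructed AddressSanitizer output for the example. Paths, symbols,
# addresses and PIDs are invented; nothing here is a real crash.
SAMPLE_REPORTS = [
"""==4242==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000014 at pc 0x00000051a2b3
WRITE of size 1 at 0x602000000014 thread T0
    #0 0x51a2b2 in parse_header /src/parser.c:42:5
    #1 0x51b3c4 in parse_file /src/parser.c:88:9
    #2 0x51c4d5 in main /src/main.c:17:3
    #3 0x7f1e2a3b4c5d in __libc_start_main (/lib/x86_64-linux-gnu/libc.so.6+0x2409a)
""",
"""==4243==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x602000000fe4 at pc 0x00000051a2b3
WRITE of size 1 at 0x602000000fe4 thread T0
    #0 0x51a2b2 in parse_header /src/parser.c:42:7
    #1 0x51b3c4 in parse_file /src/parser.c:88:9
    #2 0x51c4d5 in main /src/main.c:17:3
""",
"""==4244==ERROR: AddressSanitizer: heap-use-after-free on address 0x603000000100 at pc 0x000000521f00
READ of size 4 at 0x603000000100 thread T0
    #0 0x521eff in record_get /src/record.c:120:12
    #1 0x522a10 in parse_file /src/parser.c:95:7
    #2 0x51c4d5 in main /src/main.c:17:3
""",
"""==4245==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x000000530abc)
==4245==The signal is caused by a READ memory access.
==4245==Hint: address points to the zero page.
    #0 0x530abb in record_count /src/record.c:140:10
    #1 0x522a10 in parse_file /src/parser.c:95:7
""",
]

KIND_RE = re.compile(r"ERROR: AddressSanitizer: (\S+)")
ACCESS_RE = re.compile(r"\b(READ|WRITE) of size (\d+)")
SEGV_ACCESS_RE = re.compile(r"caused by a (READ|WRITE) memory access")
FRAME_RE = re.compile(r"#\d+\s+0x[0-9a-fA-F]+ in (?P<func>\S+) (?P<loc>\S+)")

# Assumed base severity per report kind (an illustrative ranking, not one the
# slides give). A WRITE access adds a bonus because memory corruption is
# worse than a read or a plain crash when estimating exploit investment.
BASE_SEVERITY = {
    "heap-use-after-free": 8,
    "heap-buffer-overflow": 7,
    "stack-buffer-overflow": 7,
    "global-buffer-overflow": 6,
    "stack-use-after-return": 6,
    "double-free": 6,
    "SEGV": 2,  # null or wild pointer dereference; usually just a crash
}
WRITE_BONUS = 2
UNKNOWN_SEVERITY = 3


def parse_report(text, depth=3):
    """Extract report kind, access type and the top in-project frames."""
    m = KIND_RE.search(text)
    kind = m.group(1) if m else "unknown"
    m = ACCESS_RE.search(text) or SEGV_ACCESS_RE.search(text)
    access = m.group(1) if m else None
    frames = []
    for fm in FRAME_RE.finditer(text):
        loc = fm.group("loc")
        # Keep only frames that carry file:line; this drops runtime frames
        # such as "__libc_start_main (/lib/.../libc.so.6+0x2409a)".
        if not re.search(r":\d+", loc):
            continue
        # Strip the column so a shifted column number does not split buckets.
        file_line = ":".join(loc.split(":")[:2])
        frames.append((fm.group("func"), file_line))
        if len(frames) == depth:
            break
    return {"kind": kind, "access": access, "frames": tuple(frames)}


def severity(parsed):
    score = BASE_SEVERITY.get(parsed["kind"], UNKNOWN_SEVERITY)
    if parsed["access"] == "WRITE":
        score += WRITE_BONUS
    return score


@dataclass
class Bucket:
    kind: str
    access: str
    frames: tuple
    severity: int
    count: int = 0
    indices: list = field(default_factory=list)  # which reports landed here


def triage(reports, depth=3):
    """Deduplicate by (kind, top frames), then order buckets by severity and size."""
    buckets = {}
    for i, text in enumerate(reports):
        p = parse_report(text, depth)
        key = (p["kind"], p["frames"])
        b = buckets.get(key)
        if b is None:
            b = Bucket(p["kind"], p["access"] or "?", p["frames"], severity(p))
            buckets[key] = b
        b.count += 1
        b.indices.append(i)
    return sorted(buckets.values(), key=lambda b: (-b.severity, -b.count))


def format_report(buckets):
    """One line per unique bug, highest severity first, for the written report."""
    lines = []
    for b in buckets:
        func, loc = b.frames[0] if b.frames else ("?", "?")
        lines.append(f"sev={b.severity:2d} x{b.count:<3d} {b.kind} {b.access} at {func} ({loc})")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(triage(SAMPLE_REPORTS)))
```

Bucketing on the top frames rather than on the faulting address keeps the two heap-buffer-overflow reports together even though their addresses and columns differ; the access type is deliberately left out of the key, since the same bug can surface as a read on one input and a write on another, and the bucket records the first one seen.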

9/30

Combining hackers with machines

Human and machine working together, but how?

10/30

The prevailing method: depth-first search

CAUTION: Diamond Mining

11/30

The problem

R = (T × S) / (L × V)

Increases risk (numerator):        Decreases risk (denominator):
  T  Projected time investment       L  Likelihood of success
  S  Required skill level            V  Value of success

A deliberate risk formula

12/30

Our method: breadth-first search

Figure: skill ladder. As skill and effort increase, hackers move from Apprentice to Journeyman to Master, and mentorship flows back down the ladder. Activities along the ladder, from least to most skill and effort: Automation; Use well-known tools; Tailor target to tool; Cutting-edge tools; Heavily modify target; Write custom tools.

13/30

Our method: breadth-first search

Our vulnerability-discovery process adds targeting (*) to the steps of Votipka et al. (†)

14/30

Metaphor: fishing for bugs

There are fish out there. How do we best catch them?

15/30

Metaphor: fishing for bugs

Larger holes in net ⇒ less friction.

16/30

Metaphor: fishing for bugs

Some fish might escape, but we cover more area.

17/30

Experimental design

Figure: experimental design. Phases: Selection (Applicants) → Orientation (Orientation Day: Training, Skill Assessment, Team Assignment) → Execution (Week One, Week Two).
  Week One: Team A: Depth; Team B: Breadth; then Skill Assessment.
  Week Two: Team A: Breadth; Team B: Depth; then Skill Assessment and Self Assessment.
  Labels: Individual skill differential; Within-subjects tests; Between-subjects tests.

18/30

Target selection

19/30

Target selection

Something else entirely

20/30

Workflow

Strict schedules

21/30

Workflow

Figure: workflow. Target → Information gathering → Program understanding → Attack surface → Automated exploration → Promote to journeyman

22/30

Results: surveys

23/30

Results: surveys

24/30

Results: surveys

25/30

Results: surveys

26/30

Results: surveys

27/30

Results: bugs found

Team  Method  Harnesses  T0  T1  T2
A     SD      8          3   2   3
A     SB      42         31  23  40
B     SB      61         42  49  40
B     SD      12         4   4   4

28/30

Results: documentation produced

Figure: cumulative material count by date, Tue 11/12 through Fri 11/22 (x-axis: Date; y-axis: Cumulative material count, 0 to 400), with two series: Breadth-First and Depth-First.

29/30

Conclusion

We described a repeatable experiment for measuring a novel workflow that:

• efficiently uses human resources, both novice and expert,

• finds more bugs,

• produces more documentation and learning resources,

• better applies automated bug-finding tools, and

• clearly defines work roles.

Tim Nosco: [email protected]

30/30