DefCamp 2013 - Are we there yet?

10 Years Later:
Are We There Yet?
Carsten Eiram
Risk Based Security
@CarstenEiram

Quick Bio – VDB Work Experience

Involved with VDBs for 10+ years
• Currently, CRO at Risk Based Security – commercial arm of
Open Security Foundation (runs OSVDB and DatalossDB) – and
responsible for the VulnDB service.
• Chief Security Specialist at Secunia, running the Research team.

• Security Team Lead at Danish Verisign affiliate, running a
customer-only accessible vulnerability database.

NOT JUST SECURITY , THE RIGHT SECURITY

Quick Bio – Vulnerability Research

Officially been doing vulnerability research since 2003
• Focused on a static analysis / reverse engineering approach

• Jokingly refer to myself as a "vulnerability connoisseur"
- I enjoy analyzing vulnerabilities and their root causes.
• Critical vulnerabilities discovered in products from many major
software vendors.


INTRODUCTION
What will be discussed?

Reason for Talk

After 10+ years of VDB work,
I felt it was time to reflect
on certain areas related to
vulnerabilities


Considerations


Metrics and their Usage


Code Quality


Advisory Quality

VENDORS MAKE BAD DECISIONS


Vulnerability Handling / Bug Bounties


Million Dollar (or Leu) Question


Quick Show of Hands


Vulnerability
A Quick Overview To Set The Stage
Statistics

Currently Oldest Recorded Vulnerabilities

Vulnerabilities have been around for a very long time
- And will continue to be...
• Oldest entries in OSVDB are 79399 and 79400
• Marconi wireless telegraph
• Dated November 1902
• Message spoofing and message disclosure


Guglielmo Marconi

http://www.newscientist.com/article/mg21228440.700-dotdashdiss-the-gentleman-hackers-1903-lulz.html


First Ever Unbreakable Claim!



Nevil Maskelyne Ruins Demo



No Wire-Cutting Please

While not providing
the privacy and
security as promised,
the wireless telegraph
still had one significant
advantage over the
wired telegraph:

Not possible to cut the
wires!

Have We Improved?

Obviously, we have progressed a fair bit
technically since then, but have we gotten
significantly better?


Bringing The Internet Down – Old Lady Style

Article: http://news.softpedia.com/news/Old-Lady-Cuts-Off-Internet-in-Armenia-193640.shtml

10 Year Vulnerability Trend
12000

10000

8000

6000

# Vulns

4000

2000

0
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

All Datasets Are Incomplete!

All datasets are incomplete - some just more than others
Many love taking CVE content that’s free and do random
conclusions based on it, but since the dataset is severely
lacking, the conclusions are as well


2006 – 2013 Vulnerability Type Trend


2012 Data Breaches due to SQL Injection


Companies affected by XSS in 2012

Source: CWN - http://www.cyberwarnews.info/2012/07/04/300000-personal-details-leaked-38-sites-hacked-for-projectdragonfly/


Companies Impacted By Hacking In 2012


Which is more secure?

Product A
10 Vulnerabilities

Product B
20 Vulnerabilities


Security State != Number of Vulnerabilities

Previously, the security state of a product was considered
to be equal to the number of vulnerabilities.
Flawed conclusion!
Today, people understand that the number of vulnerabilities
!=
security state


Some Apparently Still Don’t Know...

“The problem with Java is that a lot of vulnerabilities are
constantly being reported in it, and when a lot of
vulnerabilities are reported, then there are a lot of hackers
using these to access programs built on Java“
- Morten Stengaard, CTO, Secunia

http://www.dr.dk/tv/se/tv-avisen/tv-avisen-827#!/

Dissecting the Statement – Part 1

”... then there are a lot of hackers
using these to access programs built on Java”
Most vulnerabilities in Java are not used to target Java
applications, but the Java Runtime Environment to
compromise the system.



”... when a lot of vulnerabilities are reported,
then there are a lot of hackers using these…”
Just because a lot of vulnerabilities are reported in a
product, a lot of hackers may not be exploiting them.



”The problem with Java is that a lot of vulnerabilities are
constantly being reported in it…”

The security state of a product is not defined by the number
of vulnerabilities reported in it.


We Should All Stop Using Popular Software Then
400
350
300

250
Java
200

Chrome
Firefox

150

Internet Explorer

100
50
0

Vulnerabilities (2013 - Nov 10th)

Facewall!


Microsoft Argument For SDL (Windows)


Microsoft Argument For SDL (SQL Server)


Microsoft Office Vulnerability Trend
Vulnerabilities in Office versions one year after product release
(based on Microsoft security bulletins)
14
12
10
8
6
4
2
0
Office 2000

Office 2007


Office 2010

Microsoft Security Bulletin Trend
350
300
250
200
Bulletins
150

CVEs

100

50
0
2003 2004 2005 2006 2007 2008 2009 2010 2011 2012 2013

Researcher Focus and SCADA


Stop Drawing Conclusions on Vulnerability Counts...


There are so many other aspects to consider!

More things to consider incl.

Patched vs. Unpatched
Vulnerability Type
Impact
Time-To-Patch
Time-To-Vendor-Response
Security Mechanisms
...


Vulnerability Metrics
Severity

Severity Metrics

Many different severity metrics – both public and internal

Most popular and hated is CVSS,
which currently has problems reflecting real risk
Many concerns raised about CVSSv2 by many people
e.g. myself and Brian Martin of OSVDB in our open letter:
"The CVSSv2 Shortcomings, Faults, and Failures Formulation"

http://www.riskbasedsecurity.com/reports/CVSS-ShortcomingsFaultsandFailures.pdf

Limitations of Severity Metrics

Reflecting the threat of vulnerability-dependent issues
(e.g. sandbox bypass, ASLR bypass related to memory
disclosure etc.)

By themselves and from a scoring point-of-view, these issues
are pretty minor, but when combined with code execution...
Jackpot!
Ability to disclose a few memory addresses was in the past
pretty much a non-issue – today it’s very useful.


Pick A Vuln... Any Vuln...

If I’d offer you one vulnerability
in e.g. Google Chrome, which
would you pick?
1) Code execution within
sandbox

CVSSv2:
6.8

2) Sandbox bypass

CVSSv2:
2.6


Severity Metrics and Sandbox Bypasses

If we conclude that exploiters are more interested in the
sandbox bypass and system administrators should focus on
fixing such a vulnerability over a code execution
vulnerability within the sandbox, why are we not rating
them higher?
Case of reality not being reflected well by severity metrics


Severity Metrics and Vulnerability Chains

And once these issues start occuring in chains, which is
becoming more and more common, then it really gets
complex...
You can have a lot of independent minor issues that when
combined suddenly are very serious


Google Chrome Pwn2Own Example
CVSSv2:
6.8

CVSSv2:
5.1

OSVDB 89734

IPC channel missing
listener process validation

OSVDB 80007

Plugin blocking logic not run
for NaCl in pre-rendering

CVSSv2:
7.6

OSVDB 80293

Unpacked NPAPI extension
installation without
confirmation

CVSSv2:
OSVDB 81645
5.1

GPU command decoding
integer underflow

CVSSv2:
2.6

OSVDB 80741

CVSSv2:
2.6

OSVDB 89736

Too permissive
LoadExtension
bindings for
extension manager

Unprivileged renderer
can navigate to
privileged URLs

http://blog.chromium.org/2012/05/tale-of-two-pwnies-part-1.html

When Severity Metrics Met Reality


Vulnerability Metrics
Exploitability

Microsoft Severity Ratings

Source: http://technet.microsoft.com/en-us/security/gg309177.aspx

Exploitability Index Ratings


Microsoft Approach: Pros and Cons

Pros

Cons

Gives an realistic evaluation of
the technical requirements to
exploit a given vulnerability and
how feasible it is

Requires significant technical
skills and resources to get right

Makes it clear which are
theoretical and which are
plausible

Still requires a bit of
guesstimation


No Granularity Really Added...


How Does Adobe Do It?


Adobe Approach: Pros and Cons
Pros
...Cons
Allows understanding which
Does not factor in technical
products, versions, and
requirements and the nature of
architectures are most critical to the vulnerability i.e. does not
prioritize
differentiate between theoretical
issues and straight-forward issues
to exploit
Dynamic approach that can be
easily tweaked
Requires very little resources –
just an understanding of historical
exploitation


How Does CVSSv2 Do It?


CVSSv2 Approach: Pros and Cons

Pros
Most reliable of all the
approaches: If an exploit is
available, a vulnerability is clearly
exploitable.
Requires very little resources –
just knowledge of availability of
PoCs and exploits

Cons
Purely reactive, requiring very
fast response times

Only takes into account when the
availability of an exploit is
publicly known i.e. may be
exploited long before being
flagged as such


No information about code quality


Code Quality
... And How To Measure It

Code Quality – Why Measure It?


Code Maturity Metric – The Idea

The idea of code maturity is that by evaluating
the prevalence of the different vulnerability
classes being discovered in a product, we can
conclude the maturity of that product.
We, naturally, focus on it from a security
perspective.


Code Maturity Metric – Scoring

• Each vulnerability can be scored based on
type, and how easy it is to discover.
• Researchers find simple vulnerabilities first - as
simple vulnerabilities are eliminated, researchers
move on to finding more complex vulnerabilities.

• When a vendor secures the code, basic
vulnerabilities are easier to spot and remedy or
never introduce compared to more complex
vulnerabilities.

Code Maturity Metric – Scoring Example
Level

Vulnerability Classes

0

Classic buffer overflows due to
e.g. strcpy, sprintf, sscanf and
format string issues.

1

Buffer overflows due to incorrect
size being used e.g. strncpy,
memcpy and array-indexing
issues

2

Arithmetic errors i.e. Integer
overflows/underflows, type
conversion, signedness.

3

Uninitialized variable, use-afterfree, bad cast, complex logic
errors.

Schneider Modbus Serial Driver Buffer Overflow

Source: http://www.riskbasedsecurity.com/research/RBS-2013-003.pdf


Code Maturity
Level: 1

ActiveX Control Vulnerability

Code Maturity
Level: 3

Office Vulnerabilities Analysed

Office 2000:
Office XP:

62
103

Office 2003:

90

Office 2007:

47

Office 2010:

14


Office Product Code Maturity Scores
Office 2010

Office 2007

Office 2003
Code Maturity
Office XP

Office 2000

0

0.5

1

1.5

2

2.5


3

Office Vulnerability Type Prevalence
Office 2010

Office 2007
Uninitialised Variable
Object Type Confusion
Use-after-free

Office 2003

Arithmetic
Array Indexing
Incorrect Size Copy

Office XP

Classic Buffer Overflow
Office 2000

0%

5%

10%

15%

20%

25%

30%

35%


Measuring the Efforts Taken By Vendors

With this we can put more focus on the code security
improvement efforts taken by vendors by being able to
measure them.

Allows system administrators to know which software to steer
clear from... and researcher to understand which types of
vulnerabilities they can expect to find in a given product.


Advisory Quality
Or Lack Thereof...

Information Needs To Be Publicly Available

Most vendors have also acknowledged that publishing
vulnerability information is beneficial
Juniper recently joined the party
Still some black sheep like SAP, trying to keep it a secret…


Needs To Include Vulnerability Type

Either clearly descripting the vulnerability type in the advisory
description
or
alternatively including CWEs


Everything Is Memory Corruption These Days


Microsoft MS12-037 vs MS13-080

----


Rise In Usage Of Memory Corruption Term


No requirements to include proper info

Various standards and formats e.g. CVRF are being
proposed, but these deal with required fields – not the
content of these.

Primary focus is to ensure a structure that is easy to parse in
an automated manner.

Completely up to the vendors how much information they
feel like sharing. Up to customers to raise their voice, if they
want/need more.

Vulnerability
... And Bug Bounties
Handling

Bug Bounties

When I started reporting vulnerabilities to vendors, I was
stoked each time I actually got a response - and it wasn't a
threat from a lawyer.
Had any of you told me back then that vendors today would
be offering bug bounties, I'd have smiled and shook my head.


Bug Bounties

A few interesting ones are of course Google's bounty, which is
one of the more serious vendor bounties, and especially their
latest twist: Bounties for other software!
Microsoft's bounty for vulnerabilities, but specifically
bypassing security mechanisms is very interesting


Shockwave Player Vulnerability Trend
90
80
70
60
50
40
30
20
10
0
2003

2004

2005

2006

2007

2008

2009

2010

2011


2012

2013

Bug Bounties

There has definitely been a shift in how vendors perceive bug
bounties.
It’s clear to me that if a vendor wants to encourage
researchers to look at their code and report it in a
coordinated manner, then bug bounties are very effective
when done right.


Security Software and Shiny Appliances


Everything Is Vulnerable – Even Security Software!

About 2.2% of all entries in
OSVDB cover vulnerabilities in
security software


The Security Software Paradox

Reducing attack surface by adding an even greater
attack surface is a paradox


Code Quality Improvements(?)

Microsoft, Google, and Adobe are examples of vendors
noticeably improving their security efforts.
Oracle may be on their way after everyone finally realized that
Java is a mess...


How Do We Force Vendors To Improve?


Grand Demonstrations!

We need
that ordinary people can
relate to!

FTC vs. TRENDnet

After demonstrating how network cameras were easily
publicly accessible and e.g. allowing spying on people in their
homes, the FTC (Federal Trade Commision) in USA went after
TRENDnet.

Eventually agreed that TRENDnet was ”prohibited from
misrepresenting the security of its cameras”, will establish a
comprehensive IS program, and hire outside consulting to
review security every two years for 20 years...

http://www.ftc.gov/opa/2013/09/trendnet.shtm

Is TRENDnet worse than the rest?

This is really something every single software vendor should
do – but definitely don’t!
Is TRENDnet really that much worse than other embedded
device vendors?


TRENDnet Product Vulnerabilities


D-Link Product Vulnerabilities


D-Link User-Agent Backdoor

Source: http://www.devttys0.com/2013/10/reverse-engineering-a-d-link-backdoor/


Is Legislation The Answer?


Software Will Always Have Vulns?

Vendors claim that they provide software ”as-is” and have
long EULAs to exempt them from liability

We seemingly accept that software will always have vulns...
... but the types of vulnerabilities matter as well as how the
vendor proactively reduces risk and reactively deals with
them.


Conclusion

Of all the areas, vulnerability coordination/handling is the
biggest improvement and continuing in the right direction.
Advisory quality overall seems static with some vendors
improving and others devolving.
Only a few major vendors really seem to have solid SDLs and
can show an improvement in code quality.

People are beginning to understand metrics better, and we’re
seeing attempts at providing more granularity.


The Good News: There is Room for Improvement


Discussion!


DefCamp 2013 - Are we there yet?

Recommended

Recommended

More Related Content

What's hot

What's hot (14)

Viewers also liked

Viewers also liked (6)

Similar to DefCamp 2013 - Are we there yet?

Similar to DefCamp 2013 - Are we there yet? (20)

More from DefCamp

More from DefCamp (20)

Recently uploaded

Recently uploaded (20)

DefCamp 2013 - Are we there yet?

Editor's Notes