CNIC Information System with Pakdata Cf In Pakistan
Find Security Flaws with AI using Microsoft Security Risk Detection, VSTS, and Azure
1.
2.
3. of cyber attacks
happen at the
application layer1
84%
of security incidents
come from exploited
software defects2
90%
of companies need
improved application
security practices3
64%
SANS.org
4. Microsoft Security Risk Detection in DevOps
Flexible follow-up with WebHooks and Azure Logic Apps.
Never stop.
Run every build,
every PR, your choice!
Runs multiple AI
testing methods.
Only reports bugs
that repro.
Provides full test
cases.
Runs on binaries. No
source code required.
Kick off from VSTS
Build Definitions
5.
6. #RSAC
Microsoft Cloud AI for Security: Neural Fuzzing
Problem Statement
Fuzz-testing file parsers to discover
security vulnerabilities
Hypothesis
Fuzz testing heuristics can be learned and
generalized from an existing graybox fuzzer.
Some control locations are more interesting to
fuzz than others.
Solution
Insert a neural model in the fuzz/test feedback loop.
Modify AFL to query neural model.
Production pipeline with Azure AI Batch built with
TensorFlow.
Previous
Blackbox fuzzing: e.g. random mutations
Whitebox fuzzing: e.g. dynamic analysis
Graybox fuzzing: human crafted mutation heuristics
aimed at maximizing code coverage
Core Concept: Transposing existing security problem into an already solved
problem from another domain
7. #RSAC
Readelf model performance over 48h and productization
Model trained
Size of data: 20 GB
Collected from: a 24h fuzzing run of AFL
Completed within: 12h
Model query
AFL modified to query model 50% of the time
Dataset
Unique
Code Paths
Number
of Crashes
AFL 8,123 1
Neural 9,207 62
Bugs reproduced, triaged, and reported automatically in MSRD
web portal for software being tested
(https://www.microsoft.com/en-us/security-risk-detection/)