Howriskyisthesoftwareyouuse?

https://shmoo18.cyber-itl.org

CyberIndependentTestingLab

{SarahZatko,TimCarstens,PatrickStach,ParkerThompson,mudge}@CITL

WeareCITL

• Anon-profitorganizationbasedinUSA• FoundedbySarahZatko &mudge

• Mission:toimprovethestateofsoftwaresecuritybyprovidingthepublicwithaccuratereportingonthesecurityofpopularsoftware

• FundingfromtheFordFoundation• PartnerswithConsumerReportshttps://www.consumerreports.org&TheDigitalStandardhttps://thedigitalstandard.org

Somethinglikethis,butforsoftwaresecurity.

Howdoyoudothisforsoftwaresecurity?

Scores&Histograms

HardenedGentoo

Ubuntu16LTS

SamsungUN55KS9000

LG55UH8500

SecurityToday:

Youcanleadthepackbymasteringthefundamentals.

Visio LG Samsung UbuntuP55-E1 49UJ7700 UN55KS9000 16.04

#binaries 504 1740 4243 4991aslr 98% 67% 80% 100%

stackDEP 99% 99%* 99%* 99%64bit 0% 0% 0% 98%RELRO 100% 4% 9% 96%

stackguards 68% 1% 57% 79%fullyfortified 7% 0% 6% 11%

partialfort 43% 1% 37% 42%

hasgood 3% 3% 25% 4%hasrisky 68% 66% 67% 67%hasbad 28% 34% 23% 28%hasick 3% 5% 5% 3%

Ourgoals

1. Remainindependentofvendorinfluence2. Automated,comparable,quantitativeanalysis3. Actasauserwatchdog

• Non-goal:findanddisclosevulnerabilities• Non-goal:tellsoftwarevendorswhattodo• Non-goal:performfreesecuritytestingforvendors

Threebigquestions

1. Whatworks?

2. Howdoyourecognizewhenit’sbeingdone?

3. Who’sdoingit?

Thebasicidea

InformationTheoryPerspective

• Givenapieceofsoftware,wecanask1. Overall,howsecureisit?2. Whatareallofitsvulnerabilities?

• (1)appearstoaskforless-infothan(2)

• OurQuestion:Developanheuristicwhichcanefficientlyanswer(1)butnotnecessarily(2)

StepOne:StaticMeasurements

• Complexity• Functionscalled• Safetyfeatures

Yearsinthefieldgiveusagoodstartingpoint– lookforthesamethingswe’dlookatwhentryingtopickasofttargettoexploit.

But,thisfielddoesn’tknowenoughaboutimpact/effectivenessofbestpractices.

EarlyPromise

Browser “Underground”ExploitPrice

MicrosoftEdge $80,000

GoogleChrome $80,000

AppleSafari $50,000

MozillaFirefox $30,000

Step2:Fuzzing!Lotsofit.

• Fuzzingprovidesatestable,recognizedwaytoroughlymeasuresoftware’s“security”• Themorerobustsoftwareiswhenfuzzed,thelesslikelyitistobeexploitable• Ifwecouldfuzzeverything,wewouldn't’tevennecessarilyneedtheheuristics• Butwecan’t,so

Step3:Profit!Bayes!(1/3)

• Forsomesoftwares,weknowthatwecan’tcomputeP(s issecure)

• Asasurrogate,wecancomputeprobabilitiesofdifferentfuzzingoutcomes,like:

Ph,k =P(h unitsoffuzzingagainsts yields<k uniquecrashes)

Step3:Profit!Bayes!(2/3)

• Fuzzingisexpensive,sowe“goBayesian”• LetM beanobservablepropertyofsoftware

• Examples:iscompatiblewithRELRO,has“lowcomplexity,”etc• Forrandoms inS,considertheconditionalprobabilities

Ph,k(M) =P(h fuzzingons yields<k uniquecrashes|M istrueofs )

• Whatwewant:WhichM havePh,k(M)>0.5 forlargelog(h)/k?

Whichindicators(M)canbeusedtopredictfuzzingperformance?

Step3:Profit!Bayes!(3/3)

Indicatorsmightnotbecausal,andthat’sOK:

• ItcouldbethatM’spresenceliterallypreventscrashes

• ButitcouldalsobethatM ismostlyonlyfoundinsoftwarewrittenbyteamswhoshipreliablesoftware

• Ifyou’relookingforsecurity,whatdifferencedoesitmake?

IndicatorMinerals

Wanttofind:• Diamond (USGeologicalSurvey)

Lookfor:• Garnet

(Moha112100@Wikipedia)

• Diopside(RobLavinsky)

• Chromite(WeinrichMinerals,Inc.)

Step4:Reports

Whileweworkongatheringdataanddevelopingourmodel,we’realso•Developingreports•BuildingrelationshipswithpartnerorganizationslikeConsumerReports• Lookingforsecurityorgstosharedatawith

TheProgressionofCITLTech

Static(Prototype)

Static(Extensible)

AFL CITL-fuzz NEWFUZZERToday

FirstData Firstreports FinalModel&Reports

AppliedStaticAnalysis

• Lotsofarchitectures:x86-*,ARM-*,MIPS-*• Lotsofoperatingsystems:Windows,Linux,OSX• Lotsofbinaryformats:PE,ELF,MachO• Eachwiththeirownapp-armoringfeatures

• Lotsofversionsofeachoftheabove!

OSComparisons• Windowslagsinstackguards,buthasgoodusageofCFI• LinuxdoesmoresourcefortificationthanOSX• Windowshasthebestfunctionhygiene• Linux’sfunctionhygieneisslightlyworsethanOSX’s

Ubuntu Windows OSX16.04 10 10.13.1

64bit 97% 66% 77%aslr 100% 99% 100%dep 99% 98% 100%

stack_guards 79% 40% 73%fullyfortified 11% 2%

partialfort 42% 33%cfi 92%

good 4% 19% 29%risky 67% 30% 60%bad 28% 3% 24%ick 3% 0% 2%

LinuxBrowsers– Ubuntu16.04• Scoresareallveryclose,Firefoxwinsbyanoseinstaticanalysis• Chrome’ssandboxisn’tfactoredintoscoreyet

• Allhaveinconsistentfunctionhygiene• OperatakesahitforlackofRELRO• Chromelagsbehindinfortificationuse

Chrome Firefox Operaversion 63.0.3239.13257.0.4 50.0.2762.4564bit 100% 100% 100%aslr 100% 100% 100%dep 100% 100% 100%relro 86% 100% 11%

stack_guards 86% 87% 100%partialfortification 29% 70% 56%

functionsgood 12% 4% 22%risky 86% 91% 100%bad 62% 61% 89%

scores5th% 35 64 4350th% 58 78 4895th% 71 86 65

OSXBrowsers• FirefoxandOperahadallbinaries64bitwithASLR,StackDEP• Firefoxalsomademostuseofstackguardsandfortification• ChromeistheonlyonetoenableHeapprotectionflag• Safariisn’tusingsourcefortificationmuch• Scoresareveryclose,allnear95thpercentileforHighSierra(71)• SamegeneraloutcomeasinLinux

Chrome Firefox Opera Safari63.0.3239.13257.0.4 50.0.2762.4511.0.1

count 9 19 8 2564bit 89% 100% 100% 88%aslr 89% 100% 100% 100%dep 100% 100% 100% 100%heap 11% 0% 0% 0%

stack_guards 78% 95% 88% 68%partialfortification 33% 47% 38% 4%

good 33% 37% 25% 8%risky 89% 95% 100% 44%bad 44% 68% 38% 8%

scores5th% 33 43 38 2450th% 51 56 51 5195th% 63 71 63 64

Windows10Browsers• Scoresareveryclose,butEdgewinsbyahair• 95th percentileis64forWin10

• Chromehasmore32bitbinariesthantheothers• Edgeistheonlyonewith100%CFI• ChromeandOperadobetteronstackguards• Firefoxtakesahitbecauseitexcelsinneither,hasmoreriskyfunctions

Chrome Edge Firefox Operaversion 63.0.3239 41.16299 57.0.4 50.0.2762count 31 7 31 1664bit 62% 100% 94% 100%dep 100% 100% 100% 100%aslr 100% 100% 100% 100%cfi 13% 100% 13% 38%

stackguards 94% 57% 61% 94%functions

good 0% 0% 3% 0%risky 9% 0% 16% 0%bad 9% 0% 0% 0%

scores5th% 23 44 7.5 4450th% 44 64 44 4495th% 64 64 44 64

OSXTimeProgression• Lookedatfourversionsfrom10.10.5through10.13.1• 7.7%increaseinpercentofbinariesthatare64bit• 2%increaseinuseofstackguards,goodfunctions• HeapprotectiondecreasecorrelateswithASLRincrease?• HighSierrashowssignificantdecreasein#ofbinaries(~400fewer)

OSX OSX OSX OSX total10.10.5 10.11.6 10.12.6 10.13.1 change

#binaries 6449 6456 7017 662264bit 69% 71% 73% 77% +8aslr 99% 99% 100%* 100%* +1

heap 5% 5% 4% 4% -1stack_guards 71% 71% 72% 73% +2

goodfunctions 27% 27% 27% 29% +2riskyfunctions 62% 62% 60% 60% -2badfunctions 25% 25% 24% 24% -1

SafariTimeProgression• NewbinariesintroducedinHighSierragenerallydecreasedperformance• Overallincreasesin64bitandstackguards,butnotconsistently• Functionhygienegotabitworse,especiallyinHighSierra• PartialsourcefortificationintroducedinHS

Safari totalinOSX 10.10.5 10.11.6 10.12.6 10.13.1 change

#binaries 9 13 22 2564bit 83% 92% 86% 88% +5*

stack_guards 67% 69% 73% 68% +1partialfortification 0% 0% 0% 4% +4

goodfunctions 17% 15% 9% 8% -9risky 50% 36% 38% 44% -6*bad 0% 8% 5% 8% +8

MiningUsefulSpectre Gadgets• FocusonBTBpoisoningakaVariant2widgets• UseDFAtolocatethispattern:• Opreg1,[base(+index)]• BaseorIndexeitherattackercontrolledorusefuldata

• …(anythingthatdoesn’tdestroydatainreg1)• Op[base(+index)],reg2orOpreg2,[base(+index)]• Wherebaseorindexarereg1

• Tl;dr:load,loadorstore

MiningUsefulSpectre Gadgets

CITL:Impact

• We’vebeenreportingbugs• FirefoxonOSXwasmissingASLR(theyfixeditquick!)• Severalpatches&bugssubmittedtoLLVM&Qemu

• We’veinspiredothers• Bigshout-outtotheFedoraRedTeam

• We’vepartneredtocoverbroaderdomains• ConsumerReportshttps://www.consumerreports.org

• TheDigitalStandardhttps://thedigitalstandard.org

CITL:TodayandTomorrow

• Wearebuildingthetoolingnecessarytocomputethesurrogatesecurityscoresat-scale

• Inthemeantime,ourstaticanalyzersarealreadymakingsurprisingdiscoveries:seeourrecenttalksatDEFCON/Blackhat

• Advicetosoftwarevendors:MakesureyoursoftwareemployseveryexploitmitigationourTABhaseverheardof!

https://shmoo18.cyber-itl.org

CyberIndependentTestingLab

{SarahZatko

,TimCarstens

,ParkerThompson

,PatrickStach

,mudge

}@CITL