Mudge CanSecWest 2013 1 Distribution A: Approved for Public Release, Distribution Unlimited.


Transcript of Mudge CanSecWest 2013 1 Distribution A: Approved for Public Release, Distribution Unlimited.

  • Slide 1
  • Mudge, CanSecWest 2013
  • Slide 2
  • Cyber Fast Track, DARPA-PA-11-52, Amendment 4 (posted January 31, 2013)
  • Closing Date: Proposals will be accepted at any time until 12:00 noon (ET), April 1, 2013 (amended from August 3)
  • https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
  • Slide 3
  • Heilmeier Questions:
  • 1. What is the problem, why is it hard?
  • 2. How is it solved today?
  • 3. What is the new technical idea; why can we succeed now?
  • 4. What is the impact if successful?
  • 5. How will the program be organized?
  • 6. How will intermediate results be generated?
  • 7. How will you measure progress?
  • 8. What will it cost?
  • When George Heilmeier was the director of DARPA in the mid 1970s, he had a standard set of questions he expected every proposal for a new research program to answer.
  • Slide 4
  • 2011 Ground truth: Federal Cyber Incidents, fiscal years 2006 to 2011
  • [Chart: Cyber Incidents Reported to US-CERT [1] by Federal agencies, 2006 to 2010; y-axis 0 to 45,000 incidents]
  • [1] GAO Testimony GAO-12-166T, CYBERSECURITY: Threats Impacting the Nation
  • Slide 5
  • 2011 Ground truth: Federal Cyber Incidents and Defensive Cyber Spending, fiscal years 2006 to 2011
  • [Chart: Cyber Incidents Reported to US-CERT [1] by Federal agencies, 2006 to 2010, left y-axis 0 to 45,000 incidents; Federal Defensive Cyber Spending [2] ($B), right y-axis 0.0 to 12.0]
  • [1] GAO Testimony GAO-12-166T, CYBERSECURITY: Threats Impacting the Nation
  • [2] INPUT reports, 2006 to 2011
  • Slide 6
  • Mudge or Cyber-Heilmeier Questions:
  • 1. Is the solution tactical or strategic in nature?
  • 2. What is the asymmetry for this solution?
  • 3. What unintended consequences will be created?
  • 4. Do attack surfaces shrink, grow, or remain unchanged?
  • 5. How will this solution incentivize the adversary?
  • Slide 7
  • Are you tactical or strategic; what is the asymmetry?
  • [Chart: Lines of Code in security software, 1985 to 2010, y-axis 0 to 10,000,000; data points for DEC Seal, Stalker, Milky Way, Snort, Network Flight Recorder, Unified Threat Management]
  • Malware: 125 lines of code*
  • *Malware lines of code averaged over 9,000 samples
  • Slide 8
  • How do *you* handle passwords?
  • Slide 9
  • Unintended consequences
  • The first CrackMeIfYouCan contest challenged participants to crack 53,000 passwords. In 48 hours, the winning team had 38,000*.
  • (*this was not the important take away)
  • [Chart: Profile for the winning team, Team Hashcat; # Passwords cracked vs Time]
  • Slide 10
  • Unintended consequences
  • The first CrackMeIfYouCan contest challenged participants to crack 53,000 passwords. In 48 hours, the winning team had 38,000*.
  • (*this was not the important take away)
  • [Chart: Profile for the winning team, Team Hashcat; # Passwords cracked vs Time]
  • Slide 11
  • Additional security layers often create vulnerabilities
  • Current vulnerability watch list (product names redacted on the slide). Color Code Key: Awaiting Vendor Reply/Confirmation; Awaiting CC/S/A use validation; Vendor Replied, Fix in development.

| Vulnerability Title | Fix Avail? | Date Added |
| --- | --- | --- |
| XXXXXXXXXXXX XXXXXXXXXXXX Local Privilege Escalation Vulnerability | No | 8/25/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Denial of Service Vulnerability | Yes | 8/24/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability | No | 8/20/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Sanitization Bypass Weakness | No | 8/18/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Security Bypass Vulnerability | No | 8/17/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities | Yes | 8/16/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability | No | 8/16/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Use-After-Free Memory Corruption Vulnerability | No | 8/12/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Remote Code Execution Vulnerability | No | 8/10/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Multiple Buffer Overflow Vulnerabilities | No | 8/10/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Stack Buffer Overflow Vulnerability | Yes | 8/09/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Security-Bypass Vulnerability | No | 8/06/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Multiple Security Vulnerabilities | No | 8/05/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Buffer Overflow Vulnerability | No | 7/29/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Remote Privilege Escalation Vulnerability | No | 7/28/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Cross Site Request Forgery Vulnerability | No | 7/26/2010 |
| XXXXXXXXXXXX XXXXXXXXXXXX Multiple Denial Of Service Vulnerabilities | No | 7/22/2010 |

  • 6 of the vulnerabilities are in security software
  • Slide 12
  • Additional security layers often create vulnerabilities
  • Slide 13
  • Identifying attack surfaces
  • [Diagram: application-specific functions on top of DLLs / run-time environment (= more commonality); the run-time layer is a constant surface area available to attack]
  • Regardless of the application size, the system loads the same number of support functions.
  • For every 1,000 lines of code, 1 to 5 bugs are introduced.
  • Slide 14
  • How are you incentivizing the adversary?
  • Understanding them in the context of game theory reveals the problem.
  • [Table comparing Traditional C2 Botnet and New P2P Botnet on Bot Herder Cost, Bot Herder Return, Antivirus Cost, and Antivirus Return; cell values as extracted from the slide, in order: Short/Long, Small/High, Low/High, Small/High, 0/Low]
  • Bot Herder strategy example, Storm Botnet (diagram: Root, Tree, Branch):
  • Strategy 1: XOR branch. Solution exists: weekly patch, kills branch.
  • Strategy 2: AES* branch. Solution needed: high cost solution, kills tree.
  • XOR = exclusive or logical operation; * = Advanced Encryption Standard
  • The security layering strategy and antitrust have created cross incentives that contribute to divergence.
  • Slide 15
  • Mudge Questions (aka Cyber-Heilmeier):
  • 1. Is the solution tactical or strategic (a)?
  • 2. What is the asymmetry for this solution (a)?
  • 3. Can you forecast the unintended consequences (b)(e)?
  • 4. Do attack surfaces shrink, grow, or remain unchanged (c)(d)?
  • 5. How does this solution incentivize the adversary (e)?
  • (*) If you had to defeat your own effort, how would you go about it?
  • Slide 16
  • Creating a vehicle to tackle these issues: Cyber Fast Track, DARPA-PA-11-52
  • cft.usma.edu
  • https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
  • Slide 17
  • CFT Mission Statement
  • Identify aligned areas of interest between the DoD and a novel performer community.
  • Become a resource to that community in a way that encourages mutually beneficial research efforts resulting in prototypes and proofs of concept in a matter of months.
  • Improve goodwill and understanding in both communities.
  • CFT promotes aligned interests, not the realigning of interests to meet Government needs.
  • Slide 18
  • The Importance of Transition
  • The objective of technology transition is to make the desired technology available as quickly as possible and at the lowest cost.
  • Indirect (Enabling/Promoting): Commercial; Open Source; Other
  • Direct: Program of Record (POR); Memorandum of Understanding (MOU); Memorandum of Agreement (MOA); Technology Transition Agreement (TTA)
  • Slide 19
  • The first proof that it might be do-able: NMAPv6 (CINDER)
  • Advanced IPv6 capabilities
  • 200 new network scanning and discovery modules (NSE)
  • Common Platform Enumeration (CPE) output support
  • Scanner, GUI, and differencing engine performance scaling (1 million target IP addresses)
  • Adversary Mission Identification System (AMIS)
  • Transition: Downloads 3,096,277 (5,600 .gov & 5,193 .mil) and counting
  • Slide 20
  • The two key ingredients to CFT:
  • Programmatics: a unique process that allows DARPA to legally do Cyber R&D contracting extremely fast; a framework that anyone can use; streamlined negotiations; one page commercial contracts; firm fixed price; rapid awards (selection to contract in 10 days or less)
  • Diplomacy: align the Cyber Fast Track research goals with the goals of the research community (how do your priorities and theirs align?); engage leaders and influencers; socialize the effort, take feedback, and modify the program structure accordingly; ambassador: speak the language, demonstrate an understanding of both cultures
  • Slide 21
  • 350+ submissions & 90+ awards
  • [Chart: Submissions vs Awards]
  • Slide 22
  • CFT Contract Award Time: average of 6 working days to award
  • [Chart, days to award (min / avg / max), y-axis 0 to 100: CFT 2 / 6 / 12 days; BAA process 90+ days]
  • Slide 23
  • 92 Projects awarded to date (as of Feb 13, 2013)
  • 48 Projects Completed; 44 Projects in Progress (2/13/2013)
  • [Pie chart: 44 programs underway (48%); 19 completed programs open-source (21%); 29 completed programs closed source (31%)]
  • Slide 24
  • CFT Efforts
  • Slide 25
  • A Sampling of Current CFT Programs (grouped on the slide as Software and Hardware):
  • Antenna Detection; Truck-Security Framework; NAND Exploration; Phy-layer Auditing; IPMI Security; BIOS Integrity; Logical Bug Detection; Binary Defense; Obstructing Configurations; Side Channel Analysis; Anti-Reverse Engineering; Virtualization Security; Source Code Analysis; Distributed Validation; Secure Parsers; Deobfuscating Malware; Android OS Security; Baseband Emulation; Network Stack Modification; Securing Legacy RF; Network Visualization; Embedded System Vulnerabilities; BIOS Implant Analysis; Automotive-Security Applications; Android Application Forensics
  • Images provided by: Bit Systems
  • Slide 26
  • Soon to be released
  • Slide 27
  • Soon to be released: Bunnie's Routers
  • Image provided by: Bunnie Huang
  • Slide 28
  • Soon to be released: Bunnie's Routers; Charlie's Cars
  • Images provided by: Bunnie Huang, Charlie Miller
  • Slide 29
  • The beginning of the end of CFT
  • Slide 30
  • www.darpa.mil