Mudge, CanSecWest 2013
Distribution A: Approved for Public Release, Distribution Unlimited.
Slide 2
Cyber Fast Track, DARPA-PA-11-52
Amendment 4 (posted January 31, 2013). Closing Date: Proposals will be
accepted at any time until 12:00 noon (ET), April 1, 2013 (the amendment
moved the closing date up from August 3).
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
Slide 3
Heilmeier Questions
When George Heilmeier was the director of DARPA in the mid 1970s, he had
a standard set of questions he expected every proposal for a new research
program to answer:
1. What is the problem, why is it hard?
2. How is it solved today?
3. What is the new technical idea; why can we succeed now?
4. What is the impact if successful?
5. How will the program be organized?
6. How will intermediate results be generated?
7. How will you measure progress?
8. What will it cost?
Slide 4
2011 Ground Truth
Chart: Cyber Incidents Reported to US-CERT by Federal agencies, fiscal
years 2006-2011 [1] (y-axis 0 to 45,000 incidents).
[1] GAO Testimony GAO-12-166T, Cybersecurity: Threats Impacting the Nation.
Slide 5
2011 Ground Truth
Chart: Cyber Incidents Reported to US-CERT by Federal agencies [1] (left
axis, 0 to 45,000) plotted against Federal Defensive Cyber Spending [2]
(right axis, $0 to $12B), fiscal years 2006-2011.
[1] GAO Testimony GAO-12-166T, Cybersecurity: Threats Impacting the Nation.
[2] INPUT reports, 2006-2011.
Slide 6
Mudge (or Cyber-Heilmeier) Questions
1. Is the solution tactical or strategic in nature?
2. What is the asymmetry for this solution?
3. What unintended consequences will be created?
4. Do attack surfaces shrink, grow, or remain unchanged?
5. How will this solution incentivize the adversary?
Slide 7
Malware: 125 lines of code*
Chart: lines of code in security software, 1985-2010 (y-axis 0 to
10,000,000), with data points for DEC SEAL, Stalker, Milky Way, Snort,
Network Flight Recorder and Unified Threat Management, against malware at
roughly 125 lines.
*Malware lines of code averaged over 9,000 samples.
Are you tactical or strategic; what is the asymmetry?
Slide 8
How do *you* handle passwords?
Slide 9
The first CrackMeIfYouCan contest challenged participants to crack 53,000
passwords. In 48 hours, the winning team had 38,000*.
(*this was not the important take away)
Chart: profile for the winning team, Team Hashcat (passwords cracked vs.
time).
Unintended consequences
Slide 11
Current vulnerability watch list
Color code key: Awaiting Vendor Reply/Confirmation; Awaiting CC/S/A use
validation; Vendor Replied; Fix in development.
Vendor and product names are redacted (XXXXXXXXXXXX) on the slide.

Vulnerability Title                                Fix Avail?  Date Added
Local Privilege Escalation Vulnerability           No          8/25/2010
Denial of Service Vulnerability                    Yes         8/24/2010
Buffer Overflow Vulnerability                      No          8/20/2010
Sanitization Bypass Weakness                       No          8/18/2010
Security Bypass Vulnerability                      No          8/17/2010
Multiple Security Vulnerabilities                  Yes         8/16/2010
Remote Code Execution Vulnerability                No          8/16/2010
Use-After-Free Memory Corruption Vulnerability     No          8/12/2010
Remote Code Execution Vulnerability                No          8/10/2010
Multiple Buffer Overflow Vulnerabilities           No          8/10/2010
Stack Buffer Overflow Vulnerability                Yes         8/09/2010
Security-Bypass Vulnerability                      No          8/06/2010
Multiple Security Vulnerabilities                  No          8/05/2010
Buffer Overflow Vulnerability                      No          7/29/2010
Remote Privilege Escalation Vulnerability          No          7/28/2010
Cross Site Request Forgery Vulnerability           No          7/26/2010
Multiple Denial Of Service Vulnerabilities         No          7/22/2010

Additional security layers often create vulnerabilities: 6 of the
vulnerabilities are in security software.
Slide 12
Additional security layers often create vulnerabilities
Slide 13
Identifying attack surfaces
DLLs: the run-time environment means more commonality. Application-specific
functions sit on top of a constant surface area available to attack:
regardless of the application's size, the system loads the same number of
support functions. For every 1,000 lines of code, 1 to 5 bugs are
introduced.
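The claim on this slide, that the run-time support code loaded into every process is a fixed attack surface no matter how small the application, can be measured directly on Linux. The script below is an added example and not part of Mudge's deck: it parses the /proc/<pid>/maps format, totals the executable, file-backed mappings per image, and splits them into the application's own binary and the shared libraries that load regardless of application size. The sample maps text, its paths, addresses and sizes are constructed for illustration.

```python
"""Measure the run-time support code mapped into a process.

Added example: parses the Linux /proc/<pid>/maps format and totals the
executable, file-backed mappings per image, separating the application's
own binaries from the shared libraries that load no matter how small the
application is.
"""
import os
import re
from collections import defaultdict

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
_MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>\S{4})\s+"
    r"\S+\s+\S+\s+\S+\s*(?P<path>.*)$"
)

# Constructed sample in /proc/<pid>/maps format for a trivial "hello"
# binary. Paths, addresses and sizes are illustrative, not from a real
# process.
SAMPLE_MAPS = """\
00400000-00401000 r-xp 00000000 08:01 1234 /home/user/hello
00600000-00601000 rw-p 00000000 08:01 1234 /home/user/hello
7f0000000000-7f0000028000 r--p 00000000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0000028000-7f00001bd000 r-xp 00028000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6
7f00001bd000-7f0000215000 r--p 001bd000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0000215000-7f0000219000 rw-p 00214000 08:01 2 /usr/lib/x86_64-linux-gnu/libc.so.6
7f0000300000-7f0000302000 r--p 00000000 08:01 3 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7f0000302000-7f000032c000 r-xp 00002000 08:01 3 /usr/lib/x86_64-linux-gnu/ld-linux-x86-64.so.2
7ffc00000000-7ffc00021000 rw-p 00000000 00:00 0 [stack]
7ffc00100000-7ffc00102000 r-xp 00000000 00:00 0 [vdso]
"""


def executable_code_by_image(maps_text):
    """Sum the bytes of executable (x) file-backed mappings per image path."""
    code = defaultdict(int)
    for line in maps_text.splitlines():
        m = _MAPS_LINE.match(line)
        if not m:
            continue
        perms, path = m.group("perms"), m.group("path").strip()
        # Anonymous memory and pseudo-files such as [stack] or [vdso] are
        # not on-disk code shipped by a vendor, so they are not counted.
        if not path or path.startswith("["):
            continue
        if "x" not in perms:
            continue
        code[path] += int(m.group("end"), 16) - int(m.group("start"), 16)
    return dict(code)


def attack_surface(maps_text, app_images):
    """Split executable code into the application's own images and the
    run-time support libraries that load regardless of application size."""
    code = executable_code_by_image(maps_text)
    app = {p: n for p, n in code.items() if p in app_images}
    support = {p: n for p, n in code.items() if p not in app_images}
    return {
        "app_bytes": sum(app.values()),
        "support_bytes": sum(support.values()),
        "support_images": sorted(support),
    }


def live_maps(pid="self"):
    """Read the maps file of a live process (Linux only)."""
    with open(f"/proc/{pid}/maps") as f:
        return f.read()


if __name__ == "__main__":
    surf = attack_surface(SAMPLE_MAPS, {"/home/user/hello"})
    print(f"sample: app code {surf['app_bytes']} B, support code "
          f"{surf['support_bytes']} B in {len(surf['support_images'])} libraries")
    # On a Linux host, measure this interpreter: the interpreter binary is
    # tiny next to the libraries the loader pulls in for it.
    if os.path.exists("/proc/self/maps"):
        exe = os.path.realpath("/proc/self/exe")
        surf = attack_surface(live_maps(), {exe})
        print(f"live: app code {surf['app_bytes']} B, support code "
              f"{surf['support_bytes']} B in {len(surf['support_images'])} libraries")
        for path in surf["support_images"]:
            print("  ", path)
```

Run it as a script on a Linux box to see the live numbers for the Python interpreter itself; the same functions can be pointed at any /proc/<pid>/maps to inventory which vendor images, and how much of their code, an attacker can reach from a given process.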
Slide 14
How are you incentivizing the adversary?
Understanding them in the context of game theory reveals the problem.
Bot Herder strategy example, Traditional C2 Botnet vs. New P2P Botnet:
payoff table with rows Bot Herder Cost, Bot Herder Return, Antivirus Cost
and Antivirus Return (cell values as shown on the slide: Short/Long,
Small/High, Low/High, Small/High, 0/Low).
Storm Botnet strategy tree (Root, Tree, Branch):
- Strategy 1: XOR (exclusive-or logical operation) branch
- Strategy 2: AES (Advanced Encryption Standard) branch
Solution exists: weekly patch, kills branch.
Solution needed: high cost solution, kills tree.
The security layering strategy and antitrust have created cross incentives
that contribute to divergence.
Slide 15
Mudge Questions (aka Cyber-Heilmeier)
1. Is the solution tactical or strategic (a)?
2. What is the asymmetry for this solution (a)?
3. Can you forecast the unintended consequences (b)(e)?
4. Do attack surfaces shrink, grow, or remain unchanged (c)(d)?
5. How does this solution incentivize the adversary (e)?
(*) If you had to defeat your own effort, how would you go about it?
Slide 16
Creating a vehicle to tackle these issues: Cyber Fast Track
DARPA-PA-11-52
cft.usma.edu
https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html
Slide 17
CFT Mission Statement
- Identify aligned areas of interest between the DoD and a novel performer
  community.
- Become a resource to that community in a way that encourages mutually
  beneficial research efforts resulting in prototypes and proofs of
  concept in a matter of months.
- Improve goodwill and understanding in both communities.
CFT promotes aligned interests, not the realigning of interests to meet
Government needs.
Slide 18
The Importance of Transition
The objective of technology transition is to make the desired technology
available as quickly as possible and at the lowest cost.
Direct: Program of Record (POR), Memorandum of Understanding (MOU),
Memorandum of Agreement (MOA), Technology Transition Agreement (TTA).
Indirect (enabling/promoting): Commercial, Open Source, Other.
Slide 19
The first proof that it might be do-able: NMAPv6 (CINDER)
- Advanced IPv6 capabilities
- 200 new network scanning and discovery modules (NSE)
- Common Platform Enumeration (CPE) output support
- Scanner, GUI, and differencing engine performance scaling (1 million
  target IP addresses)
- Adversary Mission Identification System (AMIS)
Transition: 3,096,277 downloads (5,600 .gov & 5,193 .mil) and counting.
Slide 20
The two key ingredients to CFT
Programmatics: a unique process that allows DARPA to legally do Cyber R&D
contracting extremely fast; a framework that anyone can use.
- Streamlined negotiations
- One page commercial contracts
- Firm fixed price
- Rapid awards (selection to contract in 10 days or less)
Diplomacy: align the Cyber Fast Track research goals with the goals of the
research community.
- How do your priorities and theirs align?
- Engage leaders and influencers
- Socialize the effort, take feedback, and modify the program structure
  accordingly
- Ambassador: speak the language, demonstrate an understanding of both
  cultures
Slide 21
350+ submissions & 90+ awards
Chart: submissions vs. awards.
Slide 22
CFT Contract Award Time: average of 6 working days to award
Chart (days, 0 to 100): CFT minimum 2, average 6, maximum 12 days; the
standard BAA process takes 90+ days.
Slide 23
92 projects awarded to date (as of Feb 13, 2013): 48 completed, 44 in
progress.
- 44 programs underway (48%)
- 19 completed programs open-source (21%)
- 29 completed programs closed source (31%)
Slide 24
CFT Efforts
Slide 25
A Sampling of Current CFT Programs (grouped on the slide under Software
and Hardware)
- Antenna Detection
- Truck-Security Framework
- NAND Exploration
- Phy-layer Auditing
- IPMI Security
- BIOS Integrity
- Logical Bug Detection
- Binary Defense
- Obstructing Configurations
- Side Channel Analysis
- Anti-Reverse Engineering
- Virtualization Security
- Source Code Analysis
- Distributed Validation
- Secure Parsers
- Deobfuscating Malware
- Android OS Security
- Baseband Emulation
- Network Stack Modification
- Securing Legacy RF
- Network Visualization
- Embedded System Vulnerabilities
- BIOS Implant Analysis
- Automotive-Security Applications
- Android Application Forensics
Images provided by: Bit Systems
Slide 26
Soon to be released
Slide 27
Bunnie's Routers
Soon to be released
Image provided by: Bunnie Huang
Slide 28
Bunnie's Routers; Charlie's Cars
Soon to be released
Images provided by: Bunnie Huang and Charlie Miller
Slide 29
The beginning of the end of CFT
Slide 30
www.darpa.mil