Build it, Break it, Fix it A new security contest

From this document you will learn the answers to the following questions:

What is Fallacy?

What state is the University of Maryland located?

What is the name of the contest Prof . Michael Hicks co - created?

Similar documents
Article title goes here unless article begins on this page. If article begins on this page, override rules and text using Ctrl + Shift.

Harness Your Robot Army for Total Vulnerability Management

Secure in 2010? Broken in 2011! Matias Madou, PhD Principal Security Researcher

Tool-based Approaches to Software Security. Prof. Dr. Eric Bodden Andreas Follner

Cybersecurity Championship Cup Collegiate

APPLICATION SECURITY RESPONSE: WHEN HACKERS COME A-KNOCKING

Background ( )

Security Certification of Third- Parties Applications

Integrating Web Application Security into the IT Curriculum

Management (CSM) Capability

Getting Started with Web Application Security

Cybersecurity Championship Cup Collegiate Algorithm and Rules

Reducing the Cardholder Data Footprint

Secure in 2010? Broken in 2011!

A Biologically Inspired Approach to Network Vulnerability Identification

CyberNEXS Global Services

Virtualization System Vulnerability Discovery Framework. Speaker: Qinghao Tang Title:360 Marvel Team Leader

The Security Development Lifecycle. Steven B. Lipner, CISSP Senior Director Security Engineering Strategy Microsoft Corp.

REQUEST FOR PROPOSALS: CENTER FOR LONG-TERM CYBERSECURITY

AGENDA. Background. The Attack Surface. Case Studies. Binary Protections. Bypasses. Conclusions

A Test Suite for Basic CWE Effectiveness. Paul E. Black.

A Dozen Years of Shellphish From DEFCON to the Cyber Grand Challenge

Fine-grained covert debugging using hypervisors and analysis via visualization

Smart Device Security: From Threats to Mitigation Strategies

BREAKING THE KILL CHAIN AN EARLY WARNING SYSTEM FOR ADVANCED THREAT

ArcGIS Server Security Threats & Best Practices David Cordes Michael Young

Testing Rails. by Josh Steiner. thoughtbot

How To Manage A Network Security Risk

Guide for Designing Cyber Security Exercises

DoD Software Assurance (SwA) Overview

Ivan Medvedev Principal Security Development Lead Microsoft Corporation

Optimizing Network Vulnerability

MetaXSSploit. Bringing XSS in Pentesting A journey in building a security tool. Claudio

CONTINUOUS DIAGNOSTICS BEGINS WITH REDSEAL

Exploring a National Cyber Security Exercise for Community Colleges

The Collegiate Cybersecurity Championship Cup. Gregory B. White, Ph.D. National Initiative for CYBERSECURITY Education (NICE) 19 September 2013

Recent cyber-security studies in the U.S. David D. Clark MIT CFP May, 2009

How to hack VMware vcenter server in 60 seconds

Vulnerability Management in Software: Before Patch Tuesday KYMBERLEE PRICE BUGCROWD

Accounting for User Behavior in Predictive Cyber Security Models Masooda Bashir, Ken Keefe, Andrew Marturano, Mohammad Noureddine, Bill Sanders

Software Assurance Forum for Excellence in Code

Using Git with Rational Team Concert and Rational ClearCase in enterprise environments

Security within a development lifecycle. Enhancing product security through development process improvement

Lecture 15 - Web Security

Obtaining Enterprise Cybersituational

Virtualization System Security

HOW TO DESIGN AND IMPLEMENT AN EFFECTIVE PERFORMANCE MANAGEMENT PROGRAM

SECURITY RISK MANAGEMENT. FIRST 2007 Seville, Spain

Social Engineering & How to Counteract Advanced Attacks. Ralph Massaro, VP of Sales Wombat Security Technologies, Inc.

Computer and Network Security

Notes. futures market does not by itself have any effect on the spot market. It affects current price only to the extent that

U.S. Army Research, Development and Engineering Command. Cyber Security CRA Overview

Secure Programming with Static Analysis. Jacob West

Journey to the West Gábor Pék, PhD

112 BSIMM Activities at a Glance

Network Mission Assurance

Next Generation Strategies for Software Security in Critical Systems & Securing the Supply Chain BSides

Best Practices for Threat & Vulnerability Management. Don t let vulnerabilities monopolize your organization.

Cloud Computing Technologies Achieving Greater Trustworthiness and Resilience

Web application testing

GETTING REAL ABOUT SECURITY MANAGEMENT AND "BIG DATA"

APPLICATION SECURITY: FROM WEB TO MOBILE. DIFFERENT VECTORS AND NEW ATTACK

Bug hunting. Vulnerability finding methods in Windows 32 environments compared. FX of Phenoelit

Introduction to Cyber Defense Competition. Module 16

The Changing Threat Surface in. Embedded Computing. Riley Repko. Vice President, Global Cyber Security Strategy

Attacking the Traveling Salesman Point-of-sale attacks on airline travelers DEFCON 2014

The Open Cyber Challenge Platform *

Comparing Application Security Tools

Essential Visual Studio Team System

The Security Development Lifecycle. OWASP 24 June The OWASP Foundation

Vulnerability Management Nirvana: A Study in Predicting Exploitability

False Positives & Managing G11n in Sync with Development

Closing the Vulnerability Gap of Third- Party Patching

SAFECode Security Development Lifecycle (SDL)

University of Maryland Cybersecurity Center (MC 2 )

How To Teach A Cyber Security Course

Pragmatic Metrics for Building Security Dashboards

Blind Security Testing

Advancing Cyber Security Using System Dynamics Simulation Modeling for System Resilience, Patching, and Software Development

How To Test For Security

Code Dx: Visual analytics for triage of source code vulnerabilities

Upping the game. Improving your software development process

Contestant Requirements:

The Importance of Using Hacker Contests and Mindset in Teaching Networks and Information Assurance

Interactive Game Design with Greenfoot YEAR 1 Greenfoot Single-player Interactive Game

Building a Global Network Reputation System: Metrics, Data Analysis, and Risk Prediction

Computer Science. About PaaS Security. Donghoon Kim Henry E. Schaffer Mladen A. Vouk

Future of Mobile App Security. Vincent Sritapan Program Manager Cyber Security Division Science and Technology Directorate

How To Secure Cloud Computing

Ten Steps To Selecting the Right Practice Management Software

Small-Scale Cyber Security Competitions

The Hacker Strategy. Dave Aitel Security Research

CS 356 Lecture 25 and 26 Operating System Security. Spring 2013

Software Defined Networking Security

Building Secure Cloud Applications. On the Microsoft Windows Azure platform

Cyber Security Day: Creating a Mock Cyber Competition Event to Increase Student Interest in Cyber Security

Intelligent Vulnerability Management The Art of Prioritizing Remediation. Phone Conference

Marble & MobileIron Mobile App Risk Mitigation

acceptance testing seng 301

Product Roadmap. Sushant Rao Principal Product Manager Fortify Software, a HP company

Transcription:

Build it, Break it, Fix it A new security contest Prof. Michael Hicks co-conceived with Andrew Ruef and co-developed with Jan Plane, Atif Memon, and David Levin University of Maryland, College Park USA Funding provided by

Contests are cool DEFCON CTF Collegiate Cyber defense challenge (CCDC) Pwn to Own Rewards those who can reverse engineer vulnerabilities in real or custom systems But what about the opposite? I.e., reward those who can build more secure systems Fallacy: if you know what/how to find the vulnerabilities you can build systems without them

Build it, Break it, Fix it Must satisfy basic correctness and performance requirements Bug reports are (failing) executable test cases, including exploits 72 hours 72 hours Doing so may wipe out many bug reports in one go: all count as the same bug Then: Judges tally final results 72 hours

Scoring Build-it team Gains points for good performance Loses points for (unique) bugs found by breakers Break-it team Gains points for unique bugs found (scaled by how many other teams found the same bug) Winners for both categories at end of round 3

Goals Encourage defense, not just offense Tie together security with reliability: Bugs are bad, whether they are exploitable or not Elevate real concerns: performance and maintainability Provide direct feedback A lack of security is penalized: feel the mistake! Empirically assess what actually works Correlate features of submission with score Programming language, framework, library, Developer experience, S/W process, Using static analysis, fuzz testing, etc.

Requirements: Making it work Scalability hundreds of submissions Requires (mostly) automated testing, scoring Handle adversarial participants DOS the scoring system Report the same bug multiple times in slightly different ways Collusion Get data from which we can draw interesting conclusions

Platform Submissions run in a VM that we provide We unpack their submission in a defined directory and then run tests etc. within the VM Several benefits VM is isolated from other software, limiting its negative effects on ours and others software Run-time environment is clearly defined (in advance), yet affords plenty of flexibility

Data Teams must use our git repository So we can see their process and intermediate checkins Teams must answer (brief) popup surveys during each phase What are you working on? What problems are you dealing with? Who is doing what? And, of course, tests and final submissions available

Challenge I How to automatically judge whether a bug claim (submitted as a test) is valid? Use Bayesian network to judge the likelihood test is valid based on outcome for all submissions Seed network with results of true tests Builder teams can, during the fix-it phase, argue that any bugs that slip through are not bugs Human judges arbitrate

Challenge II How to automatically judge whether two submitted tests are morally the same? Incentive for builders: find bugs that are the same in fix-it phase Incentive for breakers: only allowed 10 test cases per submission (want to avoid duplicates) (Best effort) automation: Idea: test case minimization (e.g., delta debugging) Idea: footprint across all submissions

Challenge III How to determine scores? More points for an exploit vs. a correctness bug Want to encourage coverage don t want to crown winner only because no one looked at code Limit 10 bugs per submission Want to encourage finding deep/challenging bugs Bugs are worth more (to break-it teams) if fewer teams find them

Challenge IV How to avoid collusion or behavior not in the spirit of the competition? Disallow direct obfuscation (judges will check) Indirect uses (spaghetti code that looks human-written) might hurt performance, or might actually be relevant Disallow cooperation among build-it teams Goal would be to obtain more than one prize position Run similarity detection tools on submissions

What are the right tasks? Must be interesting Must be able to complete in 72 hours Must have a reasonable attack surface Examples: parsers/interpreters/game engines Pilot: SDXF parser (arcane file format) Ideas?

Let s go write some secure code!

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information