Digital security is tough to get right, and on the software side of the equation, it’s even harder. Traditionally, software security has come in the form of edge-of-network devices, like firewalls and intrusion detection systems. It is the software itself, however, that often offers up the exploitable surface area to an attacker.
USENIX Enigma, a new conference from the USENIX Advanced Computing Systems Association, brought attendees new ideas in software security, ranging from a new type of binary scanner to cutting-edge firmware-monitoring tools employed by Facebook.
In a world where the firewall cannot save the network from all the evils online, end-point security becomes paramount. This is compounded by the fact that some of the newest and most dangerous security exploits online involve firmware replacement and poisoning.
Teddy Reed, security engineer at Facebook, showed off an open-source tool his team built in order to counter this new threat: OSQuery. It works by hooking into the end machine’s stream of events at the kernel level. These events are pushed upstream to a monitoring console, and thus administrators and developers can use the tool to gain insight into events happening on networked machines.
Such event notifications can be triggered for something as trivial as the insertion of a USB plug, or as major as a kernel panic or firmware update. Reed said that having OSQuery on every computer is useful, but the type of computer determines the importance of those notifications.
On a developer’s laptop, for example, many unique USB devices may be randomly plugged in and brought online. On a server, however, anything plugged in via USB should immediately set off a red flag, as it’s a rare occurrence.
Reed encouraged the audience to try OSQuery, and then offered to help any users who wished to integrate it into an odd stack. He said this tool provides a form of security he called attestation. “Owner controller attestation will make devices safer,” he said.
No more false positives
When it comes to the software security side of the conference, its organizer actually had the most interesting and compelling story to tell. David Brumley is director of CyLab at Carnegie Mellon University. The lab was formed in 2003 and has become one of the largest cybersecurity research and education centers in the world.
In his work at CyLab, Brumley was involved in binary analysis tools. For those who have ever used a binary scanner to check applications for security vulnerabilities, they probably don’t know that the biggest problem with these types of tools is false positives.
Thus, binary scanners are not standard-issue in the nightly test chain; coming in to a list of 300 potential bugs every morning, when only three of them are real, can be a tad frustrating.
That wasn’t good enough for Brumley. His research focused on performing valid binary analysis, and instead of finding every possible bug (even ones that don’t matter), his tools attempted to give zero false positives.
“We saw static analysis and we wanted to go the other way,” said Brumley. “We wanted zero false positives. It is a reality now—the question we have now is how well does it scale and what sort of problems can you look at. You can have either zero false positives and miss some bugs, or you can go the other way. Coverity is used on some great codebases out there, but we really saw a need to have actionable results. If someone is going to use a binary program, it’s important to know if something is exploitable; it’s not just a theory, but someone has done it automatically.”
Brumley and his team at CyLab have productized their efforts into Secure For All, a company focused on spreading this binary scanning technology to all software users, everywhere. Its software is designed to not only give zero false positives, but also attempt to generate code to exploit any vulnerability it finds.
“We looked at what do humans do to find vulnerabilities,” said Brumley. “I want to be clear: There’s a huge gap between what automated tools can do and humans can do. We want to get on this path where if a human finds something, we can automate it.”
Rather than selling the software at a high price to enterprises, Brumley and his team hope to offer the tool to end users, so they can scan their own applications and ensure their security.