Dynamic Security Analysis of COTS Applications

AFRL

Funded by: Department of Defense, Air Force Research Lab
Administered by: Rome Laboratories

Abstract

The specter of malicious computer users, organized crime, or hostile nations waging information warfare against the United States is a growing threat---enough to concern the upper echelons of the U.S. government. Because the threat is real, we must urgently prepare to wage information warfare in both defensive and offensive postures. Current security analysis tools attempt to assess network-level vulnerabilities for a given site. These tools do not provide an assessment of an organization's vulnerability to information warfare waged from within---via malicious software programs. Recognizing that 90% of military systems use commercial architectures, the problem of untrusted software becomes of critical importance to those concerned with information warfare. The technology proposed here describes a methodology and accompanying tool designed to localize the vulnerabilities in systems that include commercial off-the-shelf (COTS) software components. By localizing which components engender security violations before they are incorporated into a system, we can develop a baseline for assessing the defensive integrity of a complete system.

Application-level vulnerabilities have particular significance in the area of information warfare. While some information warfare campaigns might be waged through frontal assaults on a network firewall, more insidious campaigns are those that wage war from within---via applications that are currently executing on commanders' desktops. Software applications with built-in vulnerabilities (whether intentionally placed or not) may allow a malicious user to do things contrary to security policy. Malicious activities can also be carried out by Web-based applications like Java applets. An attack applet can read files, write files, delete data, monitor user activity, and send data back over a network connection---all without the knowledge of the user. Network-level security analysis cannot protect against these types of malicious software applications. A prime example of the sort of component that cries out for vulnerability analysis is the omnipresent World Wide Web browser. Our methodology can detect where attacks can topple the first domino in a chain of events that eventually lead to a security violation.

Most software security vulnerabilities result from two factors: program bugs and malicious misuse. Technologies and methodologies for analyzing software in order to discover these vulnerabilities (and potential avenues for exploitation) are a current topic of computer security research. Dynamic software analysis technologies usually require program source code. However, most COTS software applications are delivered in the form of binary executables (including hooks to dynamic libraries), rendering source-code-based techniques useless. Thus, alternative methods for analyzing software vulnerability under malicious misuse or attack are required.

The purpose of this effort is to investigate a methodology based on dynamic black-box software analysis capable of revealing existing bugs and interesting new vulnerabilities in COTS software products. We will develop a prototype software tool for Rome Laboratories that automates the discovery of existing weaknesses in executable components. The black-box vulnerability analysis prototype that we develop will consist of three major parts: an input generation and perturbation module, a security watchdog module, and an execution manager (that ties all the parts into a coherent system).

To increase the likelihood of successfully fending off attacks, you must know your own weaknesses. To increase the likelihood of successfully attacking, you must know your adversary's weaknesses. The approach proposed here can aid in both cases. Results collected as our proposed tool runs will be useful for both offensive and defensive information warfare.

We will develop technology for analyzing COTS applications in the Microsoft Windows-NT environment given only the executable machine code binaries distributed by most vendors. This technology will be delivered in the form of a black-box software analysis tool capable of automatic dynamic software analysis. As part of the proposed effort, we will use the tool to analyze several popular PC-based COTS applications written for the Microsoft Windows-NT environment.

Dynamic black-box analysis is an important approach to software vulnerability localization that, given today's inexpensive hardware, can be performed relatively cheaply. This analysis is a variant on traditional software testing that is particularly attractive because it can be applied to binary executables, including COTS and legacy executables. This approach is not typical vanilla testing, but rather focused testing with the express purpose of determining a component's tolerance to attack. Though this approach requires neither functional specifications nor functional requirements for the components under analysis, it does require the user to characterize what a security violation is (based on site-specific security policy).
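An added illustration of the three-part structure described earlier (input perturbation module, security watchdog, execution manager) and of the site-policy characterization this approach requires. This is constructed Python written for this page, not the proposed prototype; `target_program` is a stand-in for a COTS binary that trusts a file name read from its input, and the policy "writes stay under work/" is an assumed site rule.

```python
import random
from pathlib import Path

# Constructed stand-in for a COTS binary: reads "outfile=<name>" from its
# input and writes a report there, trusting the name it was given.
def target_program(config: bytes, fs) -> None:
    text = config.decode("latin-1")
    name = text.split("=", 1)[1].strip() if "=" in text else "report.txt"
    fs.write(Path("work") / name, b"report")

class Watchdog:
    # Security watchdog: the site policy here is "writes stay under work/".
    # It interposes on the write call and records escapes; no real I/O occurs.
    def __init__(self, allowed="work"):
        self.allowed = Path(allowed).resolve()
        self.violations = []
    def write(self, path: Path, data: bytes) -> None:
        full = (Path.cwd() / path).resolve()
        if full != self.allowed and self.allowed not in full.parents:
            self.violations.append(str(path))

def perturb(seed: bytes, rng: random.Random) -> bytes:
    # Input perturbation module: bit flip, random splice, or a splice placed
    # right after a delimiter so the fragment lands on a field boundary.
    data = bytearray(seed)
    fragment = rng.choice([b"../", b"../../", b"/"])
    strategy = rng.randrange(3)
    if strategy == 0:
        data[rng.randrange(len(data))] ^= 1 << rng.randrange(8)
    elif strategy == 1:
        pos = rng.randrange(len(data) + 1)
        data[pos:pos] = fragment
    else:
        delims = [i + 1 for i, b in enumerate(data) if b in b"=/"]
        pos = rng.choice(delims) if delims else len(data)
        data[pos:pos] = fragment
    return bytes(data)

def execution_manager(seed: bytes, runs: int, rng_seed: int = 0) -> dict:
    # Execution manager: drives perturbed inputs through the target under the
    # watchdog and records crashes (exceptions) and policy violations.
    rng = random.Random(rng_seed)
    findings = {"crashes": [], "violations": []}
    for _ in range(runs):
        case = perturb(seed, rng)
        wd = Watchdog()
        try:
            target_program(case, wd)
        except Exception as exc:
            findings["crashes"].append((case, type(exc).__name__))
        if wd.violations:
            findings["violations"].append((case, wd.violations[0]))
    return findings
```

Each recorded finding pairs the exact perturbed input with the policy breach it caused, which is the localization data a defender needs to trace the first domino back to the component that fell.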

As the military moves towards COTS-based systems, developing a means for analyzing and isolating vulnerabilities of such systems gains urgency. The world is quickly converging on two development platforms: UNIX and Windows-NT. Given that yesterday's MIL-SPEC procurements have been replaced by COTS-SPEC procurements, it is now possible for our adversaries to learn much about our vulnerabilities by spending as little as a few thousand dollars to buy the exact software upon which we depend. Access to vulnerability localization data in a clearly-presented fashion will give our strategists better ability to defend our existing information systems against malicious misuse while at the same time discovering new offensive capabilities to direct against enemy systems.



Contact
Matthew Schmid