1 / 19

SATE 2010 Analysis

SATE 2010 Analysis. Aurélien Delaitre, NIST aurelien.delaitre@nist.gov October 1, 2010 The SAMATE Project http://samate.nist.gov/. Outline. What tools find What people find CVEs Manual analysis. Building on SATE 2009. SATE 2010. SATE 2010. SATE 2009. SATE 2009. Security Quality

cookr
Télécharger la présentation

SATE 2010 Analysis

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. SATE 2010 Analysis Aurélien Delaitre, NIST aurelien.delaitre@nist.gov October 1, 2010 The SAMATE Project http://samate.nist.gov/

  2. Outline • What tools find • What people find • CVEs • Manual analysis

  3. Building on SATE 2009 SATE 2010 SATE 2010 SATE 2009 SATE 2009

  4. Security Quality Insignificant SATE 2010 Improving categories True Insignificant SATE 2009

  5. Improving the guidelines 45 lines → 314 lines Considering weakness types Better uniformity in evaluations

  6. Decision process Security Context ... Quality Path ... ... Type Unknown Insignificant ... Bug False

  7. Sampling Warnings of each class of severity 1 - 4

  8. Weakness categories

  9. Quality and security related

  10. Non-false overlap

  11. CVEs Key elements of the path for matching: Blocks of code Sink or upflow path elements But not exhaustive

  12. Example /* Dialect Index */ dialect = tvb_get_letohs(tvb, offset); if (si->sip && si->sip->extra_info_type==SMB_EI_DIALECTS) { dialects = si->sip->extra_info; if (dialect <= dialects->num) { dialect_name = dialects->name[dialect]; } } if (!dialect_name) { dialect_name = "unknown"; }

  13. Manual analysis Dovecot for C Pebble for Java • Used a slightly later version

  14. Dovecot No remotely exploitable vulnerability found Fuzzing Threat modeling Code review

  15. Pebble Pen. test Threat modeling Code review Several vulnerabilities found

  16. Tools ∩ humans No human findings for Dovecot No matches for Chrome and Wireshark

  17. Interpretation CVEs ∩ tool findings = ∅ CVEs Tool findings All weaknesses

  18. Interpretation CVE descriptions ∩ tool findings = ∅ CVE descriptions CVEs Tool findings All weaknesses

  19. Questions

More Related