Texas A&M Presentation Tomorrow
By Dan Cornell
I will be speaking to the Texas A&M IT Forum tomorrow. The topic is Static Analysis and Application Security. I think they actually stream the video of the talk on Channel 20.
--Dan
By Dan Cornell
I made it back to the States after the ROOTS conference and wanted to post some comments. It was a great conference with a lot of interesting folks and I was thrilled to have the opportunity to present.
On Tuesday, Andre Klingsheim and Lars-Helge Netland gave a great talk on Architectural Risk Analysis. They ran us through a fantastic exercise where we had to work with folks at our tables and rank the most common causes of death in the USA. My partner and I did all right - we got all the right causes of death but had some of them in the wrong order. That was useful for examining perceived versus actual risk. They also discussed the traditional Risk = Probability x Impact formula for quantitative risk analysis and why it is challenging to apply consistently across practitioners and projects, so we also looked at qualitative risk analysis. This is great material for software developers to cover, and having more conversations in this area can do nothing but help increase the awareness of software security issues across the industry.
Martin Knobloch and Marinus Kuivenhoven gave a fantastic Application Security Workshop on Wednesday. They went through an introduction to OWASP tools like WebScarab and WebGoat and then walked through the OWASP Top 10 2007 with examples. I have been over this material a number of times, but I got a lot of benefit out of a number of the examples and case studies they talked about. Again - presentations like this can only help to get the software development community more interested in the security implications of the applications they are producing.
Thanks again to the ROOTS committee and all the attendees.
--Dan
dan _at_ denimgroup.com
(The picture is of an extremely well-dressed stick figure crossing the street in Bergen, Norway)
By Dan Cornell
There has been a rising concern as of late about potential security issues related to backdoor functionality included in processors. This is predominantly a concern about state actors compromising products that are then exported to other nations. Bruce Schneier posted earlier about a USENIX paper on the topic and I recently saw on Slashdot that DARPA is sponsoring a contest to spur some research about this issue.
That all got me thinking. I attended a great talk by Chris Wysopal at OWASP AppSec 2007 titled "Backdoors and Other Developer Introduced 'Features'". He talked about a number of "signatures" that could be used to detect intentionally-introduced backdoors in application code. Could the same thing be done for hardware-specification languages such as VHDL? You could probably come up with a useful set of signatures that might help to provide some assurance, but you would run into at least two issues:
This seems to be a pretty serious issue and there do not seem to be even reasonably good solutions for it yet. Multinational companies are going to move operations to locations where they can minimize their costs and those locations are not necessarily going to be located in "friendly" parts of the world.
Perhaps some combination of static analysis of the specifications as well as dynamic "fuzzing" of the inputs and outputs of the device might provide some assurance, but, as always, good trust is hard to find.
--Dan
dan _at_ denimgroup.com
(Photo is of the Pacific Northwest Totem located in Nordnes park in Bergen, Norway)
By Dan Cornell
The slide deck from my talk at ROOTS 2008 is now up online. That talk covered security testing with static analysis tools and dynamic analysis tools, looked at the strengths and weaknesses of both approaches and then discussed how to use them together.
This has been a great conference and I hope to post some more details shortly.
--Dan
dan _at_ denimgroup.com
(Photo is of a statue of Henrik Ibsen here in Bergen, Norway)
By Dan Cornell
The slide deck from my talk at the Texas Regional Infrastructure Security Conference (TRISC) is now up online. The talk covered integrating security into the software development life cycle and some of the steps we have taken at Denim Group in order to make that a reality.
--Dan
dan _at_ denimgroup.com
By Dan Cornell
I will be speaking at the Recent Object Oriented Trends (ROOTs) conference in Bergen, Norway next week. My talk will cover static analysis, dynamic analysis and how to use them together. For all of our Norway-based readers: I hope to see you there!
--Dan
dan _at_ denimgroup.com
By Dan Cornell
I was flipping through some channels on the TV tonight and saw that AMC was showing the movie WarGames for its 25th anniversary. Good stuff!
I remember the "bad old days" when systems were compromised by "inane" stuff like:
Good thing we've moved beyond all that...
--Dan
dan _at_ denimgroup.com
By Dan Cornell
UTSA's Center for Infrastructure Assurance and Security (CIAS) put on the National Collegiate Cyber Defense Competition this weekend and I had the distinct honor of being a White Team member on Sunday. Other Denim Group folks who were also on the White Team at various times during the weekend included John Dickson, Kevin, Chad and Phil.
This was a really impressive event. Unlike a lot of computer security competitions, the focus is on defense rather than offense. The student teams have to maintain and protect a network while dealing with simulated requests from business users. That would be hard enough by itself, but they also have to deal with a hostile Red Team that is trying to break into their network, steal information and stop services.
Check out a Linux.com article on the event.
--Dan
dan _at_ denimgroup.com
By Dan Cornell
I took a short break from the RSA conference today to read an article from our good friends at the NSA about the Enigma machine and World War II. Very cool stuff. I saw this on Bruce Schneier's blog a couple of days ago and it really resonated because I just finished re-reading Cryptonomicon.
--Dan
dan _at_ denimgroup.com
PS - If you haven't read Cryptonomicon yet - read it. That is one of my favorite novels of all time.
By Dan Cornell
I'm headed to San Francisco later today to catch a little bit of the 2008 RSA conference. Denim Group's John Dickson has been up there since Monday and will be leading a discussion group Thursday on the tradeoffs between black box and white box application testing (dynamic versus static analysis).
All the reports I have seen so far indicate that this is shaping up to be one heck of a conference, so I'm looking forward to seeing some of the new products and meeting up with folks. If you are in the area, drop me a line.
--Dan
dan _at_ denimgroup.com