
Mudge

Mudge. CanSecWest 2013. Distribution A: Approved for Public Release, Distribution Unlimited. Cyber Fast Track – DARPA-PA-11-52, Amendment 4 (posted January 31, 2013). Closing Date: Proposals will be accepted at any time until 12:00 noon (ET), August 3 April 1, 2013.




  1. Mudge CanSecWest 2013 Distribution A: Approved for Public Release, Distribution Unlimited.

  2. Cyber Fast Track – DARPA-PA-11-52, Amendment 4 (posted January 31, 2013). Closing Date: Proposals will be accepted at any time until 12:00 noon (ET), August 3 April 1, 2013. https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html

  3. Heilmeier Questions: When George Heilmeier was the director of DARPA in the mid 1970s, he had a standard set of questions he expected every proposal for a new research program to answer. What is the problem, and why is it hard? How is it solved today? What is the new technical idea, and why can we succeed now? What is the impact if successful? How will the program be organized? How will intermediate results be generated? How will you measure progress? What will it cost?

  4. Ground truth… Federal Cyber Incidents, fiscal years 2006 – 2011. [Chart: Cyber Incidents Reported to US-CERT [1] by Federal agencies, 0 to 45,000, by fiscal year 2006 – 2011.] [1] GAO Testimony GAO-12-166T, CYBERSECURITY: Threats Impacting the Nation.

  5. Ground truth… Federal Cyber Incidents and Defensive Cyber Spending, fiscal years 2006 – 2011. [Chart: Cyber Incidents Reported to US-CERT [1] by Federal agencies, 0 to 45,000, plotted against Federal Defensive Cyber Spending [2], $0.0B to $12.0B, by fiscal year 2006 – 2011.] [1] GAO Testimony GAO-12-166T, CYBERSECURITY: Threats Impacting the Nation. [2] INPUT reports 2006 – 2011.

  6. Mudge or “Cyber-Heilmeier” Questions: Is the solution tactical or strategic in nature? What is the asymmetry for this solution? What unintended consequences will be created? Do attack surfaces shrink, grow, or remain unchanged? How will this solution incentivize the adversary?

  7. Are you tactical or strategic; what is the asymmetry? [Chart: security software lines of code, 0 to 10,000,000, by year 1985 – 2010; data points for DEC Seal, Stalker, Snort, Network Flight Recorder and Unified Threat Management, with Unified Threat Management at the top of the curve. For comparison, Milky Way Malware: 125 lines of code*.] * Malware lines of code averaged over 9,000 samples.

  8. How do *you* handle passwords?

  9. Unintended consequences… The first CrackMeIfYouCan contest challenged participants to crack 53,000 passwords. In 48 hours, the winning team had 38,000*. (*this was not the important take away…) [Chart: number of passwords cracked over time; profile for the winning team, Team Hashcat.]


  11. Additional security layers often create vulnerabilities… Current vulnerability watch list: 6 of the vulnerabilities are in security software. Color code key: Vendor Replied – Fix in development; Awaiting Vendor Reply/Confirmation; Awaiting CC/S/A use validation.

  12. Additional security layers often create vulnerabilities… Watch list snapshots (date, count): 1/25/2013, 7/20; 1/14/2013, 5/21; 1/2/2013, 5/20; 12/28/2012, 5/20; 12/14/2012, 8/22; 12/3/2012, 4/18; 11/30/2012, 4/17; 11/15/2012, 4/17; 11/1/2012, 2/11; 10/31/2012, 1/9; 10/15/2012, 4/9; 10/1/2012, 6/14.

  13. Identifying attack surfaces… There is a constant surface area available to attack: regardless of the application size, the system loads the same number of support functions. DLLs and the run-time environment mean more commonality across applications; the application-specific functions sit on top of that shared base. For every 1,000 lines of code, 1 to 5 bugs are introduced.

  14. How are you incentivizing the adversary? Understanding them in the context of ‘game theory’ reveals the problem. Bot Herder strategy example [tree diagram: Root, Tree, Branch]: Traditional C2 Botnet – Strategy 1: XOR‡ branch (the “Storm” Botnet). Solution exists: weekly patch, kills branch. New P2P Botnet – Strategy 2: AES* branch. Solution needed: high-cost solution, kills tree. The security layering strategy and antitrust have created cross incentives that contribute to divergence. ‡ = “exclusive or” logical operation. * = Advanced Encryption Standard.

  15. Mudge Questions (aka “Cyber-Heilmeier”): Is the solution tactical or strategic (a)? What is the asymmetry for this solution (a)? Can you forecast the unintended consequences (b)(e)? Do attack surfaces shrink, grow, or remain unchanged (c)(d)? How does this solution incentivize the adversary (e)? (*) If you had to defeat your own effort, how would you go about it? [Labels (a) through (e) refer back to the preceding slides.]

  16. Creating a vehicle to tackle these issues: Cyber Fast Track, DARPA-PA-11-52. cft.usma.edu https://www.fbo.gov/spg/ODA/DARPA/CMO/DARPA-RA-11-52/listing.html

  17. CFT Mission Statement • Identify aligned areas of interest between the DoD and a novel performer community. • Become a resource to that community in a way that encourages mutually beneficial research efforts → resulting in prototypes and proofs of concept in a matter of months. • Improve goodwill and understanding in both communities. CFT promotes aligned interests, not the realigning of interests to meet Government needs.

  18. The Importance of Transition. The objective of technology transition is to make the desired technology available as quickly as possible and at the lowest cost. • Direct: Program of Record (POR); Memorandum of Understanding (MOU); Memorandum of Agreement (MOA); Technology Transition Agreement (TTA). • Indirect – Enabling/Promoting: Commercial; Open Source; Other.

  19. The first proof that it might be do-able… • NMAPv6 – CINDER • Advanced IPv6 capabilities • 200 new network scanning and discovery modules (NSE) • Common Platform Enumeration (CPE) output support • Scanner, GUI, and differencing engine performance scaling (1 million target IP addresses) • Adversary Mission Identification System (AMIS) • Transition: Downloads 3,096,277 (5,600 .gov & 5,193 .mil)… and counting…

  20. The two key ingredients to CFT: • Diplomacy • Align the Cyber Fast Track research goals with the goals of the research community • How do your priorities and theirs align? • Engage leaders and influencers • Socialize the effort, take feedback, and modify the program structure accordingly • Ambassador: speak the language, demonstrate an understanding of both cultures • Programmatics • A unique process that allows DARPA to legally do Cyber R&D contracting extremely fast • A framework that anyone can use • Streamlined negotiations • One-page commercial contracts • Firm fixed price • Rapid awards (selection to contract in 10 days or less)

  21. 350+ submissions & 90+ awards. [Chart: submissions versus awards.]

  22. CFT Contract Award Time. [Chart: days to award, 0 to 100. BAA process: 90+ days. CFT: 12 days maximum, 6 days average, 2 days minimum.] Average of 6 working days to award.

  23. 92 Projects awarded to date (as of Feb 13, 2013): 44 programs underway (48%), 19 completed programs open source (21%), 29 completed programs closed source (31%). 48 Projects Completed – 44 Projects in Progress (2/13/2013).

  24. CFT Efforts

  25. A Sampling of Current CFT Programs. Hardware: Automotive-Security Applications; Embedded System Vulnerabilities; BIOS Implant Analysis; Truck-Security Framework; NAND Exploration; IPMI Security; Phy-layer Auditing; Securing Legacy RF. Software: Logical Bug Detection; Obstructing Configurations; Anti-Reverse Engineering; Android Application Forensics; Side Channel Analysis; BIOS Integrity; Binary Defense; Secure Parsers; Baseband Emulation; Android OS Security; Deobfuscating Malware; Virtualization Security; Distributed Validation; Source Code Analysis; Network Stack Modification; Network Visualization; Antenna Detection. Images provided by: Bit Systems.

  26. Soon to be released…

  27. Bunnie’s Routers… Soon to be released… Image provided by: Bunnie Huang

  28. Bunnie’s Routers… Charlie’s Cars… Soon to be released… Image provided by: Bunnie Huang Image provided by: Charlie Miller

  29. The end of CFT… The beginning of…
