The Matasano H0t-S1x-4-0h-S1x: Security Technologies To Pay Attention To
Thomas Ptacek | September 27th, 2006 | Filed Under: Industry Punditry, Uncategorized
I’m quoted in several places in Dark Reading’s recent roundup of six hot new security products. I agree with some of their picks, and not with others. But hey, it’s a great excuse to do my own roundup. Duck!
Six H0t Security Technologies For 2006
Coverity: Static Code Analysis.
Sometime around 2004 something happened; static code analysis started to work. Static analysis takes raw source code, figures out what it will do (without actually running a real build of it), and uses that to find bugs in the code. For almost a decade, the leading alternative to static analysis (“dynamic” analysis, meaning programs like Purify and valgrind, which actually require you to run your code and work via runtime checking) had so kicked static’s ass that I’m sure some people had written it off.
Static is back with a vengeance, led (in my opinion) by Bay Area startup Coverity. Brainchild of a Stanford team led by Dawson Engler, whose papers Tim Newsham keeps sending me, Coverity has made a name for itself by offering its technology to open source projects free of charge; unlike some other companies in the space, Coverity’s results have garnered accolades, and Coverity has racked up an impressive customer list.
Static code analysis opens up a debate about whether code analysis or fuzzing finds more bugs. Right now the needle seems to point in fuzzing’s direction, but it’s silly to think that either approach offers a complete solution, and, in the meantime, the debate is healthy.
Tenable PVS (fka NeVO): Passive Scanning
In 2001, my then-business-partner Dave Meltzer proposed a security startup that would offer something that looked like an IDS, but instead of detecting attacks, it would detect vulnerabilities. “That’s a retarded idea!”, I seem to recall asserting. “You’ll miss 50% of what an active scanner will pick up. It’s just a gimmick!”
Fast forward five years; I’ve had the experience of adding an innocuous active scanning feature (port probes only) to an otherwise passive product, and having the DoD inform me that it wasn’t enough to have it off by default: we had to mangle the UI to make it impossible for an analyst to accidentally enable it. Scanning scares the shit out of network managers, and probably for good reason.
I was wrong, and Dave was right, but it’s Ron Gula who’s going to clean up on the idea, which he and Renaud Deraison at Tenable had independently of us. PVS is a “scanner” you can deploy passively; it sits there, benignly, like the network security equivalent of those Roomba vacuum robots, finding and reporting vulnerabilities. Like the Roomba, it isn’t going to clean up everything, but the effort (and risk) involved in using it is so low that you’d contemplate buying something that sounds as silly as a little robot that goes around vacuuming your house. Or a sniffer that detects vulnerabilities.
Voltage IBE: Identity Based Encryption
Here’s what an SSH key looks like:
1024 35 24c77738636c56409ee30dea2a4c7aa80c14dd58034541b5 09039832881c2d505b387405987e80fb4de94b2ae3fbecf61d7fb185 8f8745e302de089ed087067a90fa2b070f98b34d2ce2c599f450477e 586492a4fd5141af25ada8926964a1ec2cac616d7b91ee7db010c6dc b8004e65b5a4322904f64c3f48b8a8ca7fa31db22e1416e foo@bar.com
Here’s what an IBE key looks like:
foo@bar.com
What’s the catch? To encrypt a message to foo@bar.com, you need a one-time relation to a key server, which feeds you elliptic curve parameters. From that point on you can encrypt to foo@bar.com, and, 2 years later, when you hire baz@bar.com, to her as well, without ever contacting the key server again.
How does it work? The key server gives you enough information to use a hash of a string as a point on a curve, and then to synthesize from that point a public key for a key pair that only the key server will know. The key server dutifully provides that key pair to foo@bar.com when he authenticates himself; this, again, is a one-time relationship.
Why is this so cool? As a small example, think about provisioning SSH access. Want to securely add “tqbf@matasano.com” to your shell server? Try:
echo tqbf@matasano.com >> ~tqbf/.ssh/id_ibe.pub
That’s it. No “secret handshake”, no man-in-the-middle. This is space-alien technology, recovered by Stanford crypto prof Dan Boneh from a crashed saucer site in Half Moon Bay. Unfortunately, from what I can tell, this SSH functionality doesn’t exist, and Voltage is spending their effort on secure email, which I think is a waste compared to the immediate $5+Bn market opportunity for systems management. But what do I know?
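The setup/encrypt/extract workflow described above, as an added example that is neither Voltage’s code nor the pairing-based Boneh scheme it uses: this is Cocks’ identity-based encryption, chosen because it needs only modular arithmetic, yet it has the same three roles (a key server that is contacted once for n, a sender who encrypts to the bare string foo@bar.com, and a recipient who is handed a private key). The modulus is built from two toy Mersenne primes, a constructed assumption for illustration; the bytes-level helpers go beyond the single-bit scheme so a whole message can be round-tripped.

```python
import hashlib
import secrets

# Toy modulus from two well-known primes, both 3 mod 4 (Mersenne M61, M89): a constructed assumption; real use needs fresh secret ~1024-bit primes.
P, Q = (1 << 61) - 1, (1 << 89) - 1

def jacobi(a, n):  # Jacobi symbol (a/n) for odd n > 0; 0 when gcd(a, n) > 1
    a, result = a % n, 1
    while a:
        while a % 2 == 0:
            a //= 2
            if n % 8 in (3, 5):
                result = -result
        a, n = n, a
        if a % 4 == 3 and n % 4 == 3:
            result = -result
        a %= n
    return result if n == 1 else 0

def hash_identity(identity, n):  # the "hash of a string" step: map the id to a with (a/n) = 1
    for ctr in range(1000):
        h = hashlib.sha256(f"{identity}|{ctr}".encode()).digest()
        a = int.from_bytes(h, "big") % n
        if jacobi(a, n) == 1:
            return a
    raise RuntimeError("no suitable hash found")
class KeyServer:  # knows p and q; clients only ever need n, fetched once
    def __init__(self, p=P, q=Q):
        self.p, self.q, self.n = p, q, p * q
    def extract(self, identity):  # private key r with r*r = +a or -a (mod n)
        a = hash_identity(identity, self.n)
        return pow(a, (self.n + 5 - self.p - self.q) // 8, self.n)

def encrypt_bit(n, identity, bit):  # sender needs only n and the identity string
    a, m, out = hash_identity(identity, n), (1 if bit == 0 else -1), []
    for g in (a, n - a):  # receiver's r squares to +a or -a; send one s for each case
        t = secrets.randbelow(n - 2) + 2
        while jacobi(t, n) != m:  # the bit is encoded as the Jacobi symbol of t
            t = secrets.randbelow(n - 2) + 2
        out.append((t + g * pow(t, -1, n)) % n)
    return tuple(out)
def decrypt_bit(n, identity, r, ct):  # (s + 2r / n) == (t / n) because s + 2r = t(1 + r/t)^2
    s = ct[0] if pow(r, 2, n) == hash_identity(identity, n) else ct[1]
    return 0 if jacobi(s + 2 * r, n) == 1 else 1
def encrypt_bytes(n, identity, data):  # one ciphertext pair per bit, most significant bit first
    return [encrypt_bit(n, identity, (b >> i) & 1) for b in data for i in range(7, -1, -1)]
def decrypt_bytes(n, identity, r, cts):
    bits = [decrypt_bit(n, identity, r, c) for c in cts]
    return bytes(int("".join(map(str, bits[i:i + 8])), 2) for i in range(0, len(bits), 8))
```

Note that encrypt_bytes never touches the KeyServer object: once n is known, any new address (baz@bar.com) is a valid recipient before her key has been extracted.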
PaiMei: Assessment Accelerator
My obligatory open source pick, PaiMei is a gathering storm of dynamic code analysis security tools built around a programmable debugger written entirely in Python. If you don’t know what all of that means, that’s fine: find your friend who reverse engineers Windows binaries and ask him, but don’t forget to bring a towel to mop up the drool.
The tightest thing PaiMei does right now is hit-trace diffing (“Process Stalking” in author Pedram Amini’s lingo). Process Stalking eliminates whole swaths of code from consideration during a test by allowing you to isolate the specific code that executes during a test case (say, on receipt of a packet), while excluding all the background noise. On a real project for a real program, where you’re dealing with tens of thousands of subroutines scattered across 20 DLLs, this isn’t just a cool feature: it can speed up an evaluation by an order of magnitude. Do you reverse engineer code? This tool prints money.
Right now PaiMei is built around Python hooks to Microsoft’s native debugging libraries. That means it’s Windows-only. But the basic concepts underlying the PyDbg debugging core are simple (a breakpoint is just an instruction you write into the memory of a process that halts execution); multiple people are working on Unix ports, and I eagerly await agent-based remote debugging. Better still, there are promises of a PaiMei extension that eliminates the dependence on IDA Pro.
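Hit-trace diffing in miniature, as an added example that is not PaiMei’s code: Python’s own sys.settrace stands in for PyDbg breakpoints, every function entry is recorded like a hit breakpoint, and the functions hit during idle runs are subtracted from the functions hit during one test case. The target program (heartbeat, parse_packet and friends) is a constructed stand-in, not real server code.

```python
import sys

def record_hits(workload):
    """Run workload() under a tracer and return the names of every Python function entered."""
    hits = set()
    def tracer(frame, event, arg):
        if event == "call":                    # one event per function entry, like a hit breakpoint
            hits.add(frame.f_code.co_name)
        return None                            # no per-line tracing needed
    sys.settrace(tracer)
    try:
        workload()
    finally:
        sys.settrace(None)
    return hits

def stalk(background, test_case, noise_runs=3):
    """Process Stalking in miniature: functions hit by test_case that never appear in background."""
    noise = set()
    for _ in range(noise_runs):                # several idle runs so periodic noise is captured
        noise |= record_hits(background)
    return record_hits(test_case) - noise

# --- constructed stand-in for a target program; nothing here is real server code ---
def heartbeat(): return "alive"
def rotate_logs(): return 0
def checksum(raw): return sum(raw) & 0xFF
def parse_packet(raw): return {"op": raw[0], "body": raw[1:], "sum": checksum(raw)}
def handle_login(p): return p["body"].startswith(b"user=")
def dispatch(p): return handle_login(p) if p["op"] == 1 else False

def idle_tick():                               # background noise: what runs with no input at all
    heartbeat(); rotate_logs()
def on_packet():                               # the test case: one constructed login packet arrives
    return dispatch(parse_packet(b"\x01user=tqbf"))

def demo():
    """Returns only the code path worth looking at for the 'login packet' case."""
    return stalk(idle_tick, on_packet)
```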
802.11x VLAN Assignment: Restoring Order To Internal Networks
In the category of “hot security tools you’ve had for three years but didn’t realize”, we have dynamic VLAN segmentation. In 2006, there is no reason your helpdesk workers should be able to talk to your mainframe batch processing systems or (god forbid) your storage networks.
Forget about NAC. The problem is not that infected laptops can get access to your network; infected laptops are always going to screw things up for you. Smart network architects don’t waste time trying to eliminate the inevitable; they focus their effort on mitigating its impact. Ask yourself the question: would you rather be 80% effective at preventing one network worm a year (but not email viruses!), or would you rather make it so that your sales guy can’t even talk to 80% of the systems on your network?
Network segmentation is the great challenge of internal network security. No matter what flashy boxes you pilot in your Des Moines branch office or plug your conference room jacks into, the goal of internal security is the defense of assets. NAC defends ethernet jacks, quite possibly your single least valuable IT asset. Segmentation defends everything else.
Next-Gen Attack Tools: Black Box Vulnerability Testing
And finally, the “we’re too chicken to crown a king” multi-pick: the hardcore assessment tools.
Led by the pioneering CORE Security and loveable iconoclast Dave Aitel’s ImmunitySec, this space began as a toolkit for penetration testers, which is to say, as consultingware. But the last few years have witnessed drastically increased interest in testing gear before it’s deployed, and the realization that it doesn’t matter if you crash something if it’s a QA deployment on a lab network. As a result, CORE IMPACT and Immunity CANVAS are now staples of enterprise product evaluations.
With the positioning battle settling down and the niche established, we’re seeing new entrants. The space now looks like this:
The Runtime Proxies: IMPACT and CANVAS have at their core a “runtime” for exploits that allows them to benignly infect a vulnerable victim and then leverage the infection RPC-style to conduct further attacks.
The Fuzzers: Codenomicon and ProtoVer: commercialized fuzzer tools designed to exhaustively exercise protocols; scourge of SNMP and LDAP implementations over the last four years.
The Appliances: MuSecurity and upcoming BreakingPoint: promises a synthesis of tools like IMPACT and “pure software fuzzers”, built for speed and with a focus on lab network product evaluation.
Three of my picks have as their core value prop “eradicating vulnerabilities from insecure software”. This is where one of the most meaningful battles in security is being fought: can we make a dent in the problem by “fighting them over there, before we fight them here”? I’ll concede that it’s an open question, but I’m hopeful.


William
September 27th, 2006 11:22 am
I totally agree the PaiMei “Five-Point Palm Exploding Heart Technique” MUST be paid attention to!!!!
Wait… that’s not what you were talking about… shit, that is what I get for reading the headlines first!
Nice picks Thomas, thanks for taking the time to summarize.
roodee
September 27th, 2006 3:48 pm
As a followup to point five, it seems that once organizations realize the potential of this idea we may be in a position to dispense with other ideas left over from the broadcast-to-all-nodes-on-the-segment days. Most importantly, the myth that encryption in transit *within* corporate networks really mitigates a significant amount of risk. And before any of you jump all over my back, think it through for a minute. Sure it mitigates risk if you really don’t trust your (network|system) engineers, but if you can’t trust them you have some serious problems and encryption doesn’t solve them. Tom, what other benefits to an organization do you see coming as a result of this realization?
Steve Christey
September 29th, 2006 2:10 am
On static code analysis vs. fuzzing.
YOU NEED BOTH, DAMMIT.
Maybe in 10 years they will find the same things all the time, but not now.
I believe this so strongly that I signed my actual name to it instead of using some lame pseudonym.
s0ndra
October 3rd, 2006 7:41 am
I beg to differ with your vendor selection. SU provides 7 software security classes. Each class uses multiple code analysis tools during hands-on code analysis labs.
There are more impressive code analysis tools like Fortify, Ounce and Secure Software. SU is vendor neutral; our attendees see the difference in class.
Make sure to do your homework when it comes to code analysis tools. They are worth their weight in gold.
Thomas Ptacek
October 3rd, 2006 9:28 am
Who teaches “SecurityUniversity”’s software security classes? What tools do you use in class? Where can I download the curricula?