lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Fri, 30 Nov 2007 16:30:18 +0100
From: Pete Herzog <lists@...com.org>
To: bugtraq@...urityfocus.com
Subject: SCARE metrics and tool release

Hi,

Scare, the Source Code Analysis Risk Evaluation tool for measuring security 
complexity in C source code is now available.  The tool is written to 
support the OpenTC project (opentc.net) as the SCARE methodology project 
available at:

http://www.isecom.org/scare

We have done some test cases with the tool already do track trends in Xen 
and are now working on measuring trends in the Linux Kernel.

USE
The SCARE analysis tool is run against source code.  Currently only C code 
is supported.  The ouput file will contain all operational interactions 
possible which need controls (the current version does not yet say if and 
what controls are already there).  At the bottom of the list are three 
numbers: Visibilities, Access, and Trusts.  These 3 numbers can be plugged 
into the RAV Calculation spreadsheet available at isecom.org/ravs.  The 
Delta value is then subtracted from 100 to give the SCARE percentage which 
indicates the complexity for securing this particular application.  The 
lower the value, the worse the SCARE.

Trends in Xen:

XEN ver.     Vis    Accesses    Trusts    SCARE    Delta
--------------------------------------------------------
3.0.3_0       1       314        28577    58.26    -41.74
3.0.4_1       1       311        31060    57.79    -42.21
3.1.0         1       316        33139    57.43    -42.57

As you can see, the security complexity of Xen is getting worse due to the 
increased numbers of Trusts (reliance on external variables which a user 
can manipulate as an input). Trust attacks can be tested according to the 
4th point of the 4 Point test process in the OSSTMM 3: Intervention - 
changing resource interactions with the target or between targets.

At this stage, the tool cannot yet tell which interactions have controls 
already or if those controls are applicable however once that is available 
it will change the RAV but not the SCARE.  The SCARE will also not yet tell 
you where the bugs are in the code however if you are bug hunting, it will 
extract all the places where user inputs and trusts with user-accessible 
resources can be found in the code.


We need help!  We are looking for people to help us complete the SCARE 
methodology, add new programming languages to the tool, as well as even 
making a windows binary version for those who do not code in Linux. Contact 
me if you can do this.

Sincerely,
-pete.

-- 
Pete Herzog - Managing Director - pete@...com.org
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ