Risk Based Approach to Cyber Vulnerability Assessment
Dr. Peter Beling
Dr. Barry Horowitz
Dr. Cody Fleming
This proposal addresses research needs defined by the United States (US) Army Combat Capabilities Development Command Armaments Center (CCDC AC) in Picatinny, NJ. The proposed research will extend the static analysis capabilities of the CCDC AC Software Assurance Toolset by integrating filters based on functional risk.
This research task is an integral part of the SERC's Research Strategy for trusted systems, which is outlined in the SERC's 2014-2018 Technical Plan. The overall goal of the SERC's trusted systems research is to transform system assurance from a late, reactive activity into an early, continuous, proactive orchestration of advanced assurance methods, processes, and tools, in ways that balance the simultaneous achievement of cyber-security trust and assurance with complementary MPTs for assuring safe, reliable, available, usable, interoperable, and resilient mission cost-effectiveness. This research task is anchored on the work of several previous SERC research tasks (RTs), including RT-8, RT-28, RT-42, RT-115, RT-136, RT-156, RT-172, RT-191, and RT-196, which aim to develop safe, secure, dependable defense systems that are resilient to cyber and other threats through systemic security approaches that complement today's incomplete perimeter/network methods.
BACKGROUND: A number of commercial and research tools are available for static analysis of software systems. These tools produce lists of potential implementation vulnerabilities based on analysis of a system's software, without the need to execute the code. The current state of the art for separating true positive from false positive detections relies on review by human experts. For weapons control and other complex software systems, however, a single static vulnerability-analysis tool might produce detections that number in the thousands, making manual review of all of them very expensive. To address this issue, CCDC AC has been working with the Software Engineering Institute (SEI) on machine learning techniques that filter out false positive detections based on patterns in the outputs of large collections of static analysis tools. The outputs from that effort have been incorporated into SEI's Source Code Analysis Laboratory (SCALe) and are currently in use by CCDC AC.
The University of Virginia (UVA) has recently completed RT-191, a SERC research project focused on enhancing resilience methods and technology and the associated decision-support tools. The principal outcome of this work was the Cyber Security Requirements Methodology (CSRM), a methodology for identifying the functions that the owners or operators of a system view as most important. A key principle of this work is that determining where resilience can be engineered into a system requires assessing the cyber-related risks associated with individual system functions. The UVA research team for RT-191, which overlaps with the team for this proposed effort, demonstrated the use of CSRM to develop requirements for a hypothetical networked munition system. Those requirements provide the basis for a cyber resilience prototyping activity and for adding qualitative input data to the decision support tool evaluation process.
RESEARCH NEEDED: By combining the static analysis filtering methods in SCALe with the CSRM functional risk analysis methodology, one can develop algorithms that prioritize the vulnerabilities detected by static analysis according to the functional risks associated with the parts of the software being evaluated. The anticipated result is a reduction in the human effort needed to determine which parts of the software system to recommend for improvement. Beyond increasing productivity in selecting candidates for improved quality, an important second benefit would be greater involvement in, and buy-in to, quality enhancement decisions by the ultimate users who contribute to the functional risk analysis of the system.
The scope of the research is to develop natural language processing, probabilistic, and statistical methods that support linking the CSRM functional risk analysis with SCALe. The tasks proposed in response to the Performance Work Statement requirements (PWS 3.1-3.2) are:
Task 1: Develop natural language processing, probabilistic, and statistical methods that allow automated extraction of linkages between identified risk scenarios and sections of software. These linkages will be used in algorithms that produce a prioritized list of vulnerabilities.
Task 2: Integrate the technology with the existing toolset (Source Code Analysis Laboratory, SCALe). This task will involve deep dives into the CCDC AC Software Assurance Toolset and its use by CCDC AC, integration of the technology developed in Task 1 into the CCDC AC toolset, and testing the output of the integrated system.
To accomplish these tasks, the SERC team plans to leverage the CSRM framework developed in RT-191, natural language processing techniques from RT-196, and supporting intellectual concepts in security engineering and risk assessment from RT-8, RT-28, RT-42, RT-115, RT-136, RT-156, and RT-172.
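As an added illustration of the prioritization described under Research Needed and Tasks 1 and 2 (example code, not from the proposal, SCALe or CSRM), the following Python ranks constructed static-analysis findings by combining a false-positive-filter confidence with the consequence level of the CSRM-style risk scenarios linked to the code section; the keyword-overlap linkage is a hypothetical stand-in for the NLP methods of Task 1, and all paths, checkers, scenarios and weights are constructed.

```python
"""Rank static-analysis findings by the functional risk of the code they touch.
Constructed example: findings, scenarios and the scoring rule are illustrative
stand-ins, not SCALe output or the CSRM/RT-191 method itself."""
import re
from collections import namedtuple

# 'conf' stands in for the true-positive probability a SCALe-style false-positive
# filter might attach to a finding; paths and checker names are constructed.
Finding = namedtuple("Finding", "id path func checker conf")
FINDINGS = [
    Finding("F1", "src/fire_control/arm_cmd.c", "validate_arm_cmd", "buffer-overflow", 0.6),
    Finding("F2", "src/maintenance/log_writer.c", "append_log", "buffer-overflow", 0.9),
    Finding("F3", "src/fire_control/msg_parse.c", "parse_cmd", "null-deref", 0.4),
    Finding("F4", "src/ui/menu.c", "draw_menu", "integer-overflow", 0.95),
]

# Constructed CSRM-style risk scenarios: terms naming the affected system function
# plus the consequence level the system owners assigned to the scenario.
SCENARIOS = [
    {"name": "Loss of fire control command integrity",
     "keywords": {"fire", "control", "arm", "cmd"}, "consequence": "high"},
    {"name": "Maintenance log unavailable",
     "keywords": {"maintenance", "log"}, "consequence": "low"},
]
CONSEQUENCE_WEIGHT = {"high": 1.0, "medium": 0.5, "low": 0.2}
UNLINKED_WEIGHT = 0.1  # code section tied to no elicited scenario

def code_terms(finding):
    """Tokens of the file path and function name: the 'section of software'."""
    text = finding.path + " " + finding.func
    return {t.lower() for t in re.split(r"[^A-Za-z0-9]+", text) if t}

def link_scenarios(finding, scenarios=SCENARIOS):
    """Keyword-overlap linkage, a simple stand-in for the NLP linking of Task 1."""
    terms = code_terms(finding)
    return [s for s in scenarios if s["keywords"] & terms]

def functional_weight(finding, scenarios=SCENARIOS):
    """Weight of the most severe scenario linked to the finding's code section."""
    linked = link_scenarios(finding, scenarios)
    if not linked:
        return UNLINKED_WEIGHT
    return max(CONSEQUENCE_WEIGHT[s["consequence"]] for s in linked)

def prioritize(findings=FINDINGS, scenarios=SCENARIOS):
    """(finding id, priority) pairs, highest first. Priority = filter confidence x
    functional weight, so a plausible defect in a high-consequence function
    outranks a near-certain one in code tied only to low-consequence scenarios."""
    scored = [(f.id, round(f.conf * functional_weight(f, scenarios), 3)) for f in findings]
    return sorted(scored, key=lambda p: p[1], reverse=True)
```

With the constructed inputs, the two fire-control findings (F1, F3) rank ahead of the higher-confidence F2 and F4, which is the effect the proposal expects from functional-risk filtering: reviewer attention goes first to defects in the functions the system owners rated most consequential.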