SCALED APPROACH TO OPEN SOURCING DEPARTMENT OF THE NAVY PRODUCED SOFTWARE

The Department of Defense (DoD) must continue to develop, sustain, and update its software-based capabilities. For the Department of the Navy (DoN), the life cycle costs of software continue to grow; over time, developing code will not be cost effective. An alternative to developing code is to further integrate open source software (OSS) into DoN programs. OSS is software that grants users the ability to view, use, and change the software source code. The use of OSS has been extensively researched, as addressed in the MITRE Corporation’s study on free and open source software (FOSS) in the DoD, completed in 2003. Despite favorable reports and published DoD policy, and the widespread successful use of OSS in current software, program managers are reluctant to fully integrate OSS into the DoN due to concerns with legal requirements, cybersecurity, total expenses, and the ability to implement and control OSS on classified systems while adhering to security regulations. This study utilized a quantitative, scaled approach to determine the risks and benefits to open sourcing for all DoN software. Several OSS case studies were examined. This research concluded that while OSS has been tested and proven cost-effective in certain areas of the DoN, it may not be the most efficient solution for all DoN projects. Therefore, the DoN should consider further implementation of OSS in security, software development, infrastructure support, and for program lifecycle cost reductions.DoN Secretariat Historianhttp://archive.org/details/scaledapproachto1094560404Captain, United States Marine CorpsCaptain, United States Marine CorpsApproved for public release; distribution is unlimited

Firmware Counterfeiting and Modification Attacks on Programmable Logic Controllers

Recent attacks on industrial control systems (ICSs), like the highly publicized Stuxnet malware, have perpetuated a race to the bottom where lower level attacks have a tactical advantage. Programmable logic controller (PLC) firmware, which provides a software-driven interface between system inputs and physically manifested outputs, is readily open to modification at the user level. Current efforts to protect against firmware attacks are hindered by a lack of prerequisite research regarding details of attack development and implementation. In order to obtain a more complete understanding of the threats posed by PLC firmware counterfeiting and the feasibility of such attacks, this research explores the vulnerability of common controllers to intentional firmware modifications. After presenting a general analysis process that takes advantage of various techniques and methodologies applied to similar scenarios, this work derives the firmware update validation method used for the Allen-Bradley ControlLogix PLC. A proof of concept demonstrates how to alter a legitimate firmware update and successfully upload it to a ControlLogix L61. Possible mitigation strategies discussed include digitally signed and encrypted firmware as well as preemptive and post-mortem analysis methods to provide protection. Results of this effort facilitate future research in PLC firmware security through direct example of firmware counterfeiting

A Formal Framework for Concrete Reputation Systems

In a reputation-based trust-management system, agents maintain information about the past behaviour of other agents. This information is used to guide future trust-based decisions about interaction. However, while trust management is a component in security decision-making, many existing reputation-based trust-management systems provide no formal security-guarantees. In this extended abstract, we describe a mathematical framework for a class of simple reputation-based systems. In these systems, decisions about interaction are taken based on policies that are exact requirements on agents’ past histories. We present a basic declarative language, based on pure-past linear temporal logic, intended for writing simple policies. While the basic language is reasonably expressive (encoding e.g. Chinese Wall policies) we show how one can extend it with quantification and parameterized events. This allows us to encode other policies known from the literature, e.g., ‘one-out-of-k’. The problem of checking a history with respect to a policy is efficient for the basic language, and tractable for the quantified language when policies do not have too many variables

A Logical Framework for Reputation Systems

Reputation systems are meta systems that record, aggregate and distribute information about the past behaviour of principals in an application. Typically, these applications are large-scale open distributed systems where principals are virtually anonymous, and (a priori) have no knowledge about the trustworthiness of each other. Reputation systems serve two primary purposes: helping principals decide whom to trust, and providing an incentive for principals to well-behave. A logical policy-based framework for reputation systems is presented. In the framework, principals specify policies which state precise requirements on the past behaviour of other principals that must be fulfilled in order for interaction to take place. The framework consists of a formal model of behaviour, based on event structures; a declarative logical language for specifying properties of past behaviour; and efficient dynamic algorithms for checking whether a particular behaviour satisfies a property from the language. It is shown how the framework can be extended in several ways, most notably to encompass parameterized events and quantification over parameters. In an extended application, it is illustrated how the framework can be applied for dynamic history-based access control for safe execution of unknown and untrusted programs

Vulnerable Open Source Dependencies: Counting Those That Matter

BACKGROUND: Vulnerable dependencies are a known problem in today's open-source software ecosystems because OSS libraries are highly interconnected and developers do not always update their dependencies. AIMS: In this paper we aim to present a precise methodology, that combines the code-based analysis of patches with information on build, test, update dates, and group extracted from the very code repository, and therefore, caters to the needs of industrial practice for correct allocation of development and audit resources. METHOD: To understand the industrial impact of the proposed methodology, we considered the 200 most popular OSS Java libraries used by SAP in its own software. Our analysis included 10905 distinct GAVs (group, artifact, version) when considering all the library versions. RESULTS: We found that about 20% of the dependencies affected by a known vulnerability are not deployed, and therefore, they do not represent a danger to the analyzed library because they cannot be exploited in practice. Developers of the analyzed libraries are able to fix (and actually responsible for) 82% of the deployed vulnerable dependencies. The vast majority (81%) of vulnerable dependencies may be fixed by simply updating to a new version, while 1% of the vulnerable dependencies in our sample are halted, and therefore, potentially require a costly mitigation strategy. CONCLUSIONS: Our case study shows that the correct counting allows software development companies to receive actionable information about their library dependencies, and therefore, correctly allocate costly development and audit resources, which is spent inefficiently in case of distorted measurements.Comment: This is a pre-print of the paper that appears, with the same title, in the proceedings of the 12th International Symposium on Empirical Software Engineering and Measurement, 201