
Security Vulnerabilities: Keeping a Strong Defense

Created December 2017

Software vulnerabilities cause critical problems for government and industry, and other software users. To reduce cybersecurity risk, CERT researchers conduct and promote coordinated vulnerability disclosure, research and publish vulnerability discovery methods and tools, work to improve vulnerability data and information systems, model vulnerability in technology ecosystems, research vulnerability presented by complicated supply chains, and model adversary behavior—all with the goal of helping themselves and other defenders improve their knowledge and skills.

Interconnection Increases Vulnerability

Software users must be constantly alert to vulnerabilities that might affect them. Enabling such awareness demands increasing effort as devices in the environment interconnect at a breakneck pace. More software is embedded in more products but often with little knowledge of the potential security risk, increasing the threat of intrusion and malfunction.

One example of such a data problem is supply chain and inventory tracking. Modern systems have complex supply chains that frequently contain multiple layers of software into which neither the user nor the vendor has much insight. When a newly discovered vulnerability is announced, the user may not know what software, or which software version, is buried in the product and whether it requires patching.

In addition, in many safety-critical and embedded systems, security updates often don’t occur regularly as they do in the traditional computing world. The WannaCry ransomware incident in May 2017 showed how this can affect hospitals, where, due to contractual issues, the people who operate the system don’t necessarily own the support for it. The result was hospitals having to close and send patients elsewhere because their software was compromised by ransomware.

Technical vulnerability is also now complicated by public policy and contractual factors, compounded by security issues of the Internet of Things. Today’s environment presents plentiful low-hanging fruit to adversaries and an increased need for intense focus on awareness, detection, and prevention of vulnerabilities.

Addressing Risk on Multiple Fronts

We collaborate with vendors, researchers, and standards organizations to promote reporting and public awareness of vulnerabilities and provide the best mitigation guidance. To proactively identify, assess, and resolve new risks, we work to constantly advance tools and methodologies. We also anticipate the potential for harm to safety-critical embedded systems and their users by researching the capabilities of adversaries, who find new opportunities for intrusion as more products interconnect.

Alerting the Public to Vulnerabilities

Our work in coordinated vulnerability disclosure (CVD) begins with the vulnerability reports we receive through the CERT Coordination Center. Upon receiving a report, we consult with the software vendor, allowing the vendor time to provide a fix or patch. We then notify the public, providing detailed technical information and mitigation strategies via CERT Vulnerability Notes, which propagate to the National Institute of Standards and Technology (NIST) National Vulnerability Database (NVD). We’ve done this for almost 30 years; the first CERT advisory, published in 1988, was the result of a CVD process involving vulnerabilities exploited by the Morris Worm. Currently, we’re very involved in standards and policy development, process engineering, and outreach—transferring CVD work to the U.S. Department of Defense (DoD) and others.

Improving Vulnerability Data Systems

Effective CVD requires well-functioning vulnerability information systems. CERT researchers analyze vulnerability data, collaborate with others to improve information exchange, and interface with external standards groups such as NIST, the NVD, and the Common Vulnerabilities and Exposures (CVE) system to enhance data formats and exchange protocols.

Discovering Vulnerabilities During Development

Beyond our work with security defects in deployed software, we also perform vulnerability discovery to catch defects early in the development lifecycle, and we develop downloadable vulnerability discovery and analysis tools. For example, our researchers have created tools that perform fuzz testing (feeding large volumes of random or malformed input into a program to detect failures) and have researched ways to improve and optimize fuzz testing algorithms.
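To make the parenthetical definition of fuzz testing concrete, here is an added example of a minimal mutational fuzzer. It is not code from CERT's tools (BFF or FOE); the target parser, its deliberate length-check defect, the seed input, and the mutation strategies are all constructed for this illustration. The harness treats an input rejected by the parser's own validation as expected behaviour and records only unexpected exceptions, deduplicating them by exception type and crash location, which is the distinction a developer needs when turning fuzzer output into bug reports.

```python
import random
import traceback

# Constructed toy target: a length-prefixed record format
#   [length][body ... length bytes ...][checksum]
# with a deliberate defect: the declared length is trusted, so a record that
# claims more bytes than remain makes the checksum read run off the buffer.
def parse_records(data: bytes) -> list:
    records = []
    i = 0
    while i < len(data):
        length = data[i]
        i += 1
        body = data[i:i + length]
        checksum = data[i + length]   # IndexError when length overruns the buffer
        if sum(body) % 256 != checksum:
            raise ValueError("bad checksum")   # rejection by design, not a defect
        records.append(body)
        i += length + 1
    return records

# Constructed valid seed: two well-formed records, "abc" and "x".
SEED = b"\x03abc\x26\x01x\x78"

def mutate(data: bytes, rng: random.Random) -> bytes:
    """Apply one to four random mutations typical of mutational fuzzers."""
    buf = bytearray(data)
    for _ in range(rng.randint(1, 4)):
        choice = rng.randrange(4)
        if choice == 0 and buf:                  # flip one bit
            pos = rng.randrange(len(buf))
            buf[pos] ^= 1 << rng.randrange(8)
        elif choice == 1 and buf:                # overwrite with a boundary value
            buf[rng.randrange(len(buf))] = rng.choice([0x00, 0x01, 0x7F, 0x80, 0xFF])
        elif choice == 2:                        # insert a random byte
            buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
        elif choice == 3 and len(buf) > 1:       # truncate the input
            del buf[rng.randrange(1, len(buf)):]
    return bytes(buf)

EXPECTED_ERRORS = (ValueError,)   # errors the parser raises on purpose

def fuzz(target, seed: bytes, iterations: int, rng_seed: int = 0) -> dict:
    """Run mutated inputs through target; return unique crashes keyed by
    (exception type, line number) mapped to the first input that triggered each."""
    rng = random.Random(rng_seed)   # fixed seed keeps the run reproducible
    crashes = {}
    for _ in range(iterations):
        case = mutate(seed, rng)
        try:
            target(case)
        except EXPECTED_ERRORS:
            continue                 # input was rejected cleanly
        except Exception as exc:     # anything else is a candidate defect
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            key = (type(exc).__name__, frame.lineno)
            crashes.setdefault(key, case)
    return crashes

if __name__ == "__main__":
    found = fuzz(parse_records, SEED, iterations=500)
    for (exc_name, line), case in found.items():
        print(f"{exc_name} at line {line}, reproducer: {case!r}")
```

The reproducer saved for each unique crash is the artifact worth keeping: re-running the target on it should raise the same exception, which is the first thing a triage step (such as the severity classification described under CERT Triage Tools below) would check.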

Studying Adversary Behavior

Effective defense against vulnerabilities also involves knowing the adversary’s mindset and capabilities. To see what attackers do, we practice adversary modeling—a version of threat modeling (taking on a hypothetical adversary’s point of view to identify potential threats). Adversary modeling is about what can happen in software-reliant systems—including cars, implanted medical devices, airplanes, industrial control systems, and emerging domains—due to physical impact caused by connected systems.

We’ve focused on safety-critical connected systems, such as vehicles and medical devices. For example, it’s been demonstrated that a car can be controlled from a laptop, potentially by an adversary, as reported by Andy Greenberg in WIRED in July 2015. Likewise, someone outside a patient’s house could potentially interfere with the function of an implanted insulin pump, causing patient harm, as reported by Todd Beardsley in the RAPID7 Blog in October 2014.

Software and Tools

Big Grep

August 2017

BigGrep is a tool for indexing and searching a large corpus of binary files. It uses a probabilistic N-gram-based approach to balance index size against search speed.


CERT Tapioca

July 2017

CERT Tapioca is a network-layer MITM proxy utility that checks for apps that fail to validate certificates and inspects the content of network traffic, including HTTP and HTTPS.


CERT BFF

October 2016

CERT BFF is a software-testing tool that finds defects in applications that run on Microsoft Windows, Linux, Mac OS X, and other Unix-like platforms.


bgpuma

December 2015

bgpuma is a tool that quickly searches BGP update files for a given set of CIDR blocks, reporting exact matches as well as blocks that contain, or are contained by, blocks in that set.


CERT Dranzer

June 2015

Dranzer is a tool that enables users to examine effective techniques for fuzz testing ActiveX controls.


CERT Triage Tools

May 2014

CERT Triage Tools consist of a triage script and a GNU Debugger (GDB) extension named 'exploitable' that classify Linux application defects by severity.


CERT FOE

September 2013

Failure Observation Engine (FOE) is a mutational file-based fuzz testing tool for finding defects in applications that run on the Windows platform.


CERT IPA

September 2011

CERT IPA is an IP address annotation system that provides a repository of IP address information and related tools for accessing the data.


Learn More

The CERT Guide to Coordinated Vulnerability Disclosure


August 15, 2017 Special Report
Allen D. Householder, Garret Wassermann, Art Manion

This guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful Coordinated Vulnerability Disclosure process. It also provides insights into how CVD can go awry and how to respond when it does so.

The CERT Guide to Coordinated Vulnerability Disclosure


August 15, 2017 Blog Post
Allen Householder

We are happy to announce the release of the CERT® Guide to Coordinated Vulnerability Disclosure (CVD). The guide provides an introduction to the key concepts, principles, and roles necessary to establish a successful CVD process. It also provides insights into...
