<<< Date Index >>>     <<< Thread Index >>>

SCARE metrics and tool release



Hi,

Scare, the Source Code Analysis Risk Evaluation tool for measuring security complexity in C source code is now available. The tool is written to support the OpenTC project (opentc.net) as the SCARE methodology project available at:

http://www.isecom.org/scare

We have done some test cases with the tool already do track trends in Xen and are now working on measuring trends in the Linux Kernel.

USE
The SCARE analysis tool is run against source code. Currently only C code is supported. The ouput file will contain all operational interactions possible which need controls (the current version does not yet say if and what controls are already there). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These 3 numbers can be plugged into the RAV Calculation spreadsheet available at isecom.org/ravs. The Delta value is then subtracted from 100 to give the SCARE percentage which indicates the complexity for securing this particular application. The lower the value, the worse the SCARE.

Trends in Xen:

XEN ver.     Vis    Accesses    Trusts    SCARE    Delta
--------------------------------------------------------
3.0.3_0       1       314        28577    58.26    -41.74
3.0.4_1       1       311        31060    57.79    -42.21
3.1.0         1       316        33139    57.43    -42.57

As you can see, the security complexity of Xen is getting worse due to the increased numbers of Trusts (reliance on external variables which a user can manipulate as an input). Trust attacks can be tested according to the 4th point of the 4 Point test process in the OSSTMM 3: Intervention - changing resource interactions with the target or between targets.

At this stage, the tool cannot yet tell which interactions have controls already or if those controls are applicable however once that is available it will change the RAV but not the SCARE. The SCARE will also not yet tell you where the bugs are in the code however if you are bug hunting, it will extract all the places where user inputs and trusts with user-accessible resources can be found in the code.


We need help! We are looking for people to help us complete the SCARE methodology, add new programming languages to the tool, as well as even making a windows binary version for those who do not code in Linux. Contact me if you can do this.

Sincerely,
-pete.

--
Pete Herzog - Managing Director - pete@xxxxxxxxxx
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.