SCARE metrics and tool release
Hi,
Scare, the Source Code Analysis Risk Evaluation tool for measuring security
complexity in C source code is now available. The tool is written to
support the OpenTC project (opentc.net) as the SCARE methodology project
available at:
http://www.isecom.org/scare
We have done some test cases with the tool already do track trends in Xen
and are now working on measuring trends in the Linux Kernel.
USE
The SCARE analysis tool is run against source code. Currently only C code
is supported. The ouput file will contain all operational interactions
possible which need controls (the current version does not yet say if and
what controls are already there). At the bottom of the list are three
numbers: Visibilities, Access, and Trusts. These 3 numbers can be plugged
into the RAV Calculation spreadsheet available at isecom.org/ravs. The
Delta value is then subtracted from 100 to give the SCARE percentage which
indicates the complexity for securing this particular application. The
lower the value, the worse the SCARE.
Trends in Xen:
XEN ver. Vis Accesses Trusts SCARE Delta
--------------------------------------------------------
3.0.3_0 1 314 28577 58.26 -41.74
3.0.4_1 1 311 31060 57.79 -42.21
3.1.0 1 316 33139 57.43 -42.57
As you can see, the security complexity of Xen is getting worse due to the
increased numbers of Trusts (reliance on external variables which a user
can manipulate as an input). Trust attacks can be tested according to the
4th point of the 4 Point test process in the OSSTMM 3: Intervention -
changing resource interactions with the target or between targets.
At this stage, the tool cannot yet tell which interactions have controls
already or if those controls are applicable however once that is available
it will change the RAV but not the SCARE. The SCARE will also not yet tell
you where the bugs are in the code however if you are bug hunting, it will
extract all the places where user inputs and trusts with user-accessible
resources can be found in the code.
We need help! We are looking for people to help us complete the SCARE
methodology, add new programming languages to the tool, as well as even
making a windows binary version for those who do not code in Linux. Contact
me if you can do this.
Sincerely,
-pete.
--
Pete Herzog - Managing Director - pete@xxxxxxxxxx
ISECOM - Institute for Security and Open Methodologies
www.isecom.org - www.osstmm.org
www.hackerhighschool.org - www.isestorm.org
-------------------------------------------------------------------
ISECOM is the OSSTMM Professional Security Tester (OPST),
OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
Teacher certification authority.