Fwd: SCARE metrics and tool release

[ken at krvw.com (Kenneth Van Wyk)]

Reposted with permission, FYI...

Cheers,

Ken
SC-L Moderator

Begin forwarded message:

> From: Pete Herzog <lists at isecom.org>
> Date: November 30, 2007 10:30:18 AM EST
> To: bugtraq at securityfocus.com
> Subject: SCARE metrics and tool release
>
> Hi,
>
> Scare, the Source Code Analysis Risk Evaluation tool for measuring  
> security complexity in C source code is now available.  The tool is  
> written to support the OpenTC project (opentc.net) as the SCARE  
> methodology project available at:
>
> http://www.isecom.org/scare
>
> We have done some test cases with the tool already do track trends  
> in Xen and are now working on measuring trends in the Linux Kernel.
>
> USE
> The SCARE analysis tool is run against source code.  Currently only  
> C code is supported.  The ouput file will contain all operational  
> interactions possible which need controls (the current version does  
> not yet say if and what controls are already there).  At the bottom  
> of the list are three numbers: Visibilities, Access, and Trusts.   
> These 3 numbers can be plugged into the RAV Calculation spreadsheet  
> available at isecom.org/ravs.  The Delta value is then subtracted  
> from 100 to give the SCARE percentage which indicates the complexity  
> for securing this particular application.  The lower the value, the  
> worse the SCARE.
>
> Trends in Xen:
>
> XEN ver.     Vis    Accesses    Trusts    SCARE    Delta
> --------------------------------------------------------
> 3.0.3_0       1       314        28577    58.26    -41.74
> 3.0.4_1       1       311        31060    57.79    -42.21
> 3.1.0         1       316        33139    57.43    -42.57
>
> As you can see, the security complexity of Xen is getting worse due  
> to the increased numbers of Trusts (reliance on external variables  
> which a user can manipulate as an input). Trust attacks can be  
> tested according to the 4th point of the 4 Point test process in the  
> OSSTMM 3: Intervention - changing resource interactions with the  
> target or between targets.
>
> At this stage, the tool cannot yet tell which interactions have  
> controls already or if those controls are applicable however once  
> that is available it will change the RAV but not the SCARE.  The  
> SCARE will also not yet tell you where the bugs are in the code  
> however if you are bug hunting, it will extract all the places where  
> user inputs and trusts with user-accessible resources can be found  
> in the code.
>
>
> We need help!  We are looking for people to help us complete the  
> SCARE methodology, add new programming languages to the tool, as  
> well as even making a windows binary version for those who do not  
> code in Linux. Contact me if you can do this.
>
> Sincerely,
> -pete.
>
> -- 
> Pete Herzog - Managing Director - pete at isecom.org
> ISECOM - Institute for Security and Open Methodologies
> www.isecom.org - www.osstmm.org
> www.hackerhighschool.org - www.isestorm.org
> -------------------------------------------------------------------
> ISECOM is the OSSTMM Professional Security Tester (OPST),
> OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool
> Teacher certification authority.



-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 2500 bytes
Desc: not available
Url : http://krvw.com/pipermail/sc-l/attachments/20071130/9c95d039/attachment.bin