It is often difficult to evaluate the current offerings of cybersecurity products against the needs of a particular software-intensive, safety-critical platform. One reason for this is the collection of grand but unsubstantiated claims of comprehensive security by many vendors. There is a growing number of anomaly detection-based security tool vendors building on the current popularity of machine learning. These anomaly-based tools attempt to spot attacks based on comparing observed behavior against learned models of "good" behavior.
This approach is doomed to both false positives (flagging an attack when the system is in fact reacting correctly to a highly unusual situation) and false negatives (where the attacker "flies under the radar" to hide their activity). While there is probably a legitimate— but limited—role for statistical methods in system monitoring, there are many unscrupulous vendors who claim that these methods can address all possible cybersecurity issues, when that is simply not the case.
Signature-based security software is insufficient and vulnerable
Even time-tested and trusted vendors are vulnerable to software bug exploitation. As a simple example, consider the April 2021 security patches from Microsoft. This release patched at least 110 security holes. Undeniably it is a good thing that Microsoft patched those newly discovered vulnerabilities, and it is important to install the updates as soon as possible. But how much more secure is your system after applying those patches than before? And, what potential damage occurred before that patch was released and installed onto your system?
Regardless of how many vulnerabilities have been found and fixed in the software stack you rely on, you know there are countless additional as-yet-undiscovered, or zero-day, vulnerabilities. Any signature-based approach, whether classic anti-virus or anomaly detection, is nearly impossible to characterize analytically. It is a longstanding challenge to characterize the security benefits of any particular tool under consideration.
Measuring the effectiveness of cybersecurity defenses with an analytical framework
Dover introduced an analytical framework a few years ago for evaluating the effectiveness of cybersecurity defenses, and it can be useful when assessing how different security methods prevent the exploitation of software vulnerabilities that lead to a cyberattack. This framework uses the MITRE database to quantify how different security methods prevent the exploitation of vulnerabilities.
MITRE uses two databases to track vulnerabilities. The CVE database collects known vulnerabilities in deployed systems (over 108,000 and growing), whereas the CWE database attempts to group common classes of software weaknesses that result in vulnerabilities.
The CWE database of entries associated with a specific vulnerability numbers only 206. For example, there are several CWEs related to mishandling pointers to memory (memory safety errors, which lead to buffer overflows), and there are many thousands of individual CVE records that link back to those few memory safety CWE classes. In other words, there are just a few software weaknesses that have been exploited to create many thousands of successful attacks.
CoreGuard micropolicies correspond closely to detecting and blocking CWE classes, thus blocking existing and future CVEs in that CWE class.
Our analytical framework proposes to use MITRE’s CVE and CWE lists as a basis for comparing the coverage of different security products.
So, how does the CoreGuard technology detect and block exploitation of common software weaknesses?
CoreGuard Micropolicies are Enforceable Security Policies
Dover Microsystems’ CoreGuard® technology takes an approach consistent with the seminal paper, Enforceable Security Policies by Fred Schneider. In that paper, Schneider formalizes a set of safety properties (safety is a specific formal property defined by Lamport) that can be enforced using execution monitoring.
Schneider also defines Security Automata as mathematical structures that can represent any enforceable security policy. Schneider formalizes security policies in terms of abstract actions, which can be as fine-grained as individual instructions, or as coarse-grained as operations on files or operating system processes.
Quantifying the Effectiveness of Dover’s CoreGuard Solution
CoreGuard uses a domain specific language that precisely specifies the allowed operations of a system in terms of metadata. CoreGuard takes a fine-grained approach, maintaining metadata for every word in the system and checking behavior against security rules at every instruction. CoreGuard metadata represents arbitrary security-related information about values in memory, such as confidentiality, provenance, or data type.
In terms of Schneider's Security Automata, the different states of Schneider's automata correspond to different assignments of CoreGuard metadata labels to values in memory.
CoreGuard enables the precise and transparent definition of the security policies to be enforced on a system. CoreGuard does this in three steps:
- Initial State: The initial assignment of metadata labels to memory when an application is loaded. For example, public inputs and outputs should be labeled, readable, writeable, and executable regions of memory identified, and so forth.
- Explicit Information Flow (metadata update): As computation progresses, metadata is updated. For example, confidential data may be combined with non-confidential data, causing the result to be labeled confidential.
- Policy Enforcement: CoreGuard micropolicies explicitly define disallowed operations, in terms of metadata. For example, writing a confidential value to a public output would be a violation.
With this basic framework, CoreGuard can implement fine-grained information flow confidentiality and security, control flow integrity, memory safety, and fine-grained compartmentalization (access control).
At Dover, we believe that the most promising approach to quantifiable security assurance is to take an approach consistent with Schneider's Enforceable Security Properties paper—namely to precisely define the allowed and disallowed behavior of a given system in terms of both observable events and metadata maintained and associated with individual objects. The granularity of events and objects may differ between security products; in CoreGuard's case, events are individual instructions executed by a CPU, and objects are words in memory. In this sense, CoreGuard is an oversight system associated with an execution system as described in the 1983 DoD Orange book.
Perfect security will forever be elusive. But what we can do is to precisely define a universe of allowed and disallowed behaviors, and provide a performant, non-subvertible execution oversight system that will reliably detect and block disallowed behaviors.
To learn more about our CoreGuard solution and to see micropolicies in action, request a demo today.