Kathleen Fisher
Program Manager, Information Innovation Office

High Assurance Systems

DARPA Cyber Colloquium
Arlington, VA

November 7, 2011

Approved for Public Release, Distribution Unlimited.
Physical systems vulnerable to cyber attacks

[Figure: falsified speedometer reading: 140 mph in [P]ark!]

K. Koscher, et al. "Experimental Security Analysis of a Modern Automobile," in Proceedings of the IEEE Symposium on Security and Privacy, Oakland, CA, May 16-19, 2010.
Many remote attack vectors

[Figure: vehicle attack vectors, grouped as long-range wireless, short-range wireless, and indirect physical (entertainment, mechanic)]

Image sources: www.autoblog.com, www.journalofamnangler.com, www.1800pocketpc.com, en.wikipedia.org/wiki/Compact_Disc, www.thedigitalbus.com, coolmaterial.com, www.laptopsarena.com, www.elec-intro.com, mybluetoothearbuds.blogspot.com, www.diytrade.com
Pervasive vulnerability

[Figure: affected system categories: SCADA systems, computer peripherals, vehicles, medical devices, communication devices]

Sources: en.wikipedia.org/wiki/File:Gas_centrifuge_cascade.jpg, gis-rci.montpellier.cemagref.fr, cyberseecure.com, www.ourestatesale.com, www.eweek.com, pastorron7.wordpress.com, landsat.gsfc.nasa.gov, www.tech2date.com, www.militaryaerospace.com, www.naval-technology.com, www.chinacartimes.com
We need a fundamentally different approach

• State of the art:
    • Anti-virus scanning, intrusion detection systems, patching infrastructure
• This approach cannot solve the problem.
    • Focused on known vulnerabilities; can miss zero-day exploits
    • Can introduce new vulnerabilities and privilege escalation opportunities

[Callout: 1/3 of the vulnerabilities are in security software!]
Critical Components within Reach of Formal Methods

[Chart: lines of code on a log scale (1 to 100,000,000) for Verified Systems vs. Yet-To-Be-Verified Systems. Labels on the verified side: 9K lines, 11 PY. Labels on the yet-to-be-verified side: 200K, 5M, 10M and 40M lines, with 12K PY and >$120M. *Includes non-security relevant code]
High-Assurance Component Factory

[Figure: example cyber and physical components]

Key Challenges
• Reusable components
• Composition
• Increasing automation
• Scaling
• Concurrency
• Cyber-physical integration

Sources: en.wikipedia.org/wiki/File:Gas_centrifuge_cascade.jpg, gis-rci.montpellier.cemagref.fr, cyberseecure.com, www.ourestatesale.com, www.tech2date.com, www.eweek.com, dronewarsuk.wordpress.com

High Assurance: Correctness, Safety, Security
Feedback welcome!

• Promising research directions?
• Additional challenges?
• Other things you think I should know?

Contact Information: Kathleen.Fisher@darpa.mil
