Reposted with permission, FYI... Cheers,
Ken SC-L Moderator Begin forwarded message:
From: Pete Herzog <[EMAIL PROTECTED]> Date: November 30, 2007 10:30:18 AM EST To: [EMAIL PROTECTED] Subject: SCARE metrics and tool release Hi,Scare, the Source Code Analysis Risk Evaluation tool for measuring security complexity in C source code is now available. The tool is written to support the OpenTC project (opentc.net) as the SCARE methodology project available at:http://www.isecom.org/scareWe have done some test cases with the tool already do track trends in Xen and are now working on measuring trends in the Linux Kernel.USEThe SCARE analysis tool is run against source code. Currently only C code is supported. The ouput file will contain all operational interactions possible which need controls (the current version does not yet say if and what controls are already there). At the bottom of the list are three numbers: Visibilities, Access, and Trusts. These 3 numbers can be plugged into the RAV Calculation spreadsheet available at isecom.org/ravs. The Delta value is then subtracted from 100 to give the SCARE percentage which indicates the complexity for securing this particular application. The lower the value, the worse the SCARE.Trends in Xen: XEN ver. Vis Accesses Trusts SCARE Delta -------------------------------------------------------- 3.0.3_0 1 314 28577 58.26 -41.74 3.0.4_1 1 311 31060 57.79 -42.21 3.1.0 1 316 33139 57.43 -42.57As you can see, the security complexity of Xen is getting worse due to the increased numbers of Trusts (reliance on external variables which a user can manipulate as an input). Trust attacks can be tested according to the 4th point of the 4 Point test process in the OSSTMM 3: Intervention - changing resource interactions with the target or between targets.At this stage, the tool cannot yet tell which interactions have controls already or if those controls are applicable however once that is available it will change the RAV but not the SCARE. The SCARE will also not yet tell you where the bugs are in the code however if you are bug hunting, it will extract all the places where user inputs and trusts with user-accessible resources can be found in the code.We need help! We are looking for people to help us complete the SCARE methodology, add new programming languages to the tool, as well as even making a windows binary version for those who do not code in Linux. Contact me if you can do this.Sincerely, -pete. -- Pete Herzog - Managing Director - [EMAIL PROTECTED] ISECOM - Institute for Security and Open Methodologies www.isecom.org - www.osstmm.org www.hackerhighschool.org - www.isestorm.org ------------------------------------------------------------------- ISECOM is the OSSTMM Professional Security Tester (OPST), OSSTMM Professional Security Analyst (OPSA), and Hacker Highschool Teacher certification authority.
smime.p7s
Description: S/MIME cryptographic signature
_______________________________________________ Secure Coding mailing list (SC-L) SC-L@securecoding.org List information, subscriptions, etc - http://krvw.com/mailman/listinfo/sc-l List charter available at - http://www.securecoding.org/list/charter.php SC-L is hosted and moderated by KRvW Associates, LLC (http://www.KRvW.com) as a free, non-commercial service to the software security community. _______________________________________________
