nsslabs.com

In order to support the extensive test suites created by NSS it is necessary to develop a high quality library of current exploits. This activity takes a disproportionate amount of time in an area which is not considered NSS core business - security testing and certification. The solution, therefore, was to locate a partner capable of meeting our extremely high standards in terms of vulnerability research and exploit production. 

The Vulnerability Research Service (VRS) from Assurent Secure Technologies, a TELUS company, provides security product vendors with timely, in-depth engineering analysis on the top five to eight security vulnerabilities that emerge each week.  

Vendors use the VRS to supplement their own internal research efforts, to help improve both quality and scope of coverage, increasing the quantity of security issues addressed and range of platforms covered. 

Assurent performs continuous monitoring of approximately 200 sources of information on emerging vulnerabilities (including commercial alerting feeds; vendor sources; mailing lists such as Bugtraq, NTBugtraq, Vuln-Dev and Full-Disclosure; and sources within the hacker “underground”).  

Each reported vulnerability is ranked for impact and severity using the SANS CVA formula, and prioritised on this basis. Vulnerabilities are then subjected to full differential analysis (including reproduction of the vulnerability with respect to known-vulnerable, suspected-vulnerable, known-non-vulnerable, and suspected-non-vulnerable targets).  

Unlike services which consolidate the fragments of information made available by vendors and individual vulnerability disclosures, Assurent's Vulnerability Research Team performs in-depth engineering analysis, with the goal of developing a complete understanding of the mechanism, preconditions, triggering conditions, and set of exposures created by each vulnerability.  

Detailed engineering reports are produced within a 24-hour time window, when a vulnerability is ranked critical relative to the SANS CVA formula. Each report includes, but is not limited to the following:  

• All relevant identifiers (CVE/CAN, SFID, CERT ID, CVA REF, etc.)
• Severity and impact analysis
• Affected product(s)
• Problem location (executable, DLL, shared library, function or method, parameter or property, data object(s))
• Problem mechanism (technical mechanism, and source-code level walkthrough when applicable)
• Triggering conditions and prerequisites
• Protocol flow diagram(s)
• Packet decodes (both attack cases and normal traffic cases)
• Behaviour of target during/following attack
• Vulnerability detection mechanisms (remote identification)
• Attack detection mechanisms (network-based detection of generic attacks and of known exploits)
• Exploit status (published, underground, and rumoured exploits)
• Exploit reproduction (usually including sample code)

Each report is delivered within hours of the emergence of a new issue, and provides sufficient information to permit a vendor to rapidly script a VA probe, IDS signature, or IPS filter of high quality (e.g. a signature which is able to detect all possible attempts to exercise the given vulnerability, rather than simply matching the known exploits).  

In addition to the “proof of concept” exploits provided with the VRS engineering reports, Assurent produces full remote code execution (shell code) exploits for a subset of the vulnerabilities covered by the VRS service, focused on the highest-severity remotely-exploitable vulnerabilities. 

In addition to delivery of research materials via e-mail, a full Web portal is provided to registered users allowing extensive search for vulnerabilities on a range of criteria, and subsequent download of research material and exploits on demand. NSS also uses Assurent’s Spyware Research Service, which provides similar research information for Spyware and Malware. 

To date, we have found the quality of the research material to be second to none, and the supplied exploits and packet captures to be invaluable in IDS and IPS product testing.