U.S. military researchers may have found a more productive vulnerability discovery process

Written by

A study from the U.S. government shows there is proof of a way to be more efficient when looking for flaws in software.

Security researchers of all expertise levels do better with an improved, automated analysis that better allocates human resources during investigations, U.S. military researchers from the National Security Agency, Cyber Command, Navy, Air Force, and Army posit in new research published this month. This differs from a common approach taken when researchers are more naturally inclined to zero in on a given piece of software to try to find flaws.

“There is a cognitive bias in the hacker community to select a piece of software and invest significant human resources into finding bugs in that software without any prior indication of success,” they write in the paper.

This status quo, which the researchers call the “depth-first” approach, places more of a burden on experienced researchers while beginners get lost in the shuffle, Jared Ziegler, a software developer at the NSA, told CyberScoop in an interview.

“The problem with that, as we discovered, is that with everybody looking at the same thing, your more novice people are going to quickly fall behind and fail to contribute, while your more advanced people are becoming overwhelmed. They’re being pulled in dozens of different directions,” Ziegler said, adding this was one of the reasons the researchers came together to try to find an alternative method. “It was clear it wasn’t working out for us.”

To test their new automated approach, which they call the “breadth-first” method, the researchers recruited 12 volunteers from Cyber Command and divided them into two teams of six. Some teams tested the breadth-first method, in which the volunteers use an automated software testing technique, called fuzzing, to find software bugs. They were encouraged to run as many fuzzing harnesses as they could in a day to assess as many targets as possible for bugs.

To compare it against the prevailing method, some volunteer teams tested the depth-first approach, with teams all working on the same piece of software at once. This required each hacker to have foundational knowledge about the software, creating a greater barrier for novices and a greater set of tasks for the more experienced hackers. Once the teams started a fuzzing run, they continued to work on the same target — but the researchers found this inefficient, as the fuzzing revealed information later that could have helped the process run smoother if discovered earlier on.

The researchers found overwhelmingly the automated breadth-first method allowed volunteers to find more software vulnerabilities than when using the depth-first approach. The breadth-first method also helped novice hackers engage in the research and grow their skills, as teams were able to pair knowledge levels with tasks throughout the vulnerability discovery process.

“[Breadth-first] encourages apprentice-level hackers to give up when it becomes clear that harnessing a particular target would require a significant time investment. Rather than continue down a ‘rabbit hole,’ apprentices document any pertinent information about the target before moving it to a separate [and more advanced] queue,” the researchers write. “This provides more experienced hackers material to review before applying their more experienced abilities.”

Hackers left behind at the Pentagon

The researchers hope the results will encourage vulnerability research teams in all sectors, not just those in the military, to reevaluate if their current methods lead to the best results. But the research might be a particularly attractive solution for frustrated U.S. military personnel who traditionally rotate in and out of positions every couple of years, even on vulnerability discovery teams at Cyber Command.

Using the depth-first approach might be leaving the U.S. military behind on discovering vulnerabilities to exploit, the researchers attest.

“In the military we frequently have service members rotating on three-year assignments. Due to the significant overhead in training someone on all of the important skills … there is little time left for meaningful on-the-job impact,” U.S. Army Captain Timothy Nosco, who co-wrote the research, said at the USENIX Security Symposium earlier this month.

Researchers who are new to the DOD often fall behind in vulnerability discovery and have to resort to handing off more difficult problem sets to their supervisors, Ziegler told CyberScoop.

“That’s just the norm,” Ziegler said. “If you have somebody that’s sort of new to this, there’s oftentimes not much more they can do than other sorts of work, or maybe like practice problems, like [capture the flag contests] until they start building up this huge array of skills to do these things.”

In addition to finding more bugs, researchers found the breadth-first approach left the volunteer hackers feeling more satisfied with their work. In post-experiment surveys, they said they felt less frustrated with and more interested in the material.

“[Breadth-first] allows team members to work with confidence on independent tasks, make progress until they understand the key pieces of information, and then communicate those pieces of information,” the researchers write.

Ziegler’s vulnerability discovery team at Cyber Command, whose mission he was not authorized to discuss, has started to implement the breadth-first method moving forward. The NSA and Cyber Command declined to comment on whether the breadth-first method was being employed more broadly at the NSA, Cyber Command, or the DOD.

Ziegler acknowledged not every researcher will find the breadth-first method works.

“While we do feel that there is a prevailing depth-first mindset in the [vulnerability research] community, we recognize that many organizations have found approaches that work for them, many of which do not fall neatly into this [categorization],” Ziegler told CyberScoop. “Our work seeks to encourage all organizations to think about their workflows, whether they could start making use of more automation, and how they might better engage the full spectrum of their workforce to make meaningful contributions.”