Automated - All Articles - CISO Platform
https://www.cisoplatform.com/profiles/blogs/feed/tag/Automated
2024-03-29T11:08:46Z

4 Areas where Artificial Intelligence Fails in Automated Penetration Testing
https://www.cisoplatform.com/profiles/blogs/4-areas-where-artificial-intelligence-fails-in-automated-pentest
2016-02-20T09:00:00.000Z
https://www.cisoplatform.com/members/23j0c848tmyvu
<div><p>Formal Modeling and Automation is one of the things I love. I try to model everything, and sometimes modeling helps and sometimes it lands me in trouble. It helped me when I tried to model Penetration Testing and worked with my co-founder to design our first version of an automated Penetration Testing tool at iViZ. Where it did not help is in dancing. I think I am a poor dancer since my mind thinks modeling. By the time I model the step in my mind, I miss the beat. I believe there are a few things which we need to do from the heart and not from the mind.</p><p>I was thinking about why, given today’s maturity of Artificial Intelligence (AI), we cannot fully automate Penetration Testing (or “maybe” we will never be able to).
Here are the top reasons that come to my mind.</p><h2><strong>Penetration Testing: Multi-Stage Attack Planning is a PSPACE-Complete Problem</strong></h2><p>In <strong>Penetration Testing</strong>, attack chaining is a critical element of both strategizing and executing some brilliant hacks. The human mind can sometimes compute brilliant attack plans in just a jiffy. However, when we try to model this as a standard “AI Planning” problem, we get into a mess. Every exploit/attack can be modeled as an action with a precondition and a postcondition. So, the standard solution we can think of is to use “Planning Algorithms” to build the entire attack graph. However, the challenge is state explosion: we will immediately run out of memory (a PSPACE-complete problem). Though approximations can help, they can never find all the possible attack paths once the number of nodes increases beyond a threshold. However, when it comes to coverage, AI would definitely do better than humans (since humans get bored).</p><h2><strong>Modeling Creativity is a Hard Problem</strong></h2><p>There has been some work on Artificial Creativity. We do have AI programs writing poems (<a href="http://nodebox.net/code/index.php/Flowerewolf" target="_blank">Flowerewolf</a>). However, we are quite far from creating automation that can match human creativity. There are potential ways to model creativity. As an example, you can model the knowledge from one field and apply it in a completely different field, and in some cases you may end up with a "creative model".
However, not much work has been done to model human creativity in the field of ethical hacking.</p><h2><strong>Programs cannot Question the Assumptions</strong></h2><p>Human minds can question the fundamental assumptions. However, a program runs on fundamental assumptions. Einstein challenged the assumptions of Newton. Heisenberg challenged the assumptions of Einstein, and the game goes on. Any good pen tester/hacker challenges the assumptions. When we broke Microsoft BitLocker encryption, we challenged the assumption of the coders that BIOS memory cannot be accessed from user land. A program does not have the capability to challenge the assumptions, and that is a severe limitation when it comes to automating Penetration Testing.</p><h2><strong>“Artificial Intuition” is still in early days</strong></h2><p>Humans have intuition. As per wiki: “<strong>Intuition</strong> is the ability to acquire knowledge without inference and/or the use of reason. Intuition provides us with beliefs that we cannot justify in every case”. We can sometimes solve problems brilliantly without the use of any reasoning. Artificial Intuition aims to model this, but we are still at quite a primitive stage compared with what our brains can do.</p><p>I am a big believer in AI and a bigger believer in the human mind. We did use a decent bit of AI to automate Penetration Testing during our iViZ days. While doing that, I learnt more of what we cannot do than what we can do.
I am sure with time AI will get better, but will we ever be able to do Penetration Testing without the humans?</p></div>

Automated Discovery of Deserialization Gadget Chains (Black Hat Conference 2018)
https://www.cisoplatform.com/profiles/blogs/automated-discovery-of-deserialization-gadget-chains-black-hat-co
2018-10-01T08:00:00.000Z
Shubham Gupta
https://www.cisoplatform.com/members/ShubhamGupta
<div><p><span>Although vulnerabilities stemming from the deserialization of untrusted data have been understood for many years, unsafe deserialization continues to be a vulnerability class that isn't going away. Attention on Java deserialization vulnerabilities skyrocketed in 2015 when Frohoff and Lawrence published an RCE gadget chain in the Apache Commons library, and as recently as last year's Black Hat, Muñoz and Miroshis presented a survey of dangerous JSON deserialization libraries. While much research and automated detection technology has so far focused on the discovery of vulnerable entry points (i.e. code that deserializes untrusted data), finding a "gadget chain" to actually make the vulnerability exploitable has thus far been a largely manual exercise. In this talk, I present a new technique for the automated discovery of deserialization gadget chains in Java, allowing defensive teams to quickly identify the significance of a deserialization vulnerability and allowing penetration testers to quickly develop working exploits.
At the conclusion, I will also be releasing a FOSS toolkit which utilizes this methodology and has been used to successfully develop many deserialization exploits in both internal applications and open source projects.</span></p><p><span class="font-size-5">Speaker</span></p><p><span><strong>Ian Haken</strong><br /> <br /> Ian Haken is a senior security software engineer at Netflix where he works on the platform security team to develop tools and services that defend the Netflix platform. Before working at Netflix, he spent two years as a security researcher at Coverity where he developed defensive application security tools and helped to develop automated discovery of security vulnerabilities through static software analysis. He received his PhD in mathematics from the University of California, Berkeley in 2014 with a focus in computability theory and algorithmic information theory.</span></p><p><span class="font-size-5">Detailed Presentation:</span></p><div style="margin-bottom:5px;"><strong><a href="//www.slideshare.net/cisoplatform7/automated-discovery-of-deserialization-gadget-chains-117547762" title="Automated Discovery of Deserialization Gadget Chains" target="_blank">Automated Discovery of Deserialization Gadget Chains</a></strong> from <strong><a href="https://www.slideshare.net/cisoplatform7" target="_blank">Priyanka Aash</a></strong></div><div><p><strong>(Source: Black Hat USA 2018, Las Vegas)</strong></p></div></div>