SETC: A Vulnerability Telemetry Collection Framework

Ryan Holeman, John Hastings, Varghese Mathew Vaidyan
2024-06-10
Abstract: As emerging software vulnerabilities continuously threaten enterprises and Internet services, there is a critical need for improved security research capabilities. This paper introduces the Security Exploit Telemetry Collection (SETC) framework, an automated framework to generate reproducible vulnerability exploit data at scale for robust defensive security research. SETC deploys configurable environments to execute and record rich telemetry of vulnerability exploits within isolated containers. Exploits, vulnerable services, monitoring tools, and logging pipelines are defined via modular JSON configurations and deployed on demand. Compared to current manual processes, SETC enables automated, customizable, and repeatable vulnerability testing to produce diverse security telemetry. This research enables scalable exploit data generation to drive innovations in threat modeling, detection methods, analysis techniques, and remediation strategies. The capabilities of the framework are demonstrated through an example scenario. By addressing key barriers in security data generation, SETC represents a valuable platform to support impactful vulnerability and defensive security research.
Cryptography and Security
What problem does this paper attempt to address?
The problem that this paper attempts to solve is: **How to automatically generate and collect rich exploit data to support defensive security research**. Specifically, security researchers currently face the following challenges when studying software vulnerabilities:

1. **Non-repeatability**: Data obtained from real incidents or simulated environments is usually not repeatable. If researchers later need additional telemetry or data points, they cannot reacquire that data.
2. **Lack of control**: Researchers cannot control which vulnerabilities or attack techniques an attacker chooses, making it difficult to conduct in-depth research on a specific vulnerability.
3. **Cumbersome manual process**: Manually reproducing an attack requires building vulnerable target systems, replaying the scenario, and recording the activity, which is both time-consuming and error-prone.
4. **Insufficient existing tools**: Existing tools are either limited in functionality or focus only on specific classes of vulnerabilities (such as PHP vulnerabilities or local operating system vulnerabilities), lacking comprehensiveness and flexibility.

To solve these problems, the paper introduces the **Security Exploit Telemetry Collection (SETC)** framework. The main goal of SETC is to provide an automated, customizable, and repeatable vulnerability testing platform that can generate diverse security telemetry data. SETC achieves this goal in the following ways:

- **Automated deployment and execution**: SETC uses container technologies (such as Docker and Kubernetes) to deploy vulnerable services and execute exploits in an isolated environment.
- **Modular configuration**: Vulnerable services, attack tools, monitoring tools, and log pipelines are all defined through JSON configuration files, allowing users to configure scenarios flexibly according to their needs.
- **Rich telemetry data**: SETC records detailed attack telemetry and converts it into standard formats (such as OCSF, CIM, and CEF) through log pipelines for subsequent analysis.
- **Scalable log pipelines**: SETC supports storing log data in SIEM systems, databases, or plain files for further analysis and sharing.

Through these features, SETC provides researchers with a powerful platform to generate and analyze exploit data at scale, thereby promoting innovation in threat modeling, detection methods, analysis techniques, and remediation strategies.