User:Tqbf/Vulnerability Research

From Wikipedia, the free encyclopedia

In computer science, vulnerability research refers to...

A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.

Concepts

Vulnerabilities

  • A vulnerability is an exploitable flaw in a system
  • Vulnerabilities occur in hardware, software, and firmware
  • The canonical vulnerabilities are remote code execution, SQL injection, and XSS.

Finding vulnerabilities

  • Vuln researchers utilize a bunch of techniques to find vulnerabilities
  • Strategy is usually dictated by circumstances, the most important of which is whether source code is available

Penetration testing

  • In computer security, refers to breaking into specific computers. In VR, refers to finding flaws in software.
  • Sometimes "Application Penetration Testing"
  • A service. White hat.

Source code review

  • A rich topic in CS and (in particular) computer engineering
  • Here somewhat different in that it involves less close-reading and more best-practices
  • Needs a reference to McDonald.
  • Source code scanners --- Fortify, Coverity, Ounce, Klocwork.

Reverse engineering

  • When code isn't available
  • Renaissance in the 2000s: IDA Pro, Jad, Reflector
  • Prevalence of Win32 findings (no published Win32 kernel code)

Fuzzing

  • Ambiguous term, can mean random inputs, can mean pathological inputs with no known response
  • Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.
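The two senses of the term, as an added example that is not part of this draft: a small Python harness in each style (random mutation of a valid seed, and a fixed set of boundary-case inputs), run against a constructed toy record parser `parse_record` that has a deliberate defect so there is something to find. All names here are hypothetical.

```python
import random

def parse_record(data: bytes):
    """Constructed sample target: parse one length-prefixed record.
    Malformed input is rejected with ValueError; one defect is left in."""
    if not data:
        raise ValueError("empty record")
    n = data[0]                      # declared body length
    if len(data) - 1 < n:
        raise ValueError("truncated record")
    body = data[1:1 + n]
    # Defect (constructed): a zero-length body makes body[-1] raise IndexError.
    checksum = body[-1]
    return body[:-1], checksum

def run_fuzz_case(target, data: bytes):
    """Return (exception name, input) on an unexpected crash, else None."""
    try:
        target(data)
    except ValueError:
        return None                  # documented rejection, not a finding
    except Exception as exc:
        return (type(exc).__name__, data)
    return None

def random_fuzz(target, seed_input: bytes, rounds: int, seed: int):
    """Sense 1: random inputs. Overwrite 1-3 random bytes of a valid seed
    per round; deterministic for a given RNG seed, duplicates dropped."""
    rng = random.Random(seed)
    findings = []
    for _ in range(rounds):
        buf = bytearray(seed_input)
        for _ in range(rng.randint(1, 3)):
            buf[rng.randrange(len(buf))] = rng.randrange(256)
        finding = run_fuzz_case(target, bytes(buf))
        if finding is not None and finding not in findings:
            findings.append(finding)
    return findings

# Sense 2: pathological inputs chosen at the format's boundaries
# (empty, zero length, maximum length, length larger than the data).
PATHOLOGICAL_INPUTS = [b"", b"\x00", b"\x00" + b"A" * 16, b"\xff",
                       b"\xff" + b"A" * 255, b"\x01", b"\x01A"]

def pathological_fuzz(target):
    """Run every boundary case once and collect the crashes."""
    return [f for f in (run_fuzz_case(target, d) for d in PATHOLOGICAL_INPUTS) if f]
```

The random fuzzer only finds the defect when a mutation happens to set the length byte to zero, whereas the boundary cases hit it on the first pass; that difference is the practical reason the two senses get conflated under one name.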

Advisories

Industry adoption

  • Started out secretive. CORE and Infohax digest.
  • Mainstreamed with Bugtraq in the '90s
  • Now an established part of dev process, Microsoft SDLC

In-house vulnerability research

  • Vendors do VR so that vulns are found before (1) product ships and (2) vulns can go public
  • Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.
  • Cisco: Contrast?
  • Google: Tavis Ormandy, Ben Laurie, others.

Vulnerability research at security vendors

  • Security ISVs do VR so they can enhance their products. Security ISVs typically operate branded security labs
  • ISS/IBM - X-Force
  • TippingPoint
  • MCAF - Avert

Industry venues

  • Black Hat
  • Uninformed
  • WOOT
  • CERT
  • Bugtraq
  • Metasploit

Societal impact

  • Voting: Avi Rubin.
  • DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.
  • SCADA

Parallels in antivirus

  • Writing virus signatures not the same thing as VR.

Parallels in cryptography

  • Cryptanalysis is most of cryptography.

Controversy

  • VR is controversial for two reasons:
  1. blackhats use VR to find vulns they can exploit that can't be patched
  2. blackhats can use findings from whitehats to exploit vulns in laggards
  • Some people say VR shouldn't be conducted at all, some say not in public

Full Disclosure

  • Means different things to different people:
    • Acknowledging vulns
    • Full details
    • Exploit code
  • Responsible disclosure an attempt to formalize

Vulnerability markets

  • Deserves own article
  • Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)
  • Value depends on target, circumstances (impact), time
  • Government agencies allegedly buy
  • Organized crime allegedly buys
  • iDefense
  • TippingPoint Zero Day Initiative
  • WabiSabiLabs
  • Finding and (particularly) publishing vulns can get you sued or sent to prison.

Web application testing

  • You don't own the app, so you can get busted for finding vulns.

End-user license agreements

  • Virtually every EULA prohibits RCE, but there are very few successful test cases. EULAs don't seem to have inhibited it.

Nondisclosure agreements

  • Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.

Trade secret law

  • The DMCA, anti-circumvention.

Specific laws

  • That Michigan law that bans sniffers

Notable events

The Geer debacle

The Lynn debacle

The Blackboard debacle
