User:Tqbf/Vulnerability Research
In computer science, vulnerability research refers to...
A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.
Concepts[edit]
Vulnerabilities[edit]
- A vulnerability is an exploitable flaw in a system
- Vulnerabilities occur in hardware, software, and firmware
- Vulnerabilities have different impacts --- CIA triad and AAA protocol are two metrics
- The canonical vulnerabilities are remote code execution, SQL injection, and XSS.
Finding vulnerabilities[edit]
- Vuln researchers utilize a bunch of techniques to find vulnerabilities
- Strategy is usually dictated by circumstances, most important of which is, do we have source
Penetration testing[edit]
- In computer security, refers to breaking into specific computers. In VR, refers to finding flaws in software.
- Sometimes "Application Penetration Testing"
- A service. White hat.
Source code review[edit]
- A rich topic in CS and (in particular) computer engineering
- Here somewhat different in that it involves less close-reading and more best-practices
- Needs a reference to McDonald.
- A stated benefit of Open Source security
- Source code scanners --- Fortify, Coverity, Ounce, Klocwork.
Reverse engineering[edit]
- Reverse engineering, also RCE
- When code isn't available
- Renaissance in 2000's: IDA Pro, Jad, Reflector
- Prevalence of Win32 findings (no published Win32 kernel code)
Fuzzing[edit]
- Fuzzing, also Fault injection
- Ambiguous term, can mean random inputs, can mean pathological inputs with no known response
- Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.
Advisories[edit]
Industry adoption[edit]
- Started out secretive. CORE and Infohax digest.
- Mainstreamed with Bugtraq in the '90s
- Now an established part of dev process, Microsoft SDLC
In-house vulnerability research[edit]
- Vendors do VR so that vulns are found before (1) product ships and (2) vulns can go public
- Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.
- Cisco: Contrast?
- Google: Tavis Ormandy, Ben Laurie, others.
Vulnerability research at security vendors[edit]
- Security ISVs do VR so they can enhance their products. Security ISVs typically operate branded security labs
- ISS/IBM - X-Force
- TippingPoint
- MCAF - Avert
Industry venues[edit]
- Black Hat
- Uninformed
- WOOT
- CERT
- Bugtraq
- Metasploit
Societal impact[edit]
- Voting: Avi Rubin.
- DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.
- SCADA
Parallels in antivirus[edit]
- Writing virus signatures not the same thing as VR.
Parallels in cryptography[edit]
- Cryptanalysis is most of cryptography.
Controversy[edit]
- VR is controversial for two reasons
- blackhats use VR to find vulns they can exploit that can't be patched
- blackhats can use findings from whitehats to exploit vulns in laggards
- Some people say VR shouldn't be conducted at all, some say not in public
Full Disclosure[edit]
- Means different things to different people:
- Acknowledging vulns
- Full details
- Exploit code
- Responsible disclosure an attempt to formalize
Vulnerability markets[edit]
- Deserves own article
- Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)
- Value depends on target, circumstances (impact), time
- Government agencies allegedly buy
- Organized crime allegedly buys
- iDefense
- TippingPoint Zero Day Initiative
- WabiSabiLabs
Legal issues[edit]
- Finding and (particularly) publishing vulns can get you sued or sent to prison.
Web application testing[edit]
- You don't own the app, so you can get busted for finding vulns.
End-user license agreements[edit]
- Virtually every EULA prohibits RCE, but very few successful test cases. EULAs don't seem to have inhibited.
Nondisclosure agreements[edit]
- Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.
Trade secret law[edit]
Copyright[edit]
- The DMCA, anti-circumvention.
Specific laws[edit]
- That Michigan law that bans sniffers