[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20040120151923.GA72479@lightship.internal.homeport.org>
Date: Tue, 20 Jan 2004 10:19:24 -0500
From: Adam Shostack <adam@...eport.org>
To: ken kousky <kkousky@...inc.com>
Cc: 'Alun Jones' <alun@...is.com>, bugtraq@...urityfocus.org
Subject: Re: What is the point here?
On Mon, Jan 19, 2004 at 05:49:15PM -0500, ken kousky wrote:
| But with all that as background, showing off with better exploits isn't
| helping the cause or our defense strategies.
I've cut things down not because I disagree, but because I think that
this particular claim isn't usually examined, and I'd like to do so.
Good exploit code is fundamental to research. Not only the research
of "Is system X that I've deployed vulnerable to some form of attack
Y," but rather research of the form "Does this tool I've invented to
block attack vector A effective against a zoo of attack code?"
That's an important question which vexes researchers building things
like stack smashing defenses--there is no high quality repository of
"vulnerable code, exploit code, fixed code" which allows you to decide
what fraction of exploits your tool prevents.
If the POC code is poor quality, then it can not be used in such a
test. If we're going to move away from being bug hunter-gatherers and
patch distributors, we need to test the tools that take us away from
there. (Quick demonstration: There are about half a dozen
StackGuard-inspired systems out there. Which is best? Prove it.)
Now, does quality POC code need to come out in the days after the bug?
Probably not, based on the argument I've outlined above. (I'm taking
no position right now on its use by admins to test their own systems.)
However, there's the question of motivation: Why does someone spend
time to fix or improve the POC? There's reputation issues, they may
be paid to do so, or they might be altruistic. If there's reputation
at stake, then first to release wins. If someone's being paid, it
makes broad sense to split the work, and share the exploits--everyone
(in the club) gets exploit code for less money. But companies don't
like forming such clubs, while hackers do. So they argue for
disclosure policies that allow them to share the code. Thus, I think
it's unlikely that we'll see improved POC released later, as
attractive as that is to some sysadmins. (There are ways to
structure a market to make that later release more attractive to the
participants, but that's getting off topic.)
Adam
--
"It is seldom that liberty of any kind is lost all at once."
-Hume
Powered by blists - more mailing lists