User:Tqbf/Vulnerability Research

In computer science, vulnerability research refers to...

A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.

Concepts[edit]

Vulnerabilities[edit]

A vulnerability is an exploitable flaw in a system

Vulnerabilities occur in hardware, software, and firmware

Vulnerabilities have different impacts --- CIA triad and AAA protocol are two metrics

The canonical vulnerabilities are remote code execution, SQL injection, and XSS.

Finding vulnerabilities[edit]

Vuln researchers utilize a bunch of techniques to find vulnerabilities

Strategy is usually dictated by circumstances, most important of which is, do we have source

Penetration testing[edit]

In computer security, refers to breaking into specific computers. In VR, refers to finding flaws in software.

Sometimes "Application Penetration Testing"

A service. White hat.

Source code review[edit]

Code review

A rich topic in CS and (in particular) computer engineering

Here somewhat different in that it involves less close-reading and more best-practices

Needs a reference to McDonald.

A stated benefit of Open Source security

Source code scanners --- Fortify, Coverity, Ounce, Klocwork.

Reverse engineering[edit]

Reverse engineering, also RCE

When code isn't available

Renaissance in 2000's: IDA Pro, Jad, Reflector

Prevalence of Win32 findings (no published Win32 kernel code)

Fuzzing[edit]

Fuzzing, also Fault injection

Ambiguous term, can mean random inputs, can mean pathological inputs with no known response

Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.

Advisories[edit]

Industry adoption[edit]

Started out secretive. CORE and Infohax digest.

Mainstreamed with Bugtraq in the '90s

Now an established part of dev process, Microsoft SDLC

In-house vulnerability research[edit]

Vendors do VR so that vulns are found before (1) product ships and (2) vulns can go public

Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.

Cisco: Contrast?

Google: Tavis Ormandy, Ben Laurie, others.

Vulnerability research at security vendors[edit]

Security ISVs do VR so they can enhance their products. Security ISVs typically operate branded security labs

ISS/IBM - X-Force

TippingPoint

MCAF - Avert

Industry venues[edit]

Black Hat

Uninformed

WOOT

CERT

Bugtraq

Metasploit

Societal impact[edit]

Voting: Avi Rubin.

DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.

SCADA

Parallels in antivirus[edit]

Writing virus signatures not the same thing as VR.

Parallels in cryptography[edit]

Cryptanalysis is most of cryptography.

Controversy[edit]

VR is controversial for two reasons

blackhats use VR to find vulns they can exploit that can't be patched

blackhats can use findings from whitehats to exploit vulns in laggards

Some people say VR shouldn't be conducted at all, some say not in public

Full Disclosure[edit]

Full Disclosure

Means different things to different people:

Acknowledging vulns
Full details
Exploit code

Responsible disclosure an attempt to formalize

Vulnerability markets[edit]

Deserves own article

Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)

Value depends on target, circumstances (impact), time

Government agencies allegedly buy

Organized crime allegedly buys

iDefense

TippingPoint Zero Day Initiative

WabiSabiLabs

Legal issues[edit]

Finding and (particularly) publishing vulns can get you sued or sent to prison.

Web application testing[edit]

You don't own the app, so you can get busted for finding vulns.

End-user license agreements[edit]

Virtually every EULA prohibits RCE, but very few successful test cases. EULAs don't seem to have inhibited.

Nondisclosure agreements[edit]

Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.