User:Tqbf/Vulnerability Research

From Wikipedia, the free encyclopedia

In computer science, vulnerability research refers to...

A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.

Contents 1 Concepts 1.1 Vulnerabilities 1.2 Finding vulnerabilities 1.2.1 Penetration testing 1.2.2 Source code review 1.2.3 Reverse engineering 1.2.4 Fuzzing 1.3 Advisories 2 Industry adoption 2.1 In-house vulnerability research 2.2 Vulnerability research at security vendors 2.3 Industry venues 2.4 Societal impact 2.5 Parallels in antivirus 2.6 Parallels in cryptography 3 Controversy 3.1 Full Disclosure 3.2 Vulnerability markets 3.3 Legal issues 3.3.1 Web application testing 3.3.2 End-user license agreements 3.3.3 Nondisclosure agreements 3.3.4 Trade secret law 3.3.5 Copyright 3.3.6 Specific laws 4 Notable events 4.1 The Geer debacle 4.2 The Lynn debacle 4.3 The Blackboard debacle

[edit] Concepts

[edit] Vulnerabilities

• A vulnerability is an exploitable flaw in a system

• Vulnerabilities occur in hardware, software, and firmware

• Vulnerabilities have different impacts --- CIA triad and AAA protocol are two metrics

• The canonical vulnerabilities are remote code execution, SQL injection, and XSS.

[edit] Finding vulnerabilities

• Vuln researchers utilize a bunch of techniques to find vulnerabilities

• Strategy is usually dictated by circumstances, most important of which is, do we have source

[edit] Penetration testing

• In computer security, refers to breaking into specific computers. In VR, refers to finding flaws in software.

• Sometimes "Application Penetration Testing"

• A service. White hat.

[edit] Source code review

• Code review

• A rich topic in CS and (in particular) computer engineering

• Here somewhat different in that it involves less close-reading and more best-practices

• Needs a reference to McDonald.

• A stated benefit of Open Source security

• Source code scanners --- Fortify, Coverity, Ounce, Klocwork.

[edit] Reverse engineering

• Reverse engineering, also RCE

• When code isn't available

• Renaissance in 2000's: IDA Pro, Jad, Reflector

• Prevalence of Win32 findings (no published Win32 kernel code)

[edit] Fuzzing

• Fuzzing, also Fault injection

• Ambiguous term, can mean random inputs, can mean pathological inputs with no known response

• Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.

[edit] Advisories

[edit] Industry adoption

• Started out secretive. CORE and Infohax digest.

• Mainstreamed with Bugtraq in the '90s

• Now an established part of dev process, Microsoft SDLC

[edit] In-house vulnerability research

• Vendors do VR so that vulns are found before (1) product ships and (2) vulns can go public

• Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.

• Cisco: Contrast?

• Google: Tavis Ormandy, Ben Laurie, others.

[edit] Vulnerability research at security vendors

• Security ISVs do VR so they can enhance their products. Security ISVs typically operate branded security labs

• ISS/IBM - X-Force

• TippingPoint

• MCAF - Avert

[edit] Industry venues

• Black Hat

• Uninformed

• WOOT

• CERT

• Bugtraq

• Metasploit

[edit] Societal impact

• Voting: Avi Rubin.

• DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.

• SCADA

[edit] Parallels in antivirus

• Writing virus signatures not the same thing as VR.

[edit] Parallels in cryptography

• Cryptanalysis is most of cryptography.

[edit] Controversy

• VR is controversial for two reasons

1. blackhats use VR to find vulns they can exploit that can't be patched

1. blackhats can use findings from whitehats to exploit vulns in laggards

• Some people say VR shouldn't be conducted at all, some say not in public

[edit] Full Disclosure

• Full Disclosure

• Means different things to different people:

• Acknowledging vulns
• Full details
• Exploit code

• Responsible disclosure an attempt to formalize

[edit] Vulnerability markets

• Deserves own article

• Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)

• Value depends on target, circumstances (impact), time

• Government agencies allegedly buy

• Organized crime allegedly buys

• iDefense

• TippingPoint Zero Day Initiative

• WabiSabiLabs

[edit] Legal issues

• Finding and (particularly) publishing vulns can get you sued or sent to prison.

[edit] Web application testing

• You don't own the app, so you can get busted for finding vulns.

[edit] End-user license agreements

• Virtually every EULA prohibits RCE, but very few successful test cases. EULAs don't seem to have inhibited.

[edit] Nondisclosure agreements

• Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.

[edit] Trade secret law

[edit] Copyright

• The DMCA, anti-circumvention.

[edit] Specific laws

• That Michigan law that bans sniffers

[edit] Notable events

[edit] The Geer debacle

[edit] The Lynn debacle

[edit] The Blackboard debacle