Is finding security holes a good idea?
Eric Rescorla
ekr at rtfm.com
Fri Jun 11 18:15:17 EDT 2004
lists at notatla.org.uk writes:
> From: Eric Rescorla <ekr at rtfm.com>
>
>> Is finding security holes a good idea?
>
>>Paper: http://www.dtc.umn.edu/weis2004/rescorla.pdf
>>Slides: http://www.dtc.umn.edu/weis2004/weis-rescorla.pdf
>
> In section 1 there's a crucial phrase not properly followed up:
> "significant opportunity cost since these researchers
> could be doing other security work instead of finding
> vulnerabilities".
> What "other security work" is being used for comparison ?
> - finding and fixing non-program flaws (such as in configuration)
> I do a lot of this - and I'm not about to run out of it.
> I know that _finding_ the flaws is easy. Even finding
> many of them systematically is easy. Fixing them is
> often gets stuck on the problem of that's Fred's piece
> of work and he doesn't feel like doing it.
> - fixing long-known and neglected bugs (are there many ?)
> - accelerating patch uptake
> - technical work on tolerant architectures/languages etc
> - advocacy work on tolerant architectures/languages etc
> (Where's Howard Aitken when you need him ?)
> - forensics
> - other ?
All of the above? Probably my favorite would be finding mechanical
ways to make programs more secure--e.g. stuff like Stackguard,
etc. As you say, moving to non-C languages would be a really
good start!
> Footnote 1 mentions an indirect effect of vulnerability research.
> Another one would be programmer education - but reporting yet
> another bug of a common type seems to have low value. People
> do need to be aware that (their!) software can be faulty and in
> roughly what ways.
Good point.
> In 3.4 if proactive WHD is not worth the effort because the bugs
> get discovered anyway when they are widely exploited what does
> this say about finding vulnerabilities through their use in the
> wild ? Is this more costly but better aimed at the bugs that matter ?
> Are there cost-effective ways to do this reactive discovery ? What
> tools would simplify it ?
Excellent point. There's no real data on this topic but my
intuition would be that better IDS/anomaly detection would be
a useful tool here. Also, some kind of automated
forensic network recording so that when intrusions are
detected it's easy to backfigure what happened.
-Ekr
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list