Is finding security holes a good idea?
Jerrold Leichter
jerrold.leichter at smarts.com
Tue Jun 15 18:08:37 EDT 2004
| Thor Lancelot Simon <tls at rek.tjls.com> writes:
|
| > On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
| >> Roughly speaking:
| >> If I as a White Hat find a bug and then don't tell anyone, there's no
| >> reason to believe it will result in any intrusions. The bug has to
| >
| > I don't believe that the premise above is valid. To believe it, I think
| > I'd have to hold that there were no correlation between bugs I found and
| > bugs that others were likely to find; and a lot of experience tells me
| > very much the opposite.
|
| The extent to which bugs are independently rediscovered is certainly
| an open question which hasn't received enough study. However, the
| fact that relatively obvious and serious bugs seem to persist for
| long periods of time (years) in code bases without being found
| in the open literature, suggests that there's a fair amount of
| independence.
I don't find that argument at all convincing. After all, these bugs *are*
being found!
It's clear that having access to the sources is not, in and of itself,
sufficient to make these bugs visible (else the developers of closed-source
software would find them long before independent white- or black-hats).
Something else accounts for their surfacing. I would guess that at least two
factors are involved:
- There's a level of similarity beyond, say, "buffer overflow".
For example, once one buffer overflow in parsing a "To:"
field is found, everyone starts looking for bugs in "To:"
field parsing - and then at the closely-related code for
parsing other header fields. We know from experience - look
at the attempts to gain super-high reliability through
N-version programming - that bugs cluster: Certain kinds of
problems are harder to get right than others. Thus, this
focused attention on an area where bugs have been found is
highly likely to find other bugs.
- New tools and techniques for finding bugs in code are developed,
bringing to light previously-hidden bugs.
To the extent these are true, a white-hat could reasonably argue that a
newly-found bug is unlikely to be rediscovered only if it is neither closely
related to previously-found bugs nor found using a new technique. But these
are exactly the cases in which you would *want* to publish!
-- Jerry
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com