Is finding security holes a good idea?

Jerrold Leichter jerrold.leichter at smarts.com
Tue Jun 15 18:08:37 EDT 2004


| Thor Lancelot Simon <tls at rek.tjls.com> writes:
|
| > On Mon, Jun 14, 2004 at 08:07:11AM -0700, Eric Rescorla wrote:
| >> Roughly speaking:
| >> If I as a White Hat find a bug and then don't tell anyone, there's no
| >> reason to believe it will result in any intrusions.  The bug has to
| >
| > I don't believe that the premise above is valid.  To believe it, I think
| > I'd have to hold that there were no correlation between bugs I found and
| > bugs that others were likely to find; and a lot of experience tells me
| > very much the opposite.
|
| The extent to which bugs are independently rediscovered is certainly
| an open question which hasn't received enough study. However, the
| fact that relatively obvious and serious bugs seem to persist for
| long periods of time (years) in code bases without being found
| in the open literature, suggests that there's a fair amount of
| independence.

I don't find that argument at all convincing.  After all, these bugs *are*
being found!

It's clear that having access to the sources is not, in and of itself,
sufficient to make these bugs visible (else the developers of closed-source
software would find them long before independent white- or black-hats).
Something else accounts for their surfacing.  I would guess that at least two
factors are involved:

	- There's a level of similarity beyond, say, "buffer overflow".
		For example, once one buffer overflow in parsing a "To:"
		field is found, everyone starts looking for bugs in "To:"
		field parsing - and then at the closely-related code for
		parsing other header fields.  We know from experience - look
		at the attempts to gain super-high reliability through
		N-version programming - that bugs cluster:  Certain kinds of
		problems are harder to get right than others.  Thus, this
		focused attention on an area where bugs have been found is
		highly likely to find other bugs.

	- New tools and techniques for finding bugs in code are developed,
		bringing to light previously-hidden bugs.

To the extent these are true, a white-hat could reasonably argue that a
newly-found bug is unlikely to be rediscovered only if it is neither closely
related to previously-found bugs, nor found using a new technique.  But these
are exactly the cases in which you would *want* to publish!

							-- Jerry

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
