Is finding security holes a good idea?

Eric Rescorla ekr at rtfm.com
Thu Jun 17 10:34:37 EDT 2004


Birger Toedtmann <btoedtmann at exp-math.uni-essen.de> writes:

> Am Do, den 10.06.2004 schrieb Eric Rescorla um 20:37:
>> Cryptography readers who are also interested in systems security may be
>> interested in reading my paper from the Workshop on Economics
>> and Information Security '04:
>> 
>>     Is finding security holes a good idea?
> [...]
>
> The economic reasoning within the paper misses casualties that arise
> from automated, large scale attacks.
>
> In figure 2, the graph indicating the "Black Hat Discovery Process"
> suggests we should expect a minor impact of "Private Exploitation" only,
> because the offending Black Hat group is small and exploits manually. 
> However, one could also imagine Code Red, Slammer and the like.  Apart
> from having a fix ready or not, when vulnerabilities of this kind are
> not known *at all* to the public (no problem description, no workaround
> like "remove file XYZ for a while" known), worms can hit the network far
> more severely than they already do with knowledge of vulnerability and
> even fixes available.  I would expect the "Intrusion Rate" curve to be
> formed radically differently at this point.  This also affects the
> discussion about social welfare lost / gained through disclosure quite a
> lot.
>
> I don't see how applying Browne's vulnerability cycle concept to the
> Black Hat Discovery case as it has been done in the paper can reflect
> these threat scenarios correctly.  

It's true that the Browne paper doesn't apply directly, but I don't
actually agree that rapid spreading malware alters the reasoning in
the paper much. None of the analysis in the paper depends on any
particular C_BHD/C_WHD ratio. Rather, the intent is to provide
boundaries for what one must believe about that ratio in order to
think that finding bugs is a good idea.

That said, I don't think that the argument you present above is that
convincing. It's true that a zero-day worm would be bad, but given the
shape of the patching curve [0], a day-5 worm would be very nearly as
bad (and remember that it's the C_BHD/C_WHD ratio we care about).
Indeed, note that all of the major worms so far have been based on
known vulnerabilities. 

-Ekr

[0] E. Rescorla, "Security Holes... Who Cares?", Proc. 12th USENIX
Security, 2003.
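The "day-5 worm is nearly as bad as a zero-day worm" argument rests entirely on how slowly the vulnerable population patches. The following added example (not code from the post or from either of Rescorla's papers) makes that dependence explicit with a toy model: patch adoption is assumed to be exponential decay of the unpatched population with a configurable half-life, and the severity of a worm released some days after the fix is measured as the fraction of the population still exposed, relative to a worm released on day zero. The half-life values are assumptions chosen to illustrate the sensitivity, not figures taken from the paper.

```python
import math

# Assumption (not from the post or the cited paper): after a fix is published,
# the unpatched share of the vulnerable population decays exponentially with a
# fixed half-life. Real patching curves are messier, but this captures the
# "most hosts stay unpatched for weeks" shape the argument relies on.


def unpatched_fraction(days_since_fix: float, half_life_days: float) -> float:
    """Fraction of the vulnerable population still unpatched at a given time.

    Before the fix exists (negative days) nobody can have patched, so the
    whole population is exposed.
    """
    if half_life_days <= 0:
        raise ValueError("half_life_days must be positive")
    if days_since_fix <= 0:
        return 1.0
    return 0.5 ** (days_since_fix / half_life_days)


def relative_severity(worm_delay_days: float, half_life_days: float) -> float:
    """Exposed population for a worm released `worm_delay_days` after the fix,
    relative to a zero-day worm against the same bug.

    1.0 means "just as bad as a zero-day"; values near 1.0 support the
    argument in the post, values near 0 would undercut it.
    """
    return unpatched_fraction(worm_delay_days, half_life_days) / unpatched_fraction(0.0, half_life_days)


def severity_table(worm_delay_days: float, half_lives: list[float]) -> dict[float, float]:
    """Relative severity of a delayed worm under several assumed patching
    half-lives, so the reader can see where the argument holds and where it
    breaks down."""
    return {hl: round(relative_severity(worm_delay_days, hl), 4) for hl in half_lives}


def days_until_exposure_below(target_fraction: float, half_life_days: float) -> float:
    """How many days after the fix the exposed population drops below
    `target_fraction`: the delay a worm author would need before the
    patching curve actually blunts the attack."""
    if not 0 < target_fraction < 1:
        raise ValueError("target_fraction must be strictly between 0 and 1")
    return half_life_days * math.log(target_fraction) / math.log(0.5)


if __name__ == "__main__":
    # Constructed scenario: a worm released five days after the fix, under
    # patching half-lives of one day (aggressive auto-update), one week,
    # and one month (closer to the slow adoption the argument assumes).
    for hl, sev in severity_table(5.0, [1.0, 7.0, 30.0]).items():
        print(f"half-life {hl:5.1f} days: day-5 worm exposes {sev:.1%} of what a zero-day would")
    print(f"with a 30-day half-life, exposure falls below 50% only after "
          f"{days_until_exposure_below(0.5, 30.0):.0f} days")
```

With a 30-day half-life the day-5 worm still reaches about 89% of the population a zero-day would, which is the post's point; only under a one-day half-life (the kind of adoption aggressive auto-update produces) does the delay make a large difference. The model says nothing about whether finding bugs is worthwhile, only how much the zero-day/day-5 distinction matters for the C_BHD/C_WHD ratio under a given patching speed.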

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com


