User:Tqbf/Vulnerability Research

In computer science, vulnerability research refers to...

A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.

Vulnerabilities

 * A vulnerability is an exploitable flaw in a system


 * Vulnerabilities occur in hardware, software, and firmware


 * Vulnerabilities have different impacts --- CIA triad and AAA protocol are two metrics


 * The canonical vulnerabilities are remote code execution, SQL injection, and XSS.

Finding vulnerabilities

 * Vuln researchers utilize a bunch of techniques to find vulnerabilities


 * Strategy is usually dictated by circumstances, most important of which is, do we have source

Penetration testing

 * In computer security, the term refers to breaking into specific computers. In VR, it refers to finding flaws in software.


 * Sometimes "Application Penetration Testing"


 * A service. White hat.

Source code review

 * Code review


 * A rich topic in CS and (in particular) computer engineering


 * Here it is somewhat different in that it involves less close reading and more checking against best practices


 * Needs a reference to McDonald.


 * A stated benefit of Open Source security


 * Source code scanners --- Fortify, Coverity, Ounce, Klocwork.

Reverse engineering

 * Reverse engineering, also RCE (reverse code engineering)


 * When code isn't available


 * Renaissance in the 2000s: IDA Pro, Jad, Reflector


 * Prevalence of Win32 findings (no published Win32 kernel code)

Fuzzing

 * Fuzzing, also Fault injection


 * Ambiguous term: can mean feeding random inputs, or feeding pathological inputs to which the program has no known response


 * Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.
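Added illustration, not part of this draft or of any named project: a toy mutation fuzzer in Python that exercises both senses of the term, randomly mutated seeds and hand-picked pathological inputs, against a constructed record parser whose bugs are hypothetical. Any exception the target does not document is recorded as a finding.

```python
import random
# Constructed toy target (hypothetical): records of <1-byte length><payload>, where the
# top bits of the first payload byte encode a "kind". Documented failure: ValueError on
# truncated input. Every other exception is an unintended bug for the fuzzer to surface.
KINDS = {0: "text", 1: "binary"}   # documented kinds; any other value is invalid

def parse_records(data: bytes) -> dict:
    fields, i = [], 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        if len(payload) != n:
            raise ValueError("truncated record")
        fields.append(KINDS[payload[0] >> 6])  # empty payload -> IndexError, bad kind -> KeyError
        i += 1 + n
    return {"records": len(fields),            # empty input -> ZeroDivisionError
            "text_ratio": fields.count("text") / len(fields)}

def run_case(data: bytes):
    """None when the target behaves as documented, else the exception's name."""
    try:
        parse_records(data)
    except ValueError:
        return None                      # documented failure, not a finding
    except Exception as exc:
        return type(exc).__name__        # undocumented failure: a finding

def mutate(seed: bytes, rng: random.Random) -> bytes:
    """Random-input sense of fuzzing: flip, insert or delete a few bytes of a seed."""
    buf = bytearray(seed)
    for _ in range(rng.randint(1, 4)):
        op = rng.choice(("flip", "insert", "delete"))
        if op == "flip":
            buf[rng.randrange(len(buf))] ^= 1 << rng.randrange(8)
        elif op == "insert":
            buf.insert(rng.randint(0, len(buf)), rng.randrange(256))
        elif len(buf) > 1:               # delete, but never empty the buffer
            del buf[rng.randrange(len(buf))]
    return bytes(buf)

# Pathological-input sense: boundary cases the format defines no response for.
PATHOLOGICAL = [b"", b"\x00", b"\x01", b"\xff" + b"A" * 255]

def fuzz(seed: bytes, iterations: int = 500, rng_seed: int = 1) -> dict:
    """Map each distinct undocumented exception to the first input that triggered it."""
    rng, findings = random.Random(rng_seed), {}
    for case in PATHOLOGICAL + [mutate(seed, rng) for _ in range(iterations)]:
        exc = run_case(case)
        if exc and exc not in findings:
            findings[exc] = case
    return findings
```

Run `fuzz(b"\x05hello\x03abc")` with a valid seed: the pathological cases hit the empty-input and zero-length-record bugs directly, while the random mutations find the unchecked kind lookup that the boundary list alone would miss.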

Industry adoption

 * Started out secretive. CORE and Infohax digest.


 * Mainstreamed with Bugtraq in the '90s


 * Now an established part of dev process, Microsoft SDLC

In-house vulnerability research

 * Vendors do VR so that vulns are found before (1) the product ships and (2) the vulns can go public


 * Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.


 * Cisco: Contrast?


 * Google: Tavis Ormandy, Ben Laurie, others.

Vulnerability research at security vendors

 * Security ISVs do VR to enhance their products; they typically operate branded security labs.


 * ISS/IBM - X-Force


 * TippingPoint


 * MCAF - Avert

Industry venues

 * Black Hat


 * Uninformed


 * WOOT


 * CERT


 * Bugtraq


 * Metasploit

Societal impact

 * Voting: Avi Rubin.


 * DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.


 * SCADA

Parallels in antivirus

 * Writing virus signatures is not the same thing as VR.

Parallels in cryptography

 * Cryptanalysis is most of cryptography.

Controversy

 * VR is controversial for two reasons:


 * blackhats use VR to find vulns they can exploit that can't be patched


 * blackhats can use findings from whitehats to exploit vulns in laggards


 * Some people say VR shouldn't be conducted at all, some say not in public

Full Disclosure

 * Full Disclosure


 * Means different things to different people:
   * Acknowledging vulns
   * Full details
   * Exploit code


 * Responsible disclosure is an attempt to formalize this

Vulnerability markets

 * Deserves own article


 * Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)


 * Value depends on target, circumstances (impact), time


 * Government agencies allegedly buy


 * Organized crime allegedly buys


 * iDefense


 * TippingPoint Zero Day Initiative


 * WabiSabiLabs

Legal issues

 * Finding and (particularly) publishing vulns can get you sued or sent to prison.

Web application testing

 * You don't own the app, so you can get busted for finding vulns.

End-user license agreements

 * Virtually every EULA prohibits RCE, but there have been very few successful test cases. EULAs don't seem to have inhibited it.

Nondisclosure agreements

 * Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.

Copyright

 * The DMCA, anti-circumvention.

Specific laws

 * That Michigan law that bans sniffers