In computer science, vulnerability research refers to...
A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.
- 1 Concepts
- 2 Industry adoption
- 3 Controversy
- 4 Notable events
- A vulnerability is an exploitable flaw in a system
- Vulnerabilities occur in hardware, software, and firmware
- The canonical vulnerabilities are remote code execution, SQL injection, and XSS.
- Vuln researchers utilize a bunch of techniques to find vulnerabilities
- Strategy is usually dictated by circumstances, most important of which is, do we have source
- In computer security, refers to breaking into specific computers. In VR, refers to finding flaws in software.
- Sometimes "Application Penetration Testing"
- A service. White hat.
Source code review
- A rich topic in CS and (in particular) computer engineering
- Here somewhat different in that it involves less close-reading and more best-practices
- Needs a reference to McDonald.
- A stated benefit of Open Source security
- Source code scanners --- Fortify, Coverity, Ounce, Klocwork.
- Reverse engineering, also RCE
- When code isn't available
- Renaissance in 2000's: IDA Pro, Jad, Reflector
- Prevalence of Win32 findings (no published Win32 kernel code)
- Ambiguous term, can mean random inputs, can mean pathological inputs with no known response
- Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.
- Started out secretive. CORE and Infohax digest.
- Mainstreamed with Bugtraq in the '90s
- Now an established part of dev process, Microsoft SDLC
In-house vulnerability research
- Vendors do VR so that vulns are found before (1) product ships and (2) vulns can go public
- Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.
- Cisco: Contrast?
- Google: Tavis Ormandy, Ben Laurie, others.
Vulnerability research at security vendors
- Security ISVs do VR so they can enhance their products. Security ISVs typically operate branded security labs
- ISS/IBM - X-Force
- MCAF - Avert
- Black Hat
- Voting: Avi Rubin.
- DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.
Parallels in antivirus
- Writing virus signatures not the same thing as VR.
Parallels in cryptography
- Cryptanalysis is most of cryptography.
- VR is controversial for two reasons
- blackhats use VR to find vulns they can exploit that can't be patched
- blackhats can use findings from whitehats to exploit vulns in laggards
- Some people say VR shouldn't be conducted at all, some say not in public
- Means different things to different people:
- Acknowledging vulns
- Full details
- Exploit code
- Responsible disclosure an attempt to formalize
- Deserves own article
- Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)
- Value depends on target, circumstances (impact), time
- Government agencies allegedly buy
- Organized crime allegedly buys
- TippingPoint Zero Day Initiative
- Finding and (particularly) publishing vulns can get you sued or sent to prison.
Web application testing
- You don't own the app, so you can get busted for finding vulns.
End-user license agreements
- Virtually every EULA prohibits RCE, but very few successful test cases. EULAs don't seem to have inhibited.
- Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.
Trade secret law
- The DMCA, anti-circumvention.
- That Michigan law that bans sniffers