User:Tqbf/Vulnerability Research

From Wikipedia, the free encyclopedia
Jump to: navigation, search

In computer science, vulnerability research refers to...

A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.



  • A vulnerability is an exploitable flaw in a system
  • Vulnerabilities occur in hardware, software, and firmware
  • The canonical vulnerabilities are remote code execution, SQL injection, and XSS.

Finding vulnerabilities[edit]

  • Vuln researchers utilize a bunch of techniques to find vulnerabilities
  • Strategy is usually dictated by circumstances, most important of which is, do we have source

Penetration testing[edit]

  • In computer security, refers to breaking into specific computers. In VR, refers to finding flaws in software.
  • Sometimes "Application Penetration Testing"
  • A service. White hat.

Source code review[edit]

  • A rich topic in CS and (in particular) computer engineering
  • Here somewhat different in that it involves less close-reading and more best-practices
  • Needs a reference to McDonald.
  • Source code scanners --- Fortify, Coverity, Ounce, Klocwork.

Reverse engineering[edit]

  • When code isn't available
  • Renaissance in 2000's: IDA Pro, Jad, Reflector
  • Prevalence of Win32 findings (no published Win32 kernel code)


  • Ambiguous term, can mean random inputs, can mean pathological inputs with no known response
  • Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.


Industry adoption[edit]

  • Started out secretive. CORE and Infohax digest.
  • Mainstreamed with Bugtraq in the '90s
  • Now an established part of dev process, Microsoft SDLC

In-house vulnerability research[edit]

  • Vendors do VR so that vulns are found before (1) product ships and (2) vulns can go public
  • Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.
  • Cisco: Contrast?
  • Google: Tavis Ormandy, Ben Laurie, others.

Vulnerability research at security vendors[edit]

  • Security ISVs do VR so they can enhance their products. Security ISVs typically operate branded security labs
  • ISS/IBM - X-Force
  • TippingPoint
  • MCAF - Avert

Industry venues[edit]

  • Black Hat
  • Uninformed
  • WOOT
  • CERT
  • Bugtraq
  • Metasploit

Societal impact[edit]

  • Voting: Avi Rubin.
  • DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.

Parallels in antivirus[edit]

  • Writing virus signatures not the same thing as VR.

Parallels in cryptography[edit]

  • Cryptanalysis is most of cryptography.


  • VR is controversial for two reasons
  1. blackhats use VR to find vulns they can exploit that can't be patched
  1. blackhats can use findings from whitehats to exploit vulns in laggards
  • Some people say VR shouldn't be conducted at all, some say not in public

Full Disclosure[edit]

  • Means different things to different people:
  • Acknowledging vulns
  • Full details
  • Exploit code
  • Responsible disclosure an attempt to formalize

Vulnerability markets[edit]

  • Deserves own article
  • Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)
  • Value depends on target, circumstances (impact), time
  • Government agencies allegedly buy
  • Organized crime allegedly buys
  • iDefense
  • TippingPoint Zero Day Initiative
  • WabiSabiLabs

Legal issues[edit]

  • Finding and (particularly) publishing vulns can get you sued or sent to prison.

Web application testing[edit]

  • You don't own the app, so you can get busted for finding vulns.

End-user license agreements[edit]

  • Virtually every EULA prohibits RCE, but very few successful test cases. EULAs don't seem to have inhibited.

Nondisclosure agreements[edit]

  • Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.

Trade secret law[edit]


  • The DMCA, anti-circumvention.

Specific laws[edit]

  • That Michigan law that bans sniffers

Notable events[edit]

The Geer debacle[edit]

The Lynn debacle[edit]

The Blackboard debacle[edit]