User:Tqbf/Vulnerability Research

In computer science, vulnerability research refers to...

A lot of crappy WP articles try to synthesize and contextualize technical topics like this; I'd like this to be heavy on the tech, a value prop this article would have over "Software Security Assurance" or whatever.

• A vulnerability is an exploitable flaw in a system

• Vulnerabilities occur in hardware, software, and firmware

• Vulnerabilities have different impacts --- CIA triad and AAA protocol are two metrics

• The canonical vulnerabilities are remote code execution, SQL injection, and XSS.

• Vuln researchers utilize a bunch of techniques to find vulnerabilities

• Strategy is usually dictated by circumstances, most important of which is, do we have source

• In computer security, refers to breaking into specific computers. In VR, refers to finding flaws in software.

• Sometimes "Application Penetration Testing"

• A service. White hat.

• Code review

• A rich topic in CS and (in particular) computer engineering

• Here somewhat different in that it involves less close-reading and more best-practices

• Needs a reference to McDonald.

• A stated benefit of Open Source security

• Source code scanners --- Fortify, Coverity, Ounce, Klocwork.

• Reverse engineering, also RCE

• When code isn't available

• Renaissance in 2000's: IDA Pro, Jad, Reflector

• Prevalence of Win32 findings (no published Win32 kernel code)

• Fuzzing, also Fault injection

• Ambiguous term, can mean random inputs, can mean pathological inputs with no known response

• Massively successful in terms of finding vulnerabilities. For instance, MOAB vulns were mostly fuzzer finds.

• Started out secretive. CORE and Infohax digest.

• Mainstreamed with Bugtraq in the '90s

• Now an established part of dev process, Microsoft SDLC

• Vendors do VR so that vulns are found before (1) product ships and (2) vulns can go public

• Microsoft: SDLC. Blue Hat. Extensive 3rd-party review.

• Cisco: Contrast?

• Google: Tavis Ormandy, Ben Laurie, others.

• Security ISVs do VR so they can enhance their products. Security ISVs typically operate branded security labs

• ISS/IBM - X-Force

• TippingPoint

• MCAF - Avert

• Black Hat

• Uninformed

• WOOT

• CERT

• Bugtraq

• Metasploit

• Voting: Avi Rubin.

• DRM: Ed Felten, Freedom to Tinker, Bunnie Huang.

• SCADA

• Writing virus signatures not the same thing as VR.

• Cryptanalysis is most of cryptography.

• VR is controversial for two reasons

1. blackhats use VR to find vulns they can exploit that can't be patched

1. blackhats can use findings from whitehats to exploit vulns in laggards

• Some people say VR shouldn't be conducted at all, some say not in public

• Full Disclosure

• Means different things to different people:

• Acknowledging vulns
• Full details
• Exploit code

• Responsible disclosure an attempt to formalize

• Deserves own article

• Vulns have a value, to black hats (particularly phishing and spamming) and white hats (PR, marketing, product differentiation)

• Value depends on target, circumstances (impact), time

• Government agencies allegedly buy

• Organized crime allegedly buys

• iDefense

• TippingPoint Zero Day Initiative

• WabiSabiLabs

• Finding and (particularly) publishing vulns can get you sued or sent to prison.

• You don't own the app, so you can get busted for finding vulns.

• Virtually every EULA prohibits RCE, but very few successful test cases. EULAs don't seem to have inhibited.

• Penetration tests are universally done under NDA. Professional VR rarely gets disclosed because you'd get sued.

• The DMCA, anti-circumvention.

• That Michigan law that bans sniffers