Wysopal: Vulnerability researcher did his job, strengthened security By Chris Wysopal 08 Aug 2005 | SearchSecurity.com http://searchsecurity.techtarget.com/columnItem/0,294698,sid14_gci1113755,00 .html Chris Wysopal is a founder of the Organization for Internet Safety, an industry group that has published guidelines for responsible vulnerability disclosure. As vice president of research and development for security consultancy @stake, he provided expert testimony before Congress on the subject of vulnerability research.
####### Responsible disclosure proponent refutes the claim that Black Hat presenter Mike Lynn was anything but responsible. Controversy surrounds researcher Mike Lynn's decision to present details on the Cisco IOS flaw, but where would we be without such disclosure? In his column, "Black Hat researcher Lynn no hero to global security," Ira Winkler takes the position that detailed vulnerability information should not be released to the general public because it causes more harm than good. He asserts that bad guys will use the information to write exploits and worms, while the only good coming from the disclosure is that people will know that they need to patch. However, there is actually little harm in releasing details once people have had time to patch and sharing vulnerability knowledge substantially benefits the future security of our infrastructure. I will admit that more information makes the worm or exploit writer's task easier. More information will generally cause malicious code to be written more quickly. But the lack of detailed information does not preclude the generation of an exploit. This has been true for years, but recent developments in the binary differential analysis of vendor patches make the point moot. Binary differential analysis is a reverse engineering technique that lets an exploit writer inspect a vendor's patch on day one of release and understand the exact details of the vulnerability. Recently, Halvar Flake, the creator of BinDiff, posted a message to a security mailing list detailing how he was able to use binary differential analysis to isolate the details of the Microsoft portable networked graphics (.png) vulnerability in 20 minutes. In early June, his company, Sabre Security, published a paper describing how it used BinDiff for 30 minutes to uncover the details of an SSL vulnerability Microsoft had patched. The reverse engineering of patches has been going on for years but current tools make the process much less time consuming. Technology marches on. We cannot ignore advances in vulnerability detail discovery when deciding security risk tradeoffs. Winkler's harm vs. good calculus left out a substantial part on the good side of the equation: the advancement of secure software development techniques. Secure software development requires in-depth knowledge of all classes of vulnerabilities and their potential exploitability. Why would anyone want to impede this? Consider the fact that a newly discovered vulnerability may introduce a new class of security issue. At one time format string vulnerabilities, cross-site scripting and integer overflows were new. Someone had to discover the first one and when they did they may not have even known it was a new class of vulnerability. Without publishing the details, a new class of vulnerability will never be widely known and development teams or their security contractors will not know to look for them as software is built. The same is true for new exploit techniques. If they aren't widely known, software development teams will prioritize issues as non-exploitable, no need to fix. People don't dedicate expensive development resources to fix classes of security bugs that are merely theoretically exploitable. If Winkler's vulnerability detail secrecy took hold back in 1995, today we wouldn't know to audit for format string vulnerabilities, cross-site scripting problems or integer overflows in software during its development. All Windows heap overruns would be downgraded to unexploitable, no need to patch. This head in the sand approach would cause our software infrastructure to be far more brittle than it is now. Once a vendor patch has been available for 30 days and people have had ample time to deploy the patch, it is time to learn from the vulnerability by publishing the details for all to study. That is how progress in an open society is made. We learn from our collective mistakes. Vulnerability secrecy will doom us to a future like the Soviet Union with its guarded photocopiers and cloistered scientists, not able to exchange information with their peers in the rest of the world or even their own unapproved countrymen. We cannot stop foreign governments and criminal gangs from advancing their own vulnerability research, but collectively we can make our infrastructure stronger by sharing knowledge. You are a subscribed member of the infowarrior list. Visit www.infowarrior.org for list information or to unsubscribe. This message may be redistributed freely in its entirety. Any and all copyrights appearing in list messages are maintained by their respective owners.
