Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Thinking Beyond the Ivory Towers
Dave Aitel, 2008-05-15

In the information-security industry, there are clear and vast gaps in the way academia interacts with professional researchers. While these gaps will be filled in due time, their existence means that security professionals outside the hallowed halls of colleges and universities need to be aware of the differences in how researchers and professionals think.

In the most recent example, a paper on automatic patch-based exploit generation (APEG) by some researchers at Carnegie Mellon and University of Pittsburgh contained some decent technical work, but put forth vastly overreaching conclusions that the sky was falling and massive technical measures must be undertaken to save the Internet. The research translated a program to a specialized intermediate language that can then be turned into an equation. This equation is solved to find what kind of data you need to send the program to reach a certain state. The technique was tested against a few sample vulnerabilities and demonstrated to crash the programs when given the patch information.

If you've listened to Halvar Flake at BlackHat for the past six years, this will sound eerily familiar. It's all very cool stuff technically and potentially useful for many things, finding zero-day vulnerabilities chief among them.

One issue an exploit developer may notice immediately while reading the paper is that crashing a program is not that same as exploiting it. Even having control of the instruction pointer is not even close to exploiting it in this day and age. In the paper, the authors stated that:

determining the specific address for a successful control hijack requires predicting the processes memory layout, which changes each time the process is invoked. Attackers currently do this by essentially repeatedly launching an attack until the memory layout matches what the exploit expects. We similarly repeatedly launch the attack until we achieve a successful control hijack.
This is not true. Attackers control the memory layout via memory leaks and carefully crafted requests. They don't repeatedly launch attacks and hope that luck is on their side. You rarely get the chance to run your exploit twice these days. If the process crashes, you're done.

An exploit in standard parlance is a program that can get control of another program, not just crash it. Crashing a program is known as producing a proof-of-concept. It's the difference between screaming "Haberdashery!" at someone until they go away and convincing them with reasoned argument.

As an aside, this is also why many academics have failed to understand why the security vulnerabilities market seems depressed. Writing a reliable exploit can take a long time even when you know about a vulnerability. It's always unknown if writing the exploit is even possible, until you have it working. If you buy a vulnerability for $10,000, you are expecting to potentially put another $80,000 into making it an exploit worth using. Of course, you wouldn't know this unless you had experience writing exploits.

The last paragraph of the APEG paper, a broad call to action, is summarized on the author's page as:

Attackers can simply wait for a patch to be released, use these techniques, and with reasonable chance, produce a working exploit within seconds. Coupled with a worm, all vulnerable hosts could be compromised before most are even aware a patch is available, let alone download it. Thus, Microsoft should redesign Windows Update.
These are statements that don't follow from the paper's research at all.

Story continued on Page 2 

Dave Aitel is the CTO and founder of Immunity, a Miami Beach-based information security company focusing on offensive technologies.
    Digg this story   Add to del.icio.us   (page 1 of 2 ) next 
Comments Mode:
Thinking Beyond the Ivory Towers 2008-05-15
Thinking Beyond the Ivory Towers 2008-05-16
Stephen L (1 replies)
To be fair... 2008-05-22
Thinking Beyond the Ivory Towers 2008-05-24
Thinking Beyond the Ivory Towers 2008-05-26
Thinking Beyond the Ivory Towers 2008-05-27


Privacy Statement
Copyright 2010, SecurityFocus