Dailydave mailing list archives
Re: A change
From: Ben Nagy <ben () iagu net>
Date: Mon, 25 Jan 2010 14:15:32 +0545
On Thu, Jan 21, 2010 at 11:02 PM, Menerick, John <jmenerick () netsuite com> wrote:
Comments inline
While I certainly appreciate brevity, I feel that it must be considered as one half of the ratio to content and not a virtue in and of itself...
On Jan 20, 2010, at 2:04 PM, Jim Manico wrote:How many similar 0-days are for sale on the black market?Quite a few.
I'd love to see your basis for this assertion. I'm not saying that in the "I don't believe you" sense, only in the "everyone always says that but nobody ever puts up any facts" sense.
What is the rate/difficulty for discovery of new windows-based 0-days for the common MS and Adobe products that are installed on almost every corporate client? (I heard Dave mention that discovery is getting more difficult)?Not terribly difficult for someone who is dedicated. Then again, my idea of difficult is much different from the avg. person
I think that while finding 0-days might be 'not terribly difficult', selecting and properly weaponising useful 0-days from the masses of dreck your fuzzer spits out IS difficult - at least in my experience. There was some discussion of the 'too many bugs' problem on this list previously and I know several of the other fuzzing guys are currently researching the same area. Of course you'd explain this to your 'avg. person', as well as explaining that the skillset for finding bugs is not necessarily the same as the skillset for writing reliable exploits for them, and that 'dedication' may not sufficiently substitute for either.
How easy is discovery for someone with resources like the Chinese government?Much simpler.
Setting aside the previous point that discovery is only the start, I think it's instructive to consider which elements of the process scale well with money. Finding the bugs: You need a fuzzing infrastructure that scales - running peach on one laptop with 30 ninjas standing around it with IDA Pro open is not going to work. Also consider tracking what you've already tested, tracking the results, storing all the crashes, blah blah blah. This does scale well with money, but it's an area that not as many people have looked at as I would like. Seeing which bugs are exploitable: Using a naive approach, this scales horribly poorly with money - non-linearly, to put it mildly. There are only so many analysts you will be able to hire that have enough smarts to look at a non-trivial bug and correctly determine its exploitability. You only have to look at some of the Immunity guys' (hi Kostya) records with turning bugs that other people had discarded as DoS or "Just Too Hard" into tight exploits. Even for ninjas, it's slow. There is research being done into doing 'some' of this process automatically (well, I'm doing some, and I know a couple of other guys are too, so that counts), but I don't know of anyone that has a great result in the area yet - I'd love to be corrected. Creating nice, reliable exploits: I'd assert that this is like the previous point, but even harder. To be honest, it's not really my thing, so probably one of the people that write exploits for a living would be better to comment, but from talking to those kind of guys, it's often a very long road from 'woo we control ebx' to reliable exploitation, especially against modern OSes and modern software that has lots of stuff built in to make your life harder. I don't know how much of the process can really be automated - I mean there are some nice things like the (old now) EEREAP and newer windbg extensions from the Metasploit guys that will find you jump targets according to parameters and so forth, but up until now I was labouring under the impression that a lot of it remains brain-jitsu, which is hard to scale linearly with money. So, while I think that 'simpler' is certainly unassailable, I would need more than a two word assertion to be convinced that it is 'much' simpler. If you give one team a million dollars and 100 people selected at random from the top 10% graduating computer science and you give the other team their pick of any 4 researchers in the world and 3 imacs, whom does the smart money think will produce more weapons grade 0day after 6 months? (No it's not a fair comparison. It's a thought experiment.) Food for thought, perhaps, since sound bites need little care and feeding. Cheers, ben _______________________________________________ Dailydave mailing list Dailydave () lists immunitysec com http://lists.immunitysec.com/mailman/listinfo/dailydave
Current thread:
- Re: A change, (continued)
- Re: A change Moxie Marlinspike (Jan 15)
- Re: A change Parity (Jan 19)
- Re: A change Rich Smith (Jan 18)
- Re: A change delchi delchi (Jan 20)
- Re: A change Moxie Marlinspike (Jan 15)
- Re: A change Nelson Brito (Jan 18)
- Re: A change val smith (Jan 19)
- Re: A change Matthew Wollenweber (Jan 20)
- Re: A change Marius (Jan 20)
- Re: A change Jim Manico (Jan 20)
- Re: A change Menerick, John (Jan 24)
- Re: A change Ben Nagy (Jan 26)
- Re: A change Rodrigo Rubira Branco (BSDaemon) (Jan 27)
- Re: A change Nick FitzGerald (Jan 27)
- Re: A change Lurene Grenier (Jan 27)
- Re: A change Dragos Ruiu (Jan 28)
- Re: A change alexm (Jan 20)