RE: Techniques for Vulnerability discovery

["Oliver Petruzel" <opetruzel () cox rr com>]

I am sincerely glad someone brought this up. My concern lies in a total
lack of education or training in this area.  Hacking 101 courses are all
over the place now; teaching MCSE-kiddies and non-technical managers how
to run scripts and nmap (swell..$2-4k to learn this stuff in 3 days?
Ach, ask a single grad of those programs what nmap is ACTUALLY sending
and receiving..lol "duhh, errr, but it says it's BeOS with port 80 open,
I'll just use securityfocus like they showed me to find a script to
shoot at it..")...

(I digress...) There are not many courses that I know of that actually
explain the methodology in searching for *new* vulnerabilities... As in
"Tearing apart that new .dll, .asp, or cgi from a security perspective
101"

Some folks claim it's just trial and error and dumb luck.  Others say
that folks troll the "most downloaded" new pieces of software at
shareware sites and then pound away semi-blindly with input variables
and switches that have worked against previously announced holes in
other software until they find something that will get their name on
bugtraq... 

Problem is, in our growing field of infosec, beyond post-grad or
doctorate level CS, there aren't very many educational tracks to show
your average programmer/engineer how to start finding new holes... The
only thing I can think of is to send someone through: a secure
programming program AND a webapp dev course AND a windows API course AND
AND AND..etc...we're talking tens of thousands of bucks there, not to
mention the hours involved..ouch.

My goal:  I want to take 4 of my Jr Security Engineers and send them
somewhere for a week or two, or perhaps several weeks at night, and have
them come back to tear apart software like it's nothing... <foundstone,
hint hint, E&Y, hint hint.. Anyone? Bueller? Bueller?...>  Of course,
pre-req's would be a solid knowledge of scripting languages, C/C++,
network architectures and protocols, and all publically known scripts
and code... (but I require that of my jr's anyways so I just want
someone else to show them the next level!  I have no time, and hell, if
the course is good enough, I would even go so that I can stop using
semi-educated dumbluck and trial and error! lol)

I am VERY interested to see someone post a resource... Maybe this is
just a pipe-dream.

./oliver

Ps: on a side note, there are several interesting projects currently in
dev everywhere to automate all of this..  So don't worry, soon those
afraid of anything they can't click on will also be able to point and
click their way through code to find new vulns...swell eh?  There are
even dev projects going to automate vulnerability discovery in ALREADY
COMPILED software! Woohoo...

"Excellent Smithers! Now activate the artificial lightning and blue
screens of death!"

-----Original Message-----
From: kaipower [mailto:kaipower () subdimension com] 
Sent: Thursday, April 04, 2002 8:05 PM
To: security-basics () securityfocus com; vuln-dev () security-focus com;
vuln-dev () securityfocus com
Subject: Techniques for Vulneability discovery


Hi,

After reading the mailing list for quite a while, there is a burning
question which I kept asking myself:

How do experts discover vulnerabilities in a system/software?

Some categories of vulnerabilities that I am aware of:
1) Buffer overflow (Stack or Heap)
2) Mal access control and Trust management
3) Cross site scripting
4) Unexpected input - e.g. SQL injection?
5) Race conditions
6) password authentication

Do people just run scripts to brute force to find vulnerabilities? (as
in the case of Buffer overflows) Or do they do a reverse engineer of the
software?

How relevant is reverse engineering in this context?

Anybody out there care to give a methodology/strategy in finding
vulnerabilities?

Mike



_________________________________________________________
Do You Yahoo!?
Get your free @yahoo.com address at http://mail.yahoo.com