Dailydave mailing list archives

Re: New presentation is up: 0days: How hacking really works


From: <halvar () gmx de>
Date: Tue, 1 Feb 2005 08:06:43 -0800

Hey all,

who promptly own my network with their three 0days that they've home
grown.  What have I gained from this?

Now, the penetration testing team doesn't necessarily even need the three 0days. You could just model the entire attack like this: The pentester can _choose_ for which k (probably less than 4) applications an 0day will be assumed. This means that the pentester will get access to any box he can reach and that is running one of the listed applications. If you can keep a pentester out of the network although he has 3 _chosen_ vulnerabilities, you're in pretty good shape against an attacker that has a stack of 0days.

This game can be played in multiple manners:
  1) The pentester can choose k 0days before beginning the pentest
  2) The pentester has k 0day-tokens which he can exchange for an 0day in a particular application during the test. Additional restrictions might apply reflecting the (possible) difficulty of the pentester obtaining a particular piece of code to analyze in the first place.

Of course, this turns a pentest into more of a boardgame, but also into more of an exercise of extending access. The pentesting team is still free to do all the password cracking/sniffing/MITMing they can. The point is that 0days are used as crowbars for entering, but access has to be furthered beyond the point of entry -- and this is usually where the creative/interesting part of pentesting is going on.

I personally would play under the assumption that the pentest team has a local privilege escalation on all platforms.

Obviously, the rules of this game greatly encourage using heterogeneous software. At this point we're at the old debate of monocultures vs. polycultures again. The interesting thing I see about the monocultures vs. polycultures debate is that polycultures seem good at preventing worm attacks (and limiting the disastrous effect of a single bug), but also imply a lot more code (and thus a lot more bugs).

This is where a rarely debated point in the entire mono- vs. polyculture debate comes in: Polycultures do have higher survivability under the assumption of an attacker with a limited number of 0days, but I am not sure whether they represent an actual improvement in security. Polycultures imply a lot more code, and a lot more dwelling grounds for bugs, and my gut feeling tells me that polycultures trade greater survivability against less security against patient intrusions. Polycultures also seem to ignore the fact that software is a natural monopoly, and in the long run there won't be different pieces of software to choose from in every situation.

Perhaps we should start a debate on proper rules for conducting better penetration tests :-)

In an ideal world we would have a free (auction-style) market for vulnerabilities. This would help tremendously in conducting a pentest, as the market would reflect the cost of developing a vulnerability for a particular target. It would then become a lot easier to model, for example, the attack of an adversary willing to spend 200k USD on getting your customer database.

While I am at writing a (potentially provocative) rant: I personally feel that an eBay-style market for vulnerability information would have many benefits, amongst others
  (a) reflecting the threat posed by a particular vulnerability automatically (no more "critical" ratings for noncritical bugs)
  (b) putting a price tag on the cost of conducting an attack with n 0days
  (c) providing incentive for bug discoverers to give up their bugs instead of using them
  (d) _reducing_ the number of intrusions (as fewer exploits will be traded amongst peers once they have a clear value)
  (e) providing reliable information about the number of 0days in circulation
  (f) providing incentive for software vendors to write better software, as the market will reflect how much money would need to be spent in order to hack a box running product XYZ -- if you only need to spend $5k to hack a box running $15k software, your sales people might have a hard time competing against a competitor for which either no 0days are available (or only at a much higher price)
I think the software industry has a market failure in the realm of software security as customers cannot tell an insecure product from a secure one, and can't judge coding quality themselves. A market for vulnerabilities would provide clear information about the security of a product.

Of course, this is all under the assumption of creating not only a market but also a perfect market (economically speaking) for vulnerabilities, and there might be adverse effects in the proposed model. It strikes me as odd though that the benefits that such a market would bring are so rarely debated.

Cheers,
Halvar
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
https://lists.immunitysec.com/mailman/listinfo/dailydave
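The "k chosen 0days" rule and the 0day-token variant described in the post above, as an added toy model (example code written for this archive page, not Halvar's own and not from any tool he describes). Everything below is an assumption of mine: the network is a directed reachability graph entered from a node called "internet", a host falls as soon as an already-owned node can reach it and it runs one of the chosen applications, and each owned host is a full vantage point (the post's assumed local privilege escalation on every platform). The topology and the application names are constructed sample data; the password cracking, sniffing and MITM work the post mentions is deliberately left out.

```python
"""Toy model of the 'k chosen 0days' pentest rule.

Assumptions (mine, not the post's): directed reachability graph entered from
EXTERNAL; a host is owned once an owned node can reach it and it runs one of
the chosen applications; owning a host gives full control, so it becomes a
new vantage point.  Only the 0day "crowbar" part of the game is modelled.
"""
from itertools import combinations
from typing import Dict, FrozenSet, Iterable, Optional, Set, Tuple

EXTERNAL = "internet"

Graph = Dict[str, Set[str]]   # src -> hosts it can reach (constructed sample data)
Apps = Dict[str, Set[str]]    # host -> applications it runs


def compromised_hosts(reach: Graph, apps: Apps, chosen: Iterable[str]) -> Set[str]:
    """Hosts the pentester owns given 0days for every application in `chosen`.

    Graph search from the external node: a reachable host is taken only if it
    runs a chosen application; once taken it is searched from as well.
    """
    chosen = set(chosen)
    owned: Set[str] = {EXTERNAL}
    frontier = [EXTERNAL]
    while frontier:
        src = frontier.pop()
        for dst in reach.get(src, set()):
            if dst not in owned and apps.get(dst, set()) & chosen:
                owned.add(dst)
                frontier.append(dst)
    owned.discard(EXTERNAL)
    return owned


def all_applications(apps: Apps) -> Set[str]:
    return set().union(*apps.values()) if apps else set()


def best_choice(reach: Graph, apps: Apps, k: int) -> Tuple[FrozenSet[str], Set[str]]:
    """Variant 1 of the game: choose up to k applications before the test so
    as to maximise the number of hosts owned.  Exhaustive search, which is
    fine for the handful of applications an engagement would enumerate."""
    best: Tuple[FrozenSet[str], Set[str]] = (frozenset(), set())
    candidates = sorted(all_applications(apps))
    for r in range(1, min(k, len(candidates)) + 1):
        for combo in combinations(candidates, r):
            owned = compromised_hosts(reach, apps, combo)
            if len(owned) > len(best[1]):
                best = (frozenset(combo), owned)
    return best


def tokens_needed(reach: Graph, apps: Apps, target: str, max_k: int) -> Optional[int]:
    """Variant 2 of the game: the smallest number of 0day tokens for which
    some choice of applications reaches `target`; None if max_k is not enough."""
    candidates = sorted(all_applications(apps))
    for r in range(1, min(max_k, len(candidates)) + 1):
        for combo in combinations(candidates, r):
            if target in compromised_hosts(reach, apps, combo):
                return r
    return None


# Constructed sample topology: two DMZ hosts reachable from the internet, an
# internal file server behind them, and the customer database behind that.
REACH: Graph = {
    EXTERNAL: {"dmz_web", "dmz_mail"},
    "dmz_web": {"intranet_fs"},
    "dmz_mail": {"intranet_fs"},
    "intranet_fs": {"customer_db"},
}

# Monoculture: every host runs the same stack, so one 0day opens everything.
MONO_APPS: Apps = {h: {"stack_x"} for h in ("dmz_web", "dmz_mail", "intranet_fs", "customer_db")}

# Polyculture: a different product on every tier.
POLY_APPS: Apps = {
    "dmz_web": {"web_a"},
    "dmz_mail": {"mail_b"},
    "intranet_fs": {"fs_c"},
    "customer_db": {"db_d"},
}

if __name__ == "__main__":
    for name, apps in (("monoculture", MONO_APPS), ("polyculture", POLY_APPS)):
        chosen, owned = best_choice(REACH, apps, k=2)
        need = tokens_needed(REACH, apps, "customer_db", max_k=4)
        print(f"{name}: with 2 chosen 0days {sorted(chosen)} the pentester owns "
              f"{len(owned)} host(s); customer_db needs {need} token(s)")
```

On the sample data the monoculture falls to a single token while the polyculture needs three to reach the database, which is exactly the "higher survivability against an attacker with a limited number of 0days" the post grants polycultures; the model says nothing about the extra code and bugs the post weighs against it.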