Dailydave mailing list archives

Re: A change


From: Ben Nagy <ben () iagu net>
Date: Mon, 25 Jan 2010 14:15:32 +0545

On Thu, Jan 21, 2010 at 11:02 PM, Menerick, John <jmenerick () netsuite com> wrote:
> Comments inline

While I certainly appreciate brevity, I feel that it must be
considered as one half of the ratio to content and not a virtue in and
of itself...

> On Jan 20, 2010, at 2:04 PM, Jim Manico wrote:
>> How many similar 0-days are
>> for sale on the black market?
>
> Quite a few.

I'd love to see your basis for this assertion. I'm not saying that in
the "I don't believe you" sense, only in the "everyone always says
that but nobody ever puts up any facts" sense.

>> What is the rate/difficulty for discovery
>> of new windows-based 0-days for the common MS and Adobe products that
>> are installed on almost every corporate client? (I heard Dave mention
>> that discovery is getting more difficult)?
>
> Not terribly difficult for someone who is dedicated. Then again, my idea
> of difficult is much different from the avg. person

I think that while finding 0-days might be 'not terribly difficult',
selecting and properly weaponising useful 0-days from the masses of
dreck your fuzzer spits out IS difficult - at least in my experience.
There was some discussion of the 'too many bugs' problem on this list
previously and I know several of the other fuzzing guys are currently
researching the same area. Of course you'd explain this to your 'avg.
person', as well as explaining that the skillset for finding bugs is
not necessarily the same as the skillset for writing reliable exploits
for them, and that 'dedication' may not sufficiently substitute for
either.

>> How easy is discovery for
>> someone with resources like the Chinese government?
>
> Much simpler.

Setting aside the previous point that discovery is only the start, I
think it's instructive to consider which elements of the process scale
well with money.

Finding the bugs: You need a fuzzing infrastructure that scales -
running peach on one laptop with 30 ninjas standing around it with IDA
Pro open is not going to work. Also consider tracking what you've
already tested, tracking the results, storing all the crashes, blah
blah blah. This does scale well with money, but it's an area that not
as many people have looked at as I would like.

Seeing which bugs are exploitable: Using a naive approach, this scales
horribly poorly with money - non-linearly, to put it mildly. There are
only so many analysts you will be able to hire that have enough smarts
to look at a non-trivial bug and correctly determine its
exploitability. You only have to look at some of the Immunity guys'
(hi Kostya) records with turning bugs that other people had discarded
as DoS or "Just Too Hard" into tight exploits. Even for ninjas, it's
slow. There is research being done into doing 'some' of this process
automatically (well, I'm doing some, and I know a couple of other guys
are too, so that counts), but I don't know of anyone that has a great
result in the area yet - I'd love to be corrected.

Creating nice, reliable exploits: I'd assert that this is like the
previous point, but even harder. To be honest, it's not really my
thing, so probably one of the people that write exploits for a living
would be better to comment, but from talking to those kind of guys,
it's often a very long road from 'woo we control ebx' to reliable
exploitation, especially against modern OSes and modern software that
has lots of stuff built in to make your life harder. I don't know how
much of the process can really be automated - I mean there are some
nice things like the (old now) EEREAP and newer windbg extensions from
the Metasploit guys that will find you jump targets according to
parameters and so forth, but up until now I was labouring under the
impression that a lot of it remains brain-jitsu, which is hard to
scale linearly with money.

So, while I think that 'simpler' is certainly unassailable, I would
need more than a two word assertion to be convinced that it is 'much'
simpler. If you give one team a million dollars and 100 people
selected at random from the top 10% graduating computer science and
you give the other team their pick of any 4 researchers in the world
and 3 iMacs, who does the smart money think will produce more weapons
grade 0day after 6 months?

(No it's not a fair comparison. It's a thought experiment.)

Food for thought, perhaps, since sound bites need little care and feeding.

Cheers,

ben
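As an added illustration of the "too many bugs" problem the post describes (crash tracking, de-duplication, and the first naive pass at exploitability), here is a small triage script. It is not code from the original post or from any tool it mentions. It buckets fuzzer crashes by a hash of their top stack frames so duplicates collapse, then ranks buckets with coarse heuristics of the kind automated classifiers use (program-counter control, write faults, near-NULL reads). The crash records, field names and heuristic thresholds are all constructed assumptions for the example.

```python
"""Added example (not part of the original mailing-list post): a toy crash
triage pass for fuzzer output. Crashes are bucketed by a stack hash so that
duplicates collapse, then each bucket gets a coarse exploitability rank from
naive heuristics. All crash records, field names and thresholds below are
constructed for illustration and do not mirror any real tool's output format.
"""
import hashlib
from collections import defaultdict

# Constructed crash records, as a fuzzing harness might log them.
CRASHES = [
    {"id": 1, "fault": "write", "addr": 0x41414141, "pc": 0x7FF6A0001234,
     "stack": ["memcpy", "parse_chunk", "parse_file", "main"]},
    {"id": 2, "fault": "write", "addr": 0x41414151, "pc": 0x7FF6A0001234,
     "stack": ["memcpy", "parse_chunk", "parse_file", "main"]},
    {"id": 3, "fault": "read", "addr": 0x10, "pc": 0x7FF6A0004567,
     "stack": ["get_header", "parse_file", "main"]},
    {"id": 4, "fault": "exec", "addr": 0x42424242, "pc": 0x42424242,
     "stack": ["??", "dispatch_cb", "parse_file", "main"]},
    {"id": 5, "fault": "read", "addr": 0x10, "pc": 0x7FF6A0004567,
     "stack": ["get_header", "parse_file", "main"]},
]

TOP_FRAMES = 3  # frames used for bucketing; deeper frames mostly add noise


def bucket_key(crash, depth=TOP_FRAMES):
    """Stable bucket identifier: hash of the top `depth` stack frames."""
    frames = "|".join(crash["stack"][:depth])
    return hashlib.sha256(frames.encode()).hexdigest()[:12]


def classify(crash):
    """Coarse exploitability guess as (rank, label); lower rank = look first.

    The heuristics are deliberately naive. This is exactly the step the post
    says scales badly: a rank of 2 ("needs analyst") is where the humans go.
    """
    fault, addr, pc = crash["fault"], crash["addr"], crash["pc"]
    if fault == "exec" or pc == addr:
        return 0, "EXPLOITABLE: control of program counter"
    if fault == "write":
        return 1, "EXPLOITABLE: out-of-bounds or controlled write"
    if addr < 0x1000:
        return 3, "PROBABLY_NOT: near-NULL read (likely DoS)"
    return 2, "UNKNOWN: read fault, needs analyst"


def triage(crashes):
    """Group crashes into buckets and rank buckets by their worst-case member."""
    buckets = defaultdict(list)
    for crash in crashes:
        buckets[bucket_key(crash)].append(crash)
    ranked = []
    for key, members in buckets.items():
        rank, label = min(classify(c) for c in members)
        ranked.append({"bucket": key, "count": len(members), "rank": rank,
                       "label": label, "ids": [c["id"] for c in members]})
    # Most promising first; within equal rank, the bucket hit most often.
    ranked.sort(key=lambda b: (b["rank"], -b["count"]))
    return ranked


if __name__ == "__main__":
    for b in triage(CRASHES):
        print(f"{b['bucket']}  n={b['count']}  {b['label']}  ids={b['ids']}")
```

With the constructed input, five crashes collapse to three buckets: the PC-control crash is ranked first, the two memcpy write faults second, and the near-NULL reads last. In practice the "UNKNOWN" bucket is the one that grows without bound, which is the scaling problem the post is talking about.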
_______________________________________________
Dailydave mailing list
Dailydave () lists immunitysec com
http://lists.immunitysec.com/mailman/listinfo/dailydave
