Vulnerability Development mailing list archives

Re: Cons and Security Validation


From: Crispin Cowan <crispin () WIREX COM>
Date: Tue, 6 Feb 2001 23:37:21 -0800

Blue Boar wrote:

Me sitting on an exploit doesn't serve anybody.  So far I really like
the work going into the Immunix project.  I'd hate to see you guys
pull what some would see as a marketing scam.  Don't get me wrong..
nothing wrong with having your box as a target in CTF... what would be
wrong would be Immunix later saying it's secure based on lack of a breakin
during CTF.

Thanks very much for your praise and feedback.  It's kind of intriguing; we
became interested in CTF contests precisely because I have major problems
with the validity of Internet hack-me challenges like the Argus OpenHack,
although Argus was graceful enough to say the right things in their public
statements on the significance of OpenHack.

So to broaden the question: what WOULD be the ideal way to demonstrate the
validity of the technology?  We actually do have an internal staff position
of Adversary, who regularly tests our tech. against whatever relevant
exploits we can find.  But some kind of external validation is needed; "we're
secure because we say so" is crap.

We'd love to hear suggestions from the community, especially this community.
BB's suggestion of hack.immunix.com is a good one, but I'm not sure how much
it differs from the usual hack-me contest.  How do other people feel about
that?

This is a VERY hard problem.  From our discussions a month back, a secure
thingie is a thingie that does what it is supposed to, and nothing else.
Proving the "nothing else" part is astonishingly difficult.  The academic
community basically failed completely on that one, and punted to the BS in
the Orange Book, which is really just a recitation on some motherhood and
apple pie guidelines for good security design and good software engineering
implementation.  You can get an A1 secure rating and still be vulnerable.

Thanks,
    Crispin

--
Crispin Cowan, Ph.D.
Chief Research Scientist, WireX Communications, Inc. http://wirex.com
Free Hardened Linux Distribution:                    http://immunix.org
