Thursday, March 22, 2007

Bug Hunting Is Getting Harder

If you have been a part of the security community for even just a couple of years, you have no doubt noticed the decrease in serious bugs being reported and exploited out there. This is definitely no coincidence. Vulnerabilities are getting harder to find and even harder to exploit, which creates a lot of value for quality bugs in widely used software. I have partly blogged on this in the past.

I should also probably mention I don't consider XSS bugs a part of these statistics...yet. They are without a doubt a serious issue, but at this point they are still in their infancy and affect (probably) more than 90% of web applications out there. It's like looking back at Bugtraq from 2000 and seeing "buffer overflow" everywhere; they too will settle down in time.

Sometimes we still see straightforward stack overflows, like the recent Snort DCE/RPC overflow found by Neel Mehta, but in general I feel bugs are getting more and more obscure. I personally feel there are many, many integer overflow and underflow vulnerabilities still waiting to be found; they are hard to come by and even harder to exploit, since the conditions have to be just right. We saw new research into uninitialized variable attacks in the past two years, yet they remain nonexistent on our mailing lists. Are they not being found? Or are they just very hard to exploit?

So what's the point of this blog post? A question for you. What is the future of vulnerability research? Where are we headed in terms of exploitation techniques? Are there any more undiscovered bug classes?

My answers to these questions: the future of vulnerability research is this. Bugs will continue to become more and more obscure and gain more and more monetary value as time goes on. Exploitation techniques are going to get trickier in order to defeat now-mainstream memory protection techniques. There are undiscovered bug classes, in my opinion, and when I find one, I'll let you know!

Wednesday, March 14, 2007

Quick LibELF Guide

Libelf is great; I use it a lot. It's multi-platform, well written, the license is LGPL, and the author answers questions quickly. But the documentation just isn't there. I get a lot of hits to this blog when people search Google on libelf topics, so I thought a good blog entry on how to use libelf would be beneficial to others. Below is a link to heavily commented C code on using libelf to read the sections and symbols of an ELF object.

Libelf Example in C

It's an example of how to read an ELF object's section header table and symbol table. I'll leave relocation reading as an exercise for the reader.
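The post links to the author's libelf code rather than showing it, so here is an added example, not that linked code, that reads the same things stand-alone: the section header table, section names through e_shstrndx, and the .symtab entries with their names through sh_link. It uses the raw structures from <elf.h> instead of libelf so it builds with no extra library, and the comments name the libelf call each step stands in for (elf_begin, gelf_getshdr, elf_strptr, elf_getdata, gelf_getsym). The object it parses is a small ET_REL image constructed in memory (a little-endian host is assumed), and the part worth copying is the bounds checking: e_shoff/e_shnum, sh_offset/sh_size and st_name are all validated before use, since an object file handed to a parser is untrusted input.

```c
/* Added example: walk ELF64 section headers and the symbol table with the raw
 * structures from <elf.h> (no libelf needed). Comments note the libelf equivalents. */
#include <elf.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

typedef struct { char name[32]; uint64_t value, size; unsigned char bind, type; } SymInfo;

/* Validate the header and the bounds of the section header table (libelf: elf_begin + elf_kind). */
static int check_header(const unsigned char *buf, size_t len, Elf64_Ehdr *eh) {
    if (len < sizeof *eh) return -1;
    memcpy(eh, buf, sizeof *eh);                        /* memcpy: the input may be unaligned */
    if (memcmp(eh->e_ident, ELFMAG, SELFMAG) || eh->e_ident[EI_CLASS] != ELFCLASS64) return -1;
    if (eh->e_shentsize != sizeof(Elf64_Shdr) || eh->e_shoff > len) return -1;
    if (eh->e_shnum > (len - eh->e_shoff) / sizeof(Elf64_Shdr)) return -1;   /* e_shnum is untrusted */
    return eh->e_shstrndx < eh->e_shnum ? 0 : -1;
}
/* Copy section header i; caller guarantees i < e_shnum (libelf: elf_getscn + gelf_getshdr). */
static void get_shdr(const unsigned char *buf, const Elf64_Ehdr *eh, unsigned i, Elf64_Shdr *sh) {
    memcpy(sh, buf + eh->e_shoff + (size_t)i * sizeof *sh, sizeof *sh);
}
/* Bounds-checked lookup in a SHT_STRTAB section; NULL if the string runs off the table (libelf: elf_strptr). */
static const char *str_at(const unsigned char *buf, size_t len, const Elf64_Shdr *st, uint64_t off) {
    if (st->sh_type != SHT_STRTAB || st->sh_offset > len || st->sh_size > len - st->sh_offset) return NULL;
    if (off >= st->sh_size) return NULL;
    const char *s = (const char *)buf + st->sh_offset + off;
    return memchr(s, '\0', st->sh_size - off) ? s : NULL;
}
/* Index of the first section named `name`, or -1 (names live in the e_shstrndx string table). */
int find_section(const unsigned char *buf, size_t len, const char *name) {
    Elf64_Ehdr eh; Elf64_Shdr sh, shstr;
    if (check_header(buf, len, &eh)) return -1;
    get_shdr(buf, &eh, eh.e_shstrndx, &shstr);
    for (unsigned i = 0; i < eh.e_shnum; i++) {
        get_shdr(buf, &eh, i, &sh);
        const char *n = str_at(buf, len, &shstr, sh.sh_name);
        if (n && strcmp(n, name) == 0) return (int)i;
    }
    return -1;
}
/* Fill `out` from .symtab, skipping the reserved null entry; returns the count or -1.
 * (libelf: elf_getdata on the SHT_SYMTAB section, then gelf_getsym per entry.) */
int read_symbols(const unsigned char *buf, size_t len, SymInfo *out, int max) {
    Elf64_Ehdr eh; Elf64_Shdr symsec, strsec;
    int idx = find_section(buf, len, ".symtab");
    if (idx < 0 || check_header(buf, len, &eh)) return -1;
    get_shdr(buf, &eh, (unsigned)idx, &symsec);
    if (symsec.sh_type != SHT_SYMTAB || symsec.sh_entsize != sizeof(Elf64_Sym)) return -1;
    if (symsec.sh_link >= eh.e_shnum || symsec.sh_offset > len || symsec.sh_size > len - symsec.sh_offset) return -1;
    get_shdr(buf, &eh, symsec.sh_link, &strsec);        /* sh_link points at the symbol string table */
    int n = 0;
    for (uint64_t i = 1; i < symsec.sh_size / sizeof(Elf64_Sym) && n < max; i++, n++) {
        Elf64_Sym sym;
        memcpy(&sym, buf + symsec.sh_offset + i * sizeof sym, sizeof sym);
        const char *nm = str_at(buf, len, &strsec, sym.st_name);
        snprintf(out[n].name, sizeof out[n].name, "%s", nm ? nm : "<bad st_name>");
        out[n].value = sym.st_value; out[n].size = sym.st_size;
        out[n].bind = ELF64_ST_BIND(sym.st_info); out[n].type = ELF64_ST_TYPE(sym.st_info);
    }
    return n;
}

/* Constructed ET_REL image: [Ehdr][.strtab][.shstrtab][.symtab][4 x Shdr]. Assumes a little-endian host. */
static const char STRTAB[] = "\0helper\0main\0global_counter";     /* name offsets 1, 8, 13 */
static const char SHSTRTAB[] = "\0.symtab\0.strtab\0.shstrtab";    /* name offsets 1, 9, 17 */
unsigned char *build_sample_elf(size_t *len_out) {
    size_t str_off = sizeof(Elf64_Ehdr), shs_off = str_off + sizeof STRTAB;
    size_t sym_off = (shs_off + sizeof SHSTRTAB + 7) & ~(size_t)7, sym_size = 4 * sizeof(Elf64_Sym);
    size_t sh_off = (sym_off + sym_size + 7) & ~(size_t)7, total = sh_off + 4 * sizeof(Elf64_Shdr);
    unsigned char *buf = calloc(1, total);
    if (!buf) return NULL;
    Elf64_Ehdr eh = {0}; Elf64_Sym sym[4] = {{0}}; Elf64_Shdr sh[4] = {{0}};   /* index 0 stays null */
    memcpy(eh.e_ident, ELFMAG, SELFMAG);
    eh.e_ident[EI_CLASS] = ELFCLASS64; eh.e_ident[EI_DATA] = ELFDATA2LSB; eh.e_ident[EI_VERSION] = EV_CURRENT;
    eh.e_type = ET_REL; eh.e_machine = EM_X86_64; eh.e_version = EV_CURRENT; eh.e_ehsize = sizeof eh;
    eh.e_shoff = sh_off; eh.e_shentsize = sizeof(Elf64_Shdr); eh.e_shnum = 4; eh.e_shstrndx = 3;
    /* locals precede globals, so .symtab's sh_info (first non-local index) is 2 */
    sym[1] = (Elf64_Sym){ .st_name = 1, .st_info = ELF64_ST_INFO(STB_LOCAL, STT_FUNC), .st_value = 0x40, .st_size = 17 };
    sym[2] = (Elf64_Sym){ .st_name = 8, .st_info = ELF64_ST_INFO(STB_GLOBAL, STT_FUNC), .st_value = 0x1000, .st_size = 42 };
    sym[3] = (Elf64_Sym){ .st_name = 13, .st_info = ELF64_ST_INFO(STB_GLOBAL, STT_OBJECT), .st_value = 0x2000, .st_size = 4 };
    sh[1] = (Elf64_Shdr){ .sh_name = 1, .sh_type = SHT_SYMTAB, .sh_offset = sym_off, .sh_size = sym_size,
                          .sh_link = 2, .sh_info = 2, .sh_addralign = 8, .sh_entsize = sizeof(Elf64_Sym) };
    sh[2] = (Elf64_Shdr){ .sh_name = 9, .sh_type = SHT_STRTAB, .sh_offset = str_off, .sh_size = sizeof STRTAB };
    sh[3] = (Elf64_Shdr){ .sh_name = 17, .sh_type = SHT_STRTAB, .sh_offset = shs_off, .sh_size = sizeof SHSTRTAB };
    memcpy(buf, &eh, sizeof eh); memcpy(buf + str_off, STRTAB, sizeof STRTAB);
    memcpy(buf + shs_off, SHSTRTAB, sizeof SHSTRTAB); memcpy(buf + sym_off, sym, sizeof sym);
    memcpy(buf + sh_off, sh, sizeof sh);
    *len_out = total;
    return buf;
}

int main(void) {
    size_t len; SymInfo syms[8];
    unsigned char *img = build_sample_elf(&len);
    if (!img) return 1;
    int n = read_symbols(img, len, syms, 8);
    printf(".symtab is section %d; %d symbols\n", find_section(img, len, ".symtab"), n);
    for (int i = 0; i < n; i++)
        printf("  %-16s value=0x%llx size=%llu bind=%d type=%d\n", syms[i].name,
               (unsigned long long)syms[i].value, (unsigned long long)syms[i].size, syms[i].bind, syms[i].type);
    free(img);
    return n < 0;
}
```

To run it over a real object, read the file into a buffer and hand buf/len to find_section and read_symbols; every offset the file supplies is checked against len, so a truncated or corrupted object is rejected instead of read out of bounds.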

Tuesday, March 13, 2007

Linux Kernel 2.6.20.3

Does anyone follow the Linux kernel changelog like I do? Well, if you said yes, then you're a real geek. Congratulations.

http://www.kernel.org/pub/linux/kernel/v2.6/ChangeLog-2.6.20.3

$ grep fix ChangeLog-2.6.20.3 -i | wc -l
32
$

Yikes, that's a lot of 'fix'. Mostly NULL pointer dereferences; I'll have to dig a bit deeper into these later. Despite all the vulnerabilities and bloated code, Linux remains my OS of choice. It is really maturing, and with PaX it is mostly secure. Although security isn't what troubles me with Linux these days; it's more of a reliability issue with the OS. But I guess that's the price you pay for constantly evolving functionality.