Thursday, March 22, 2007

Bug Hunting Is Getting Harder

If you have been part of the security community for even just a couple of years, you have no doubt noticed the decrease in serious bugs being reported and exploited out there. This is definitely no coincidence. Vulnerabilities are getting harder to find and even harder to exploit, which creates a lot of value for quality bugs in widely used software. I have partly blogged on this in the past.

I should also mention that I don't count XSS bugs in these statistics...yet. They are without a doubt a serious issue, but at this point they are still in their infancy and affect (probably) more than 90% of web applications out there. It's like looking back at Bugtraq from 2000 and seeing "buffer overflow" everywhere; XSS will settle down in time too.

Sometimes we still see straightforward stack overflows like the recent Snort DCE/RPC overflow found by Neel Mehta, but in general bugs are getting more and more obscure. I personally feel there are many, many integer overflow and underflow vulnerabilities still waiting to be found; they are hard to come by and even harder to exploit, because the conditions have to be just right (the wrapped or sign-flipped value has to end up in an allocation size, a length check or an index the attacker can actually reach). We saw new research into uninitialized variable attacks in the past two years, yet they remain nonexistent on our mailing lists. Are they not being found, or are they just very hard to exploit?
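To make the "conditions have to be just right" point concrete, here is an added example (written for this page, not code from the original post or from any of the software mentioned in it) of the two integer bug shapes that most often turn into memory corruption: a 32-bit count-times-size product that wraps into a tiny allocation, and a signed length that slips past a `len > BUF_SIZE` check and becomes a huge `size_t`. The header values and buffer size are constructed for illustration. The "vulnerable" functions only compute what would be allocated or copied and return it; they never perform the out-of-bounds access themselves.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define BUF_SIZE 256   /* constructed: size of the fixed destination buffer */

/*
 * Case 1: element count and element size read from an untrusted header.
 * Unsigned multiplication wraps modulo 2^32, so count=0x40000001 and
 * elem_size=4 yields 0x100000004 & 0xffffffff == 4: a 4-byte buffer is
 * allocated, and a loop that later copies `count` records of `elem_size`
 * bytes runs ~4 GiB past its end.
 */
uint32_t alloc_bytes_vuln(uint32_t count, uint32_t elem_size)
{
    return count * elem_size;   /* wraps; the caller trusts this value */
}

/*
 * Hardened form: rule out the wrap before multiplying. Returns the number
 * of bytes to allocate, or 0 to reject the request (an empty request is
 * rejected too, since the caller has nothing to parse).
 */
uint64_t alloc_bytes_safe(uint32_t count, uint32_t elem_size)
{
    if (count == 0 || elem_size == 0)
        return 0;
    if (count > UINT32_MAX / elem_size)   /* product would not fit in 32 bits */
        return 0;
    return (uint64_t)count * elem_size;   /* cannot wrap: checked above */
}

/*
 * Case 2: a signed length compared against the buffer size. The check
 * `len > BUF_SIZE` rejects 300 but happily accepts -1; when -1 is then
 * converted to size_t for memcpy it becomes SIZE_MAX. Returns the byte
 * count memcpy would be handed, or 0 if the input is rejected.
 */
size_t copy_len_vuln(int len)
{
    if (len > BUF_SIZE)
        return 0;
    return (size_t)len;   /* -1 -> SIZE_MAX */
}

/* Hardened form: reject negatives first, then compare as unsigned. */
size_t copy_len_safe(int len)
{
    if (len < 0 || (size_t)len > BUF_SIZE)
        return 0;
    return (size_t)len;
}

int main(void)
{
    /* constructed malicious header: count * elem_size wraps to 4 */
    uint32_t count = 0x40000001u, elem_size = 4;
    printf("wrapped alloc:  %u bytes for %u x %u\n",
           alloc_bytes_vuln(count, elem_size), count, elem_size);
    printf("checked alloc:  %llu (0 = rejected)\n",
           (unsigned long long)alloc_bytes_safe(count, elem_size));

    printf("signed len -1:  memcpy would get %zu bytes\n", copy_len_vuln(-1));
    printf("checked len -1: %zu (0 = rejected)\n", copy_len_safe(-1));
    return 0;
}
```

Note that the hardened versions reject rather than clamp: silently capping the size would keep the program running with a buffer that no longer matches the record count, which is exactly the mismatch an attacker is after.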

So what's the point of this blog post? A question for you. What is the future of vulnerability research? Where are we headed in terms of exploitation techniques? Are there any more undiscovered bug classes?

My answers to these questions: bugs will continue to become more and more obscure and to gain more and more monetary value as time goes on. Exploitation techniques are going to get trickier in order to defeat the now mainstream memory protections (non-executable stacks and heaps, stack canaries, ASLR). There are undiscovered bug classes, in my opinion, and when I find one, I'll let you know!


Anonymous said...

Where is the post about the linux reverse me?

Chris Rohlf said...

I accidentally deleted that post. Yes, I know I'm not very smart. If you still want to download it, you can find it here:

It requires a key to unlock an internal encoded PNG file. When the right key is supplied 'decrypted.png' will have the following details "PNG image data, 35 x 25, 8-bit/color RGB, non-interlaced" and the SHA1 hash of "f458eb16275311251d3c86cde1181549ebb361e2"

namedp said...

I feel that there are a lot of 'potential' bugs in code; the problem is that they require precise conditions to allow them to take place. You can manufacture the error, but developing a reliable exploit for it "in the wild" is improbable.

As for the future of vulnerability research, I feel that right now a lot of the bugs that will be found will be logic related (lots of people have problems with integers, for example). I also agree with your position that new techniques and bugs will appear with the changing environment.