This morning I noticed that McAfee announced yesterday that they fully intend to once again enter the game of public vulnerability disclosure. Now, as you may or may not know, I’m a huge fan of full-disclsure; given my belief that full-disclosure is a …

Furthermore, there exists a new market to sell disclosure to those who can pay regardless of intentions. Like any criminal activity, this is a natural process. Pete refers to the natural process of development to discovered vulnerabilty that researchers are disturbing. It never was a natural process. Someone has to actively look for most bugs and then consider implications/payload/process before it becomes a verifiable problem. So whether it be the misguided evolution of penetration testing to force researchers to add 0-days to their bag of tricks (to earn more money) or sec researchers looking for bugs for money or attention the process has always been forced.

As the issue now stands, it is unfixable through “responsible disclosure”. The market has been made. Anyone with a debugger and a fuzzer stands to make something of themselves one way or another. Even 3rd party “IDS/IPS/FW/Anti-Virus/Bogus Powdered Spit Protection” wants a share of the cash. Some of them are the same vendors who sell the buggy software to start with. The capitalistic forces in this market segment are overwhelming and the disclosure debate is no more than a form of idleness. There can only be one way forward here and that’s to close the loop– vendors need to stop releasing bad software WITHOUT warranty/responsibility/reliability.

How do we get there? Disclosure. It’s a force that has existed as long as humans have been social creatures living in communities. We share the scary stuff with each other through song, dance, or recently, words, and try to help our neighbors by making them aware so they can help watch out with us. Secrets of pain are only hurtful to ourselves in the long run.

> You both make the case that the effort should be on protecting systems and data from all vulnerabilities at either o/s or app level.

I took care to change that claim from all vulnerabilities to entire classes of vulnerabilities. Anyone who is claiming to protect against all known and unknown problems is obviously selling you something.

A trusted base is the starting point, but covers well more than the OS itself. You have to start with the hardware and build up the trust of your base from there.

Even with SE Linux installed with a well thought out policy, application level flaws could lead to Confidentiality and Integrity faults depending on how well the application code was written. IE, SQL injection would still be possible, but you wouldn’t be able to “pop a shell”.

As we both more or less said previously, moving towards a trusted model, we’d still have the need to find, track, and fix vulnerabilities, but the game would be different from the standpoint that most of them would be mitigated by our policies, instead of having to frantically install patches.

If you’re really interested in this stuff, irc on the efnet network and join #selinux. We can talk in detail about trusted computing there.

Robert

You both make the case that the effort should be on protecting systems and data from all vulnerabilities at either o/s or app level. When that happens, the glory for successfully writing a worm or virus, (from the cracker side) or for finding a vulnerability(from the bug finder side), will fade to zero, right?

Since this level of protection can only occur on the host, does this lead to a natural conclusion that we should be looking at trusted operating systems?

If this would be achievable, then the vulnerabilities would still exist, they would just not be useable to escalate privileges. Does this mean that the risk and threat models would change, as no vulnerability would be used to become a threat and risk would then become zero?

Whoa, I neither said anything like that nor believe anything like that, so we must be much different than you think. Inline security solutions are the only ones that can quickly protect us from the logical extension of the damage you are doing. We’d be even more helpless without them.

Most of the bugs we find are found while we’re testing customers for other bugs. I think part of our postions overlap in the fact that we both view the practice of actively looking for new bugs for the sole sake of finding new bugs as a distraction from more important things. I support the development of technologies that take advantage of security mechanisms that have been proven effective.

I’m not sure what you mean by all treated equally. The criticality of a bug should be something an end user determines, not a researcher. As a researcher, all we care to share is the category of problem, what it’s likely to affect (CIA), etc. High/Medium/Low depends on the organizations pain thressholds for being affected.

> Our goal should be to protect ourselves not from the individual vulns found as they are found, but to protect ourselves from all vulnerabilities all of the time, by taking an architectural view.

Ok, on this particular point, we are definitely in agreement, I just see it as an “and”, not an “or” to the disclosure discussion.

> Vulnerabilities would still be found and we would still provide protection, but the process would be different.

I think I said it in my last post. The “find a bug”, “disclose a bug”, “patch a bug” game is ultimately fruitless unless it increases the number of consumers who demand technology that will let them “protect [them]selves from [entire classes of] vulnerabilities all of the time, by taking an architectural view”

> A competent organization should be protecting themselves from today’s, tomorrow’s, and next year’s vulnerabilities. Why don’t you want them to do that?

That is our goal, but customers using technology that was only intended to be used in cooperative non-hostile environments, on the internet, are going to have problems. No firewall/IPS/Anti-Virus is going to change that.

> Windows is Common Criteria certified. Vulnerabilities are inevitable.

It is, you are correct, but look at the Protection Profile selected (CAPP). The Controlled Access Protection Profile was intended for non-hostile, cooperative environments. Basically the assurance level matters more if they had tried for better security controls. When windows achives CC evaluation with LSPP, then it will be more interesting. If you read the Security Target for windows, you’ll see that the security mechanisms wern’t meant to protect you from bad people on the internet.

Windows 2003 Security Target: http://niap.nist.gov/cc-scheme/st/ST_VID4025-ST.pdf
Windows 2003 Evaluation Report: http://niap.nist.gov/cc-scheme/st/ST_VID4025-VR.pdf

Trusted Solaris 8 Security Target: http://www.commoncriteriaportal.org/public/files/epfiles/TSolaris8_Issue3.1.pdf
Trusted Solaris 8 Security Evaluation Report: http://www.commoncriteriaportal.org/public/files/epfiles/CRP170v3.pdf

To summarize the Strength of Environment for the two…

Windows: The evaluation of Windows 2003/XP provides a moderate level of independently assured security in a
conventional TOE and is suitable for the environment specification in this ST. Translated – This will work pretty well in a cooperative, non-hostile environment.

TSOL: Trusted Solaris 8 4/01 is intended for use in organisations who need to safeguard
sensitive information (e.g., organisations concerned with processing commercially
sensitive or classified information) and who require security features unavailable
in standard commercial operating environments.

Neither can make a “bug free” claim, but the second one tries to deliver technology that lets a consumer “protect [them]selves from [entire classes of] vulnerabilities all of the time, by taking an architectural view”.

> Make no mistake, what you are doing does nothing to protect us from the real threats that are out there – it simply distracts us from doing so.

We’re more similar than you think. I have the same opinion about IDS/IPS/FW/Anti-Virus/Bogus Powdered Spit Protection. They do nothing to protect us from the real threats that are out there – they simply distracts us from doing so. I’m not arguing the merrits of active vs passive bug finding. Rather my initial comments were directed at the right to disclose or not to disclose.

Robert