Expose the Charade

Eric Rescorla at Educated Guesswork comments on a posting at slashdot about a vulnerability discovery project at a university:

"…It’s pretty common for security types (myself included) to assume that software is so bug-riddled that any idiot can find an arbitrary number of vulnerabilities. Obviously, this was quite doable for some people, but others clearly found it very challenging. This project was 60% of the grade in the class, so they clearly had substantial incentive to find them.

On the other hand, the overlap between the vulnerabilities people found (even if we assume they worked totally independently) was quite small. Less than 15% of the vulnerabilities have more than one person listed. A small overlap is not what we’d expect if the reason it was hard to find vulnerabilities was that the total population was very small.1 The fact that some students were so successful suggests that perhaps the limiting factor in finding vulnerabilities isn’t that there is a limited number but rather that they are hard to find and some people are just better than others. It would be interesting to know what the two people who found 10 vulnerabilities did differently from everyone else.

These observations are extremely interesting, given that I am against vulnerability seeking. Here’s a line of reasoning:

  1. Vulnerabilities are plentiful. If we assume the independence of seekers (not validated) and the findings demonstrate little overlap in vulnerability identification, then either there are a lot of vulnerabilities to pick from or their were other forces at work (perhaps one of the seekers was so good he could dole out some vulns to his friends in the class?). I use an argument like this to assert that it is highly unlikely that the "good guys" will find the same vulns as the "bad guys" – one of the primary arguments for vulnerability seekers.
  2. Vulnerabilities are hard to find. There is a wide variance in the skills even with a single class at a single university. Extrapolate that out to all the QA people in the world and you have quite a challenge in finding the vulns during development. And from point 1, we can guess that vulnerabilities are easy to create (we can intuit that). This is also why software liability is such a bad idea (it is called ‘being human’).
  3. Once found, vulnerabilities are easily exploited – or at least Pandora’s box has been open.
  4. Therefore, we should let sleeping vulnerabilities lie – there are too many to find all of them, and it actually takes quite skilled people to find them.

Sure, it isn’t conclusive evidence, but then we don’t use conclusive evidence to support our current practices anyway…