Saturday, November 5, 2011

DEFCON 19: Familiarity Breeds Contempt

Speakers: Sandy "Mouse" Clark University of Pennsylvania | Brad "RenderMan" Haines Chief research monkey,

"Good programmers write code, great programmers reuse" is one of the most well known truisms of software development. But what does that mean for security? For over 30 years software engineering has focused on writing the perfect code and reusing it as often as they can, believing if they can just get the bugs out, the system will be secure. In our talk we will demonstrate how the most prominent doctrine of programming is deadly for security. Analysis of software vulnerability data, including a full decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as the actual software quality. We show that (at least in the first phase of a product's existence), software vulnerabilities have different properties from software defects. Our analysis of attacker tools and popular exploits shows that the attacker's learning curve determines when and which particular products are likely to be attacked. Improvements in those tools affect the frequency of attack, and the ultimate result is point-and-click usability. We will present several examples from both the defender and the attacker perspective illustrating how dangerous familiarity is for security. We will demonstrate that the more familiar an attacker is with your product, the more likely you are to be attacked and the more likely an attacker will succeed.


Post a Comment