Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email firstname.lastname@example.org
Re: DJB's students release 44 *nix software vulnerability advisories
From: Crispin Cowan (crispinimmunix.com)
Date: Wed Dec 22 2004 - 12:26:41 CST
D. J. Bernstein wrote:
>Stephen Samuel writes:
>>I'm asking for a reasonable ammount of time for a responsible
>>programmer to ensure that his/her user community is properly served
>>and protected from the effects of the bugs.
>Same delusion: you think that users are protected from security holes if
>the security holes are patched before they're announced. Sorry, but
>that's not nearly fast enough. Protecting the users means making the
>programs secure before they're deployed in the first place.
In theory, theory is just like practice. But in practice, it isn't.
In theory, I agree with DJB: an infinitely-funded adversary can hire a
gang of code analysts to scour a code base looking for vulnerabilities
and *not* publish them, effectively manufacturing private exploits in
whatever quantity they are willing to pay for. It is conjectured that
certain foreign governments are actually doing this.
But in practice, there is a *substantial* amount of epidemiological data
that shows that wide-spread attacks against software follow shortly
after the disclosure (responsible or otherwise) of a vulnerability. See
Brown, Arbaugh et al A Trend Analysis of Exploitations
<http://www.cs.umd.edu/%7Ewaa/pubs/CS-TR-4200.pdf> for great data on
when attacks happen with respect to disclosure. Furthermore, if you
force a fire drill in releasing the security patch, you compromise the
quality of the patch. See my work on patch quality "Timing the
Application of Security Patches for Optimal Uptime", Beattie et al
ugly PDF <http://immunix.com/%7Ecrispin/time-to-patch-usenix-lisa02.pdf>.
So while I am sympathetic to DJB's passion for correct software and to
hell with the tender feelings of developers who ship buggy code, in
practice this kind of 0-day notice of vulnerabilities *mostly* just
Crispin Cowan, Ph.D. http://immunix.com/~crispin/
CTO, Immunix http://immunix.com