Friday, September 23, 2016

Holes in the Math

When I worked with the NSA, I worked with Mathematicians more than anything else. This prezi, from 2011 is available here.

Not to drill holes in a dead horse, but the VEP was never meant to be real. It was always a mirage meant to assuage big domestic software companies. You can tell this by what is missing from it: Bugclasses and Math.

The NSA is the powerhouse it is precisely because it has a wide aperture on the capabilities it uses against a laser-focused mission. That, and sixty years of hiring the best mathematicians in the country and putting them to work on advancing a private library of mathematical tools for attacking problems in the signals and computing areas. 

A bugclass is something that is hard to define. But it's very important in these policy debates. The quintinessential easy-to-understand bugclass is the format string vulnerability. In short, the standard library everyone uses in C used to support string arguments that looked like this:

printf("Hello, %s! I am happy to meet you!",name);

The highlighted part in that string is known as the "Format String" as it takes commands like %s meaning "Read a string off the next argument". However, it also took the command %n, which meant "Write the current length to the stack". You could then, as an attacker, look for places in any program where you controlled what a format string would say, and put %n's into it, to either crash the program or control variables on the stack, leading the control of the program.

These are called "Format String bugs" and were easy to find, and easy to attack, and easy to remove. Now they are almost non-existent in real-world programs. 

But look at the VEP. What does it mean if I tell you "There is a class of vulnerabilities where you can put %n's into format strings and own programs with it". That's not a "vulnerability". It's a class of vulnerabilities. This distinction is super important. 

Many bugs are exploited not because they are useful individually, but because they are examples of bugclasses that MAY be useful in the future. In this sense they are part of a spectrum, at one end of which is the uber-expensive world-owning mathematical advancements that only the NSA can do. 

In other words, the VEP is a calculated sham because if it was there to do strategic work, it would have to recognize the full spectrum of offensive activity. It would be less about vulnerabilities, and more about Math, or even bugclasses. But those never even come up in discussion. They aren't relevant to a PR conversation. 

No comments:

Post a Comment