Friday, January 26, 2018

Changing the Meta: Format String Bugs

New bugclasses often change the meta-game of cyber war, and a smart player will prepare for that eventuality. And the one I think best represents this dates to 2000, when Scut of TESO did a talk at Chaos Computer Congress 17 and then released a paper on it. Who is this Scut guy and whatever happened to him, you might ask? I'm sure it's not important.

The specifics of what a format string bug are a bit beyond a policy blog, but here's some things you learn from his paper:

  1. Format string vulnerabilities were everywhere
  2. Exploiting them taught the hacking community a lot about exploit primitives, for example how to covert relative write-one word primitives to absolute write-many or into information leaks. In that sense it was a watershed.
  3. Having source code made it super easy to scan for format string vulnerabilities, including with automated analysis techniques. That's why today, like Dodos, they are rather rare.
To return those glory days of free remotes in every public daemon you have to go into IoT auditing. But there were winners and losers when it came to the format string feeding frenzy of 2001. Having source code mattered for the offensive teams because it was a race and because exploitation at this level involves a deeper understanding of an entire program than vulnerability finding does.

But that said, when it's not a race, binaries are just as good as source, and often better.

To take it back into a higher level: The meta changed and if you were prepared for it and could adapt quickly enough, you were able to establish a beachhead of shells on boxes all around the world that could establish a permanent power projection capability.

Adaptability is a hard thing to measure in your offensive team. Can your static analysis tools be quickly retooled to find a new bugclass? Can your implants be quickly ported to a new platform? Does your operator team have the ability to quickly absorb a new toolkit?

And yes: Having a lot of source matters to prepare for meta changes because grep is the cheapest and best security analysis tool ever invented. There's a reason every Government finds a way to get source code to everything. If it 's not some sort of issue with your imports being certified, then it's because you want to export your code and it happens to link to a cryptographic library. In that sense, source code access is about new bugclasses, not new bugs.

No comments:

Post a Comment