Friday 28 January 2011

Why education on exploitation isn't helping security

To start off, I feel it imperative that I give a little background: I'm a student at university in London (don't worry, I know the little value that a degree has), and I want to get into infosec.*
As I want the best chance of getting into the industry, I'm generalising the things I'm learning: networking, exploiting machines on Windows and Linux, different exploits and how they work, web application hacking. But the one thing that bothers me by far the most out of everything I've read is that you are nearly never told how to prevent the problem. You are told why something has a vulnerability in it, but not how to stop it occurring.
I know some vulnerabilities are easy to sort, whether it be not using strcpy() and using strncpy() instead, but that isn't always the case. Whenever you read about webapp hacking, with all the different problems that can be sorted by input sanitisation, you are nearly never told how to do this effectively. Just reading about it once may make you believe you can easily sort the problem, but the text may not consider Unicode encoding, or recursive sanitisation, where a program may delete %22 if it occurs in the string, but this could allow %%2222 to work since it only checks the string once.
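The %22 / %%2222 case above is worth seeing run, so here is an added example (not code from the original post) in C. It shows the single-pass filter the post describes being fooled by "%%2222", the same filter repeated until the string stops changing, and the approach a defender usually wants instead: decode the value once, the way the web server will, and then check the canonical form. All inputs are constructed samples; buffer sizes and function names are this example's own assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Naive filter from the post: one left-to-right pass that drops every
 * "%22" (a URL-encoded double quote). Writes at most outsz-1 chars. */
char *strip_once(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    if (outsz == 0)
        return out;
    for (size_t i = 0; in[i] != '\0';) {
        if (strncmp(in + i, "%22", 3) == 0) {
            i += 3;                 /* drop the token; what was already emitted is never re-scanned */
            continue;
        }
        if (o + 1 < outsz)
            out[o++] = in[i];
        i++;
    }
    out[o] = '\0';
    return out;
}

/* Repeat the same filter until the output stops changing, so a string
 * built to survive one pass ("%%2222" -> "%22") is caught on the next. */
char *strip_to_fixpoint(const char *in, char *out, size_t outsz) {
    char tmp[256];                  /* assumption: inputs shorter than 256 bytes */
    snprintf(out, outsz, "%s", in);
    for (;;) {
        strip_once(out, tmp, sizeof tmp);
        if (strcmp(tmp, out) == 0)
            return out;
        snprintf(out, outsz, "%s", tmp);
    }
}

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode %XX sequences exactly once, as a typical server does before the
 * application sees the value. Malformed escapes are kept literally. */
size_t url_decode_once(const char *in, char *out, size_t outsz) {
    size_t o = 0;
    for (size_t i = 0; in[i] != '\0' && o + 1 < outsz; i++) {
        int hi, lo;
        if (in[i] == '%' && (hi = hexval(in[i + 1])) >= 0 && (lo = hexval(in[i + 2])) >= 0) {
            out[o++] = (char)(hi * 16 + lo);
            i += 2;
        } else {
            out[o++] = in[i];
        }
    }
    out[o] = '\0';
    return o;
}

/* Validate the canonical (decoded) form rather than the raw bytes. */
bool contains_quote_after_decode(const char *raw) {
    char dec[256];
    url_decode_once(raw, dec, sizeof dec);
    return strchr(dec, '"') != NULL;
}

/* True if the given filter still let an encoded quote through. */
bool filter_bypassed(char *(*filter)(const char *, char *, size_t), const char *raw) {
    char buf[256];
    filter(raw, buf, sizeof buf);
    return strstr(buf, "%22") != NULL;
}

int main(void) {
    const char *crafted = "%%2222";   /* constructed sample from the post */
    printf("single pass : %s\n", filter_bypassed(strip_once, crafted) ? "bypassed" : "blocked");
    printf("fixpoint    : %s\n", filter_bypassed(strip_to_fixpoint, crafted) ? "bypassed" : "blocked");
    printf("decode+check: %s\n", contains_quote_after_decode(crafted) ? "quote found" : "clean");
    return 0;
}
```

The fixpoint loop patches the specific trick, but it still reasons about raw bytes; decoding once and then checking (or, better, escaping on output) is the version that also covers the other encodings the post mentions, because the check runs on what the application will actually use.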
In the end, I can only think of 3 reasons why authors and such do not write about how to defend against or fix these vulnerabilities:
  • It may be a case by case basis.
  • It isn't what people want to read about. We want to read about how to get into somebody's machine, our 'end result'.
  • The person writing actually has no idea about how to defend against or fix the vulnerability.

Case by case
Now I can understand this for quite a few vulnerabilities, as it may be a slight coding error, or even a design fault. The former may be specific to the program or project, where they haven't thought about everything that could happen, and the latter can't really be changed unless you take the 'feature' out, or change it so that it cannot be used in that way.
But this isn't to say you couldn't tell people how to protect against the vulnerability. For example, if somebody is willing to write a short C program showing exploitable code, why can't they show the fixed program? The programs often used to show vulnerabilities are very short programs that clearly show the vulnerability, also meaning they are usually very easy to fix and easy to show the differences in code.
I fully understand that not all cases can be shown, but I think just a general helping could go a long way.
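As an added example of what "show the fixed program" looks like for the strcpy() case mentioned earlier (this is not code from the original post), here is the vulnerable copy beside two fixed forms in C: a length check that refuses input which does not fit, and the strncpy() swap done correctly, since strncpy() on its own does not terminate the buffer when the source fills it. The field size and the sample names are this example's own constructed assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NAME_LEN 16     /* constructed fixed-size field */

/* The "before": strcpy() copies until it finds a NUL in src and has no idea
 * how large dst is, so any src of NAME_LEN bytes or more writes past the end.
 * Kept only for contrast; it is never called with untrusted input below. */
void copy_name_unsafe(char dst[NAME_LEN], const char *src) {
    strcpy(dst, src);
}

/* Fix, option 1: check the length first and refuse anything that does not
 * fit. Returns 0 on success, -1 if rejected (dst is then left empty). */
int copy_name_checked(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0)
        return -1;
    size_t n = strlen(src);
    if (n >= dstsz) {           /* need room for n bytes plus the terminator */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, n + 1);    /* n + 1 copies the NUL as well */
    return 0;
}

/* Fix, option 2: the strncpy() swap, done right. strncpy() pads with NULs
 * when src is short, but writes no terminator at all when src is dstsz bytes
 * or longer, so the last byte must be forced and the truncation reported. */
int copy_name_strncpy(char *dst, size_t dstsz, const char *src) {
    if (dstsz == 0)
        return -1;
    strncpy(dst, src, dstsz);
    if (dst[dstsz - 1] != '\0') {   /* src was >= dstsz bytes: truncated */
        dst[dstsz - 1] = '\0';
        return -1;
    }
    return 0;
}

/* Caller-side form of the same check: decide before copying at all. */
bool fits(const char *src, size_t dstsz) {
    return strlen(src) < dstsz;
}

int main(void) {
    char name[NAME_LEN];
    const char *ok = "alice";                                   /* constructed inputs */
    const char *too_long = "a-name-that-is-much-longer-than-the-field";

    printf("checked/ok      : %d\n", copy_name_checked(name, sizeof name, ok));
    printf("checked/too long: %d\n", copy_name_checked(name, sizeof name, too_long));
    printf("strncpy/too long: %d (%s)\n", copy_name_strncpy(name, sizeof name, too_long), name);
    printf("fits            : %d %d\n", fits(ok, sizeof name), fits(too_long, sizeof name));
    return 0;
}
```

The difference between the two fixes is policy, not safety: both stay inside the buffer, but option 1 rejects oversized input while option 2 keeps a truncated copy, and the caller has to decide which of those its application can live with.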

Reader doesn't want to know
This reason (presuming it is a valid reason) especially annoys me. If you ever read the part of a book on hacking or exploitation that says who the book was written for, it states something like "hackers, people in the information security industry and system administrators wanting to understand how hackers work," but how is this true for the last group of people? Somebody on the defensive side would want to know what causes the exploit, and then, more importantly, how to fix it. There's no point finding a vulnerability in your own code, then doing a bad job of trying to fix the problem, and actually not completely fixing it.
The same goes for courses I have taken: they may show you methodology, or information about hacking or vulnerabilities, but not how to fix the problem, only giving a general explanation of how to fix it.
Plus, if you're a pentester and you don't believe fixing the problem is part of your 'end result', then I think you should be in another job, since you are not helping the customer at all, but just getting paid to hack into a company's network. The main reason for a company to do a pentest or vulnerability assessment is their ROI (return on investment). There are findings that don't need much detail, like specific patches they need, but if you're putting "SQL injection possible in form xyz, better input sanitisation needed" then that doesn't give them much information. And the only way to properly help them is to know how to do it yourself, since if you give some example code on how to fix it, and they take the code, implement it, and a similar problem happens, then it is you, not the company who hired you, who is at fault (except maybe they are at fault for hiring you in the first place).

Author doesn't know how to fix the vulnerability

This reason doesn't annoy me, but would really worry me.
I couldn't give a crap who the author is, or who the person giving the course is: if they don't know how to fix the basic vulnerability or exploit they are showing you how to use, then I don't want to be learning from them, as I don't think they have the right to teach anybody anything. I wouldn't teach somebody how to take a car engine apart if I didn't know how to put it back together, so why should they teach me how to break something without being able to tell me how to fix it?

People in information security are constantly complaining about the same old vulnerabilities in 'crappy' code, but is it any surprise when you often have to go the extra mile to find out about fixing problems? It just shows that a lot of people don't really care about fixing stuff, because they're not on the programmers' side. They just want to break stuff and be a "1337 h4X0R Wh0 pWNd uR M4cH1N3."

In the end, not everything is bad, but there is a lot of information out there, and most of it doesn't help security.**


p.s. If you know of any good books or courses that go over exploitation & then how to fix the vulnerability, please leave a comment.

*I know getting into the information security industry from university is often not the best way, but I feel the fact that I want to get into infosec now, that I'm willing to spend days researching old and new ways to find vulnerabilities and trying to discover vulnerabilities myself, and that I'm taking the OSCP certification at the same time as my degree, shows some of my dedication; and I feel that although it is the better way, it is not necessarily the right way for me to get into infosec.
**It can be debated that finding more vulnerabilities & making the vendor create a patch is helping security, though I am basing this more on a penetration testing/vulnerability assessment view or the view of a vulnerability researcher trying to find vulnerabilities in their own company's programs.
