The last few months have seen the revelation of a rash of critical vulnerabilities in a wide variety of software, from Oracle Corp.s database packages to Windows to Cisco Systems Inc.s IOS code. And if 2003 is to be remembered for being one of the worst years on record for such problems, this weeks Black Hat Briefings in Las Vegas may well go down as the event where security researchers began to turn the tide in the fight against faulty code.
Vulnerability research right now is something of a black art. Its practitioners are often fiercely independent who typically log long hours poring through lines of code and prying into the darkest corners of modern computer systems, searching for the smallest crack, that sliver of daylight that could allow a cracker to slither into the machine and make it his own. And the job is often a thankless one. The security community is sharply divided over the value of independent vulnerability research; some observers feel it leads to better coding practices and more secure networks, while others believe it does nothing but hand crackers a detailed instruction set for breaking into systems.
Two panel discussions on Wednesday will take on the topic of vulnerability research and try to inject some structure and analysis into the process. In the morning, the Organization for Internet Safety will formally unveil the final version of its long-awaited and much-discussed plan for handling security vulnerability disclosure and reporting. OIS, which is made up of security vendors and software makers including Microsoft Corp., @stake Inc. and BindView Corp. among others, released a draft version of the plan in early June and accepted public comments until July 4. The final version was posted to the groups Web site Monday.
The “Security Vulnerability Reporting and Response Process” lays out a regimented timeline and set of steps for the interaction between the person who discovers a vulnerability and the vendor or vendors affected by the problem. It addresses a wide range of issues, including how and when to notify the vendor, how the vendor should respond, how long the researcher should wait for a response and how to resolve communications problems or disputes. OIS members said they were happy with the way the comment period went and are satisfied with the final version.
“Everyone gave a little bit and got their ideas in there. A lot of time when you go through a process like this you end up with something that no one is happy with,” said Scott Blake, vice president of information security at Houston-based BindView, who will be on the OIS panel at Black Hat. “That didnt happen here. Everyone is pretty happy with it.”
The goal of all of the structure in OIS plan is to prevent details of new vulnerabilities from being leaked publicly before vendors and customers have a chance to fix them. To that end, the draft specifically prohibits including “proof of concept code or test code that could readily be turned into an exploit, or detailed technical information such as exact data inputs, buffer offsets or shell code strategies.”
The release of exploit code is a widely criticized practice that infuriates many researchers and virtually all software vendors. Hackers have released exploits for two recent severe vulnerabilities—a severe weakness in Ciscos IOS software and a buffer overrun in the Remote Procedure Call service in Windows—and such code is often used as the basis for worms.
In an afternoon session at Black Hat Wednesday, Gerhard Eschelbeck, CTO at Qualys Inc., will discuss a year-long research project hes been conducting on the nature, lifetime, severity and other defining characteristics of vulnerabilities. Eschelbeck has been collecting data from more than 185,000 systems and has compiled information on about 1.1 million vulnerabilities. He will discuss his newly defined “Law of Vulnerabilities” and will also unveil the creation of a free tool related to the research effort.
Sitting in on a panel discussion of Eschelbecks research will be Mary Ann Davidson, chief security officer of Oracle; Phil Zimmermann, creator of PGP; Simple Nomad, a senior security analyst at BindView and noted researcher; Richard Thieme, a business consultant; Jeff Moss, CEO of Black Hat Inc.; and JD Glaser, president and CEO of NT Objectives Inc., a security company.