Internet security specialist iDefense Inc. has released a reverse-engineering tool to the open-source community as part of its controversial strategy of buying the rights to information on security flaws found by underground researchers.
The decision to roll out the IDA Sync tool was driven by a need to “contribute to the cycle” of making flaw-finding easier for the private individuals who participate in iDefenses VCP (Vulnerability Contributor Program).
The 3-year-old VCP involves financial incentives to anonymous researchers who agree to give up exclusive rights to advance notification of unpublished vulnerabilities or exploit code to iDefense.
Michael Sutton, director of iDefense Labs, said the wild success of the program has driven the company to release tools like IDA Sync, which is used to allow multiple analysts to synchronize their reverse-engineering efforts in real-time within the IDA Pro disassembler.
In an interview with eWEEK.com, Sutton said groups of researchers can use the IDA Sync plug-in to connect to the disassembler and share comments and name changes.
“A large group of researchers can now pick apart a program and share their findings with each other right within IDA Pro, which is the de-facto standard for disassembling within Windows,” Sutton said.
In addition to IDA Sync, iDefense has previously released tools such as IDA pGRAPH, a plug-in that generates control-flow graphs; IDA Function Analyzer, a IDA C++ plug-in designed to provide an abstracted layer over “chunked” functions; and the Attack Vector Test Platform, a tool that was used in the research for the paper titled “A Comparison of Buffer Overflow Prevention Implementations and Weaknesses.”
Flaw-finding has generated big business—and invaluable publicity—for the Reston, Va.-based iDefense. So far this year, the company is credited with the responsible disclosure of 36 security bulletins, including major flaws in products sold by Computer Associates International Inc., RealNetworks Inc. and Apple Computer Inc.
Sutton said that more than 80 percent of all vulnerabilities reported by iDefense were purchased from private, sometimes anonymous, software researchers.
“Well pay for the exclusive intellectual property rights to the research, and this program works for everyone. The researchers make money for their work, the vendors get the benefit of responsible advance notices, and the end users get well-tested patches.”
The critics speak up
Not everyone agrees. Firas Raouf, chief operating officer of eEye Digital Security, thinks that the business of buying rights to flaw information is a dangerous practice.
“We dont believe that finding software vulnerabilities should be a for-profit business. We have a problem with paying for flaws. People should not be rewarded financially with finding flaws. Researchers should consider that finding flaws is an end in itself to make the world a more secure place,” Raouf said in an interview.
iDefenses Sutton, however, argued that buying the information is the only way to make flaw discovery a scaleable business.
“Last year, we released more than 100 public advisories. If you were to hire a team to come up with that volume in a year, it would cost a ton of money. The VCP gives us a very flexible, scaleable business model.”
Sutton refused to discuss how much money is paid for the rights to a flaw discovery.
When the program launched in 2002, the company was offering up to $400 per vulnerability, and eEyes Raouf believes it is now in the range of $3,000 each.
“You have to remember there is a very lucrative underground market for this information. Theres a lot of work being done on the organized crime side to get this information, and the prices being offered are quite high,” Raouf said.
Raouf supports software vendors offering financial incentives, much like the Mozilla Foundations bounty program that pays up to $500 for any critical bug found in the open-source code base.
“Finding vulnerabilities should be part of a manufacturers QA [quality assurance] process. Microsoft, for example, is investing a lot of resources on training to help developers write secure code. It has worked quite well for Mozilla to get more professionals picking away at the code,” Raouf said.
“Paying for this kind of information could have some implications. You end up getting people who arent necessarily experts in the field trying to find something and sell it to the highest bidder … Once you start this, unless theres a strict process in place to manage it, you may end up with more problems for everyone,” Raouf added.
A spokeswoman for Microsoft said the company has never paid for information on product bugs from private individuals.
“We credit finders who report vulnerabilities under responsible disclosure and, from time to time, [we have] contracted security research companies to review code for products under development,” the spokeswoman said.