Security Basics mailing list archives
RE: how to discover vulnerability?
From: "David Gillett" <gillettdavid () fhda edu>
Date: Thu, 17 Apr 2003 12:06:12 -0700
-----Original Message-----
From: Quynh Nguyen Anh [mailto:quynh () sfc keio ac jp]

> I have a question: almost every day, many security holes are discovered. I wonder how they can find these holes?
> 1. For open source software, must they read every source line?
> 2. For closed source software, must they reverse engineer the binary code?
> Anyway, I don't know exactly how they can discover holes! Your ideas on this matter?
If reading the source code were the best/only way to find vulnerabilities, they'd usually be found by the people with most intimate access to the source. That doesn't seem to be the case, at least partly because those reading the source are caught up in knowing and understanding what the code is SUPPOSED to do -- it's really hard to spot that it also does something it is NOT supposed to do.

Code tends to fail around "boundary conditions" -- something is bigger than the programmer expected, smaller, faster, slower, contains null bytes or has the upper bit turned on, etc. It's actually easier to create input that "breaks the rules" in specific ways if you know what the rules are, but NOT what the code that is supposed to implement them looks like. You discover that it will let you do something wrong that the code author never thought to try.

This is called "black box" testing. You don't get to look inside to see what it does or why -- all you do is throw a variety of strange inputs at it, and watch for it to do something unexpected. If it crashes, that can be a Denial-of-Service attack. If it gives you root privileges, that's an exploit. If it tries to execute the data you've provided as code, that's a different kind of exploit which you might be able to turn into one of the first two.

David Gillett
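As an added illustration of the black-box approach described in the reply above (not code from the original thread): a constructed toy parser with a separately written spec, and a test harness that feeds it inputs breaking one rule each (too long, out of range, null byte, high bit set, missing separator) and classifies the outcome. The target, the spec and the inputs are all constructed for this example.

```python
# Added example: black-box boundary testing of a constructed toy parser.
# The tester knows the RULES (the spec) but not how the code implements them.

def parse_header(line: bytes) -> tuple[str, int]:
    """Constructed toy target: expects b'NAME:SIZE' and documents that it
    raises ValueError on bad input. Written the way the reply warns about:
    only the cases the programmer thought of are checked."""
    parts = line.split(b":", 1)            # assumes the colon is always there
    return parts[0].decode("ascii"), int(parts[1])

def is_valid_per_spec(line: bytes) -> bool:
    """The rules, stated independently of the code: NAME is 1-8 ASCII letters,
    SIZE is an unsigned decimal no larger than 65535."""
    name, sep, size = line.partition(b":")
    return (sep == b":" and 1 <= len(name) <= 8 and name.isalpha()
            and size.isdigit() and int(size) <= 65535)

BOUNDARY_CASES = {  # constructed inputs; each breaks the spec in one specific way
    "baseline (valid)": b"disk:4096",
    "empty input": b"",
    "missing separator": b"disk4096",
    "name too long": b"a" * 200 + b":1",
    "size above maximum": b"disk:99999999999999999999",
    "negative size": b"disk:-1",
    "embedded null byte": b"di\x00sk:4096",
    "high bit set": b"d\xffsk:4096",
}

def run_black_box(target, cases) -> dict[str, str]:
    """Feed every case to the target and classify what came back:
    'ok' / 'rejected invalid input' are expected; 'accepted invalid input'
    means a rule is not enforced; 'unexpected ...' is the crash analogue."""
    findings = {}
    for label, data in cases.items():
        valid = is_valid_per_spec(data)
        try:
            target(data)
            findings[label] = "ok" if valid else "accepted invalid input"
        except ValueError:                  # the documented rejection path
            findings[label] = "rejected invalid input" if not valid else "rejected valid input"
        except Exception as exc:            # anything else is behaviour nobody planned
            findings[label] = f"unexpected {type(exc).__name__}"
    return findings

if __name__ == "__main__":
    for label, verdict in run_black_box(parse_header, BOUNDARY_CASES).items():
        print(f"{label:22} -> {verdict}")
```

Only one of the seven rule-breaking inputs is rejected the documented way; the rest are either silently accepted or crash the parser with an exception its callers were never told to expect.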
