Why I don't write exploits*: https://addisoncrump.info/important-information/why-i-dont-write-exploits/
In which I describe why I avoid writing exploits at all costs.
#testing #defense #vulnerability #academia #research
Posted by addison@nothing-ever.works
@addison That’s approximately the same reason why the Mozilla bug bounty program doesn’t require exploits as part of the report. Source line and explanation is enough. We don't want to incentivize people learning how to attack Firefox users. Sure, a PoC helps during QA, but we don’t need a working exploit. We just want to fix the bug :)
Posted by freddy@security.plumbing
@addison there’s a footnote here too: Some things are not believed to be severe and an exploit will help settle all arguments (like a proof of construction as Sergey Bratus likes to say). A full exploit is also helpful to better understand the meta game and a chain of mitigations.
Posted by freddy@security.plumbing
@freddy@social.security.plumbing That's true. I certainly am not saying that full exploits don't have value, but that we can do them after the patch for further research into mitigation techniques. These are orthogonal works, i.e. exploit research (including on mitigations) should not be (and probably does not need to be) applied on unpatched vulnerabilities.
I haven't read it in depth, but I know there is some work being done on demonstrating the existence of exploits given the primitive(s) without development of a concrete exploit. I think this is a great step forward, if it actually starts seeing use, but this is a bit out of my wheelhouse and I worry it may be an excuse to get out of doing defense in depth...
Posted by addison@nothing-ever.works
@addison right. Mitigations can totally be tested against a theoretical self-inflicted vuln in test environments. Not really needed IRL. Mozilla does that for Sanitizer/CSP bypass bugs and just assumes there’s untrusted input / an injection involved.
Another great value in real life exploits is the "chaotic" energy, where defenders have some established rules by which attackers are likely to construct their exploits (which often turn out to be subtly wrong).
Posted by freddy@security.plumbing
@addison The executives who control the money that the engineers need to spend in order to fix things do not always understand the implications of an ASan report, or even of a harmless PoC. Sad, but true. Often, not even other engineers do. Sad, but still true. Working exploits contributed greatly in getting us out of the dark ages, and I'm not excited about going back.
No defender sides with the NSO Groups of the world. Yet to be effective, we sometimes, rarely, do need to handle hazmat.
Posted by fugueish@wandering.shop
@fugueish @addison yes. A demo works wonders sometimes. "Open this page to open calculator" is hard to argue against.
Posted by freddy@security.plumbing