Ancestors

Written by Addison on 2024-10-06 at 16:12

Why I don't write exploits*: https://addisoncrump.info/important-information/why-i-dont-write-exploits/

In which I describe why I avoid writing exploits at all costs.

#testing #defense #vulnerability #academia #research


Written by Frederik Braun on 2024-10-06 at 16:33

@addison That’s approximately the same reason why the Mozilla bug bounty program doesn’t require exploits as part of the report. Source line and explanation is enough. We don't want to incentivize people learning how to attack Firefox users. Sure, a PoC helps during QA, but we don’t need a working exploit. We just want to fix the bug :)


Written by Frederik Braun on 2024-10-06 at 16:36

@addison there’s a footnote here too: Some things are not believed to be severe and an exploit will help settle all arguments (like a proof of construction as Sergey Bratus likes to say). A full exploit is also helpful to better understand the meta game and a chain of mitigations.


Toot

Written by Addison on 2024-10-06 at 16:45

@freddy@social.security.plumbing That's true. I certainly am not saying that full exploits don't have value, but that we can do them after the patch for further research into mitigation techniques. These are orthogonal works, i.e. exploit research (including on mitigations) should not be (and probably does not need to be) applied on unpatched vulnerabilities.

I haven't read it in depth, but I know there is some work being done on demonstrating the existence of exploits given the primitive(s) without development of a concrete exploit. I think this is a great step forward, if it actually starts seeing use, but this is a bit out of my wheelhouse and I worry it may be an excuse to get out of doing defense in depth...


Descendants

Written by Frederik Braun on 2024-10-06 at 17:25

@addison right. Mitigations can totally be tested against a theoretical self-inflicted vuln in test environments. Not really needed IRL. Mozilla does that for Sanitizer/CSP bypass bugs and just assumes there’s untrusted input / an injection involved.

Another great value in real life exploits is the "chaotic" energy, where defenders have some established rules by which attackers are likely to construct their exploits (which often turn out to be subtly wrong).


Original URL
gemini://mastogem.picasoft.net/thread/113261485567166697