Researchers Need to Focus on Defenses, Not Bug Hunting: Adobe
Modernizing Authentication — What It Takes to Transform Secure Access
CANCUN, Mexico -- Security researchers need to shift their attention away from hunting for vulnerabilities and start thinking about ways to make it difficult to create exploits, according to a security expert from Adobe.
There is too much focus on vulnerabilities and defects in software, Brad Arkin, director of product security and privacy at Adobe, said in his keynote speech at the Kaspersky Lab Security Analyst Summit Feb. 2. Instead of vulnerabilities, security researchers should be thinking about how to make it too expensive to target those applications, Arkin said.
Security researchers are typically involved in offensive research, and often provide enough information or a proof-of-concept that makes it easier for attackers interested in developing an exploit, Arkin said. Once the research is published or presented at a conference, the information is readily available without the attacker having to invest in original research. Tweaks to an existing exploit result in malware variants.
If you publish a paper about a new technique, a previously hard technique becomes easy, Arkin said.
To illustrate his point, Arkin discussed the recently disclosed and patched zero-day vulnerability in Adobe Reader. Attacks that exploited that flaw were extremely focused on defense industrial base firms. Fewer than 20 machines, spread across a number of defense companies were targeted in the attacks, according to Arkin.
Despite the sophisticated nature of the attack, the attackers took a shortcut to create the exploit. The zero-day vulnerability was exploited using a three-year-old proof-of-concept code written by a security researcher, according to Arkin. The exploit was publicly available so they didn't have to figure out how to use the vulnerability.
"The skill of writing something first is very high, but it is far easier to adapt an existing code sample, Arkin said.
Arkin was not telling the security researchers in the audience that they shouldn't discuss their discoveries. However, he felt they should stop to consider that cyber-criminals treat the publicly disclosed exploits as free R&D for their purposes.
Offensive researchers need to consider the consequences of what happens once an exploit or technique gets out there, Arkin said.
Arkin said in a perfect world, people would disclose vulnerabilities to only people who would never do anything malicious with the information. However, as this isn't the perfect world, researchers should err on the side of caution and consider how they disclose the information, he said.
Instead of finding new offensive techniques, it is far more valuable to find ways to make it harder to attack vulnerabilities, according to Arkin.
Recent security innovations, such as address space layout randomization and data execution prevention, have been instrumental in driving up the cost of attacking products that use them, Arkin said.
For example, Arkin noted that the exploit that targeted defense companies in the recent attack was blocked in Acrobat and Reader X, which had the Protected Mode sandbox. Adobe had to rush out an out-of-band patch for Adobe Reader and Acrobat 9.x for Windows because that version did not have the protection technology built-in. The vulnerability in Reader and Acrobat X for Windows was patched as part of Adobe's scheduled update in January.
Adobe's goal is not to try to address every vulnerability discovered in the software, but to make it harder to drive up the cost of writing exploits by investing in mitigation technologies. Only about two-dozen vulnerabilities in Adobe products identified in the past two years have actually been matched with exploit code, Arkin said.
Finding a bug is fairly straightforward, writing an exploit is harder, and writing a reliable exploit that works all the time is even harder, Arkin said.
Arkin noted that whenever an exploit module is added to the Metasploit penetration-testing suite, attacks targeting that vulnerability skyrocket. There's a clear correlation between the public release of information and people getting attacked, Arkin said.