A call to researchers: Mix some creation with your destruction

Since I can first remember being interested in information security, my personal hacker heroes (and I’m using hacker positively here) were the researchers who discovered zero day software vulnerabilities and could create proof-of-concept exploits to demonstrate them.

Some security nerds (again, a term I use positively) are fascinated by social engineers like Kevin Mitnick; others admire keen cryptographers like Bruce Schneier; but I always most respected the folks with deep programming and technical computing knowledge like HD Moore (and many before him), who could find 0-day vulnerabilities, and show how to leverage them to do things others would never suspect.

A great deal of my respect for these type of researchers came from my introduction to a pivotal Phrack article, which I’m sure many of you are familiar with: Smashing the Stack for Fun and Profit by Aleph One (Elias Levy). This great article not only opened my eyes—a programming student at the time—to how attackers could leverage memory corruption bugs in bad code, but it gave a me new respect for the technical knowledge these shrewd assembly ninjas needed to figure out how to exploit them.

These smart hackers not only understood high-level coding, but they have deep knowledge of assembly and the intricacies of memory stacks and CPU registers. They have strong understanding of the OS they target and its components, and often have to work within significant confines, such as tiny amounts of memory or limited character sets. Nowadays, these smart technicians even have to figure out how to escape memory security features such as ASLR or DEP, making successful exploits that much more impressive. All of this skill is in addition to the innovative, outside-the-box thinking they need to even find vulnerabilities in the first place.

In short, I’ve always respected vulnerability researchers because they were imaginative and just “wicked smart.”

Furthermore, I also appreciate what these researchers are doing for the software and security community. Before the days of zero day auctions, underground marketplaces, bug bounties, and vulnerability warehouses, many security researchers found and reported vulnerabilities on their own time. They did so to help make software more safe, and perhaps to earn the respect of their peers.

These researchers believed in what they did. They wanted vendors to learn secure coding practices and deliver safe software. Early on, many software vendors weren’t very responsive to security disclosures, which came at the detriment of their customers’ security. Vulnerability researchers paved the way to changing vendors’ stance on software security with their persistence and public disclosure. As a result, software vendors, big and small, pay a lot more attention to secure coding practices, or at least respond quickly when researchers find issues in their products. We have security researchers to thank for this.

Why am I spending so much time telling you why I think security researchers are so great? Well, because I also want to share a slight critique. I think security researchers spend far too much time breaking things rather than creating them.

Don’t get me wrong. I think finding vulnerabilities in software (breaking things) is a very valuable service to the security community (assuming you disclose them responsibly). I hope security researchers will to continue to report and find these flaws.

We know the “ideal” solution for software vulnerabilities is perfectly secure code. But let’s face it, we live in the real world. We’re all human. There will never be perfectly secure code, and smart researchers will always find ingenious ways to leverage bugs. That’s why I’d love to see security researchers devoting at least a small part of their time to figuring out ways to plug our vulnerability window.

You guys know these systems better than anyone else. For instance, if you’ve figured out an inspired new way to get past ASLR, you have a deeper understanding of it than most programmers. It would be great to see you use that in-depth knowledge to create some new mechanism to protect us from future exploits. I know it’s a lot to ask, but only you have the specialized knowledge to understand these problems from a different perspective.

I don’t know what the next security innovation will be, but I feel strongly that it’ll come from the mind of a security researcher who spends his or her time evading defenses. While I hope security researchers continue breaking things and sharing flaws with software vendors, I also hope they use their ingenuity and unique perspective to help create new defense mechanisms that protect us from all software vulnerabilities in the future. Spend a bit of your time creating rather than breaking, and I think you could make the Internet a much safer place.