[15637] in cryptography@c2.net mail archive


Re: Is finding security holes a good idea?

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Thu Jun 17 14:24:52 2004

X-Original-To: cryptography@metzdowd.com
To: btoedtmann@exp-math.uni-essen.de
Cc: cryptography@metzdowd.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
In-Reply-To: <1087469234.16135.44.camel@lomin> (Birger Toedtmann's message
 of "Thu, 17 Jun 2004 12:47:14 +0200")
Date: Thu, 17 Jun 2004 07:34:37 -0700

Birger Toedtmann <btoedtmann@exp-math.uni-essen.de> writes:

> Am Do, den 10.06.2004 schrieb Eric Rescorla um 20:37:
>> Cryptography readers who are also interested in systems security may be
>> interested in reading my paper from the Workshop on Economics
>> and Information Security '04:
>> 
>>     Is finding security holes a good idea?
> [...]
>
> The economic reasoning within the paper misses casualties that arise
> from automated, large scale attacks.
>
> In figure 2, the graph indicating the "Black Hat Discovery Process"
> suggests we should expect a minor impact of "Private Exploitation" only,
> because the offending Black Hat group is small and exploits manually. 
> However, one could also imagine Code Red, Slammer and the like.  Apart
> from having a fix ready or not, when vulnerabilities of this kind are
> not known *at all* to the public (no problem description, no workaround
> like "remove file XYZ for a while" known), worms can hit the network far
> more severely than they already do with knowledge of the vulnerability and
> even fixes available.  I would expect the "Intrusion Rate" curve to be
> formed radically differently at this point.  This also affects the
> discussion about social welfare lost / gained through disclosure quite a
> lot.
>
> I don't see how applying Browne's vulnerability cycle concept to the
> Black Hat Discovery case as it has been done in the paper can reflect
> these threat scenarios correctly.  

It's true that the Browne paper doesn't apply directly, but I don't
actually agree that rapid spreading malware alters the reasoning in
the paper much. None of the analysis in the paper depends on any
particular C_BHD/C_WHD ratio. Rather, the intent is to provide
boundaries for what one must believe about that ratio in order to
think that finding bugs is a good idea.

That said, I don't think that the argument you present above is that
convincing. It's true that a zero-day worm would be bad, but given the
shape of the patching curve [0], a day-5 worm would be very nearly as
bad (and remember that it's the C_BHD/C_WHD ratio we care about).
Indeed, note that all of the major worms so far have been based on
known vulnerabilities. 

-Ekr

[0] E. Rescorla, "Security Holes... Who Cares?", Proc. 12th USENIX
Security, 2003.
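The "day-5 worm is nearly as bad as a zero-day worm" point above turns entirely on the shape of the patching curve. The following is an added illustration, not code from the paper, the USENIX paper it cites, or either poster: it assumes a hypothetical exponential patching curve (half the still-unpatched hosts patch every `half_life_days`, a made-up parameter) and a toy SI worm with a hypothetical contact rate, then compares the cumulative infections of a worm released on day 0 with one released on day 5. The real patching curve is measured, not assumed, and the numbers here are only meant to show what the argument depends on.

```python
"""Toy model for the 'zero-day worm vs. day-5 worm' comparison.

Constructed example: nothing here is taken from the paper or the thread.
The patching curve is ASSUMED to be an exponential decay with a hypothetical
half-life; the worm is a toy SI model with a hypothetical contact rate.
"""
import math

HOURS_PER_DAY = 24


def unpatched_fraction(days_since_disclosure: float, half_life_days: float) -> float:
    """Fraction of hosts still vulnerable t days after public disclosure.

    Hypothetical exponential patching curve: every half_life_days, half of the
    hosts that are still unpatched get patched. Before disclosure nobody can
    patch, so the fraction is 1.
    """
    if days_since_disclosure <= 0:
        return 1.0
    return 0.5 ** (days_since_disclosure / half_life_days)


def simulate_worm(release_day: float, half_life_days: float,
                  contact_rate_per_hour: float = 2.0, horizon_days: int = 10,
                  n_hosts: int = 100_000, seed_infections: int = 10) -> float:
    """Cumulative fraction of hosts ever infected by a worm released
    release_day days after disclosure (0 = zero-day).

    Toy SI model in hourly steps: each infected host makes
    contact_rate_per_hour infection attempts per hour against random hosts,
    so the expected number of new infections is rate * I * S / N. Unpatched
    hosts keep patching during the outbreak at the curve's exponential rate.
    """
    hourly_patch_rate = math.log(2) / (half_life_days * HOURS_PER_DAY)
    susceptible = n_hosts * unpatched_fraction(release_day, half_life_days)
    infected = min(float(seed_infections), susceptible)
    susceptible -= infected
    for _ in range(horizon_days * HOURS_PER_DAY):
        new_infections = min(contact_rate_per_hour * infected * susceptible / n_hosts,
                             susceptible)
        infected += new_infections
        susceptible -= new_infections
        susceptible *= math.exp(-hourly_patch_rate)  # patching continues
    return infected / n_hosts


def compare_release_days(half_life_days: float, days=(0, 5)) -> dict:
    """Map release day -> (infected fraction, ratio to the day-0 worm)."""
    fractions = {d: simulate_worm(d, half_life_days) for d in days}
    base = fractions[days[0]]
    return {d: (f, f / base) for d, f in fractions.items()}


if __name__ == "__main__":
    for half_life in (1.0, 30.0):
        print(f"patch half-life {half_life:g} days (hypothetical):")
        for day, (frac, ratio) in compare_release_days(half_life).items():
            print(f"  worm released day {day}: {frac:.3f} of hosts infected, "
                  f"{ratio:.2f} of the zero-day worm's damage")
```

Because a fast worm saturates whatever population is still vulnerable within hours, the day-5/day-0 damage ratio ends up tracking the patching curve's value at day 5: with a slow hypothetical half-life (tens of days) the day-5 worm does almost the full damage, while with a one-day half-life it barely gets off the ground. So the disagreement in the thread reduces to how slowly hosts actually patch.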

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
