The recent publicity surrounding the DNS cache-poisoning vulnerability and other high-profile bugs has had the unfortunate effect of dragging the battered, bloated corpse of the full-disclosure debate back above ground. Like a lot of other people in the industry, I’ve completely lost my taste for that discussion. The really interesting question is not whether disclosure of vulnerabilities and release of exploit code is necessary or ethical, but whether exploit development itself has any real value anymore. In one sense, it is now far more valuable than it has ever been, as some security companies and a few select government agencies are willing to pay quite a nice price for new vulnerability and exploit information. I’ve heard from a number of researchers that remotely exploitable server-side bugs in applications like Windows Server 2008 or Oracle databases can be worth well north of $50,000 if you know the right buyer. And that’s on the legitimate market.
But in the broader sense, the question is much more nuanced and the answers far from certain. For the researchers themselves, the intellectual satisfaction and pride of finding a new bug is a significant draw. In a recent podcast I did with Dino Dai Zovi, he described the feeling of creating a new, working exploit as “awesome” and said that once you’ve done it, you keep going back to the well. Most of the researchers I know got into the game as a result of intellectual curiosity, a desire to see how things work as well as how they fail. Few, if any, of them went in thinking that they’d make a living on their research, but many of them have been able to do just that.
The question remains, however: Does this research benefit anyone other than the researchers themselves? I believe it does. We know that no software maker is turning out perfect products. Microsoft, Oracle Corp. and others have implemented very strong security development programs, but they will never find every problem or think of every possible attack vector. The memory-protection attacks outlined at Black Hat by Mark Dowd and Alexander Sotirov are a perfect example. Microsoft’s threat modeling program identified many of the threats and the company implemented a number of new protections, such as DEP, ASLR and SafeSEH, but the researchers still found ways around them through the browser. Microsoft will respond and address those attacks, but without Dowd and Sotirov’s work, who knows whether those issues would have been found. Indeed, Sotirov told me in an interview yesterday that Microsoft officials were happy they brought the attacks to light so the company could address them in a future release.
It appears that many of the software vendors agree, as they have been hiring researchers at a pretty good clip for a few years now. What a researcher does with his findings is another story altogether, but at least for now, I think there’s still quite a bit of value to be derived from the work.