Types of security bugs by methodology of discovery
Draft: Wed Feb 21 13:35:57 UTC 2018
Here are some types of security bugs by methodology of discovery that work for me;
your mileage may vary.
1. Fuzzing
2. Source code auditing
2.1 When you know what to look for
2.2 When you don't know what to look for
3. Opportunistic black box attacks
4. Bugs out of nowhere
Some details.
1. Fuzzing
This is the easiest. Run a fuzzer and wait, usually for a SEGV.
The hard part is writing the fuzzer and making an exploit from a messy testcase.
2. Source code auditing
2.1 When you know what to look for
Run grep(1) or something better, like a semantic grep or some kind of source analyzer.
Usually you are looking for low-hanging fruit such as strcpy(3) or something like it.
Second easiest.
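An added illustration of the "something better than grep" idea (my example, not code from the original note): it flags calls to a few classic low-hanging-fruit functions but, unlike grep(1), ignores mentions inside comments and string literals and only reports an actual call. The RISKY list and the sample C source are constructed for this example.

```python
import re
RISKY = {"strcpy": "unbounded copy", "strcat": "unbounded append",     # illustrative
         "sprintf": "unbounded formatting", "gets": "never safe"}      # audit list
_CALL = re.compile(r"\b(" + "|".join(map(re.escape, RISKY)) + r")\s*\(")

def strip_comments_and_strings(src: str) -> str:
    """Blank out comments and string/char literals with spaces, keeping
    every newline so reported line numbers stay correct."""
    out, i, n = [], 0, len(src)
    while i < n:
        if src.startswith("//", i):                 # line comment
            j = src.find("\n", i)
            j = n if j < 0 else j
            out.append(" " * (j - i))
        elif src.startswith("/*", i):               # block comment
            j = src.find("*/", i + 2)
            j = n if j < 0 else j + 2
            out.append(re.sub(r"[^\n]", " ", src[i:j]))
        elif src[i] in "\"'":                       # string / char literal
            q, j = src[i], i + 1
            while j < n and src[j] != q:
                j += 2 if src[j] == "\\" else 1     # skip escaped characters
            j = min(j + 1, n)
            out.append(re.sub(r"[^\n]", " ", src[i:j]))
        else:
            out.append(src[i])
            j = i + 1
        i = j
    return "".join(out)

def find_risky_calls(src: str) -> list:
    """Return (line, function, reason) for each call to a RISKY function."""
    cleaned = strip_comments_and_strings(src)
    return [(ln, m.group(1), RISKY[m.group(1)])
            for ln, line in enumerate(cleaned.splitlines(), 1)
            for m in _CALL.finditer(line)]

# Constructed sample input, not taken from any real project.
SAMPLE = '''#include <string.h>
/* strcpy(dst, src) in a comment: plain grep would flag this line */
void copy(char *dst, const char *src) {
    strcpy(dst, src);                       /* a real call */
    puts("strcpy(dst, src) in a string");   /* not a call */
    my_strcpy(dst, src);                    /* different identifier */
    gets(dst);                              /* a real call */
}
'''
for ln, fn, why in find_risky_calls(SAMPLE):
    print(f"line {ln}: {fn}() - {why}")     # reports lines 4 and 7 only
```

A real audit would feed it every .c file in the tree and review each hit by hand; the point is only to cut the obvious noise grep(1) produces.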
2.2 When you don't know what to look for
Carefully examine the source code looking for “anomalies”.
Run the code in your head, not necessarily rigorously.
If the codebase is large, split it by subcomponents; the interaction between them
is the complicated stuff.
To some extent this could be automated, but logical errors are likely to go uncaught.
An example of this approach is the qmail signedness bug.
3. Opportunistic black box attacks
Examples of these are almost? all my Internet Explorer bugs.
Treat the program as a black box and try random stuff, carefully observing
small changes in the system and side effects.
Difficult to succeed at. Resembles catching fish in a pool.
4. Bugs out of nowhere
No joke. These are so rare they border on non-existence.
I claim they exist.
Read some documentation and, optionally, if possible, browse some source
code.
Then relax, away from the computer, thinking about whatever you wish.
If you are lucky, a potential bug will pop up in your head.
Verify the reality of the bug on a computer.
For me, relaxation with beer greatly increases both the potential bugs and the false positives.