The Market-Driven (Vulnerability) Economy
“Markets are doing what they do best.”
“That’s why the market has always been a better problem-solver than government and it always will be.”
Markets fascinate me. I have never studied economics, and honestly, I realized how fascinating it is excessively late. Nevertheless, I am still fascinated by markets. Their forces, their currents, their dynamism. Everything about them fascinates me. Those two quotes above from the NBC television show the West Wing (or paraphrases or sort-of quotes) sum it up best for me: markets find efficiencies and solutions to problems. The wisdom of a crowd and all of that.
Earlier today at CanSecWest, there was a panel discussion surrounding the economics of vulnerability research. As usual, it was a lively conversation w/ tempers on the verge of flaring (but not quite). It got me thinking; some of the vulnerability research market is formal. Things like “0-bay” or even as literal as putting a vulnerability up for sale on eBay qualify as sort of formal. Things like iDEFENSE Inc.’s Vulnerability Contributor Program (VCP) or TippingPoint’s Zero-Day Initiative (ZDI) are far more formal. And, honestly, look at what happens when someone comes unexpectedly and starts posting great bug finds and exploits on a public list: they are hired or brought into a community.
The reality is that it is one big marketplace, even if you do not always see it. The forces of this are not always tied to money; they are sometimes tied to other incentives. However, a huge incentive was recently made by iDEFENSE: US$ 10,000 for anyone providing them with a Microsoft vulnerability that ultimately leads to Microsoft recognizing the vulnerability and qualifying it as “critical.”
This should tell you three things:
1. While Microsoft code has many vulnerabilities, they have made so many significant changes in their Windows XP product that the low hanging fruit has probably been grabbed by someone else or is moot. Data Execution Prevention (DEP) might take care of your stack overflow and reduce it to a DoS. The default firewall might block the service. The service might be off by default. All of these changes make a difference.
2. There remains a huge value in finding bugs in Microsoft products. When Windows powers so much of the Internet, and is on almost every cable modem user’s desktop around the world, a vulnerability in any fraction of a Microsoft windows installation is a serious threat to the Internet at large. Release a bot with a vulnerability like that and you have something on your hands.
3. Notice that iDEFENSE did not offer the same incentive for Linux or FreeBSD, or any other open-source project. It is not that these are likely to be safer products…it’s that there’s little prize involved when such a diverse userbase exists and, to be fair, almost all of the critical bugs have been found already in those projects. It’s not that hard to run something like RATS or Flawfinder over a major project like Linux or Apache and find a potential bug, but the chances of it being a critical vulnerability are likely small. Someone else has already found most of those. Open-source is doing its job…
Therefore, if you want that US$ 10,000, fire up your fuzzers and get cracking. People are finding the best bugs with tools like fuzzers (look at the plethora of LDAP bugs in February 2006!) or binary analysis tools like BinNavi or BinDiff. grep used to work, and it still works on small projects with a small userbase. However, it does not work on stuff that is out there in quantity. Therefore, US$ 10,000 is an appropriate amount to entice the people who really know what they are doing. The question is, are you one of them? For US$ 10,000 and probably a ticket to a good job paying ten times that to keep on finding those bugs, are you willing to learn?
Markets ultimately fascinate me because they reveal, in no uncertain terms, the realities of what is out there. If a CEO says “we’re healthy” but their stock is tanking, whom do you believe? If the foreign exchange rates for the dollar plummet, whom do you listen to: the market or the US Federal Reserve chairman? Markets do what they do best: strip away things that obfuscate the truth and reveal where true value lies.