Friday, September 09, 2011

Short note on static analysis and lobbying

After getting annoyed with Twitter's 140-char limit while trying to make a sane point, I switch back to an old-school medium that allows actual arguments ;)

I was commenting on the dishonesty in lobbying for legally mandated static analysis with "cyber security" as an underlying argument.

I think this is a total bullshit argument.

Static analysis is good at removing a large number of low-hanging fruit when it comes to both reliability and security bugs. But: Static analysis alone fails to significantly increase the resilience of real-world systems against determined attacks (although it may increase the resilience to really casual attacks).

So I think it is good & sane to mandate static analysis for some pieces of code for reliability reasons. I'd rather fly in an airplane with formally verified avionics code.

The reality is though that even the most sophisticated static analysis systems nowadays are not terribly good at dealing with dynamically allocated memory, suffer from grotesque overapproximation as a result of summarizing dynamically allocated memory, and in general don't deal with many common programming patterns very well.

Avionics code without dynamic memory allocation, plus a team of people dedicated to getting a static analyzer going, benefits a lot from static analysis. The browser that I am typing this in benefits much less: It uses a gazillion programming idioms that are notoriously hard to analyze. No existing and generally available static analysis will significantly impact the difficulty of finding a remotely exploitable bug in this browser.

So, in short: Using SA can have great benefits in particular scenarios. Verifying an avionics system is a great example. Verifying a microkernel that allows me to safely sandbox my terribly buggy browser is another example. Mandating SA for general software development is insanity, though: The current state of research (let's not even speak about available products) isn't capable of impacting the resiliency (against determined attack) of a browser or document viewer significantly. Let's not kid ourselves: The technology just isn't there, and won't be for another few years.

Tuesday, March 01, 2011

Wow ...

The company that produces your favourite security researchers' favourite tools has been acquired by Google. You, dear reader, have every right to be surprised; we ourselves are still recovering from the happy surprise.

"In mathematics, you don't understand things. You just get used to them."

-- John von Neumann


Old Jonny was right, but you might substitute "mathematics" with "life" in the above.

zynamics was never designed to be acquired. To be quite honest, zynamics wasn't designed at all -- it mostly just "happened". We never had a plan outside of "build the tools that we want to have, others will then want to have them too". We never took venture capital, and the only business plan I ever created was a half-baked attempt made with wizard software. It was never updated. The fact that we exceeded the forecasts was mostly due to me being an overly pessimistic planner.

Calling our structure engineering-centric would be an understatement; our everything-to-engineering ratio is roughly 7% (if I may still count myself as an engineer).

As we grew, the problems that we wanted to solve grew too -- at a much faster rate than our resources to solve them. The result was that I spent more and more time running around managing, doing sales, and acquiring resources so that my team could do the technical work that I love and am good at. I wanted the chance to focus on technical issues again.

So at some point in this process we started talking with Google, much to our own surprise. We had not anticipated this -- we are not web-centric, we are far away from their core business: At first glance the acquisition seemed like a strange choice for both sides.

Yes, we have excellent technology and a core of great engineers; we were just surprised about the fact that Google would be interested. It was certainly not an obvious pick.

Then again, Google shares an engineering-centric culture, and has just the resources we're lacking.

"The purpose of computing is insight, not numbers."

-- Richard Hamming


A friend of mine (rightfully) mocked me for trying to perform serious computation on something that strongly resembles a pocket calculator. According to him, there's roughly one and a half computers in this world -- and Google happens to have one of them. I tend to concur.

So, as of today, I can say that the entire zynamics team has joined Google. I am looking forward to tackling problems with the resources that Google can provide.

While there will be some changes, our products are not going away - on the contrary!


"And if you ask me what this 'purpose' is that I pursue across a thousand pages, I will answer: it is to give the account, and thereby the discovery, of the inner adventure that my life has been and is."

-- Alexandre Grothendieck


Running zynamics with my team was an exciting experience, but I have no doubt that the future will be every bit as exciting.


Tuesday, March 02, 2010

Training class with SP and me at CSW!

Hey all,

SP and I will be teaching a training class this year at CanSecWest. If you have some background in reverse engineering and want to
  • become a more efficient reverse engineer
  • become a more efficient bug hunter
  • become better at understanding stuff like Acrobat's JScript Engine
this class is for you. We will teach you stuff including but not limited to:
  • Quickly find where the interesting parts of the executable are: Who is parsing user input ? Who is responsible for the crypto ?
  • Save time: Identify what open-source libraries are statically linked into the executable. Why audit binary when you can read source ?
  • Want to understand what Acrobat is doing ? Or most C++ programs nowadays ? Generate UML diagrams from binaries, showing you all the classes and their hierarchy.
Anyhow, follow this link if you are interested. I think it's going to be a blast.

Cheers,
Halvar

Monday, February 08, 2010

Tax evasion and welfare fraud

Hey all,

now that all the technical stuff is going to the zynamics company blog, I will have some room here for writing about other topics. Beware: Politics might be involved, or just general rants.

Tonight I will write a little bit about tax evasion and welfare fraud. I somehow wound up in a discussion about the topic, and the end result was that I spent 20 minutes doing a bit of research on the topic.

Background: The German government was offered a CD containing data on people who have moved money into Swiss bank accounts, presumably to evade taxes. The person offering the CD claims that it contains almost exclusively data on tax evaders, and demands a fee of 2.5 million EU to provide the CD to German authorities.

This situation has spawned a debate about the legality of the situation: Is it "right" for the German government to buy data that was obtained in a presumably illicit fashion? (I intentionally avoid "illegal" here -- the person who obtained the data might be in breach of contract with his employer, but it is unclear whether he broke any criminal laws.)

Clearly, it is a tricky question - but the difficulty of this question is not the topic of this blog post.

Recently, a German politician (who, ironically, was repeatedly involved in corruption affairs, most notably the CDU party donations affair) by the name of "Roland Koch" argued that welfare fraud is a serious problem in Germany, and that 15% of all welfare recipients do not actually want to work. He argued for annulling the benefits of these 15% in a large conservative newspaper (the FAZ).

So in today's discussion, the question came up: What is actually the "bigger" crime (in terms of financial damage): Tax evasion or welfare fraud?

It is relatively straightforward to calculate the cost of welfare fraud: Germany spent 21.7 billion EU in 2008 on the "Hartz-4" system. This includes administrative overhead. Assuming that Mr. Koch's claim has merit, and assuming that overhead is also inflated due to fraud, ~3.3 billion EU are lost annually to welfare fraud.

It is much more difficult to calculate the cost of tax evasion. There are many numbers that are difficult to justify, and most appear to be made up arbitrarily. The only halfway reliable number I could find was from this article:

The amount of money generated from tax investigations that followed evasion was ~1.6 billion EU in 2004. Inflation-adjusted to 2008 at 2% inflation, this ends up being ~1.73 billion.

This implies something rather interesting:
  1. Assuming that every third tax evader is caught (which I deem more realistic, just by gut feeling, i.e. without any scientific basis), tax evasion is already a much bigger problem than welfare fraud.
The question of course is: What is the actual ratio of tax evasion to "getting caught"?

Tuesday, January 19, 2010

The new, shiny, reverse-engineering-centric zynamics blog !

Hey all,

for all those that have almost gotten sick of me posting only rarely on this blog:

We have a shiny new reverse-engineering-centric blog up on http://blog.zynamics.com ! :)

The entire team will post RE-related issues there, so I think it'll be a rather good read :)

Friday, December 18, 2009

Interesting Blog Posts

Hey all,

so while you, dear reader, are still waiting on me finally fulfilling my promise about blogging more, I have some interesting links for you :)

Vincenzo Iozzo has been blogging about some cool stuff he has been doing using NaviPython, REIL, MonoREIL etc. recently, and you can read about it here:

http://viozzo.wordpress.com/2009/12/11/scripting-with-binnavi-cyclomatic-complexity/

http://viozzo.wordpress.com/2009/12/18/finding-interesting-loops-using-monoreil/

Cheers,
Halvar

Sunday, November 15, 2009

Clarification to the previous post

Hey all,

I thought I need to clarify something about the previous post: I was trying to explain the fact that people reacted harshly to the hint that a new standard is being drafted, without knowing anything about it. So I talked about the historical perspective on the old OIS draft, and what my thoughts about it were, and what I think the reasons are that researchers usually do not bother with these things much.

This was not meant as a reaction to the ISO standard under discussion. Katie Moussouris clarifies a lot of important points here -- and what she writes is completely sensible.

Anyhow, enough of this :-). The upside of the entire discussion: I really like the pun in the above link. Yes, I know that I have a weird sense of humor.

Why are most researchers not fans of standards on "responsible disclosure"?

I usually try to stay away from the politics of vulnerability disclosure, mostly because I think (to paraphrase Feynman) that politics of vulnerability disclosure are as useful to the vulnerability researcher as ornithology is to birds.

But it seems that the entire discussion is not going away. The intensity of the reactions to k8em0's twitter post might be partially explained by the history of this all. I'll try to refresh what I remember:

A lot of the older vulnerability researchers remember the ghastly OIS attempt at forcing a standard written by a bunch of non-researchers down the throats of the research community. From the outside, it looked mostly like an attempt to kiss up to some vendors that were spending a lot of money on security review during that time.

I might be stepping on some people's toes, but to me it looked like a high-school class where the dimmest students drew up guidelines on how smart students "should" behave, and gave that to the teacher in order to earn brownie points - including clauses like 'not contradicting the teacher'.

Unfortunately, most of the research community prefers to do work instead of discussing with people that have little interesting to say about how the researchers should work. The result of this is that researchers were rarely ever involved in the entire discussion. Not for lack of opportunity, but mostly lack of interest -- if I can actually go and surf, why would I discuss with a bunch of people sitting in an office about the right way to come back to the beach ?

The entire discussion has always been somewhat phony. The entire "responsible/irresponsible" angle is slightly fraudulent. The way I see it is the following:
  1. It is acceptable for AV companies to charge for signatures, which are in essence "information about malware"
  2. It is acceptable for AV companies to not publish, nor provide, malware to other parties, or to charge for it
  3. It is acceptable for software vendors to charge so I can use their software. It is also acceptable for them to charge more so that I can read their source code.
  4. Why, again, should a researcher be obliged to provide information to vendors free of charge?
  5. If anyone argues it's "responsible" to make everyone safer, I say: I'll give all my bugs to all vendors the same day that all security companies of the world provide free licenses for everyone for their software.
But well. Honestly, I am not sure whether I should post this. I do not really feel like spending too much time discussing this. But perhaps that's part of the problem...