Friday, 28 August 2009

Why We Need Breakers ( ... and virus writters ... )

One of the things that OWASP's Jeff Williams usually likes to say is that we need builders versus breakers.

He (and others) basically defend, that we need to have more guys focusing on how to protect systems, versus how to break/exploit them. He uses, as an example: ‘why do we need another example of how to exploit an specific variation of SQL injection instead of spending the resources figuring out how to fix it?’

The reality is that we need both. We actually need to have both researches activities/cultures, because showing us how to break something, is actually a great measurement of the current state of a particular problem (see also Jeremiah's Builders, Breakers, and Malicious Hackers).

The irony of all this, is that Jeff, in his Black Hat's Enterprise Java Rootkits presentation, become a BREAKER himself, and spend considerable resources and time showing in several powerful demos how dangerous is Java code executed outside the Java Security manager (i.e. outside a Sandbox). He is trying to do for Java what I tried (and gave up) on .NET (see Past research on Sandboxing and Code Access Security (CAS))

Today, just about everybody runs Java code outside a sandbox and the awareness that this could be very dangerous has still not reached critical mass. So for the people who are aware of this problem (i.e. Jeff), unless he starts hacking away real world targets to prove his point (not a very good idea in 2009) the only other alternative is to show what can be done and how bad is the current status quo. And by doing so, he is being a breaker.

Due to his past 'Builder vs Breaker positon' Jeff took a bit of slack for it, but basically he is showing / highlighting the problem and helping to raise awareness of its implications.

The main reason we need breakers, is because they actually show us the current state of the problem, since, the easier job the breaker has, the easier the target's can be exploited.

We also need 'non malicious' breakers because they actually show us what’s going on.

For example 'non malicious' (& with no criminal intent) virus writers!

I like to go on record to say that 'non malicious' Virus writers are actually our best friends, because they actually raise our overall level of security.

Although they may create short term havoc (and pain to the guys directly affected), they literally raise the level of security (for example 'forcing' people to patch existing vulns and making the eco-system more resilient)

This is why we need 'non malicious' viruses in the real world as well as the web world; they are actually benign and helpful (in the big scheme of things :) ).

In fact we (the good guys in the web application security world) should be paid to write viruses in order to push security up, but that is very unlikely to happen .... in the short term ... :)