Comments on: Thought Exercise: Automated Vulnerability Creation http://www.veracode.com/blog/2007/11/thought-exercise-automated-vulnerability-creation/ Application security testing, analysis, and metrics Tue, 15 May 2012 22:16:53 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Chris Eng http://www.veracode.com/blog/2007/11/thought-exercise-automated-vulnerability-creation/comment-page-1/#comment-642 Chris Eng Tue, 20 Nov 2007 20:29:33 +0000 http://www.veracode.com/blog/?p=70#comment-642 @Andy: As ds pointed out, it would be impractical to try and keep the hash the same -- that would require a major cryptographic breakthrough. The point was more along the lines of auto-generating test cases for code review tools, as opposed to creating undetectable backdoors. If you think about it, the effort involved in creating arbitrarily complex test cases is significant. You can use synthetic cases such as SAMATE but these don't approach the level of code complexity that a real-world codebase would have. Similarly, you can benchmark yourself against publicly-disclosed vulnerabilities in real-world code but that is a labor intensive process to catalog all the data. @Andy: As ds pointed out, it would be impractical to try and keep the hash the same — that would require a major cryptographic breakthrough. The point was more along the lines of auto-generating test cases for code review tools, as opposed to creating undetectable backdoors.

If you think about it, the effort involved in creating arbitrarily complex test cases is significant. You can use synthetic cases such as SAMATE but these don’t approach the level of code complexity that a real-world codebase would have. Similarly, you can benchmark yourself against publicly-disclosed vulnerabilities in real-world code but that is a labor intensive process to catalog all the data.

]]> By: ds http://www.veracode.com/blog/2007/11/thought-exercise-automated-vulnerability-creation/comment-page-1/#comment-639 ds Mon, 19 Nov 2007 20:31:11 +0000 http://www.veracode.com/blog/?p=70#comment-639 You are probably already familiar with the paper "Reflections on Trusting Trust", published in 1984 by Ken Thompson (he of C). http://cm.bell-labs.com/who/ken/trust.html Worth a read by those interested in this topic. As for Commenter Andy's suggestion on making the program have an identical hash value... if that were possible, then the hash algorithm in use would be broken and (hopefully) not in use anymore. -ds You are probably already familiar with the paper “Reflections on Trusting Trust”, published in 1984 by Ken Thompson (he of C).

http://cm.bell-labs.com/who/ken/trust.html

Worth a read by those interested in this topic.

As for Commenter Andy’s suggestion on making the program have an identical hash value… if that were possible, then the hash algorithm in use would be broken and (hopefully) not in use anymore.

-ds

]]> By: Andy Steingruebl http://www.veracode.com/blog/2007/11/thought-exercise-automated-vulnerability-creation/comment-page-1/#comment-631 Andy Steingruebl Sat, 17 Nov 2007 22:45:51 +0000 http://www.veracode.com/blog/?p=70#comment-631 The real trick would be to make one that exhibits one or more of these behaviors and has the same hash. Its pretty obvious when a trojan doesn't do the right then generally. Its an entirely different matter for it to behave almost identically, have the same hash, but have a few backdoors inserted. A thought exercise only I hope - not looking forward to this being practical :) The real trick would be to make one that exhibits one or more of these behaviors and has the same hash. Its pretty obvious when a trojan doesn’t do the right then generally. Its an entirely different matter for it to behave almost identically, have the same hash, but have a few backdoors inserted.

A thought exercise only I hope – not looking forward to this being practical :)

]]>