In part I of this article I wrote about the history of vulnerability research and how researchers having legal access to the software and hardware they need to conduct their research is a pre-requisite. This is why there was such little research on software before 1996.
Not only is legal access important but being able to run the software in a lab environment is important. Pure black box testing is very inefficient for finding security bugs. You need to instrument the running program and be able to perform static analysis. This usually takes the form of using debuggers and shims which the program is running and using disassemblers to statically inspect the software. These techniques have been honed and improved over the years and there are even books
Technology marches on and a new way of running software is gaining significant ground over traditional software. Software as a Service (SaaS) is a model where you don’t install software on your own hardware. You use the software in a client server model over the web. Yahoo Mail for individuals and Salesforce.com for corporations are examples of this new model. An organization such as Yahoo runs the software and you just use it. It can be free or paid for with a subscription. The key difference here is you don’t run the software on your hardware.
This is a big change for vulnerability researchers who can’t use their white and gray box techniques, well legally anyway. Even using a strictly black box probably steps over the legal line in most cases. We are charting new territory here. Creating hundreds of sessions and inspecting session IDs is probably OK. Fuzzing all form fields is probably not OK.
Last Thursday, the U.S. Attorney's Office in the Central District of California leveled a single charge of computer intrusion against San Diego-based information-technology professional Eric McCarty, alleging that he used a Web exploit to illegally access an online application system for prospective students of the University of Southern California last June. The security issue--which could have allowed an attacker to manipulate a database of some 275,000 USC student and applicant records--was reported to SecurityFocus that same month. An article was published after the university was notified of the issue and fixed the vulnerable Web application. The prosecution of the IT professional that found the flaw shows that security researchers have to be increasingly careful of the legal minefield they are entering when reporting vulnerabilities, said Lee Tien, senior staff attorney for the Electronic Frontier Foundation, a digital-rights advocacy group. "I think the bottom line is that anybody that does disclosures of security vulnerabilities has to be very careful (so as to) not be accused of being a hacker," Tien said. "The computer trespass laws are very, very tricky.
And this from The Register,
Cuthbert, a 28 year old from Whitechapel, London, was a security consultant at ABN Amro, a job he lost as a result of his arrest. He also lectured at Westminster and Royal Holloway universities - ironically he taught some members of the Computer Crime Unit.
On December 31, 2004, Cuthbert, using an Apple laptop and Safari browser, became concerned that a website collecting credit card details for donations to the Tsunami appeal could be a phishing site. After making a donation, and not seeing a final confirmation or thank-you page, Cuthbert put ../../../ into the address line. If the site had been unprotected this would have allowed him to move up three directories.…
The police were able to track Cuthbert down because of the donation he made just before running the tests. He was arrested, brought in for questioning and subsequently charged with breaking the Computer Misuse Act.
These two cases should be a big enough warning that probing web sites for vulnerabilities has a good chance of landing, even those with good intentions, in jail.
It’s my belief that vulnerability researchers have not only educated the software community about how to find security vulnerabilities, but they have also been 3rd party consumer watchdogs. They have giving consumers a fighting chance in understanding what software and which vendors. For both of these benefits, there is a need for vulnerability researchers to have access to the software that people use.
I fear that these benefits will disappear as more software moves into the Software as a Service realm. Some possible solutions are:
- SaaS providers could deploy their software on test servers where people would be free to attack it. If they are really bold they could give shell accounts.
- Congress could pass a “good Samaritan” law that would exempt researchers from the computer trespass laws if they are engaged in legitimate research.
- SaaS providers could engage trusted 3rd parties to perform security testing and allow them to publish the results for consumers to see.
I am interested if others have ideas or how think the growth of SaaS will change the vulnerability research landscape.