Saturday, 19 May 2012

2 Microsoft Research Papers to Read


Two interesting papers from Microsoft Research, both from June 2011. Interesting because they argue against the prevailing view that we are all doomed as a result of poor security. They are worth reading for the alternative point of view. You can skip over the mathematical equations if that is not your thing.

"Sex, Lies and Cyber-crime Surveys" argues that cyber-crime surveys are in general pretty rubbish. It discusses the difficulty of performing surveys properly, especially on relatively rare phenomena. From section 4.3:
  • "Our assessment of the quality of cyber-crime surveys is harsh: they are so compromised and biased that no faith whatever can be placed in their findings."
Of particular interest to application security people is the following from the conclusion:
  • "The importance of input validation has long been recognized in security. Code injection and buffer overflow attacks account for an enormous range of vulnerabilities. 'You should never trust user input' says one standard text on writing secure code. It is ironic then that our cyber-crime survey estimates rely almost exclusively on unverified user input. A practice that is regarded as unacceptable in writing code is ubiquitous in forming the estimates that drive policy. A single exaggerated answer adds spurious billions to an estimate, just as a buffer overflow can allow arbitrary code to execute."

The second paper, "Where Do All The Attacks Go?", tries to answer the question "Why isn't everyone hacked every day?" Here's the abstract:
  • "The fact that a majority of Internet users appear unharmed each year is difficult to reconcile with a weakest-link analysis. We seek to explain this enormous gap between potential and actual harm. The answer, we find, lies in the fact that an Internet attacker, who attacks en masse, faces a sum-of-effort rather than a weakest-link defense. Large-scale attacks must be profitable in expectation, not merely in particular scenarios. For example, knowing the dog's name may open an occasional bank account, but the cost of determining one million users' dogs' names is far greater than that information is worth. The strategy that appears simple in isolation leads to bankruptcy in expectation. Many attacks cannot be made profitable, even when many profitable targets exist. We give several examples of insecure practices which should be exploited by a weakest-link attacker but are extremely difficult to turn into profitable attacks."
The main conclusion is that you cannot calculate risk accurately if your inputs are cyber-crime surveys. It is more useful to concentrate on the impact of a threat, and on whether an attacker could actually make exploiting it profitable at scale.
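To make the abstract's argument concrete, here is a toy model of the weakest-link versus sum-of-effort calculation. This is an added example written for this post, not code or figures from the paper; the population size, vulnerability rate, account value and per-user probe cost are all constructed numbers, chosen only to mirror the dog's-name scenario in the abstract. It also goes one step beyond the abstract by showing the break-even point, which is where automatable attacks (cheap per target) become profitable while manual ones do not.

```python
"""Toy model of 'attacks en masse face a sum-of-effort defence'.

Every number in this file is constructed for illustration only.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Population:
    size: int           # number of potential victims the attacker can reach
    vuln_rate: float    # fraction whose dog's name really does open the account
    value: float        # payoff from one compromised account
    probe_cost: float   # attacker's cost to learn one user's dog's name


def exposed_value(pop: Population) -> float:
    """What a weakest-link analysis sees: the total value sitting behind
    the insecure practice, as if the attacker could pick only the
    vulnerable users."""
    return pop.size * pop.vuln_rate * pop.value


def mass_attack_profit(pop: Population) -> float:
    """Expected profit for an attacker who cannot tell the vulnerable
    users apart in advance and so pays the probe cost for everyone.
    This is the sum-of-effort defence from the abstract."""
    revenue = pop.size * pop.vuln_rate * pop.value
    cost = pop.size * pop.probe_cost
    return revenue - cost


def breakeven_vuln_rate(pop: Population) -> float:
    """Vulnerability rate at which the mass attack stops losing money:
    profit >= 0 exactly when vuln_rate * value >= probe_cost."""
    return pop.probe_cost / pop.value


def is_profitable(pop: Population) -> bool:
    """True when the attacker should expect to make money attacking everyone."""
    return mass_attack_profit(pop) > 0


if __name__ == "__main__":
    # Constructed scenario: a million users, one in a thousand vulnerable,
    # $500 per account, $5 of manual effort to learn each dog's name.
    manual = Population(size=1_000_000, vuln_rate=0.001, value=500.0, probe_cost=5.0)
    # Same population, but the probe is automated and costs a cent per user.
    automated = Population(size=1_000_000, vuln_rate=0.001, value=500.0, probe_cost=0.01)

    for name, pop in (("manual", manual), ("automated", automated)):
        print(f"{name}: value exposed ${exposed_value(pop):,.0f}, "
              f"expected profit ${mass_attack_profit(pop):,.0f}, "
              f"profitable={is_profitable(pop)}, "
              f"break-even rate {breakeven_vuln_rate(pop):.2%}")
```

The "manual" case is the abstract's point: half a million dollars is genuinely exposed, so a weakest-link analysis says the practice must be exploited, yet the attacker who has to pay for every probe loses four and a half million in expectation. Drop the per-target cost to a cent and the same population becomes worth attacking, which is why the attacks that actually happen at scale are the automatable ones.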
