
Bug Larping for Fun and Profit - ingve
https://anti.computer/rants/2020-09-12-bug-larping-for-fun-and-profit.html
======
wffurr
If code quality is the most cost effective mitigation, then does it follow
that valgrind and now Rust are the most effective defensive tools?

~~~
SCHiM
My opinion is that they are. There's another argument to be had that the essay
touches on as well in the end: developers don't need to know the ins-and-outs
of each and every vulnerability class. It's just not feasible if we expect
developers to actually ship software. We need to make the tools themselves
safe, fix these problems at the source, instead of patching the tail-end.

I don't really see the point of automated triaging myself. Given the
sophistication and skill of some writers out there, you should just assume
that an attacker-controlled write primitive would eventually lead to RCE. The
essay mentions this when it goes into the intersection of skill, motivation
and resources. But on the defender side this shouldn't matter, no? A bug is a
bug, and memory corruption should just blindly be assumed to be a 'worst
case'.

~~~
albntomat0
> I don't really see the point of automated triaging myself. Given the
> sophistication and skill of some writers out there, you should just assume
> that an attacker-controlled write primitive would eventually lead to RCE.
> The essay mentions this when it goes into the intersection of skill,
> motivation and resources. But on the defender side this shouldn't matter, no?
> A bug is a bug, and memory corruption should just blindly be assumed to be a
> 'worst case'.

I think the utility of auto-triaging is when the bug isn't a clear arb
read/write. The article links to
https://seanhn.files.wordpress.com/2019/11/heelan_ccs_2019.pdf,
which talks about how to automatically develop exploits from limited heap
corruption primitives.

------
choeger
Serious question: Did someone ever find an exploitable bug in software written
in something more safe than C/C++? Remote shells in Java, C#, Rust, Go,
Haskell?

~~~
wglb
Heartbleed was duplicated in Rust.

Very often breaches can be found to be in cloud permission configurations.

There are many business-rules-level vulnerabilities.

The following post will give some insight:
https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2009/november/ninja-threat-modeling/
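As an added example (not code from the thread, the essay, or the Rust Heartbleed reproduction it alludes to), here is one way a Heartbleed-style leak can be written in entirely safe Rust, which is the assumption this snippet makes about how such a duplication works: a scratch buffer is reused across requests, and the heartbeat reply length is taken from the attacker's declared length rather than from the bytes actually received. The `Server`, `Heartbeat` and `handle_login` names and the "login" data are constructed for the illustration. Every slice is bounds-checked against the allocation, so nothing reads outside `scratch`, yet stale bytes from the previous request are still returned; the fixed handler derives the reply length from the received payload and rejects a disagreeing declared length.

```rust
// Constructed example: a Heartbleed-style data leak in safe Rust.
// The server keeps a single reusable scratch buffer for all requests. A
// heartbeat carries an attacker-chosen declared length plus the payload bytes.
// The vulnerable handler trusts the declared length and echoes that many bytes
// from the scratch buffer, which still holds data written by earlier requests.

const SCRATCH_LEN: usize = 64;

pub struct Server {
    // Reused across requests; never cleared between them (the root cause).
    scratch: Vec<u8>,
}

/// A heartbeat request: declared length and payload are both attacker-controlled.
pub struct Heartbeat<'a> {
    pub declared_len: usize,
    pub payload: &'a [u8],
}

impl Server {
    pub fn new() -> Self {
        Server { scratch: vec![0u8; SCRATCH_LEN] }
    }

    /// Simulates an ordinary request that leaves sensitive data behind in the
    /// scratch buffer (hypothetical login handling, constructed for the demo).
    pub fn handle_login(&mut self, secret: &[u8]) {
        let n = secret.len().min(SCRATCH_LEN);
        self.scratch[..n].copy_from_slice(&secret[..n]);
    }

    /// VULNERABLE: copies the payload in, then replies with `declared_len`
    /// bytes. Capping to SCRATCH_LEN keeps the slice in bounds, so safe Rust
    /// never panics here, but bytes beyond the payload are stale data from
    /// previous requests.
    pub fn heartbeat_vulnerable(&mut self, hb: &Heartbeat) -> Option<Vec<u8>> {
        let n = hb.payload.len().min(SCRATCH_LEN);
        self.scratch[..n].copy_from_slice(&hb.payload[..n]);
        let reply_len = hb.declared_len.min(SCRATCH_LEN);
        Some(self.scratch[..reply_len].to_vec())
    }

    /// FIXED: the reply length is the number of bytes actually received, and a
    /// declared length that disagrees (or exceeds the buffer) is rejected.
    pub fn heartbeat_fixed(&mut self, hb: &Heartbeat) -> Option<Vec<u8>> {
        if hb.declared_len != hb.payload.len() || hb.declared_len > SCRATCH_LEN {
            return None;
        }
        let n = hb.payload.len();
        self.scratch[..n].copy_from_slice(hb.payload);
        Some(self.scratch[..n].to_vec())
    }
}

fn main() {
    let mut server = Server::new();
    server.handle_login(b"password=hunter2");

    // Attacker sends a 2-byte payload but declares 16 bytes.
    let hb = Heartbeat { declared_len: 16, payload: b"hi" };

    let leaked = server.heartbeat_vulnerable(&hb).unwrap();
    println!("vulnerable reply: {:?}", String::from_utf8_lossy(&leaked));

    let mut server = Server::new();
    server.handle_login(b"password=hunter2");
    println!("fixed reply: {:?}", server.heartbeat_fixed(&hb));
}
```

The point the example makes is the one in the comment above: the compiler's bounds checks stop an out-of-allocation read, but they say nothing about whether the bytes inside the allocation are the ones the caller is entitled to see, so the leak survives in a memory-safe language as a pure logic bug.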

~~~
lisper
> Heartbleed was duplicated in Rust.

There's a big difference between intentionally duplicating a known flaw in a
safe language and unintentionally producing a new exploitable flaw in a safe
language.

~~~
wglb
The point is not whether or not it is intentional, but to illustrate that many
vulnerabilities exist that don't depend on memory unsafety.

