RE: Techniques for Vulnerability discovery

From: Guillermo Marro
Date: 04/06/02

Date: Fri, 5 Apr 2002 15:26:09 -0800 (PST)
From: Guillermo Marro
To: Oliver Petruzel

From an academic perspective, it's worth mentioning
that UCDavis is currently offering (this spring
quarter) a very interesting grad class about this
topic taught by Matt Bishop.

Some pointers you might find of interest:

Protection Analysis (PA) model
RISOS (Research Into Secure Operating Systems) model
Aslam's model
NRL Taxonomy

Additionally Gupta & Gligor have made important
research contributions in this area.

If you prefer the information logically organized and
condensed, you might want to wait for Bishop's book
"Art & Science of Computer Security" to be published
soon. (you'll find a whole chapter devoted to this


Oliver Petruzel wrote:

I am sincerely glad someone brought this up. My concern lies in a total lack of education or training in this area. Hacking 101 courses are all over the place now; teaching MCSE-kiddies and non-technical managers how to run scripts and nmap (swell..$2-4k to learn this stuff in 3 days? Ach, ask a single grad of those programs what nmap is ACTUALLY sending and "duhh, errr, but it says it's BeOS with port 80 open, I'll just use securityfocus like they showed me to find a script to shoot at it..")...

(I digress...) There are not many courses that I know of that actually explain the methodology in searching for *new* vulnerabilities... As in "Tearing apart that new .dll, .asp, or cgi from a security perspective

Some folks claim it's just trial and error and dumb luck. Others say that folks troll the "most downloaded" new pieces of software at shareware sites and then pound away semi-blindly with input variables and switches that have worked against previously announced holes in other software until they find something that will get their name on

Problem is, in our growing field of infosec, beyond post-grad or doctorate level CS, there aren't very many educational tracks to show your average programmer/engineer how to start finding new holes... The only thing I can think of is to send someone through: a secure programming program AND a webapp dev course AND a windows API course AND AND AND..etc...we're talking tens of thousands of bucks there, not to mention the hours involved..ouch.

My goal: I want to take 4 of my Jr Security Engineers and send them somewhere for a week or two, or perhaps several weeks at night, and have them come back to tear apart software like it's nothing... <foundstone, hint hint, E&Y, hint hint.. Anyone? Bueller? Bueller?...> Of course, pre-req's would be a solid knowledge of scripting languages, C/C++, network architectures and protocols, and all publicly known scripts and code... (but I require that of my jr's anyways so I just want someone else to show them the next level! I have no time, and hell, if the course is good enough, I would even go so that I can stop using semi-educated dumbluck and trial and error! lol)

I am VERY interested to see someone post a resource... Maybe this is just a pipe-dream.


Ps: on a side note, there are several interesting projects currently in dev everywhere to automate all of this.. So don't worry, soon those afraid of anything they can't click on will also be able to point and click their way through code to find new vulns...swell eh? There are even dev projects going to automate vulnerability discovery in ALREADY COMPILED software! Woohoo...

"Excellent Smithers! Now activate the artificial lightning and blue screens of death!"

-----Original Message-----
From: kaipower
Sent: Thursday, April 04, 2002 8:05 PM
Subject: Techniques for Vulnerability discovery


After reading the mailing list for quite a while, there is a burning question which I kept asking myself:

How do experts discover vulnerabilities in a

Some categories of vulnerabilities that I am aware of:
1) Buffer overflow (Stack or Heap)
2) Mal access control and
