Friday, August 19, 2011

Asymmetricity in Security

This is one of many topics I find very interesting.

People often say that it is easier to break than build. That is clearly an asymmetricity. Think about this, an organization IT group of, say, 10 persons has to constantly fight against an unknowing number (possibly large) of attackers, days and nights.

Additionally, one seemingly simple vulnerability could cause a collapse of the whole system and perhaps related external dependencies too. Think about the blackout in New York a few years back. That is another asymmetricity. To build, one has to be very careful to check for all possibilities of weak links. To break, an attacker only needs find one weak link.

However, the reverse is also true. It is most of the time easier to fix a bug than to exploit it. For example, a cross site scripting bug is easily fixed by encoding HTML output. However, to take advantage of that bug, an attacker will have to jump through many hoops. How about a buffer overflow? Fixing a buffer overflow is seldom a difficult task but exploiting that vulnerability requires deep knowledge and multiple stages, various tricks to bypass additional checks such as ASLR, Non-Executable stack and so on.

What is your thought about this?

No comments:

Post a Comment