Uninformed: Informative Information for the Uninformed

Vol 9» 2008.Jan



Potential Uses

Program analysis is one area that may benefit from the use of exploitation properties. In particular, an auditor can make use of exploitation properties to assist in the process of identifying regions of code that should be audited more closely or with greater precedence. This determination can be made by using exploitation properties to understand the ease of exploitation associated with specific binaries or functions. By combining this information with other data that is collected either manually or automatically, an auditor can get a better understanding of the security aspects that are associated with a system. This is beneficial both to an attacker and a defender. An attacker can identify regions of code that would be easier to exploit and thus devote more time to auditing those regions. Likewise, a defender can use this information to the same extent but for different purposes. This type of information is especially useful to a defender who needs to balance the cost associated with performing security reviews because it should offer a better understanding of what the business cost might be if a vulnerability is found in a region of code. This cost can be derived from the negative publicity and response effort needed to cope with a flaw that is found publicly in a region of code that is widely exploited. For example, consider some of the Windows flaws that have led to wormable issues and the cost they have had relative to other issues.

Exploitation properties may also benefit the security community by helping to identify ways in which future mitigations can be applied. This would involve analyzing regions of code that could be more easily exploited in an effort to determine what other forms of mitigations could help to protect these regions, if any. This information could be fed back to the compiler to make it possible for mitigations to be enabled that might otherwise be disabled by default. For example, a function that by default would not have GS but is subsequently found to be highly exploitable may benefit from having the compiler insert GS.
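The two uses described above, ranking code for audit precedence and feeding highly exploitable functions back to a mitigation decision, sketched as an added example that is not part of the original paper; the property names, weights and sample functions are assumptions chosen for illustration.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class FunctionInfo:
    """One function's exploitation properties plus extra audit data.
    Field names are assumptions; a real tool would derive them from the binary."""
    name: str
    has_stack_buffer: bool   # frame contains a stack buffer
    has_gs: bool             # compiler inserted a /GS stack cookie
    safeseh: bool            # module registered its handlers via SafeSEH
    untrusted_input: bool    # reachable from untrusted input (collected separately)
    loc: int                 # lines of code, a rough audit-cost proxy


def exploitation_ease(fn: FunctionInfo) -> int:
    """Higher means a memory-corruption bug here would be easier to exploit.
    Weights are illustrative assumptions, not values from the paper."""
    ease = 0
    if fn.has_stack_buffer and not fn.has_gs:
        ease += 3   # stack buffer with no cookie: classic stack overwrite
    if not fn.safeseh:
        ease += 2   # handler overwrite stays usable without SafeSEH
    return ease


def audit_priority(fn: FunctionInfo) -> float:
    """Ease weighted by exposure, divided by audit cost (lines of code)."""
    exposure = 2 if fn.untrusted_input else 1
    return exploitation_ease(fn) * exposure / max(fn.loc, 1)


def rank_for_audit(functions):
    """Audit order: highest priority first (ties keep input order)."""
    return [f.name for f in sorted(functions, key=audit_priority, reverse=True)]


def suggest_mitigations(fn: FunctionInfo):
    """Feedback step: mitigations worth enabling for an exploitable function."""
    todo = []
    if fn.has_stack_buffer and not fn.has_gs:
        todo.append("/GS")
    if not fn.safeseh:
        todo.append("SafeSEH")
    return todo


# Constructed sample data, not output of any real binary analysis.
SAMPLE = [
    FunctionInfo("ParseHeader", True, False, False, True, 120),
    FunctionInfo("FormatLog", True, True, True, False, 80),
    FunctionInfo("CopyName", True, False, True, True, 20),
    FunctionInfo("ComputeHash", False, True, True, True, 200),
]

if __name__ == "__main__":
    for name in rank_for_audit(SAMPLE):
        print(name)
```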