Assignment
(In)security Controls
Have you ever walked on a new sidewalk? If so, you might have noticed how clean and smooth it was. You also might have been impressed with how seemingly impenetrable it was. If you were to revisit that same sidewalk years later, you likely would see cracks running through it. Although concrete is one of the toughest and most durable materials in existence today, it has vulnerabilities that the forces of nature can exploit.
OSs and browsers are like sidewalks. New versions are clean and smooth, with seemingly hard, unassailable attack surfaces. However, like tiny cracks in new sidewalks that are invisible to the naked eye, design flaws are inherent in any new version's source code. Each flaw is a potential vulnerability just waiting to be discovered. Will the good guys or the bad guys discover a particular flaw first? If it is the good guys, they will patch it as quickly as possible. If it is the bad guys, they likely will keep it secret until they decide to exploit it.
To prepare for this Discussion, read the notes in the Unit 4 Notes, located in this unit's Learning Resources, before proceeding.
In light of the Pwn2Own annual contests, explain why the combination of security controls present in modern OSs and browsers is still failing to prevent exploitation by determined attackers.
Notes
Since 2007, information security professionals have been able to gauge the relative robustness of the major web browsers thanks to the Pwn2Own annual browserbreaking contest. In this annual contest, held in conjunction with the CanSecWest conference in Vancouver, Canada, security researchers can demonstrate their ability to compromise a machine by attacking the one application that everyone on the Internet is using-the web browser. In exchange for the prize monies, the security researchers share the particular vulnerabilities exploited with browser vendors, who in turn, work to resolve the issues quickly.
While today's browsers and OSs are more robust against attacks with technologies like Data Execution Prevention (DEP), Address Space Layout Randomization (ASLR), and sandboxing, attackers and security researchers have demonstrated year after year that a determined opponent can still find and exploit weaknesses at the OS or browser level.
Required Resources Readings
• Oriyano, S.-P. (2014). Hacker techniques, tools, and incident handling. (2nd ed.) Burlington, MA: Jones & Bartlett Learning.
• Chapter 9, "Web and Database Attacks"
This chapter discusses common web server and database vulnerabilities and how they are typically exploited.
• Wikipedia. (n.d.). Pwn2Own at CANSEC west. Retrieved July 27, 2012, from http://en.wikipedia.org/wiki/Pwn2Own
This entry contains the history of the Pwn2Own competition from 2007 to the current year.
• Nachreiner, C. (2012). Radio free security: April 2012 episode. WatchGuard Security Center. Retrieved from http://watchguardsecuritycenter.com/tag/pwn2own/
This site contains a number of short security related articles.
• Naked Security. (2012). Pw2Own. Retrieved from http://nakedsecurity.sophos.com/tag/pwn2own/
This page contains several links to articles related to Pwn2Own.