'Offensive security research community helping bad guys'

Adobe security chief Brad Arkin argues that benevolent security researchers who publish techniques to defeat security mitigations are doing a major disservice.
Written by Ryan Naraine, Contributor

CANCUN, Mexico -- Adobe security chief Brad Arkin has a message for the benevolent security research community: Your work is driving down the cost and complexities of attacks against computer networks.

During a keynote presentation at the Kaspersky security analyst summit (see disclosure), Arkin said the intellectual pursuit of exploiting software vulnerabilities and defeating mitigations is simply providing a roadmap for the bad guys to break into computer systems.


"We are involved in a cat-and-mouse game on [the software] engineering side. Every time we come up with something new and build new defenses, it creates incentive for the bad guy to look beyond that," Arkin explained, noting that the white-hat security research community helps cyber-criminals by publishing vulnerabilities, exploits and techniques to bypass security mitigations.

"My goal isn't to find and fix every security bug," Arkin argued.  "I'd like to drive up the cost of writing exploits.  But when researchers go public with techniques and tools to defeat mitigations, they lower that cost."

At Adobe, Arkin's security teams have been working overtime to stem the flow of zero-day attacks against two of its most widely deployed products -- Adobe Reader and Adobe Flash Player -- and he made the point that too much attention is being paid these days to responding to vulnerability reports instead of focusing on blocking live exploits.

"We may fix one vulnerability that has a security characteristic but when we change that code, we are creating a path to other vulnerabilities that may cause bigger problems in the future," he said.


Arkin said that the volume of reported security vulnerabilities is forcing Adobe to respond in a way that may introduce new security defects. "We may fix a security bug but all of a sudden Adobe Reader can't print to a certain brand of printer. We're not clear if anyone has ever written an exploit for that bug but we have to push out a fix that causes problems."

Arkin suggested that Adobe -- and other big software vendors -- cut their losses and take a different approach. Instead of running on a treadmill to patch every vulnerability report, security teams should invest heavily in mitigations and anti-exploit technologies, and work more closely with the research community to curb the publication of information that can help malicious hackers.

"We have patched hundreds of CVEs [individual vulnerabilities] over the last year.  But, very, very few exploits have been written against those vulnerabilities.  Over the past 24 months, we've seen about two dozen actual exploits," Arkin said, making the argument that software vendors are not wisely using their security response resources.


"Finding a bug is pretty straightforward but writing an exploit that works successfully is harder. An exploit that works reliably 100 per cent of the time is even much harder. Very few people have the skill sets to write these exploits so we have to concentrate on driving up the costs of writing these exploits," he said.

Arkin argued that it's impossible for software vendors to produce code without security defects.  "You can improve the code but you're never going to get it perfect.  At Adobe, we have invested a lot to build mitigations and drive up the cost and complexity [of exploiting software bugs].  But now we have offensive research teams -- the good guys -- who are driving down that cost when they research a new technique to hack into software, write a paper and publish it to the world."

"Something hard becomes very, very easy. These exploits and techniques are copied, adapted and modified very cheaply."

"I'm not saying we should outlaw offensive research.  However, it's clear that these [intellectual] offensive advances very much change the game.  Once something gets published, it's only a matter of time before real-world bad guys put them into their operations."
