So one thing people don't have any scope of measuring - (maybe as a set
diagram finite states?) - is the difference between two parsers for the
same protocol. Ten years ago a lot of the security community had a
discussion about "LangSec <http://langsec.org/>" which turns out to have
been entirely correct in retrospect.
NCCGroup's recently released analysis of the F5 bug is a key example of
this principle in action:
Most people look at HTTP Desync as simply using Content-Length confusion -
figuring out ways to make one request look like it's not the same length,
and using that for SSRF or XSS or various other attacks. But *ANY
DIFFERENCE IN THE PARSERS* leads to critical level attacks.
Of course, what this means is that you need to have different emulated
parsers for each web server behind you depending on if they are
Apache/IIS/NGinx . . .
So I wanted to highlight this talk from Brad Spengler about the state of
Linux security. It's a damning report if you read even a little bit between
the lines. And on many levels. As Halvar points out, Android deliberately
avoided investing what they knew they needed to invest in platform security
in the effort to gather significant early market share, even knowing it
would harm their user-base in a multitude of ways.
And this kind of philosophical trade off taken by companies filters into
the Linux security ecosystem, creating Ogres of various sorts, like
Calamity Gannon's corruption of various parts of Hyrule. For example,
phones often run on an older Linux kernel, which means there is economic
incentive to backport features and security fixes to those kernels, or
pretend you can.
Likewise, much of the effort of the Linux security community is focused on
KASLR, which Brad points out, is largely a waste of time.
He also talks about Syzkiller, automated exploit generation, and a host of
other things. Well worth a listen!