
My question is rather generic. People are likely to downvote the question and admins will be tempted to close it as off-topic, etc. But I couldn't help asking the question to seek some fruitful answers.

Numerous software bugs/vulnerabilities/exploits are being found every day. Security forums and mailing lists are getting overwhelmed by the amount of posts researchers/users/engineers are posting every day. CVE/NVD databases are getting filled up at lightning speed. What has surprised me for quite a while is how people are finding so many bugs in a short span of time, unless a large number of software products are systematically explored/hunted for loopholes. For example, this guy has reported six bugs this year so far.

As far as the bug-hunting techniques are concerned, what I can think of are the following:

  1. Black-box fuzzing (for both open and closed source products (COTS))
  2. White-box fuzzing (for open source products only)
  3. Symbolic execution guided search (not so scalable, to my knowledge)
  4. Reverse engineering (hectic, quite a lot of man hours involved)
  5. Hitting a bug by-chance (probably applicable to the cases reported by most of the end users)
  6. Code walkthrough (needs access to the source code, suited for internal auditing or open source products)
  7. Static analysis tools that help in finding bugs of known patterns
  8. Dynamic analysis tools (not very familiar with this)

Still, I wonder if any combination of all of the above can lead to the discovery of so many bugs at such a rapid rate. Is/Are there any major technique(s) I am missing?

sherlock
  • Hi! Welcome to [security.se]. The question is interesting, but is, as you say, probably off-topic (too broad and even opinion based). I do not think there is a "special technique" for bug discovery. It's just practice and time, know what to look for and try. – M'vy Oct 06 '15 at 09:08
  • I'm not sure it's so much opinion based - for people working in the 'looking for security vulnerabilities' industry, there may be some very interesting, and factual, insights. – David Scholefield Oct 06 '15 at 09:56
  • I'm voting to close this question as off-topic because you've listed all the major techniques, and I'm not sure there is a question here. – RoraΖ Oct 06 '15 at 11:33

1 Answer


I think this is probably a purely numbers game - there are a lot of people whose sole occupation is looking for security holes. Many of these people work for security consultancies and security service companies, and the kudos of finding and reporting is worth a lot to their brand.

There are some fruitful strategies as well - for example, fuzzing input parameters can often cause unexpected crashes and error messages and these may not be security issues, but they certainly suggest that further investigation would be useful. Chasing product update cycles is also interesting - software updates are surprisingly rich in security issues quite often because they may be released in exceptional circumstances such as time constraints or lower QA testing etc.

In the end though it's just the number of people and the number of hours applied I suspect.

David Scholefield
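The answer's point that fuzzing input parameters surfaces crashes worth chasing, and the question's item 1 (black-box fuzzing), can be shown concretely. The following is an added example written for this page, not code from the original question or answer: a constructed toy record parser with a deliberately planted bounds defect, a minimal mutational fuzzer that drives it from one valid seed input and buckets crashes by exception type and line so one bug is reported once, and a hardened parser that the same fuzzer can no longer crash. The wire format, the function names and the defect are all assumptions made for the example.

```python
import random
import traceback

# Constructed wire format, one record after another:
#   [1-byte length n][n payload bytes][1-byte checksum = XOR of payload]
# The defect below is planted for this example: the parser trusts the
# length field and indexes past the end of the buffer on truncated input.


def parse_records_buggy(data: bytes) -> list:
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]   # silently short if the buffer is truncated
        declared = data[i + 1 + n]        # planted bug: no bounds check -> IndexError
        actual = 0
        for b in payload:
            actual ^= b
        if actual != declared:
            raise ValueError("checksum mismatch")  # deliberate rejection, not a crash
        records.append(payload)
        i += 2 + n
    return records


def parse_records_fixed(data: bytes) -> list:
    """Hardened version: every declared length is checked against the remaining bytes."""
    records = []
    i = 0
    while i < len(data):
        n = data[i]
        if i + 2 + n > len(data):
            raise ValueError("truncated record")
        payload = data[i + 1:i + 1 + n]
        declared = data[i + 1 + n]
        actual = 0
        for b in payload:
            actual ^= b
        if actual != declared:
            raise ValueError("checksum mismatch")
        records.append(payload)
        i += 2 + n
    return records


def encode_records(payloads) -> bytes:
    """Build a valid seed input so the fuzzer starts from something well-formed."""
    out = bytearray()
    for p in payloads:
        c = 0
        for b in p:
            c ^= b
        out += bytes([len(p)]) + p + bytes([c])
    return bytes(out)


def mutate(data: bytes, rng: random.Random) -> bytes:
    """One random byte-level mutation: overwrite, insert or delete a byte."""
    buf = bytearray(data)
    op = rng.choice(("overwrite", "insert", "delete"))
    if op == "overwrite" and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif op == "insert":
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif op == "delete" and buf:
        del buf[rng.randrange(len(buf))]
    return bytes(buf)


def fuzz(target, seed_input: bytes, iterations: int = 500, seed: int = 0) -> dict:
    """Mutational fuzzing loop. Returns {(exception name, line number): example input}.

    ValueError is the parser's intended rejection path and is not a finding;
    any other exception is a crash. Crashes are bucketed by exception type and
    the line that raised, so one underlying bug yields one entry to triage.
    """
    rng = random.Random(seed)   # fixed seed keeps the run reproducible
    crashes = {}
    for _ in range(iterations):
        candidate = mutate(seed_input, rng)
        try:
            target(candidate)
        except ValueError:
            continue
        except Exception as exc:
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            crashes.setdefault((type(exc).__name__, frame.lineno), candidate)
    return crashes


if __name__ == "__main__":
    seed_input = encode_records([b"abc", b"hello"])
    print("buggy parser crash buckets:", fuzz(parse_records_buggy, seed_input))
    print("fixed parser crash buckets:", fuzz(parse_records_fixed, seed_input))
```

The point of the bucketing step is the triage cost the answer alludes to: a fuzzer produces hundreds of crashing inputs for the same bounds error, and the useful output is the handful of distinct buckets plus one reproducer each, which is what then gets investigated and fixed. Re-running the same loop against the hardened parser returns an empty dictionary, which is the regression check a maintainer keeps after the fix.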