The First Usenix Workshop on Offensive Technologies is coming to Boston on Aug. It’s hard to resist an event called WOOT, even though we weren’t quite sure what it was all about. So we shot an e-mail to Tal Garfinkel, a Ph.D graduate student in Stanford University’s computer science department and one of WOOT’s program chairs, and asked him to explain.
The First Usenix Workshop on Offensive Technologies is coming to Boston on Aug 6. It’s hard to resist an event called WOOT, even though we weren’t quite sure what it was all about. So we shot an e-mail to Tal Garfinkel, a Ph.D graduate student in Stanford University’s computer science department and one of WOOT’s program chairs, and asked him to explain.
What do you mean exactly by “offensive technologies”?
There are many ways to chop up the conceptual space of computer security. One way is by grouping technologies into those required for attack and defense. The primary focus of traditional academic computer security has been defense. Intrusion detection, access control, bug detection/prevention and the like. The primary focus of much of the more "black hat" or "grey hat" communities has been offensive technologies -- techniques for exploiting software weaknesses, reverse engineering, information gathering, evading detection and the like. Interestingly, for any given question in the defensive space -- for example, how do you defend against keyloggers? -- there is a dual in the offensive space, such as: How do you design a better keylogger? By understanding both perspectives, one gets a deeper understanding of computer security, and for many years one side has informed the other.
Many of us have read some of the black hat magazines, read the code of attack tools, and followed the state of the art in attack to inform our view of defense. However, the coverage of that side of the equation has often been spotty. The editorial quality of places like Phrack is quite low, and the lack of peer review means sometimes the veracity of claims being made is questionable. In black hat, for example, the metric for quality often seems to be how much news the hype about your work induces, rather than how original, important or credible your claims are.
Why the need for this separate workshop from the broader Usenix Security Symposium taking place that week in Boston?
While attack technologies have definitely been part of forums like Usenix Security for a while, the bar for publishing new attack work is quite high in terms of novelty and certain topics (such as reverse engineering, malware design, automatic exploit development) are often overlooked entirely. Often there is work that would really be helpful to have in the literature to help researchers understand the state of the art in offensive practice, that simply doesn't fit the model of what we are currently looking for in academic conferences. The absence of this work not only means we have a less than complete literature to draw from, but also tends to exclude many practitioners who have a lot of valuable stuff to contribute to the academic discourse.
I think if you look at our program committee you find a really interesting cross section of folks from different backgrounds with different relationships to attack technologies -- this is both to represent different view points and attract broader participation.
We're running out of stuff to write about worms, phishing, pharming, bots, spyware and so on. What's the next big thing the bad guys have up their sleeves?
I can't say for sure, although I think the best advice to predict this is to follow the money.
One area I think there is interesting potential for growth is in high value targets, such as business intelligence that can be used for arbitrage, or intellectual property that can be sold to offshore interests where litigation and enforcement may be challenging. There has been very interesting and public growth in the high end of computer security, with people selling custom rootkits, exploits and other technology that just a few years ago would only be available to folks in government agencies, or that you would have to build on your own. I expect in the coming years the information that is available in black markets, and the pool of skilled talent that has the know-how to acquire this information will continue to increase. Given the spotty state of security within the enterprise perimeter, this seems like cause for concern
Can you cite and example or two of exciting research you've come across of late in the computer security field that might be of interest to someone running a corporate network?
I'm clearly biased, but I think our work on redesigning the enterprise network with security in mind (SANE/Ethane) points to some important ideas that hopefully will gain greater traction in the coming years. Such as implementing fine-grain, centrally managed access controls at the level of users and end-hosts, and using strongly authenticated network endpoints for doing access control, instead of the mess of IP and MAC-level ACLs that we have today.
I also think that virtualization technology has the potential to radically change the way we secure enterprise networks, by providing a more flexible platform for deploying security technologies both on (in the form of intrusion detection and prevention that leverages virtualization) and off (in the form of virtual appliances) the end-host.
How do you think the battle is going these days between those attacking networks and those defending them?
Hard to say, since it really depends on what market you are talking about. There is a constant arms race going on between attackers and defenders, and fortunes change pretty rapidly.
Overall the space of technologies seems to be growing a lot faster than the space of well designed/secure technologies. So I don't expect to be out of work anytime soon. That said, I think the Wild West atmosphere with huge herds of botnets roaming the plains is bound to give out at some point, I don't think there is a question of if here -- merely when.
Any other hot buttons for you?
The most important thing that folks like you in the technology press can do is influence CIOs and others making purchasing decisions to put pressure on vendors to build more secure products. The more intelligence there is in the market about what practices make products robust (such as the use of good development practices, from conservative design to safe languages and testing), and the more negative market response there is to security vulnerabilities, the sooner we will have more secure systems. Bruce Schneier and others are right in their claims that we don't need a security industry, what we need are operating system vendors, network equipment vendors, database vendors and so on that are shipping products that are more secure by design.
Other than that, I think that the usability of security right now is still abysmal. Any vendor shipping a product that pops up a button that asks an end user to make some choice that they clearly can't make with any degree of intelligence should be ruthlessly hounded until they do the right thing.
Visit our Alpha Doggs blog on network-oriented research coming out of university and other labs.
Learn more about this topic
Alpha Doggs network-oriented research blog
How worried is the FBI about the real-life Sopranos catching the cybercrime bug?05/09/07
Security: Thumb sucking, slurping, snarfing…Excuse me?05/11/07
