Adam Shostack wrote an interesting post last week titled “Smashing the Future for Fun and Profit.” He said in part:
15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end.
Now, I’m not a programmer, and I don’t play one at Mandiant. However, Adam’s last sentence in the excerpt caught my attention. My observation over the period since Aleph One’s historic paper was written is this: we don’t seem to “solve” any security problems. Accordingly, no “era” seems to end!
Is this true? To get a slight insight into whether my sense of history is correct, I consulted the Open Source Vulnerability Database and ran queries like the following:
I chose to run these “August” periods to capture time as it passed since Aleph One’s paper was published in August 1996.
The results were:
Year  Vulns
1997  11
1998  10
1999  6
2000  48
2001  41
2002  43
2003  94
2004  127
2005  86
2006  27
2007  29
2008  39
2009  36
2010  48
2011  44
2012  45
As a chart, they looked like this:
I find these results interesting, and I accept I could have run the query wrong by selecting the wrong terms. If I managed to get in the ballpark of the correct query, though, it seems we are not eliminating buffer overflows as a vulnerability.
I suppose one could argue about where researchers are finding the vulnerabilities, but they’re still there in software worth reporting to OSVDB, and apparently trending upward.
My bottom line is to remember that security appears to be a game of “and,” not a game of “or.” We just add problems, and tend not to substitute them.