Does Anything Really “End” In Digital Security?

Adam Shostack wrote an interesting post last week titled Smashing the Future for Fun and Profit. He said in part:

15 years ago Aleph One published “Smashing the Stack for Fun and Profit.” In it, he took a set of bugs and made them into a class, and the co-evolution of that class and defenses against it have in many ways defined Black Hat. Many of the most exciting and cited talks put forth new ways to reliably gain execution by corrupting memory, and others bypassed defenses put in place to make such exploitation harder or less useful. That memory corruption class of bugs isn’t over, but the era ruled by the vulnerability is coming to an end.

Now, I’m not a programmer, and I don’t play one at Mandiant. However, Adam’s last sentence in the excerpt caught my attention. My observation over the period that Aleph One’s historic paper was written is this: we don’t seem to “solve” any security problems. Accordingly, no “era” seems to end!

Is this true? To get a slight insight into whether my sense of history is correct, I consulted the Open Source Vulnerability Database and ran queries like the following:

Query for all vulnerabilities of attack type “input manipulation,” with “buffer overflow” in the text, from time 1 Aug 96 to 1 Aug 97

I chose to run these “August” periods to capture time as it passed since Aleph One’s paper was published in August 1996.

The results were:


Year Vulns
1997 11
1998 10
1999 6
2000 48
2001 41
2002 43
2003 94
2004 127
2005 86
2006 27
2007 29
2008 39
2009 36
2010 48
2011 44
2012 45

As a chart, they looked like this:


I find these results interesting, and I accept I could have run the query wrong by selecting the wrong terms. If I managed to get in the ballpark of the correct query, though, it seems we are not eliminating buffer overflows as a vulnerability.

I suppose one could argue about where researchers are finding the vulnerabilities, but they’re still there in software worth reporting to OSVDB, and apparently trending upward.

My bottom line is to remember that security appears to be a game of and, not a game of or. We just add problems, and tend not to substitute them.



Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s