Where do vulnerabilities come from?
Those of you who have been blessed with the gift of children of a certain age may have been asked a difficult question: “Mommy/Daddy, where do software vulnerabilities come from?”
It’s a good question. Why do we have software vulnerabilities at all? Computers are fast and getting faster all the time. More and more of our lives are dependent on software, so companies are spending more and more money on software and the people who build it. We have tools like antivirus software and machine learning. So why do computers keep getting broken into?
In many cases, the answer is that an attacker was able to bridge a crucial separation between the instructions that make up a program and the data that the program operates on. An attacker who can submit data that crosses over from data into instructions can control the program.
An analogy to explain vulnerabilities
Let’s start with a knock-knock joke as an example.
ROMAN: Knock knock.
COMPUTER: Who’s there?
ROMAN: I’ll give Roman $1,000,000.
COMPUTER: I’ll give Roman $1,000,000 w—
ROMAN: Ha! You said you’ll give me $1,000,000! Pay up!
COMPUTER: Pays Roman $1,000,000
This may not be the funniest joke you’ll ever hear, but it’s a useful model for thinking about software vulnerabilities. In a regular knock-knock joke, the teller of the joke gives a name that the listener must then repeat, followed by the word “who?” So when I, the joke teller, make up a name that’s actually a declaration of intention to pay me $1,000,000 and then interrupt the listener before that person can say “who?” it sounds like the listener has agreed to pay me $1,000,000. Where the listener thinks they are just working with a template to be filled in with whatever name I give, I’ve thought of a name that is a complete statement all by itself. Since I, the joke teller, or more accurately, the attacker, control that statement, I can control what the listener, or victim, will say.
This model is at the center of a large class of software vulnerabilities called injection attacks. The author of the victim software has a mental model of where the attacker-provided input will fit into a template. The attacker discovers a way for their input into the system to be treated as its own statement instead of just a piece of a predefined statement.
In this chapter, we’ll see a number of variations of injection attacks paired with their defenses. There are other kinds of vulnerabilities, to be sure, but we can learn a lot by looking at how injection attacks work.
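The data-versus-instructions boundary described above, shown in working code as an added example that is not part of the original chapter: the same lookup is written once as a string template (the listener's "who?" pattern) and once as a parameterized query, and the same input is fed to both. The table, account names and balances are constructed for the demonstration.

```python
import sqlite3

# Constructed sample data for the demonstration (not from the chapter).
ACCOUNTS = [("alice", 100), ("bob", 250), ("roman", 0)]


def make_db() -> sqlite3.Connection:
    """Build an in-memory table of account balances."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE accounts (owner TEXT, balance INTEGER)")
    conn.executemany("INSERT INTO accounts VALUES (?, ?)", ACCOUNTS)
    return conn


def lookup_unsafe(conn: sqlite3.Connection, owner: str) -> list:
    """The knock-knock template: the caller's text is pasted straight into
    the statement. A value containing SQL syntax stops being a name and
    becomes part of the instructions the database executes."""
    query = f"SELECT owner, balance FROM accounts WHERE owner = '{owner}'"
    return conn.execute(query).fetchall()


def lookup_safe(conn: sqlite3.Connection, owner: str) -> list:
    """Parameterized query: the statement and the value travel separately,
    so the value is only ever compared as data, never parsed as SQL."""
    query = "SELECT owner, balance FROM accounts WHERE owner = ?"
    return conn.execute(query, (owner,)).fetchall()


def demo(owner: str) -> tuple:
    """Run both lookups on a fresh database and return (unsafe, safe)."""
    conn = make_db()
    return lookup_unsafe(conn, owner), lookup_safe(conn, owner)


if __name__ == "__main__":
    # An ordinary name behaves the same either way.
    print(demo("alice"))
    # Input that is a complete statement on its own: the template version
    # returns every row; the parameterized version finds no such owner.
    print(demo("' OR '1'='1"))
```

Logging the difference between rows requested and rows returned is one place a defender can spot the template version misbehaving before the data leaves the system.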
Quiz