Interview with Kenny Paterson, Professor of Information Security at Royal Holloway, University of London
by Mirko Zorz - HNS Chief Editor - Monday, 12 June 2006.
When commenting your research you said: "The open source nature of Linux made the attacks easier". Does that necessarily mean that closed source is better than open source when it comes to security?

No, not at all! The open source nature of the IPsec implementation we looked at certainly made it easier for us to experiment and to do work on paper before committing to coding. But the attacks we found were not your usual buffer overflows: they required us to build up a detailed understanding of how the Linux IPsec implementation interacted with the IP stack, for example, as well as doing some sophisticated bit manipulations on packets to get the effects we wanted. So our attacks really say very little about the "closed-source versus open-source" debate, which so often focuses only on the number of exploitable buffer overflows and other "standard" vulnerabilities that exist in software.

In fact, our work says more about the complexity of the IETF RFCs and how hard it is for a small team to write an implementation that gets absolutely everything right, from the low-level crypto to the implementation of IPsec policy processing.

Are you satisfied with how Microsoft is tackling the problems in their software with monthly patch releases? Some argue that a premium service that releases the patches as they are ready should be in place for large customers. Should they do more?

One problem they do have is that their patches get reverse engineered on a regular basis, and then tools to exploit the vulnerability appear quite soon after.

This wouldn't be a problem if everyone applied the patches immediately, but they don't. This is a bit like the concept of "herd immunity" in immunology: an immunization programme only becomes truly effective when above a certain percentage of people have had the jab - sometimes that percentage is as high as 90%. You can't force people to have immunizations. In the same way, Microsoft can't force people to apply the patches. Of course, it can be argued that applying patches on a monthly basis is a lot less pleasant than an injection every once in a while!

What advice would you give to security researchers?

Persevere - it often takes time, luck and a lot of dead ends to find something interesting. Think about the wider effects of your research, and consider how you can resolve the apparently conflicting aims of getting headlines and of acting responsibly: if you do things in the right way, there is no real conflict.
