Interview with Kenny Paterson, Professor of Information Security at Royal Holloway, University of London
by Mirko Zorz - HNS Chief Editor - Monday, 12 June 2006.
When commenting your research you said: "The open source nature of Linux made the attacks easier". Does that necessarily mean that closed source is better than open source when it comes to security?

No, not at all! The open source nature of the IPsec implementation we looked at certainly made it easier for us to experiment and to do work on paper before committing to coding. But the attacks we found were not your usual buffer overflows: they required us to build up a detailed understanding of how the Linux IPsec implementation interacted with the IP stack, for example, as well as doing some sophisticated bit manipulations on packets to get the effects we wanted. So our attacks really say very little about the "closed-source versus open-source" debate, which so often focuses only on the number of exploitable buffer overflows and other "standard" vulerabilities that exist in software.

In fact, our work says more about the complexity of the IETF RFCs and how hard it is for a small team to write an implementation that gets absolutely everything right, from the low-level crypto to the implementation of IPsec policy processing.

Are you satisfied with how Microsoft is tackling the problems in their software with monthly patch releases? Some argue that a premium service that releases the patches as they are ready should be in place for large customers. Should they do more?

One problem they do have is that their patches get reversed engineered on a regular basis, and then tools to exploit the vulnerabilway appear quite soon after.

This wouldn't be a problem if everyone applied the patches immediately, but they don't. This is a bit like the concept of "herd immunity" in immunology: an immunization programme only becomes truly effective when above a certain percentage of people have had the jab - sometimes that percentage is as high as 90%. You can't force people to have immunizations. In the same way, Microsoft can't force people to apply the patches. Of course, it can be argued that applying patches on a monthly basis is a lot less pleasaninjection every once in a while!

What advice would you give to security researchers?

Persevere - it often takes time, luck and a lot of dead ends to find something interesting. Think about the wider effects of your research, and consider how you can resolve the apparently conflicting aims of getting headlines and of acting responsibly: if you do things in the right way, there is no real conflict.


How security pros deal with cybercrime extortion

1 in 3 security professionals recommend negotiating with cybercriminals for the return of stolen data or the restoration of encrypted files. 86% of security professionals believed their peers at other organizations have brokered deals with cybercriminals.

Weekly newsletter

Reading our newsletter every Monday will keep you up-to-date with security news.

Daily digest

Receive a daily digest of the latest security news.

Wed, Apr 1st