Second to last place is not good enough anymore
They say that if you’re running from a hungry bear, you only need to be the second slowest person in the group.
I’m taking a Secure Programming course and my professor said basically the same thing: that you only need to be marginally better than the worst guy to discourage many attacks. To put this into context, he was talking about using canaries to detect heap overflows. This would make your program slightly harder to exploit and you would hope an unskilled attacker would just move on.
Then I was reading about how Google is redirecting its .cn site to .hk to route around censorship, and I was thinking about how we got here. Basically, Google claimed it was the target of a sophisticated hacking effort coming from the Chinese mainland, at the very least tacitly approved by the PRC government.
Putting these two thoughts together, I’ve come to the conclusion that I don’t think my professor’s advice holds anymore in the era of the Advanced Persistent Threat (APT)*.
Back when the main threats to computers and networks were botnets, being slightly above the lowest common denominator worked. Exploits were generally poorly written and targeted a single hole that Microsoft had patched a year earlier; they only caught the people who had failed to apply the update.
But APT actors are specifically out to get their target. They will exploit any hole they can find, so the entire application must be secure. The advice given by my professor simply would not work in such a threat context. You have to make sure every layer of the software stack is secure, so you can't rely on a canary to catch an overflow caused by an unbounded buffer copy; you have to remove the unbounded copy. Since the existence of one security hole is a great predictor of more security holes, either the actor will work around the canary or find another hole. You can't rely on the actor throwing up his hands in disgust and moving on.
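To make the canary argument from the two passages above concrete, here is an added example (written for this post, not code from the course or from Google). It models a frame as a flat byte array (layout name | canary | saved return, which is an assumption made for illustration; real compilers lay frames out differently), with a fixed canary value and saved-return value that are likewise assumed. A naive overflow trips the canary check, a targeted attacker who already knows the canary writes it back in place and still corrupts the return, and only a bounds-checked copy rejects both.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Constructed model of a stack frame as a flat byte array so the overflow
 * stays inside memory we own and the program runs deterministically.
 * Assumed layout (for illustration only): name[16] | canary[8] | saved_ret[4]
 */
#define NAME_LEN   16
#define CANARY_LEN  8
#define RET_LEN     4
#define FRAME_LEN  (NAME_LEN + CANARY_LEN + RET_LEN)

struct frame { uint8_t mem[FRAME_LEN]; };

/* Assumed canary value; a real one is random per process. */
static const uint8_t CANARY[CANARY_LEN] = {0xC0, 0xFF, 0xEE, 0x13, 0x37, 0xBE, 0xEF, 0x42};
/* Assumed legitimate saved return value. */
static const uint8_t GOOD_RET[RET_LEN] = {0x08, 0x04, 0x12, 0x34};

static void frame_init(struct frame *f) {
    memset(f->mem, 0, sizeof f->mem);
    memcpy(f->mem + NAME_LEN, CANARY, CANARY_LEN);
    memcpy(f->mem + NAME_LEN + CANARY_LEN, GOOD_RET, RET_LEN);
}

/* The canary comparison a compiler emits in the function epilogue. */
static int canary_intact(const struct frame *f) {
    return memcmp(f->mem + NAME_LEN, CANARY, CANARY_LEN) == 0;
}

/* Whether control would still return to the legitimate caller. */
static int ret_intact(const struct frame *f) {
    return memcmp(f->mem + NAME_LEN + CANARY_LEN, GOOD_RET, RET_LEN) == 0;
}

/* Vulnerable: copies an attacker-supplied length into a 16-byte field with
 * no bounds check (think of a length-prefixed field in a network message). */
static void set_name_unbounded(struct frame *f, const uint8_t *src, size_t len) {
    if (len > FRAME_LEN) len = FRAME_LEN; /* clamp only keeps the demo inside our bytes; the real bug has none */
    memcpy(f->mem, src, len);
}

/* Hardened: the bound is enforced at the copy, so nothing past the field is
 * ever written, canary or no canary. Oversized input is rejected, not truncated. */
static int set_name_bounded(struct frame *f, const uint8_t *src, size_t len) {
    if (len > NAME_LEN) return -1;
    memcpy(f->mem, src, len);
    return 0;
}

/* What the function epilogue would see after one attempt. */
enum outcome { REJECTED, CAUGHT_BY_CANARY, HIJACKED, CLEAN };

static enum outcome attempt(const uint8_t *payload, size_t len, int hardened) {
    struct frame f;
    frame_init(&f);
    if (hardened) {
        if (set_name_bounded(&f, payload, len) != 0) return REJECTED;
    } else {
        set_name_unbounded(&f, payload, len);
    }
    if (!canary_intact(&f)) return CAUGHT_BY_CANARY; /* __stack_chk_fail territory */
    return ret_intact(&f) ? CLEAN : HIJACKED;
}

/* Constructed payloads. */
/* Legitimate input: a short name that fits the field. */
static enum outcome legit_name(int hardened) {
    const uint8_t p[] = "alice";
    return attempt(p, 5, hardened);
}

/* Unskilled attacker: fill everything with 'A'. The canary is trashed. */
static enum outcome naive_attack(int hardened) {
    uint8_t p[FRAME_LEN];
    memset(p, 'A', sizeof p);
    return attempt(p, sizeof p, hardened);
}

/* Targeted attacker: has leaked the canary (info leak, partial overwrite,
 * etc.), writes it back in place, then overwrites the saved return. */
static enum outcome targeted_attack(int hardened) {
    uint8_t p[FRAME_LEN];
    memset(p, 'A', NAME_LEN);
    memcpy(p + NAME_LEN, CANARY, CANARY_LEN);
    memset(p + NAME_LEN + CANARY_LEN, 0x41, RET_LEN);
    return attempt(p, sizeof p, hardened);
}

int main(void) {
    static const char *names[] = {"REJECTED", "CAUGHT_BY_CANARY", "HIJACKED", "CLEAN"};
    printf("canary only, naive:     %s\n", names[naive_attack(0)]);    /* CAUGHT_BY_CANARY */
    printf("canary only, targeted:  %s\n", names[targeted_attack(0)]); /* HIJACKED */
    printf("bounded copy, naive:    %s\n", names[naive_attack(1)]);    /* REJECTED */
    printf("bounded copy, targeted: %s\n", names[targeted_attack(1)]); /* REJECTED */
    printf("bounded copy, legit:    %s\n", names[legit_name(1)]);      /* CLEAN */
    return 0;
}
```

The canary earns its keep against the naive payload and does nothing against the one that already knows it; the bounded copy makes the second payload impossible rather than merely detectable, which is the difference between a mitigation and a fix.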
So I hope companies like Google and governments don't rely on stopgap mitigations like canaries to solve their security problems. They need to look at their entire software stack and erase vulnerabilities from the code itself, because APTs will find their way around mitigations. That is their job.
*I’ve been reading too many security blogs. I promise I’ll put some of them up on the blogroll when I find time. But the most helpful two that I read are Taosecurity and Schneier.