Adobe CSO: Fixing vulnerabilities won't thwart hackers

“A lot of people pursue a strategy based on dogma, which is not necessarily based on the facts,” explained Brad Arkin, Adobe's chief security officer, speaking at May’s Security Development Conference in San Francisco. “This idea that we make software more secure by finding and fixing all of the vulnerabilities in the code is a distraction that’s not correlated with making people safer.”

He said that clients often think locating vulnerabilities is just like spell checking – but the reality is far more complex. “I was in a meeting in 2010 with the CIO of one of the biggest banks in the world, and he wanted to know, ‘can’t you just look at it and fix it?’” Arkin said. “I had to explain that it’s tens of millions of lines of code and you can’t just ‘look at it.’”

The problem is not just the sheer volume; the bug-fixing process itself also introduces new bugs, creating an infinite loop. “My assertion is that there’s always another bug,” Arkin noted. “And the cost is two or three orders of magnitude to fix a bug instead of just finding it. You can’t achieve perfect software in a commercial environment. You are just asymptotically approaching good enough.”

Hackers need to find only one vulnerability to create an exploit. “We have put hundreds of man-hours of effort into finding and fixing,” Arkin said. “But that doesn’t move the dial for the bad guys. There’s always a next vulnerability.”

Instead, he postulates, a better thing to do is to focus on exploits and ignore the vulnerabilities. “Don’t be distracted by the shiny object,” he implored. “Focus instead on what the attackers are actually doing and work to make it harder for them, and to change the cost equation.”

Attackers are economically rational – they take scarce resources and apply them efficiently to achieve a desired outcome. As a defender, making the target less attractive or too expensive for that economically rational actor means they will go after something else. “It’s like the old saying: you don’t have to outrun the bear. You just have to outrun your friend.”

Adobe Flash and Adobe Reader have “both experienced a lot of interest from hackers,” he acknowledged, including a rash of zero-day exploits in the first part of the year. But he illustrated by way of a case study how his approach can be effective.

Version 9 of Adobe Reader was popular with hackers, who created several exploits over the course of its life. But in version 10, Adobe introduced sandboxing, effectively making an attack on Reader into a multistage attack. And the exploits stopped appearing. To boot, hackers also realized that millions of machines were upgraded to version 10 when it came out – making version 9 a much less attractive target to put resources into.

“The bad guys moved on,” Arkin said. “It’s too much work, and there are too many moving pieces now, and it’s not worth the time to the crime kids and financially motivated hackers.” One attack, which involved inserting malicious code into PDFs, has now morphed. That same code is now popping up in Office files. In other words, Adobe has outrun Microsoft in front of the bear.

Arkin also said that the initial work of creating that first exploit targeting a product – adapting it, tweaking it and getting it to work through different vectors – is almost always performed by state-funded adversaries that can make the initial development investment. From there, criminals and hackers can simply evolve it – which is the easy part that doesn’t require the same level of skill.

“So we’re defending against the high-level adversary with mitigations, because if they move on, none of the guys lower down on the bad-guy food chain are going to make the investment,” Arkin said.

The takeaway for IT administrators and staff? Being successful against the hacker onslaught, he concluded, “means challenging one’s assumptions, understanding the real threats, and being honest about whether your current strategy is really going to get you where you want to be. Then, reframe the task and come up with a new approach.”
 
