Re: Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)

[Joanna Rutkowska <joanna@invisiblethingslab.com>]

[-- Attachment #1.1: Type: text/plain, Size: 1336 bytes --]

On 07/06/12 18:46, George Dunlap wrote:
> Another question has to do with robustness of enforcement.  If there
> is a strong incentive for people on the list to break the rules
> ("moral hazard"), then we need to import a whole legal framework: how
> do we detect breaking the rules? 

1) Realizing that somebody released patched binaries during embargo is
simple.

2) Detecting that somebody patched their systems might be harder (after
all we're not going to perform pen-tests on EC2 systems and the likes,
right? ;)

3) Detecting that somebody sold info about the bug/exploit to the black
market might be prohibitively hard -- the only thing that might
*somehow* help is the use of some smart water marking (e.g. of the proof
of concept code). Of course, if a person fully understands the
bug/exploit, she would be able to recreate it from scratch herself, and
then sell to the bad guys.

On the other hand, the #2 above, seems like the least problematic for
the safety of others. After all if the proverbial AWS folks patch their
systems quietly, it doesn't immediately give others (the bad guys)
access to the info about the bug, because nobody external (normally
should) have access to the (running) binaries on the providers machines.
So, perhaps #3 is of biggest concern to the community.

joanna.


[-- Attachment #1.2: OpenPGP digital signature --]
[-- Type: application/pgp-signature, Size: 455 bytes --]

[-- Attachment #2: Type: text/plain, Size: 126 bytes --]

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel