From: Joanna Rutkowska
Subject: Re: Security discussion: Summary of proposals and criteria (was Re: Security vulnerability process, and CVE-2012-0217)
Date: Mon, 09 Jul 2012 15:25:38 +0200
Message-ID: <4FFADBD2.6070502@invisiblethingslab.com>
In-Reply-To: <4FFAC0FF.6040206@invisiblethingslab.com>
References: <4FF93711.6020108@invisiblethingslab.com> <4FFAC0FF.6040206@invisiblethingslab.com>
To: George Dunlap
Cc: Lars Kurth, xen-devel@lists.xen.org, Matt Wilson, Jan Beulich, Stefano Stabellini
List-Id: xen-devel@lists.xenproject.org

On 07/09/12 13:31, Joanna Rutkowska wrote:
> On 07/09/12 11:23, George Dunlap wrote:
>> On Sun, Jul 8, 2012 at 8:30 AM, Joanna Rutkowska wrote:
>>> On 07/06/12 18:46, George Dunlap wrote:
>>>> Another question has to do with robustness of enforcement. If there
>>>> is a strong incentive for people on the list to break the rules
>>>> ("moral hazard"), then we need to import a whole legal framework: how
>>>> do we detect breaking the rules?
>>>
>>> 1) Realizing that somebody released patched binaries during embargo is
>>> simple.
>>>
>>> 2) Detecting that somebody patched their systems might be harder (after
>>> all we're not going to perform pen-tests on EC2 systems and the likes,
>>> right? ;)
>>>
>>> 3) Detecting that somebody sold info about the bug/exploit to the black
>>> market might be prohibitively hard -- the only thing that might
>>> *somehow* help is the use of some smart watermarking (e.g. of the proof
>>> of concept code). Of course, if a person fully understands the
>>> bug/exploit, she would be able to recreate it from scratch herself, and
>>> then sell to the bad guys.
>>>
>>> On the other hand, #2 above seems like the least problematic for
>>> the safety of others. After all, if the proverbial AWS folks patch their
>>> systems quietly, it doesn't immediately give others (the bad guys)
>>> access to the info about the bug, because nobody external (normally)
>>> should have access to the (running) binaries on the providers' machines.
>>> So, perhaps #3 is of biggest concern to the community.
>>
>> The reason I brought up the issue above didn't so much have to do with
>> the risk of people leaking it, but to help evaluate the proposals that
>> had "No roll-out is allowed until the patch date". There's probably
>> little incentive or ability for the average programmer / IT person to
>> sell the bug on the black market. (I have no idea how I would begin
>> to go about it, for instance.)
>
> If you're in the security industry (going to conferences, etc.) you
> certainly know the right people who would be delighted to buy exploits
> from you, believe me ;) Probably most Xen developers don't fit into this
> crowd, true, but then again, do you think it would be so hard for an
> interested organization to approach one of the Xen developers on the
> pre-disclosure list? How many would resist if they had a chance to cash
> in some 7-figure number for this (I read in the press that hot
> bugs/exploits sell for this amount actually)?

(Correction: I meant a 6-figure number)

_______________________________________________
Xen-devel mailing list
Xen-devel@lists.xen.org
http://lists.xen.org/xen-devel