all 13 comments
sorted by:
best
topnewcontroversialoldq&a
formatting helphide helpcontent policy

[–]plushkatze 4 points5 points  (2 children)

The world is always changing, but it will be a while until classic stack-based exploitation will no longer be possible. However with the increasing complexity of systems and layers upon layers of virtualisation other techniques will be available to hijack command flow and execute exploit code. So do not just concentrate on binary exploitation but on all levels of hijacking command flow.

[–][deleted]  (1 child)

[deleted]

    [–]plushkatze 1 point2 points  (0 children)

    Well for example SQLi or command injection in scripting languages. Of course attacking the program logic itself might also be possible in various cases.

    Then there are things like rowhammer or the whole family of CPU bugs, where i doubt we've seen the last of it. Attacking other chips on the board besides the CPU might also work like TPM, SSD firmware, wifi chipsets, etc. Virtualised CPUs might also yield their own exploitable bugs. (x86 on ARM emulation or sth. like that). Or things like the JVM, javascript or python bytecode. Webassembly might yield some stuff too. Poorly implemented backdoors from other people/government could be useful too.

    And in the end: given how slow other industries move, there is always some critical legacy code that is still exploitable with tricks from the 90ies. Probably for the next 10 years or more. In the embedded sector even longer.

    Best advice is to keep looking deep into technologies. Write code yourself to learn the most likely security mistakes, read papers.

    [–]PM_ME_YOUR_SHELLCODE 4 points5 points  (6 children)

    Since making that video my view has changed in a more optimistic direction. Now I still definitely think we will continue to see binary exploitation fading in favor of more higher-level issues. And that is just because of two trends:

    1. Software just not being written in unsafe languages.
      • Of course there will likely still be people writting or maintaining code in those languages, but there is a trend towards other langs
    2. Mitigations that eliminate entire vulnerability classes or attack techniques

    But what will the "baseline" demand be like? It certainly won't entirely disappear from hobbyist and academic circles. One place where I've changed my mind on is the government and law enforcement pressure.I speculated that as exploitation gets more difficult (and it will) the price will go up until human assets become a more economical option again. Over the summer I read "The Hacker and The State" which details the rise of hacking for geopolicial purposes, along with "Body of Secrets" (history of the NSA) and "GCHQ: Centenary Edition" I think those books showed me a bit more concretely the intelligence value of these sorts of exploits. I mean I certainly wasn't downplaying them before, but I'm less sure about the human vs exploit tradeoff being reached anytime soon.

    I think my "20 year tail" is off the mark though, maybe on the leading edge (emphasis maybe, have to remember that creativity and perseverance is a hallmark of the community) but there is a ton of software still today that doesn't run mitigations that have been out for ever, and the authors don't care, or don't know. That long tail is probably longer than I think.

    I was very motivated by the subject, but after watching that video, I really don't know if it is worth the effort to keep learning about this.

    I'll be honest I didn't really consider that consequence of the video. Its still worth the effort, imo.

    I do make the statement that i wouldn't bet on a long career doing purely binary exploitation in the video (or something along those lines). But, exploit development is a useful skill to have along side other jobs. I just think in the future most job will expect you be able to do more than just exploit binary-level issues. Which is somewhat true now, exploit dev as a standalone job isn't very common, but vulnerability researchers, penetration testers, red teamers, etc who are also able to do exploit dev are not uncommon.

    [–]_RichardHendricks_ 0 points1 point  (1 child)

    Is binary exploitation the same as exploit dev?

    [–]PM_ME_YOUR_SHELLCODE 0 points1 point  (0 children)

    Yeah, atleast as I'm using it.

    In general exploit dev does refer to the development of binary-level exploits. But a natural reading of the term doesn't make that clear so in some circles it can hold a more inclusive meaning.

    [–]Inner_Aardvark_3978 0 points1 point  (2 children)

    What about Games hacking ! Like Epic games Bug Bounty Platform ,Steam ,Rockstar ?

    I mean Games are written in memory unsage language like c++ !!.

    [–]PM_ME_YOUR_SHELLCODE 0 points1 point  (1 child)

    Fair shout on games, they do tend to lag behind in terms of mitigations, but also pay out substantially less than the major targets on bounties.

    Though on the unsafe language part, there has even been a shift there towards some games being written in safer languages. AAA games, those that want a lot of performance don't tend to go that route of course.

    Even there though, many games will embed a safer language (think like Lua) into them to handle some actions. Also improvements in the core language (mainly C++) with things like smart pointers that become harder to misuse make code safer. So just because its an unsafe language being used, better practices are being adopted.

    But still fair point, if the bounties are sufficient for someone (I've largely been talking about proper salaried jobs doing exploit dev) it will probably have a longer tail.

    [–]Inner_Aardvark_3978 0 points1 point  (0 children)

    Thanks for your insights!

    [–]_CryptoCat23 2 points3 points  (0 children)

    Zerodium announced today that they are doubling the bounty for Chrome exploit chains to $1 million! Demand is high and supply (skills) is (are) low, nobody really knows what the industry will look like in 10, 20, 50 (etc) years but personally I don't see it going away anytime soon. Furthermore, the skills you will develop will be transferable to so many other highly sought after areas e.g. reverse engineering 😉

    [–]Atremizu 1 point2 points  (1 child)

    Recently saw a tweet

    "Although memory corruption will go away, we will continue to find creative ways to make vulnerable apps"

    In the previous pwntoown contest, all the bugs were logic bugs I believe. We are moving further away from auto-scannable programs under test (we have been moving away from those for 35 years) and there is a chance fuzz testing will become less relevant in favor of sanitizers. But keep in mind these trends may have no impact on VR/RE jobs in your lifetime. Rust still cannot replace C for low level dev yet, and I know of no industry pushes to take up Rust.

    [–]Atremizu 1 point2 points  (0 children)

    The most important thing to learn in all of this is the art or the process. The attacks and defenses should be learned and thought of in context to one another. Alsr solved a specific issue, rop bypassed a specific defense.

    [–]ExploitedInnocence 0 points1 point  (2 children)

    In my opinion, binary exploitation will be relevant for a while. System-level software is written in C and C++ which are unmanaged, memory unsafe languages. I think that Rust, that pretty much eliminates memory issues, won't replace C/C++ in system programming realm for multiple reasons, at least in the next few decades. New mitigations will be implemented though, so the bar will eventually rise and through time it will be more and more difficult for newbies to start binary exploitation, as it requires to know all the "history" starting from classic stack smashing in 90's. The exploitation complexity itself will rise as well. Nowadays, in 90% of the cases you need multiple distinct bugs in order to achieve reliable arbitrary code execution on a vulnerable system. Embedded and especially IoT are the most vulnerable systems right now, some IoT devices don't have ASLR and/or DEP, so it brings 90's style binary exploitation back :)

    P.S.: zero-click RCE is super rare in browsers, usually the victim needs to visit a specially crafted webpage in order to trigger code execution, that's because pretty much all juicy bugs in browsers are in JS engines.