Software as an Exploitable Source of Intelligence

Abstract

Software, even without being installed or used, can reveal information that we do not wish to be disclosed. Our security practices tend to separate data from software. We think of data as content, meaning, something of operational value that can be exploited by an adversary. We tend to think of a computer program as something that performs tasks and manipulates data, not as something that has inherent informational value. But we cannot escape the simple fact that software exists; it is a collection of computer instructions and supporting data. As such, it is a thing, something that has the potential to be broken into, taken apart, scrutinized, cannibalized for parts, or otherwise used for purposes not originally intended. Software vulnerability attacks (SVAs) start with software in the same form as it would be given to a legitimate user, then subject it to a number of static and dynamic tests with the intent of yielding a description of how the software might be open to unintended use. SVAs are different from the traditional notion of network hacking, where a computer is broken into over a communication network. SVAs are more subtle in that the attacker has physical possession of the software and is examining it for vulnerabilities in circumstances that are unobserved, and potentially unobservable. SVAs draw from the work of software security, reverse engineering, design reclamation, and software testing to answer the question, "What does the product reveal about itself?" In general, SVAs seek information leading to three forms of software exploitation: intrusion penetration, component penetration, and intellectual property penetration.

Document Details

Document Type
Technical Report
Publication Date
Jan 01, 2004
Accession Number
ADA477205

Entities

Organizations

  • Air University

Tags

Communities of Interest

  • Cyber
  • Energy and Power Technologies
  • Human Systems
  • Materials and Manufacturing Processes
  • Space
  • Weapons Technologies

DTIC Thesaurus Topics

  • Air Force
  • Application Software
  • Commerce
  • Communication Networks
  • Computer Programming
  • Computer Programs
  • Computers
  • Dynamic Tests
  • Education
  • Electronic Commerce
  • Electronic Mail
  • Instructions
  • Intellectual Property
  • Networks
  • Organizational Structure
  • Security
  • Software Development

Fields of Study

  • Computer science

Readers

  • Database Systems and Applications
  • Strategic Security Studies
  • Theoretical Analysis