Familiarity Breeds Contempt

Presented at DEF CON 19 (2011), Aug. 5, 2011, 4 p.m. (50 minutes)

"Good programmers write code, great programmers reuse" is one of the best-known truisms of software development. But what does that mean for security? For over 30 years software engineering has focused on writing the perfect code and reusing it as often as possible, believing that if it can just get the bugs out, the system will be secure. In our talk we will demonstrate how the most prominent doctrine of programming is deadly for security. Analysis of software vulnerability data, including a full decade of data for several versions of the most popular operating systems, server applications and user applications (both open and closed source), shows that properties extrinsic to the software play a much greater role in the rate of vulnerability discovery than do intrinsic properties such as the actual software quality. We show that (at least in the first phase of a product's existence) software vulnerabilities have different properties from software defects. Our analysis of attacker tools and popular exploits shows that the attacker's learning curve determines when, and which, particular products are likely to be attacked. Improvements in those tools affect the frequency of attack, and the ultimate result is point-and-click usability. We will present several examples from both the defender and the attacker perspective illustrating how dangerous familiarity is for security. We will demonstrate that the more familiar an attacker is with your product, the more likely you are to be attacked and the more likely an attacker will succeed.


  • Brad Haines / RenderMan - Chief research monkey, Renderlab.net   as Brad "RenderMan" Haines
    Brad Haines (RenderMan) is a Whitehat by trade, Blackhat by fashion. A very visible and well-known member of the wardriving and hacker community, he does whatever he can to learn how things work, how to make them better and to teach people the same. A firm believer in the hacker ethic of openness, sharing, and collaboration. Never afraid to try something new, he can usually be found taking unnecessary risks for the sake of the experience. Author of several computer security books and a frequent presenter at hacker, security and privacy conferences, he can usually be found investigating something interesting, scanning the air for any WiFi data, and trying to find new and interesting beers. Twitter: @Ihackedwhat
  • Sandy Clark / Mouse - University of Pennsylvania   as Sandy "Mouse" Clark
    Sandy Clark (Mouse) has been taking things apart since the age of two, and still hasn't learned to put them back together. An active member of the hacker community, her professional work includes an Air Force flight control computer, a simulator for NASA and singing at Carnegie Hall. She is currently fulfilling a childhood dream, pursuing a Ph.D. in Computer Systems and Security at the University of Pennsylvania. Her research explores the vulnerability lifecycle, human-scale security and the unexpected ways that systems interact. A founding member of Toool-USA, she also enjoys puzzles, toys, Mao (the card game), and anything that involves night vision goggles.