Source Code Doesn’t Matter, Take N

Thomas Ptacek | July 1st, 2005 | Filed Under: Uncategorized

Via DailyDave, at SecurityLemos,

Security companies have frequently pointed to circumstantial evidence that the time between the release of a patch and the publication of an exploit has decreased. The increase in binary difference analysis could explain that trend, even though there is no evidence connecting the two. After the first papers discussing the techniques were published over a year ago, there was no large spike in attacks, said SABRE Security’s Flake.

In the end, whether better binary analysis means that more companies will inadvertently be disclosing flaws by publishing patches should not matter, Flake said.

“Many people seem to pour time into the disclosure debate that should be spent elsewhere,” he said. “It’s fruitless and boring and has been for a few years.”

Though, to be fair, Halvar, so are debates about how to handle the security of patches. Doesn’t this article miss the point somewhat? BinDiff closes the gap between machine code and source code. Patches aren’t the only, or even the best, place that that gap matters. The vendors aren’t usually the ones finding the vulnerabilities. It’s not as if patches are the primary source for black hat researchers.