public inbox for gdb@sourceware.org
From: Paul Koning <paulkoning@comcast.net>
To: Jason Long <hack3rcon@yahoo.com>
Cc: Eli Zaretskii via Gdb <gdb@sourceware.org>
Subject: Re: Is GDB just for bug hunting?
Date: Wed, 14 Apr 2021 14:02:53 -0400
Message-ID: <6D6283C4-4860-48E3-B01F-B6C7687A300D@comcast.net>
In-Reply-To: <581661034.1177110.1618422536149@mail.yahoo.com>

I'll give some comments from the point of view of a user of gdb.

	paul

> On Apr 14, 2021, at 1:48 PM, Jason Long via Gdb <gdb@sourceware.org> wrote:
> 
> Hello,
> I have some questions and I'd be thankful if someone answered them clearly:
> 
> 1- I want to know, is GDB just useful for bug hunting, or can a security researcher use it to find vulnerabilities too?
> 
> 2- Bug vs. vulnerability? Consider someone who finds an exploit in a program. Did he/she find a bug or a vulnerability? Did he/she use a debugger to find it, or some special tool?

A bug is any unintended behavior of a program, and more specifically an unintended behavior that has "bad" consequences.  So a vulnerability is a bug -- obviously by the first definition and almost certainly by the second as well.  But a lot of bugs are not vulnerabilities in the sense that the word is typically used.

I don't know what tools are specific to vulnerability search.  GDB does several things.  It lets you examine and modify a running process, and control the execution of a process (via breakpoints or stepping or the like) to find defects and especially to identify the exact cause of a previously observed defect.

It seems to me that finding a vulnerability (exploit) is more like discovering a bug (learning of its existence) in the first place.  That's more likely to involve test tools or code reviews rather than GDB sessions.  Once a vulnerability (bug) has been recognized, the debugger can help understand the precise mechanism that caused it to exist, and suggest a solution.

I suppose another thing a GDB session could do is show sensitive data exposure; if a program handles sensitive data and allows that to exist in memory longer than strictly necessary, that's a risk and examining memory with GDB may be an easy way to spot such mistakes.  That would show potential risks like missing zeroization, though it would not necessarily tell you whether that's merely sloppy code or an actual weakness.

> 3- Could a debugger be a vulnerability researcher, or vice versa?

I think mostly not.  While there's an overlap in tools and in what you look for, it seems to me the mindsets of the two are rather different.  As an analogy, there's some overlap between cryptographers and programmers, but very few programmers are cryptographers.

	paul
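An added example, not part of the thread above, of the memory check Paul describes: a small C program stands in for a process that copies a secret into a buffer and either forgets to wipe it or wipes it properly, and a scanner function does what `find start, +len, "pattern"` does in a gdb session. The "heap" region, the secret value and the helper names are constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Wipe a buffer through a volatile pointer so the compiler cannot discard
 * the stores as dead code, which is the usual reason a plain memset()
 * just before free() or return still leaves the secret in memory. */
static void secure_zero(void *p, size_t n)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (n--)
        *vp++ = 0;
}

/* Scan a memory region for a byte pattern; returns the offset of the first
 * match or -1. This mirrors gdb's `find` command over a process region. */
static long find_pattern(const unsigned char *mem, size_t len,
                         const unsigned char *pat, size_t plen)
{
    if (plen == 0 || plen > len)
        return -1;
    for (size_t i = 0; i + plen <= len; i++)
        if (memcmp(mem + i, pat, plen) == 0)
            return (long)i;
    return -1;
}

/* Simulated session (constructed): a region standing in for process memory
 * into which a handler copies an API key, uses it, and then either forgets
 * to wipe it or wipes it. Returns 1 if the key is still findable afterwards. */
static int secret_lingers(int wipe_after_use)
{
    static unsigned char heap[256];               /* stand-in region */
    static const unsigned char secret[] = "hunter2-api-key"; /* constructed */
    size_t slen = sizeof secret - 1;

    memset(heap, 0xAA, sizeof heap);              /* allocation garbage */
    unsigned char *key = heap + 64;               /* where the app keeps it */
    memcpy(key, secret, slen);
    /* ... the key is used here ... */
    if (wipe_after_use)
        secure_zero(key, slen);
    return find_pattern(heap, sizeof heap, secret, slen) >= 0;
}

int main(void)
{
    printf("without wipe: secret lingers = %d\n", secret_lingers(0));
    printf("with wipe:    secret lingers = %d\n", secret_lingers(1));
    return 0;
}
```

The same scan against a live process is `find &heap, +sizeof(heap), "hunter2-api-key"` at a breakpoint after the handler returns; a hit there is the lingering-secret risk, not yet proof that it is exploitable.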

