Subject: Re: Is GDB just for bug hunting?
From: Paul Koning
To: Jason Long
Cc: Eli Zaretskii via Gdb
Date: Wed, 14 Apr 2021 14:02:53 -0400
In-Reply-To: <581661034.1177110.1618422536149@mail.yahoo.com>
Message-Id: <6D6283C4-4860-48E3-B01F-B6C7687A300D@comcast.net>
References: <581661034.1177110.1618422536149.ref@mail.yahoo.com> <581661034.1177110.1618422536149@mail.yahoo.com>
List-Id: Gdb mailing list

I'll give some comments from the point of view of a user of gdb.

	paul

> On Apr 14, 2021, at 1:48 PM, Jason Long via Gdb wrote:
>
> Hello,
> I have some questions and I'm thankful if someone answers them clearly:
>
> 1- I want to know, is GDB just useful for bug hunting or a security researcher can use it to find vulnerabilities too?
>
> 2- Is bug vs vulnerability? Consider someone that finds an exploit in a program. He/she found a bug or vulnerability? He/she used a debugger to find that or any special tool?

A bug is any unintended behavior of a program, and more specifically an unintended behavior that has "bad" consequences. So a vulnerability is a bug -- obviously by the first definition and almost certainly by the second as well. But a lot of bugs are not vulnerabilities in the sense that the word is typically used.

I don't know what tools are specific to vulnerability search. GDB does several things. It lets you examine and modify a running process, and control the execution of a process (via breakpoints or stepping or the like) to find defects and especially to identify the exact cause of a previously observed defect.

It seems to me that finding a vulnerability (exploit) is more like discovering a bug (learning of its existence) in the first place. That's more likely to involve test tools or code reviews rather than GDB sessions. Once a vulnerability (bug) has been recognized, the debugger can help understand the precise mechanism that caused it to exist, and suggest a solution.

I suppose another thing a GDB session could do is show sensitive data exposure; if a program handles sensitive data and allows that to exist in memory longer than strictly necessary, that's a risk and examining memory with GDB may be an easy way to spot such mistakes. That would show potential risks like missing zeroization, though it would not necessarily tell you whether that's merely sloppy code or an actual weakness.

> 3- A debugger could be a Vulnerability researcher or vice versa?

I think mostly not. While there's an overlap in tools and in what you look for, it seems to me the mindsets of the two are rather different. As an analogy, there's some overlap between cryptographers and programmers, but very few programmers are cryptographers.

	paul
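Paul's point about spotting missing zeroization by examining memory is easy to make concrete. The following C program is an added illustration, not code from the thread or from GDB: a leaky handler that leaves a (constructed) sample secret in its working buffer beside a hardened handler that clears it through a volatile pointer, plus a check that counts how many secret bytes remain after each handler returns. All names (`handle_secret_leaky`, `handle_secret_hardened`, `secure_zero`, `residual_secret_bytes`, `audit_handler`) and the sample secret are invented for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed sample secret; any real key material would take its place. */
static const unsigned char SAMPLE_SECRET[] = "correct horse battery staple";
#define SECRET_LEN (sizeof(SAMPLE_SECRET) - 1)   /* 28 bytes, no NUL */
#define WORK_LEN 64

/* Stand-in for real processing: copy the secret into the working buffer
 * and derive a trivial checksum from it. Both handlers below share it. */
static unsigned process_secret(unsigned char *work, size_t len)
{
    unsigned sum = 0;
    size_t n = SECRET_LEN < len ? SECRET_LEN : len;
    memcpy(work, SAMPLE_SECRET, n);
    for (size_t i = 0; i < n; i++)
        sum = sum * 31 + work[i];
    return sum;
}

/* Leaky variant: the secret is still in `work` after the call returns. */
unsigned handle_secret_leaky(unsigned char *work, size_t len)
{
    return process_secret(work, len);
}

/* Zeroize through a volatile pointer so the compiler cannot drop the
 * stores as dead writes to a buffer that is never read again. */
static void secure_zero(void *p, size_t len)
{
    volatile unsigned char *vp = (volatile unsigned char *)p;
    while (len--)
        *vp++ = 0;
}

/* Hardened variant: same processing, then clear the buffer before returning. */
unsigned handle_secret_hardened(unsigned char *work, size_t len)
{
    unsigned sum = process_secret(work, len);
    secure_zero(work, len);
    return sum;
}

/* The check a reviewer would do at a breakpoint after the handler returns
 * (in gdb: `x/64xb work`), done in code: count how many bytes of the
 * secret are still sitting in the buffer. */
size_t residual_secret_bytes(const unsigned char *work, size_t len)
{
    size_t n = SECRET_LEN < len ? SECRET_LEN : len, count = 0;
    for (size_t i = 0; i < n; i++)
        if (work[i] == SAMPLE_SECRET[i])
            count++;
    return count;
}

/* Run one handler on a fresh heap buffer and report residual secret bytes. */
size_t audit_handler(unsigned (*handler)(unsigned char *, size_t))
{
    unsigned char *work = malloc(WORK_LEN);
    if (!work)
        return (size_t)-1;
    memset(work, 0xAA, WORK_LEN);          /* recognisable fill pattern */
    (void)handler(work, WORK_LEN);
    size_t left = residual_secret_bytes(work, WORK_LEN);
    free(work);
    return left;
}

int main(void)
{
    printf("leaky    : %zu secret bytes left\n", audit_handler(handle_secret_leaky));
    printf("hardened : %zu secret bytes left\n", audit_handler(handle_secret_hardened));
    return 0;
}
```

In a live session the same observation is made by breaking just after the handler call and dumping the buffer with `x/64xb work`; the leaky variant shows the secret verbatim, the hardened one shows zeros. As Paul notes, the dump alone only flags the residue; whether it is reachable by an attacker is a separate question about the program's threat model.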