Credit and progress in computer security
June 30, 2015  

In any field of human endeavor, the goal is not so much about advancing the field, but rather about getting credit for advancing the field. Once recognized, this fact, which I call the Core Hypocrisy, is an endless source of hilarity. My favorite recent example is this short blog post by Tyler Cowen, which consists of a paragraph excerpted from a paper, plus the following comment:

Economists knew or figured that to be the case a while ago, I am glad to see it being relearned.

This single sentence represents an advance of at least ten years in the hyper-competitive field of passive aggression.

Of course, I pay the most attention to the Core Hypocrisy as it occurs in my own field, computer security.

Masters of the form: Academia

As Charlie Miller wisely tweeted,

Reading the iOS cross-app resource paper. Gotta love how academics do not reference any work by non-academic researchers.

This is true. Academics do a poor job citing prior work. There is a perverse incentive: in order to publish, you need to do original work, and the more diligently you cite prior work, the less your own work seems original. In fact, it might not be original at all.

Moreover, there are page limits that prevent comprehensive citations, pressures to cite reviewers of your paper, and on and on.

(By the way, Daniel Lemire has some amusing research on how to find out which citations in a paper are the really important ones.)

Academia claims that its central purpose is to advance the state of knowledge, so it is particularly infuriating to see the Core Hypocrisy at work there—burying prior work can only be to the detriment of knowledge. But the Core Hypocrisy is practiced widely outside of academia as well.

Attackers gonna attack

Here's an example from another tweet, this one less wise:

Offensive security research is where the real innovation happens in cybersecurity and is where the true pioneer spirit exists in our field. — Dino A. Dai Zovi

Or this one:

If you shame attack research, you misjudge its contribution. Offense and defense aren’t peers. Defense is offense's child. — John Lambert

There are so many things wrong with this that I don't know where to start. Let me just say that it's weird that attack researchers seem to have an inferiority complex, given that they get all the attention.

And let's take a look at how this game of credit worked out in one famous episode, the “Kaminsky Bug” of 2008. Dan Kaminsky found a serious bug in most implementations of the Domain Name System that would allow “cache poisoning,” in which an attacker could choose the IP address of a host name—for example, “google.com” would go to an address of their choice. Kaminsky took this bug to the vendors of the software, convinced them of its seriousness, and got them to fix it while keeping the vulnerability (mostly) secret. All of that is outstanding.

When it comes to the question of credit things are more confusing. Here's Kaminsky himself:

Oh wait this was suggested 5 years ago by Dan J. Bernstein, the infamous djb. An ornery guy, but man the guy can code. And you know what, djb was right—we should have done what he said years ago.

So this is also good, Kaminsky gives the nod to relevant prior work. The way it plays out subsequently, however, is less great. Here's Bruce Schneier:

Years ago, cryptographer Daniel J. Bernstein looked at DNS security and decided that Source Port Randomization was a smart design choice. That's exactly the work-around being rolled out now following Kaminsky's discovery. Bernstein didn't discover Kaminsky's attack; instead, he saw a general class of attacks and realized that this enhancement could protect against them. Consequently, the DNS program he wrote in 2000, djbdns, doesn't need to be patched; it's already immune to Kaminsky's attack.

So let me get this straight: Bernstein didn't discover Kaminsky's attack. He just discovered an infinite set of attacks that happened to include Kaminsky's attack, and acted on it by designing his software to foil all of those attacks.

That's nuts, but it seems to be the view that has prevailed, which is why people talk about the “Kaminsky Bug” rather than the “Bernstein Defense.” And note that contrary to the tweets above, Bernstein is both a defender (in this case) and an academic.
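To make concrete why the source port randomization Schneier credits to Bernstein foils the whole class of blind cache-poisoning attacks rather than one bug, here is a small added calculation (not part of the original post). The 16-bit transaction ID is the actual DNS field; the ephemeral port range 1024-65535 is an assumption about the resolver, and the forger is assumed to guess uniformly at random with no other leak.

```python
import math

TXID_BITS = 16                        # DNS transaction ID is a 16-bit field
EPHEMERAL_PORTS = 65535 - 1024 + 1    # assumption: resolver picks from 1024..65535


def guess_space(randomize_port: bool, ports: int = EPHEMERAL_PORTS) -> int:
    """Number of equally likely (txid, source port) pairs a blind forger must cover.

    With a fixed, predictable source port only the 16-bit TXID is unknown; with
    port randomization every ephemeral port multiplies the search space.
    """
    space = 2 ** TXID_BITS
    if randomize_port:
        space *= ports
    return space


def p_hit(n_forgeries: int, space: int) -> float:
    """Probability that at least one of n independent uniform guesses matches the
    single outstanding query (guessing with replacement)."""
    return 1.0 - (1.0 - 1.0 / space) ** n_forgeries


def forgeries_for(target_p: float, space: int) -> int:
    """Smallest number of blind forgeries that reaches success probability target_p.
    log1p keeps the result accurate when 1/space is tiny."""
    return math.ceil(math.log(1.0 - target_p) / math.log1p(-1.0 / space))


def compare(n_forgeries: int) -> dict:
    """Success probability for the same forgery budget, unpatched vs randomized."""
    return {
        "fixed_port": p_hit(n_forgeries, guess_space(False)),
        "random_port": p_hit(n_forgeries, guess_space(True)),
    }


if __name__ == "__main__":
    for label, randomized in (("fixed source port", False), ("randomized source port", True)):
        space = guess_space(randomized)
        print(f"{label}: search space = {space:,}, "
              f"forgeries for 50% success = {forgeries_for(0.5, space):,}")
    print(compare(65536))
```

The defense multiplies the forger's work by the number of usable ports (about 2^16 here), which is why Schneier can say djbdns did not need the 2008 patch.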

Attack researchers do this all the time. For example, a great many security vulnerabilities are buffer overflows and so on—bugs that can be completely prevented by using a memory safe language such as LISP, invented by John McCarthy in 1959. In other words McCarthy (and many others) discovered an infinite class of bugs and implemented a defense against all of them. Yet today, when an attack is announced, this fact is hardly ever mentioned. And most attack researchers continue to write their tools in unsafe languages like C/C++.

Moving forward

Attack researchers, defense researchers, academics, and practitioners all fail to credit others' work. This impedes progress: those who forget history are condemned to repeat it.

If you see this happening, don't just complain in a tweet. Tell me the proper cite. If the author is honest and was unaware of the work, they'll be glad to know it. Otherwise, they deserve to be shown up.