Adobe Calls For Defensive Approach In Security Research

CANCUN, MEXICO -- Kaspersky Security Analyst Summit 2012 -- Adobe Software's product security executive here today urged security researchers to consider focusing on coming up with defensive strategies for stopping attacks rather than just on finding new offensive attacks.

Brad Arkin, senior director of security for Adobe products and services, says Adobe's goal is not to address each and every vulnerability that's discovered in its software, but instead to build mitigations that drive up the cost of writing exploits: "It's how to drive up the cost [for attackers] to write exploits, versus making the [Adobe] software perfect," he said here on the first day of the Kaspersky Security Analyst Summit.

Offensive security research does the reverse, sometimes making it easier for potential attackers: Offensive research actually drives down the cost for attackers, he said. "The skill of writing something first is very high, but the cost to adapt a proven [attack] is a lot easier to do," Arkin said.

That doesn't mean offensive research isn't part of the equation, but there's a big need for new technologies to deflect today's advanced attacks, according to Arkin. Adobe has deployed sandboxing in the newest versions of its products, as well as Microsoft's Data Execution Prevention (DEP) and Address Space Layout Randomization (ASLR). "ASLR, DEP ... and sandboxing are driving up the cost for the bad guys," he said.

Only about two dozen vulnerabilities in Adobe products during the past 24 months actually ended up with exploits, he says. "Finding a bug is fairly straightforward ... writing an exploit against it is a lot harder, and writing a reliable exploit that works 100 percent of the time is even harder," Arkin said.

Arkin said as a software vendor tasked with protecting and defending its products, new offensive methods make its job more difficult. Defensive research is a way to "make a difference" for software vendors, Arkin told the attendees, which include security researchers from Kaspersky and other firms. "Finding new offensive techniques honestly doesn't help us with anything," he said.

Recent data showed that the biggest jump in attacks against Adobe applications occurs after an attack method goes public or a Metasploit penetration-testing module is written, he said. "There's a heavy correlation between a broader release of information and more people getting attacked."

Roel Schouwenberg, senior antivirus researcher for Kaspersky Lab, agreed. "It's a trickle-down effect," he said. "It becomes mainstream."

Defensive research is essential, Schouwenberg said. "Offensive is going lower and lower [in the stack]. There's a lot of room for defensive strategies [for this]," he said.

Taking the approach of fixing every possible bug, many that aren't exploitable, can backfire. "When I look at how to defend our users or our technology, spinning our wheels on CVEs doesn't help anything," Arkin said. "We fixed thousands of bugs in Adobe 9, screwing up a lot of the code that should have stayed where it was."

Adobe since reallocated its investment to mitigations such as sandboxing, for example, rather than emphasizing just discovering and remedying bugs.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.