Should we talk about security holes? Detractors commonly feel that making attack details public encourages more attacks. Charles Tomlinson, in his 1853’s Rudimentary Treatise on the Construction of Locks, called this line of thinking a fallacy:
“… surely it is in the interest of honest people to know this fact, because the dishonest are tolerably certain to be the first to apply this knowledge practically; and the spread of knowledge is necessary to give fair play to those who might suffer by ignorance.”
I will go further to say that we should not just talk about security holes; we should actively look for them. Yet, there appears to be a distaste towards attack papers in the architecture and the systems community. Based on talking to a statistically insignificant sample of colleagues, we get the sense that attacks are considered brutish and not constructive. There also appears to be some confusion about the how attack work should be evaluated.
In an article we posted on the ACM SigArch website, Professor Simha Sethumadhavan and I discuss the importance of attack research through examples and we will also lay out a framework for thinking about attack research.
Please refer to the full blog post here.