The Future of Vulnerability Research and Exploit Development

Since we launched our Advanced Software Exploitation training, we have received dozens of e-mails inquiring about exploit development, vulnerability research, and fuzzing. 

Among the many questions, we have been asked:

How do you see the future of vulnerability research and exploit development considering that most big companies have large fuzzing farms to test their products? Looking at the Google ClusterFuzz, it seems pretty useless to develop your own fuzzer to fuzz Chrome. After years of fuzzing Chrome, shouldn't it be so secure that it can't be exploited anymore?

These are really good questions. Projects such as the Google ClusterFuzz have certainly raised the bar for all security researchers, but we are still far from having a fuzzer capable of finding all the vulnerabilities.

In fact, the main problem with fuzzers is that they are only as effective as their test case generator. If your fuzzer is not able to generate good test cases, having thousands of machines will only speed up the process but won't help you find good vulnerabilities.

That is one of the reasons why several critical vulnerabilities in Google Chrome are still found by external security researchers.
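To make the point about test case generators concrete, here is a small added example (not from the original article, and not tied to ClusterFuzz or any real fuzzer). It defines an invented record format with a toy parser and runs two generators against it for the same number of iterations: one that emits purely random byte strings, and one that knows the format and fixes up the length and checksum fields after mutating. The set of parser branches each generator reaches stands in for code coverage. The parser, the format, and both generators are constructed for this illustration.

```python
"""Added example: why a fuzzer is only as good as its test case generator.

Toy record format (constructed for this demo):
    MAGIC(4) | version(1) | length(1) | payload(length) | checksum(1)
Two generators get the same budget; we compare which parser branches they reach.
"""
import random

MAGIC = b"FUZZ"  # constructed magic value


def checksum(data: bytes) -> int:
    """One-byte additive checksum over the record body (toy, not cryptographic)."""
    return sum(data) & 0xFF


def parse_record(buf: bytes) -> str:
    """Parse a toy record and return the name of the branch where parsing stopped.

    The returned label is the 'coverage signal' for this demo: a real fuzzer
    would observe edges or basic blocks instead.
    """
    if len(buf) < 7:
        return "too_short"
    if buf[:4] != MAGIC:
        return "bad_magic"
    version = buf[4]
    if version not in (1, 2):
        return "bad_version"
    length = buf[5]
    if 6 + length + 1 != len(buf):
        return "bad_length"
    payload = buf[6:6 + length]
    if checksum(buf[:6 + length]) != buf[6 + length]:
        return "bad_checksum"
    if version == 2 and length == 0:
        return "v2_empty_payload"
    if any(b >= 0x80 for b in payload):
        return "non_ascii_payload"
    return "parsed_ok"


def build_record(version: int, payload: bytes) -> bytes:
    """Build a well-formed record with a correct length field and checksum."""
    body = MAGIC + bytes([version, len(payload)]) + payload
    return body + bytes([checksum(body)])


def random_bytes_generator(rng: random.Random, n: int):
    """Naive generator: random length, random bytes, no knowledge of the format."""
    for _ in range(n):
        yield bytes(rng.randrange(256) for _ in range(rng.randrange(0, 32)))


def structure_aware_generator(rng: random.Random, n: int):
    """Format-aware generator: varies fields, then repairs length and checksum.

    Occasionally it corrupts a single byte *after* repair, so the checksum and
    length checks are still exercised rather than always passed.
    """
    for _ in range(n):
        # Mostly valid versions, sometimes an arbitrary one to hit the version check.
        version = rng.choice([1, 2, 1, 2, rng.randrange(256)])
        payload = b"hello"
        if rng.random() < 0.5:
            payload = bytes(rng.randrange(256) for _ in range(rng.randrange(0, 8)))
        rec = bytearray(build_record(version, payload))
        if rng.random() < 0.3:
            i = rng.randrange(len(rec))
            rec[i] = rng.randrange(256)
        yield bytes(rec)


def measure_coverage(generator, rng_seed: int, iterations: int) -> set:
    """Run a generator for a fixed budget and collect the branches it reached."""
    rng = random.Random(rng_seed)
    return {parse_record(tc) for tc in generator(rng, iterations)}


def compare_generators(iterations: int = 2000, rng_seed: int = 1) -> dict:
    """Same budget, same seed, two generators; returns the branch sets reached."""
    return {
        "random_bytes": measure_coverage(random_bytes_generator, rng_seed, iterations),
        "structure_aware": measure_coverage(structure_aware_generator, rng_seed, iterations),
    }


if __name__ == "__main__":
    for name, branches in compare_generators().items():
        print(f"{name:16s} reached {len(branches)} branches: {sorted(branches)}")
```

With the same budget the random generator never gets past the four-byte magic check (the odds of guessing it are about one in four billion per attempt), so it only ever sees the two shallowest branches. The format-aware generator reaches the version, length, checksum and payload logic, which is where the interesting bugs in a real parser live. Throwing more machines at the first generator multiplies attempts that all stop at the same check; improving the generator is what changes which code gets tested.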

So, what is the future of vulnerability research and exploit development?

Well, popular browsers (e.g. Edge, Chrome, etc.), applications (e.g. Word, Excel, Adobe Reader, etc.) and plugins (e.g. Flash Player, etc.) will continue to be interesting targets because they are widely used by corporations all around the world.

Similarly, it is fair to assume that mobile operating systems (iOS, Android, & Windows Phone) and critical IoT devices will receive additional attention from both security researchers and security providers.

From a security researcher's point of view, that means tools and techniques will have to be adapted in order to work on multiple architectures (e.g. x86, x64, ARM, MIPS, etc.) and operating systems (e.g. Windows, Linux, iOS, Android, etc.). Exploit development techniques will continue to evolve, and techniques that have proven to be effective on a specific OS/architecture will be ported and adapted to work on other OSes/architectures. For example, the concept behind the well-known Return-Oriented Programming (ROP) technique, very popular on x86/x64, is the basis for the Branch Oriented Programming (BOP) technique used in ARM exploitation.

Having said that, most popular applications will (hopefully) implement some kind of sandboxing technology, and if everything goes well they will also take advantage of the numerous exploit mitigations available (e.g. ASLR, DEP/NX, stack cookies, etc.), but as we all know too well:

The more software, the more complexity; the more complexity, the more vulnerabilities!

As security researchers and experts in this field, we expect the future vulnerability discovery methodologies to be a mix of source code review, reverse engineering, and intelligent fuzzing where the key component will be the knowledge and expertise of the researcher. 

Exploits will certainly require a deeper knowledge of the system, but until security products, which are supposed to protect us, can no longer be hacked by simply appending commands to a URL, I am afraid it won't be necessary.

More articles by Gianni Gnesa
