March 11th, 2004, 04:39 PM
proof of concept?
I know this might be lame but what is a proof of concept! I downloaded one from you guys on here but don't understand what it does/is/etc!..
March 11th, 2004, 04:42 PM
Doesn't sound lame to me -- I've never heard of a "proof of concept" either! Is this something that popped up when you loaded the page?
March 11th, 2004, 04:48 PM
Proof of concept code is code that someone releases to prove that a service/program is exploitable and how it is exploitable. Look over the fulldisclosure archive. You will find tons of it.
Virus/worm writers/crackers will often use this code that is released to develop exploits or other malware that takes advantage of the security flaw.
March 11th, 2004, 04:52 PM
A proof of concept is basically an example. If someone discovers a vulnerability in an OS, they will often develop a 'proof of concept' exploit to prove that the vulnerability is real. This would not only apply to vulnerabilities but also to viruses.
Damn phish, you beat me again.
March 11th, 2004, 04:57 PM
Just as Phish said, Proof of concept code is a piece of code that is written to exploit a newly discovered flaw in a software/hardware system. Many times in computer security, people stumble upon theories of "What if" proportions. Like "What if we sent thousands of packets from multiple machines to a single host?" (DoS attack). Now that statement is simply a concept that seems logical. No code is yet written for it. (Just as an example, in reality this is one of the oldest concepts in the books.) Now once someone writes the actual code for this attack and releases it, that is your "Proof of concept".
Now releasing a proof of concept can be dangerous if the proper steps are not taken first. Anytime you create a proof of concept code, you should always first send that code, with some explanation of it, to the software vendor. This way they can make the proper code adjustments to make the software safe from this attack/bug/error. But, sometimes the software companies deny that these proof of concepts work *cough*microsoft*cough*, and the only way for the hole to be fixed is by releasing it to the world of hackers, and effectively forcing the software to be fixed by the vendor. Many, if not all, security professionals frown heavily on this.
So there is a brief explanation of what "Proof of concept" code is.
March 11th, 2004, 06:57 PM
so this can be anything! any programming language! right? batch programming, c++, vb, etc. ? I'm thinking so!..
March 11th, 2004, 11:25 PM
Proof of concept = prototype.
I have seen plenty of projects pushed past expectations or deeply modified code to give a new spin on things. That really doesn't have to be a bad thing. I really don't see why you would technically have to limit this to exploiting a flaw.
March 12th, 2004, 12:52 AM
I agree w/ |The|Specialist...
Proof of Concept is exactly what it reads... proof that a concept is functional under very base specifications. I wouldn't immediately jump to the conclusion that PoC denotes exploitation, even in the InfoSec world.
For example, I just finished a PoC for router-based VPN termination. Meaning, and as Specialist pointed out, I constructed a prototype that was operable at a scaled down level.
So, the phrase is entirely portable. You really have to examine what concept is being presented in the PoC.
Hope this adds something to the thread or clarifies things for you Kurt.
Ego is the great Logic killer
March 12th, 2004, 03:06 PM
Very true and I stand corrected. A proof of concept code can be for something useful also. It just seems that about 90% of the time when I hear "Proof of concept", it is for an exploit of a software/hardware system. Forgive me for forgetting that "technically" any piece of new code is a proof of concept. (So does this mean the function I built last night for a web client of mine is a proof of concept code? And "every" new code written is a "proof of concept" code?) some things to ponder...
March 12th, 2004, 09:59 PM
I've always looked at it this way, a proof of concept is like a prototype, but it doesn't have to always work completely. Just prove that the concept or theory is valid through some process and has a decent chance of success.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.