I know this might be lame but what is a proof of concept! I downloaded one from you guys on here but don't understand what it does/is/etc!..
thanks
Doesn't sound lame to me -- I've never heard of a "proof of concept" either! Is this something that popped up when you loaded the page?
Proof of concept code is code that someone releases to prove that a service/program is exploitable and how it is exploitable. Look over the fulldisclosure archive. You will find tons of it.
Virus/worm writers/crackers will often use this code that is released to develop exploits or other malware that takes advantage of the security flaw.
A proof of concept is basically an example. If someone discovers a vulnerability in an OS, they will often develop a 'proof of concept' exploit to prove that the vulnerability is real. This would not only apply to vulnerabilities but also to viruses.
Cheers:
/edit
Damn phish, you beat me again. ;)
Just as Phish said, Proof of concept code is a piece of code that is written to exploit a newly discovered flaw in a software/hardware system. Many times in computer security, people stumble upon theories of "What if" proportions. Like "What if we sent thousands of packets from multiple machines to a single host?" (DoS attack). Now that statement is simply a concept that seems logical. No code is yet written for it. (Just as an example; in reality this is one of the oldest concepts in the books.) Now once someone writes the actual code for this attack and releases it, that is your "Proof of concept".
Now releasing a proof of concept can be dangerous if the proper steps are not taken first. Anytime you create a proof of concept code, you should always first send that code, with some explanation of it, to the software vendor. This way they can make the proper code adjustments to make the software safe from this attack/bug/error. But sometimes the software companies deny that these proofs of concept work *cough*microsoft*cough*, and the only way for the hole to be fixed is by releasing it to the world of hackers, effectively forcing the software to be fixed by the vendor. Many, if not all, security professionals frown heavily on this.
So there is a brief explanation of what "Proof of concept" code is.
xmad
thanks!
so this can be anything! any programming language! right? batch programming, c++, vb, etc. ? I'm thinking so!..
Come on...
Proof of concept = prototype.
I have seen plenty of projects pushed past expectations or deeply modified code to give a new spin on things. That really doesn't have to be a bad thing. I really don't see why you would technically have to limit this to exploiting a flaw.
I agree w/ |The|Specialist...
Proof of Concept is exactly what it reads...proof that a concept is functional under very base specifications. I wouldn't immediately jump to the conclusion that PoC denotes exploitation, even in the InfoSec world.
For example, I just finished a PoC for router-based VPN termination. Meaning, and as Specialist pointed out, I constructed a prototype that was operable at a scaled down level.
So, the phrase is entirely portable. You really have to examine what concept is being presented in the PoC.
Hope this adds something to the thread or clarifies things for you Kurt.
Cheers,
<0
Very true and I stand corrected. A proof of concept code can be for something useful also. It just seems that about 90% of the time when I hear "Proof of concept", it is for an exploit of a software/hardware system. Forgive me for forgetting that "technically" any piece of new code is a proof of concept. (So does this mean the function I built last night for a web client of mine is a proof of concept code? And "every" new code written is a "proof of concept" code?) some things to ponder...
xmad
I've always looked at it this way: a proof of concept is like a prototype, but it doesn't have to always work completely. Just prove that the concept or theory is valid through some process and has a decent chance of success.