Thread: proof of concept?

  1. #1
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567

    Question proof of concept?

    I know this might be lame, but what is a proof of concept? I downloaded one from you guys on here but don't understand what it does/is/etc.!

    thanks

  2. #2
    Doesn't sound lame to me -- I've never heard of a "proof of concept" either! Is this something that popped up when you loaded the page?

  3. #3
    AO übergeek phishphreek's Avatar
    Join Date
    Jan 2002
    Posts
    4,325
    Proof of concept code is code that someone releases to prove that a service/program is exploitable and how it is exploitable. Look over the fulldisclosure archive. You will find tons of it.

    Virus/worm writers/crackers will often use this code that is released to develop exploits or other malware that takes advantage of the security flaw.
    Quitmzilla is a firefox extension that gives you stats on how long you have quit smoking, how much money you've saved, how much you haven't smoked and recent milestones. Very helpful for people who quit smoking and used to smoke at their computers... Helps out with the urges.

  4. #4
    I'd rather be fishing DjM's Avatar
    Join Date
    Aug 2001
    Location
    The Great White North
    Posts
    1,867
    A proof of concept is basically an example. If someone discovers a vulnerability in an OS, they will often develop a 'proof of concept' exploit to prove that the vulnerability is real. This would not only apply to vulnerabilities but also to viruses.

    Cheers:


    /edit
    Damn phish, you beat me again.
    DjM

  5. #5
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Just as Phish said, proof of concept code is a piece of code that is written to exploit a newly discovered flaw in a software/hardware system. Many times in computer security, people stumble upon theories of "What if" proportions. Like "What if we sent thousands of packets from multiple machines to a single host?" (DoS attack). Now that statement is simply a concept that seems logical. No code is yet written for it. (Just as an example; in reality this is one of the oldest concepts in the books.) Now once someone writes the actual code for this attack and releases it, that is your "Proof of concept".

    Now releasing a proof of concept can be dangerous if the proper steps are not taken first. Anytime you create proof of concept code, you should always first send that code, with some explanation of it, to the software vendor. This way they can make the proper code adjustments to make the software safe from this attack/bug/error. But sometimes the software companies deny that these proofs of concept work *cough*microsoft*cough*, and the only way for the hole to be fixed is by releasing it to the world of hackers, effectively forcing the software to be fixed by the vendor. Many, if not all, security professionals frown heavily on this.

    So there is a brief explanation of what "Proof of concept" code is.

    xmad

  6. #6
    the beign of authority kurt_der_koenig's Avatar
    Join Date
    Jan 2004
    Location
    Pa
    Posts
    567
    thanks!

    so this can be anything! any programming language! right? batch programming, c++, vb, etc. ? I'm thinking so!..

  7. #7
    Banned
    Join Date
    Jul 2002
    Posts
    877
    Come on...

    Proof of concept = prototype.

    I have seen plenty of projects pushed past expectations or deeply modified code to give a new spin on things. That really doesn't have to be a bad thing. I really don't see why you would technically have to limit this to exploiting a flaw.

  8. #8
    Senior Member
    Join Date
    Feb 2004
    Posts
    105

    re: PoC

    I agree w/ |The|Specialist...

    Proof of Concept is exactly what it reads... proof that a concept is functional under very base specifications. I wouldn't immediately jump to the conclusion that PoC denotes exploitation, even in the InfoSec world.

    For example, I just finished a PoC for router-based VPN termination. Meaning, and as Specialist pointed out, I constructed a prototype that was operable at a scaled down level.

    So, the phrase is entirely portable. You really have to examine what concept is being presented in the PoC.

    Hope this adds something to the thread or clarifies things for you Kurt.

    Cheers,
    <0
    Ego is the great Logic killer

  9. #9
    Webius Designerous Indiginous
    Join Date
    Mar 2002
    Location
    South Florida
    Posts
    1,123
    Very true and I stand corrected. A proof of concept code can be for something useful also. It just seems that about 90% of the time when I hear "Proof of concept", it is for an exploit of a software/hardware system. Forgive me for forgetting that "technically" any piece of new code is a proof of concept. (So does this mean the function I built last night for a web client of mine is a proof of concept code? And "every" new code written is a "proof of concept" code?) some things to ponder...


    xmad

  10. #10
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834
    I've always looked at it this way: a proof of concept is like a prototype, but it doesn't have to always work completely. Just prove that the concept or theory is valid through some process and has a decent chance of success.
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.
