Agreed. If you had a tool which could detect all of a particular class of exploits in your software one could just add it to your compiler so it would throw an error.
Of course this assumes that automated discovery is not very computationally intensive, which in some cases it appears to be. The search space of a program is enormous. Instead one possible world is one in which exploits can be found automatically, but discovery requires massive computational effort. This seems extremely likely to me because exploits that don't require massive computational effort will be found and limited quickly, eliminating the low-hanging fruit.
Thus governments with the best algorithms and the most money/powerplants/datacenters/fabs have an advantage because they can patch their own software while developing exploits for other people's software.
The strategy comes in at:
1. How many exploits do you keep in reserve given a particular rate of discovery, and how and when do you use exploits?
2. How do you handle the case when you and the target are using the same software? If you start to patch it, the exploit might leak to the target. If you use the exploit before patching, the target might use it against you.
Operationally protecting exploits from spies seems hard. A government with a technical advantage might well be at a disadvantage to a less technically savvy government with a human intelligence advantage.
To quote the Honey Badger video:
>"You do all the work for us, honey badger, and we'll just eat whatever you find, how's that? What'daya say, stupid?"
To avoid this a government might use the exploit development capability only defensively in peace time, keeping no reserve of exploits, until they have an immediate need. Of course this might weaken deterrence.
It isn't like there's "Google Chrome" and "Russian Chrome"; everyone in the world runs the same software with global distribution channels. And if the solution is "well, we'll make software distribution tied to geographic regions," how well do you think that's going to work, especially when there's a dynamic of "if you can get the Chinese Internet Explorer it will have way fewer bugs than the American one, and you can diff the two to find the bugs"?
1. US military hardware runs different software than Russian military hardware.
2. There are major geographic differences in the software, hardware and architecture of Industrial Control Systems. Not to mention vulnerabilities that might only exist in certain configurations which are common to the contractors building those systems.
3. Major powers are developing their own GPS satellite constellations. Some countries develop their own satellite software.
4. Most web applications are customized to the client.
5. Due to fears of hardware backdoors, it is looking like we might see a balkanization of communication hardware (internet routers, etc.). Note that there are already geographic and regional differences in cell and phone communications.
6. S. Korea's legally mandated https encryption, SEED, is not used outside of S. Korea. An attack on SEED software would be very specific to that country.
You are correct though in the notion that much of the consumer OTS software is global in scope. It really depends on the vertical you are attacking.
> This has an end condition, of course - and that is the total loss of control over our technological infrastructure.
Why can't you use the same technology to defend your software?