Legitimate Vulnerability Markets

By: Jeff Wheeler
Introduction
• Software Vulnerability Markets
  – Why do they exist?
    • Vendors create vulnerable software
      – Rush to market
      – Inadequate testing
    • To make money
      – On the black market
      – In legitimate markets
  – Who participates?
    • White hat parties
    • Black hat parties
    • Vendors
Introduction
  – Who facilitates the transactions?
    • Government, open market, software vendors
  – How can these markets operate?
    • Auction based
    • Computer Emergency Response Team (CERT)
    • Consortium based
    • Federally funded
  – What are the incentives to participate, or not to participate, in these markets?
    • Non-disclosure
    • Partial disclosure
    • Full disclosure
A simple Software Lifecycle
Why do Vulnerability Markets Exist?
• Rush to market
  – Software vendors' agendas are not necessarily in our best interest
• Increasing software complexity
• Software testing only works so well
• Software will have bugs the developer does not find
• People are willing to pay for bug information
  – White hat
  – Black hat
White Hat versus Black Hat
• White hat community
  – Exists for the greater good of all, or of specific groups
  – Does not use vulnerability information to harm others
  – In general, attempts to bring about more secure software
• Black hat community
  – Uses vulnerabilities to gain access or to harm others
  – In general, breaks one or many laws
Liberal Democrats
Bug Lifecycle
Who Facilitates these Transactions?
• Government motivation
  – National security
    • Prevent attacks that could leak government secrets
    • Gain access to foreign networks for preventative information retrieval
    • Cyber warfare
      – Espionage, propaganda, DoS (denial of service)
  – Social welfare
Who Facilitates these Transactions?
• Open market
  – Profit motivation
  – Product is unique vulnerability information
    • Not necessarily disclosed to the vendor
      – Vendor disclosure is not always the best option
    • This information is valuable to companies with secure infrastructure needs
      – Capable of offering the most compensation for information
  – Creates a larger community of software testers
Who Facilitates these Transactions?
• Software vendor
  – Motivations
    • Looks bad when other markets exist that do better than the vendor at securing the vendor's own product
  – Problems
    • Vendors do not usually offer money
      – It is the right thing to do to submit bugs to the vendor to fix
      – They have not done it in the past
      – It will create a battleground for vulnerability information between them and the competition
      – Makes them subject to blackmail
How can these markets operate?
• Auction-like
  – Benefit
    • Increases participation
  – Fair market price
  – Compensation increases based on severity of the bug
  – A well set-up market
    • High initial bug value
    • Combines monetary and reputation reward
      – Monetary reward is less if the bug is found in forums or on the black market
    • Guaranteed minimum amount of money available to the market
    • Guaranteed minimum amount of time the market will be open for participation
How can these markets operate?
• Computer Emergency Response Team model
  – Collection - We collect vulnerability reports in two ways: monitoring public sources of vulnerability information and processing reports sent directly to us. After receiving reports, we perform an initial surface analysis to eliminate duplicates and false alarms, and then catalog the reports in our database.
  – Analysis - Once the vulnerabilities are cataloged, we determine general severity, considering factors such as the number of affected systems, impact, and attack scenarios. Based on severity and other attributes, we select vulnerabilities for further analysis. Our analysis includes background research, runtime and static analysis, reproduction in our test facilities, and consultation with vendors and other experts.
  – Coordination - When handling direct reports, we work privately with vendors to address vulnerabilities before widespread public disclosure. We have established, secure communication channels with hundreds of technology producers, both directly and through relationships with computer security incident response teams (CSIRTs) all over the world. We have years of experience successfully coordinating responses to vulnerabilities that affect multiple vendors.
  – Disclosure - After coordinating with vendors, we take steps to notify critical audiences and the public about the vulnerabilities. To the best of our ability, we produce accurate, objective technical information focused on solutions and mitigation techniques. Targeting a technical audience (administrators and others who are responsible for securing systems), we provide sufficient information to make an informed decision about risk.
How can these markets operate?
• Consortium model
  – A group of organizations gathers funds together to cover the expenses involved in gathering vulnerability information
  – Not for profit
  – Only helps the consortium's members, unless they disclose
How can these markets operate?
• Federally funded
  – Government supplies funds for the purchase of vulnerability information
  – No direct charge to users
  – Helps the largest number of users
    • Organizations still require the other models
  – Makes the public feel safe
  – Allows for easier government eavesdropping if the government operates the market
Incentives and disincentives for Disclosure
• Non-disclosure
  – Always benefits black hat parties who are aware of the vulnerability
  – Individual white hat discovery and disclosure would cause many systems to become vulnerable during patching
• Partial disclosure (vendor disclosure)
  – Vendor may determine it will not be found again, so why patch?
  – After patch release, many systems will remain unpatched and vulnerable
Incentives and disincentives for Disclosure
• Full disclosure
  – Ensures the black hat and white hat communities are aware of the vulnerability
  – Gives everyone a fair shot at protecting themselves
  – Vendor patch will be released sooner (assumption)
  – Leads to a negative software vendor image, possibly leading to more time spent testing?