
Stockpiling zero-day vulnerabilities

By Jake Edge
August 15, 2012

Zero-day vulnerabilities (aka zero-days or 0days) are those that have not been disclosed, so that they could be exploited before systems can be updated to avoid them. Thus, having a supply of carefully hoarded zero-day vulnerabilities can be advantageous for various people and organizations who might want to attack systems. The market for these zero-days has been growing for some time, which raises some ethical, and perhaps political, questions.

A post to the Electronic Frontier Foundation (EFF) blog back in March was the jumping-off point for a discussion of the issue on the DailyDave security mailing list recently. The EFF post highlighted the fact that these vulnerabilities are for sale and that governments are participating in the market. When vulnerabilities have a market value, there is little or no impetus to actually report and fix the problems, but those who buy them are able to protect their systems (and those of their "friends"), while leaving the rest of the world unprotected. The EFF recommended that the US government (at least) ensure that these vulnerabilities be reported:

If the U.S. government is serious about securing the Internet, any bill, directive, or policy related to cybersecurity should work toward ensuring that vulnerabilities are fixed, and explicitly disallow any clandestine operations within the government that do not further this goal. Unfortunately, if these exploits are being bought by governments for offensive purposes, then there is pressure to selectively harden sensitive targets while keeping the attack secret from everyone else, leaving technology—and its users—vulnerable to attack.

In a post about this year's Black Hat security conference, DailyDave list owner Dave Aitel mentioned the EFF post, noting that calls for restricting what zero-day owners can do are "giving up freedom for security". He pointed out that any legislative solution is likely to be ineffective, but, beyond that, it is a question of freedom. Restricting the kind of code that can be written, or what can be done with that code, is not respecting anyone's freedom, he said. He advocated something of a boycott of EFF until it changes its position.

While there was some sympathy for his view of the EFF in the thread, there was also some wider discussion of the implications of zero-day hoarding. Michal Zalewski noted that the practice makes us all less safe:

[...] the side effect of governments racing to hoard 0-days and withhold them from the general public is that this drastically increases the number of 0-day vulnerabilities that are known and unpatched at any given time. This makes the Internet statistically less safe, and gives the government a monopoly in deciding who is "important enough" to get that information and patch themselves. The disparity in purchasing power is also troubling, given that governments have tons of "free money" to spend on defense, and are eager to do so, outcompeting any other buyers.

But Bas Alberts pointed out that vulnerabilities are something of a power-leveler between individuals and larger organizations (like governments):

I would go as far as to say that 0day ownership promotes freedom for the individual, regardless of who is selling or buying it. That's coincidental. It is one of the few areas where a sufficiently motivated individual or group of individuals can find, exploit, and develop an offensive capability that rivals that of a nation state. It represents a right to bear arms (RAWR!) on the Electronic Frontier(tm).

The semi-public markets in vulnerabilities may be relatively new, but using vulnerabilities as commodities is not, as Alberts describes:

Vulnerabilities and exploits have always been a commodity ... a commodity of ego, humor and yes *gasp* money. Exploit developers on both sides of the fence have been commoditizing exploits for close to 2 decades, if not longer. They've been commoditized as marketing tools, network tools, performance art, weapons, and political statements ... regardless of whether they were private or public and regardless of who was using them.

But the focus on zero-days is somewhat misplaced, according to Ben Nagy. While they may be a threat, it is not the primary threat to individuals from governments. There are much simpler ways to compromise a system:

They send their targets stock malware and say 'please install by clicking on this photo, love, er... not the government, srsly'. Or, they leverage the fact that they have physical access to the carrier, the internet cafes and so forth. (Or probably they just use humint [human intelligence] cause it's easier).

Legislation is also something of a slippery slope. For one thing, it will be difficult (or impossible) to enforce, even within a government. But, even if it is only applied to the US government—as the EFF post seems to advocate—these kinds of laws have a tendency to grow over time. As David Maynor put it: "If you apply regulations to one part of an industry, at some point regulations will seep to every part like the stench of rotten eggs." He goes on to describe some—seemingly—unlikely scenarios, but his point is clear: if government is not "allowed" to possess zero-day exploits, who will be allowed to?

It is assumed that governments want these kinds of vulnerabilities to attack other countries (a la Stuxnet). As Nagy pointed out, there are easier ways to attack individuals. Security firms also want to stockpile zero-days to protect their customers. There are other reasons to collect vulnerabilities, though.

There are reports that various folks are stockpiling Linux vulnerabilities so that they can "root" their mobile phones and other devices that use it. Presumably, there are iOS fans doing the same thing. Because some device vendors (Apple is the poster child, but various Android vendors aren't far behind) try to prevent users from getting root access, those that want to be able to do what they want with their devices need to find some kind of vulnerability to do so. That may be a "freedom-loving" example, but it suffers from many of the same risks that other types of vulnerability hoarding do.

Zero-day vulnerabilities lose their zero-day status—along with much of their potency—once they are used, reported, or fixed. Someone holding a zero-day cannot know that someone else hasn't also discovered the problem. Any purchased zero-days are certainly known to the seller, at least, but they could also be sold multiple times. If those vulnerabilities fall into the "wrong hands" (however defined), they could be used or disclosed, which makes secrecy paramount in the eyes of the hoarder.

But if the information is to be used to protect certain systems, it has to be disseminated to some extent. Meanwhile, those on the outside are blissfully unaware of a potential problem. It is a tricky problem, but it is a little hard to see how any kind of legislation is going to "fix" it. It may, in fact, not really be a solvable problem at all. As various posters in the thread said, it is tempting to want to legislate against "bad" things, but when trying to define "bad", the devil is in the details.


Index entries for this article
Security/Bug reporting
Security/Legislation
Security/Vulnerability hoarding


Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 7:41 UTC (Thu) by drag (guest, #31333) [Link] (15 responses)

Just goes to show some more of the nature of governments. Anti-progress, anti-security, and anti-social. They will happily use the money given to them under threat and use that against the security and well being of its own citizens if it can provide some sort of ancillary benefit for themselves (ie. the people in government)

They probably figure because they have virtually unlimited money to burn and are not operating under the same laws and restrictions that they force everybody else to conform to that they don't need to worry about their security.

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 11:32 UTC (Thu) by robert_s (subscriber, #42402) [Link] (6 responses)

Right.

And who are you going to trust over governments? Without government I can guarantee you every freedom you gained would be very quickly clawed back by some corporate monstrosity accountable to nobody but their shareholders (which increasingly nowadays is private equity).

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 15:03 UTC (Thu) by drag (guest, #31333) [Link] (3 responses)

The government and 'corporate monstrosity' are the same people. They go hand in hand. This has been going all the way back since the merchant class backed parliament won the civil war in England. In the USA the government established by the constitution is fundamentally a mercantilist establishment following along the same lines.

To think that the government acts as a counter to the monolithic corporate power structure just means that you drank too much cool-aid. Without the government there wouldn't be a monolithic corporate power structure.

Stockpiling zero-day vulnerabilities

Posted Aug 21, 2012 13:56 UTC (Tue) by nim-nim (subscriber, #34454) [Link] (2 responses)

While governments are not especially lovable, no-government is and has been tried regularly all over the world. It's called civil war (different groups competing without any legitimate central power) and by and large, the result is not appealing at all, especially for bystanders.

And I doubt a social animal like man can avoid forming groups once population density gets non-minimal.

Stockpiling zero-day vulnerabilities

Posted Aug 21, 2012 15:48 UTC (Tue) by nybble41 (subscriber, #55106) [Link] (1 responses)

> It's called civil war (different groups competing without any legitimate central power)

Civil war involves _two_ governments, not "no government". In civil war, two groups are claiming and competing for "legitimate" central power in a given territory. "No government" means just the opposite, that no one has an effective, "legitimate" claim.

> And I doubt a social animal like man can avoid forming groups once population density gets non-minimal.

There's nothing wrong with forming groups. The problem lies in aggressive actions toward people who do not choose to join or remain in your group.

Stockpiling zero-day vulnerabilities

Posted Aug 21, 2012 16:14 UTC (Tue) by Cyberax (✭ supporter ✭, #52523) [Link]

That depends on a civil war. It's certainly not uncommon to have multiple competing pseudo-government entities (just look at Russian post-revolutionary civil war as an example).

Stockpiling zero-day vulnerabilities

Posted Aug 17, 2012 3:37 UTC (Fri) by felixfix (subscriber, #242) [Link]

Drag has it perfectly right. Corporate and government leaders are the same people and cycle back and forth. My biggest disappointment with the Occupy protests is their naivete in thinking the government would have any interest in fixing the problems caused by Wall Street.

The solution, or at least a part of a solution, is to stop assuming that governments are the only answer. Especially stop giving them a monopoly on criminal prosecution. When a corporation or government violates the law, or when one of their crony bosses screw up, they usually get off with a pat on the back in the form of a golden parachute because they have buddies in charge of the FBI, SEC, and other enforcement agencies and prosecuting offices who pick and choose who to prosecute and for what.

Instead of letting governments be the sole judge of who to prosecute, let victims also prosecute the case.

To go along with this, you have to prevent malicious prosecution, which is also the second half of the problem as regards government prosecutors. You need to remove all immunity from government prosecutors, agents, chiefs, and all the rest of them, to match private prosecutors. There is no good reason to let them off the hook for ignorance of the law or mistakes which would land ordinary people in prison.

Certainly you'd need some fine tuning, but the basic problem is that governments first choose who to prosecute and not prosecute, and then suffer no consequences for either malicious prosecution or letting their buddies off scot-free. Whatever the problems would be from private prosecution, they'd be minor compared to the problems of government monopoly on prosecution.

Evil governments and corporations

Posted Aug 18, 2012 21:48 UTC (Sat) by giraffedata (guest, #1954) [Link]

> Without government I can guarantee you every freedom you gained would be very quickly clawed back by some corporate monstrosity accountable to nobody but their shareholders

I'm not sure what armageddon you're imagining here, because without government, there are no corporations. A corporation is a legal device that allows a government to apply laws to a large group of people (shareholders of a corporation) as simply as to one person, in certain areas (such as enforcing contracts).

Without government, there isn't any entity to be accountable to shareholders. Imagine a thousand people giving someone like Bill Gates money to develop software, with his promise that he'll give them the profits from it. Gates is no more obligated, absent government, to give those shareholders the profits than he is to give a thousand users what they expect.

The freedom-grabbing monstrosities that would exist are strong, selfish individuals. Only people can be evil.

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 14:53 UTC (Thu) by nickbp (guest, #63605) [Link] (4 responses)

I sometimes wonder if you have a spider set up to search LWN articles for any mention of "government".

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 15:04 UTC (Thu) by drag (guest, #31333) [Link] (3 responses)

I comment in a lot of articles about different things.

Sometimes I just like to point things out that should be blindingly obvious to everybody

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 21:27 UTC (Thu) by nix (subscriber, #2304) [Link] (2 responses)

Clearly the utter evil of all government is *not* 'blindingly obvious to everybody', or the Libertarian Party in the US would not be stuck at around a 3% vote share nor regarded as beyond-the-pale ultra-rightists by 99.9% of the population of Europe (that knows that they exist).

It is pointless wasting your time and ours by trying to convert us to your political religion. Please stop trying.

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 22:54 UTC (Thu) by apoelstra (subscriber, #75205) [Link] (1 responses)

> It is pointless wasting your time and ours by trying to convert us to your political religion. Please stop trying.

I don't mean to fan a flame-war, but I enjoy drag's posts, and he does manage to do them politely. A topic such as zero-day markets is naturally politically charged, so given that, it's nice to see some differing opinions.

Stockpiling zero-day vulnerabilities

Posted Aug 17, 2012 13:26 UTC (Fri) by nix (subscriber, #2304) [Link]

It's *because* most of drag's posts are interesting that I'm trying to convince him not to drag his political dragon into the living room rather than just filtering him out: I'd lose too many good comments if I did that.

Dragons are bad companions in living rooms. They spread flames (and eat people).

Not mine

Posted Aug 16, 2012 16:59 UTC (Thu) by man_ls (guest, #15091) [Link]

> Just goes to show some more of the nature of governments.

Why do you always put all governments in the same basket as your own? You know, some governments do sometimes care about their people. Strange notion, right? I think that this situation says more about the people that run your current US government than about governments in general.

Not that my own government (Spain) is run by nuns, but it does some good stuff every once in a while. At least it does not work actively against the security of its own people. And I can assure you that it doesn't have unlimited money to burn! So, useless generalization.

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 18:30 UTC (Thu) by smoogen (subscriber, #97) [Link] (1 responses)

Here let me fix that:

s/governments/humanity/ig

Just goes to show some more of the nature of humanity.

Doesn't matter what you do.. once you get more than 2 humans together.. they become this way.. which is why I for one look forward to our robotic masters.

Stockpiling zero-day vulnerabilities

Posted Aug 17, 2012 13:22 UTC (Fri) by man_ls (guest, #15091) [Link]

Beware rationality taken to extremes. Just as truth and reality are opposed, so are rationality and justice. Paraphrasing:
As far as the laws of man refer to justice, they are not rational; and as far as they are rational, they do not make justice.
If by "robotic overlords" you mean "hyper-rational entities" then we would be even worse than before.

Stockpiling zero-day vulnerabilities

Posted Aug 16, 2012 19:10 UTC (Thu) by RobSeace (subscriber, #4435) [Link]

I think it's completely misrepresenting that EFF post to characterize it as advocating new legislation of any kind... It mentions a "cybersecurity" bill which is already being discussed in congress, and which they actually OPPOSE, not support... It then goes on to detail how the US government could make the Internet safer for all right now, WITHOUT any new legislation of any kind! Then, there's the bit quoted here in the LWN story, which when taken out of context makes it sound like they WANT new cybersecurity legislation of some kind, but in context is clearly just saying basically, "If the government is really going to introduce cybersecurity legislation, which they seem intent on doing right now, which we don't really support them doing in the first place, then the LEAST they could do is make sure it actually increases actual security!"...

Stockpiling zero-day vulnerabilities

Posted Aug 18, 2012 14:26 UTC (Sat) by kjp (guest, #39639) [Link]

So the US Govt is subsidizing insecurity. Great, what else is new. The article didn't mention the elephant in the room... conflict of interest for developers of linux and other os's. Can't get a raise? 'Accidentally' slip some bad code in and sell it...

War is the health of the state, after all.

Stockpiling zero-day vulnerabilities

Posted Aug 21, 2012 13:08 UTC (Tue) by ortalo (guest, #4654) [Link]

First, for me, this is still part of the security "circus": a way to attract attention and money to security by spending some on marketing issues. (And, by the way, note armies are pretty good at the security circus in peace time...)
What should be valued most by people (and I do not necessarily mean that it should be monetized) are security guarantees, not vulnerabilities.

And investment decisions on such guarantees are much more difficult to do reliably than inventing threat scenarios that can attract attention of... some public.
Personally, I would even argue that all open-source OSes have avoided taking such decisions since their start (either by taking purely extremist or purely pragmatic directions). But that would just be to start the discussion.

Stockpiling zero-day vulnerabilities

Posted Aug 23, 2012 10:06 UTC (Thu) by reddit (guest, #86331) [Link] (3 responses)

How do you sell a vulnerability?

I mean, what stops the party who trades second from taking either the money or the information and disappearing?

Do people just sell to governments and trust them to pay after they receive the vulnerability information?

Or perhaps there's a trusted middle-man? (but then, how can it be trusted considering he could use or resell the vulnerability with no way to prevent it?)

Also, doesn't this create a great incentive to becoming a valued contributor to Firefox or Chrome just to plant vulnerabilities in them?

Should we perhaps assume that this is happening regularly and thus that any mainstream software should not be trusted to be secure at all?

Stockpiling zero-day vulnerabilities

Posted Aug 26, 2012 14:57 UTC (Sun) by philomath (guest, #84172) [Link] (2 responses)

How do you sell drugs?
I mean, what stops the party who trades second from taking either the money or the drugs and disappearing?

Ah, it's based on trust. If you lie one time, no one will deal with you a second time.

Stockpiling zero-day vulnerabilities

Posted Aug 26, 2012 15:32 UTC (Sun) by viro (subscriber, #7872) [Link] (1 responses)

Trust? What colour is the sky on your planet? On this one it's more like the knowledge that dealer can and will arrange a suitable... chastisement in such case. If nothing else, to discourage other idiots from repeating that kind of faux pas...

Stockpiling zero-day vulnerabilities

Posted Aug 26, 2012 17:54 UTC (Sun) by apoelstra (subscriber, #75205) [Link]

Especially when you're dealing with chemicals that people plan to put in their bodies, trust is crucial. This is indeed why people don't screw each other over. (With the Silk Road, which is admittedly a very new invention, this is the only way to prevent foul play.)

Violence is even worse for business than unfair dealing, and everyone involved knows this. So maybe for large bulk deals between criminal enterprises, this is a factor, but certainly not for ordinary everyday drug deals.


Copyright © 2012, Eklektix, Inc.
This article may be redistributed under the terms of the Creative Commons CC BY-SA 4.0 license
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds