Zero days are simply software vulnerabilities for which there is no public patch or workaround. They have value because they can allow remote code exploitation or electronic surveillance without detection for long periods of time. On Wednesday, White House Cybersecurity Coordinator, Rob Joyce, issued updated guidance how the U.S. handles zero days.
Zero days are often the result of security research. Automated tools for fuzzing and static analysis are used to examine proprietary code. Whether to disclose a found vulnerability or not is known as an “equities” problem. Put simply, the person or entity in possession of a zero day must decide whether to release it and have it patched, or to retain it.
“Our national capacity to find and hold criminals and other rogue actors accountable relies on cyber capabilities enabled by exploiting vulnerabilities in the digital infrastructure they use,” Joyce said in a statement. “Those exploits produce intelligence for attribution, evidence of a crime, enable defensive investigations, and posture us to respond to our adversaries with cyber capabilities. The challenge is to find and sustain the capability to hold rogue cyber actors at risk without increasing the likelihood that known vulnerabilities will be exploited to harm legitimate, law-abiding users of cyberspace.”
As a result, there is a lucrative zero-day market for criminals, militaries, and even governments, estimated to be between $4 and $10 million dollars annually. There’s an argument that if everyone discloses their zero days, there would be no value in keeping an arsenal. And there’s also an argument for a government such as the U.S. to buy up all the available zero days – it would have the same effect of devaluing the market.
What Joyce’s team has done is update the Vulnerabilities Equities Process (VEP) charter for the U.S. In a press release he said while it’s critical to improve transparency of the process the U.S. government must keep certain vulnerabilities a secret.
“The VEP balances whether to disseminate vulnerability information to the vendor/supplier in the expectation that it will be patched, or to temporarily restrict the knowledge of the vulnerability to the U.S. government, and potentially other partners, so that it can be used for national security and law enforcement purposes, such as intelligence collection, military operations, and/or counterintelligence.”
Such thinking is not new. In a 2014 blog post, Michael Daniel, the former cybersecurity coordinator for the White House under President Obama, said “Building up a huge stockpile of undisclosed vulnerabilities while leaving the Internet vulnerable and the American people unprotected would not be in our national security interest.”
So how does the U.S. VEP work?
The process starts with finding the vulnerability and submitting it to the VEP’s review board, which decides on a case by case basis whether the U.S. government should disclose a zero day or not. The board includes members from the following U.S. agencies:
• Department of Defense (including the NSA)
• Department of Justice (including the FBI)
• Department of State
• Department of Homeland Security
• Office of Director of National Intelligence
• Department of Treasury
• Department of Energy
• Department of Commerce
• Office of Management and Budget
The review board then discusses the newly discovered vulnerability in terms of: how widespread the affected product is, how easy the vulnerability is to take advantage of, how much damage it could cause, and how easily it could be fixed. The government then discusses whether it could use the vulnerability for its own purposes. It then determines what risks the U.S. would face with companies and other countries if it’s revealed that the government knew about the vulnerability all along.
This review happens within five days. The process can be sped up if the vulnerability has become an active exploit in the wild.
If the review board votes to disclose the vulnerability, it has seven business days to inform affected companies. If the board chooses to keep the vulnerability a secret, an annual review is required. “In the vast majority of cases, responsibly disclosing a newly discovered vulnerability is clearly in the national interest,” the policy states.
Just because a zero day is being stockpiled by criminals, a military, or a government doesn’t mean the vulnerability won’t ever go public. In a recent study from the RAND Corporation, Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits aims to shed light on this dark practice. The report authors, Lilian Albon and Andy Bogart, had access to an unnamed private zero-day vulnerability arsenal from 2003-2016. Using that data set they could derive some interesting insights into the zero-day world which they presented at Black Hat USA 2017.
Statistically, someone else will find the same vulnerability. When two or more researchers discover the same vulnerability, the industry uses the term “collision” to describe the event; it is also said there is now an “overlap” when two or more researchers find the same vulnerability. For example, researchers at both Synopsys and Google co-discovered the Heartbleed vulnerability in OpenSSL in April 2014.
The report finds such coincidences have occurred perhaps more often than thought. Within a 90-day interval there’s a .87 percent overlap. Over a 365-day interval, there is a median value of 5.76 percent overlap in vulnerabilities publicly and privately known. Played out against the larger 14-year interval of the data set, this results in a 40 percent overlap. So, after 14 years, almost half the known zero days will be disclosed.
However, just finding a zero-day vulnerability by itself is not enough. There’s a second level of understanding necessary―whether the zero-day vulnerability is even capable of being exploited. Not all vulnerabilities are useful by themselves. Or they require the assistance of other vulnerabilities to become exploitable.
Weaponizing a vulnerability takes additional time. The RAND researchers estimate a median time of 22 days to weaponize any zero-day vulnerability, so there is an expense here. Hiring half a dozen exploit developers, for example, each making in the “mid to high six-figures,” the researchers suggest, might net only $1-2 million on the zero-day market. One company told the researchers that 2015 was in fact a negative payout year―they invested more than they could recoup―yet they continued to create exploits because it was, in their words, “a labor of love.”
Another zero-day question is: Is it stable (will it crash the target system and therefore be found)? Or, more importantly, is it noisy (i.e. detectable)?
Testing an exploitable zero day in an operational setting is not always possible. If you own a secret vulnerability, why risk exposure by trying it out in the real world? Conversely, most people stockpiling zero days don’t have the resources to fully simulate their target environments either. That said, the researchers claim that some zero-day researchers create spreadsheets that matrix different versions of software and various configurations tested, testing each one a thousand times or more.
The RAND researchers also cautioned against calling any zero-day vulnerability “alive” or “dead” because it has been patched. So-called “zombie zero days” can still provide value in that some organizations don’t patch their systems regularly. A vulnerability in a component nestled within a software application might not be patched if the application vendor has not continued its maintenance, known as “software rot.” The report authors did not state it, but software composition analysis is a tool that should be able to determine the known vulnerabilities of any component acquired through the cyber supply chain.
And, as previously noted, a non-exploitable vulnerability today might change status with a combination with another vulnerability – or a platform. The RAND researchers found that legacy software being used on the Internet of Things (IoT) today might be particularly vulnerable in previously unforeseen ways. They note that many IoT devices lack means of updating software, creating possibilities for these zombie zero days in the future.
To summarize the new VEP, the White House also released on Wednesday an FAQ document.
In justifying the need for VEP, Joyce concludes, “Although I don’t believe withholding all vulnerabilities for operations is a responsible position, we see many nations choose it. I also know of no nation that has chosen to disclose every vulnerability it discovers.”