06 vulnerabilities

Posted on 20-Sep-2015


  • Vulnerabilities and patches

    Economics of Security and Privacy (BMEVIHIAV15)

    Mark Felegyhazi, assistant professor

    CrySyS Lab.

    BME Department of Telecommunications (Híradástechnikai Tanszék)

    mfelegyhazi(at)crysys(dot)hu

  • Goal of risk management

    vulnerabilities → threats → incidents → losses

    unknown

    Goal: minimize the costs associated with risks (threats)

    Vulnerabilities and patches 2 Mark Felegyhazi, CrySyS Lab, Department of Telecommunications, BME

  • Software vulnerabilities lifecycle

    produce secure software → discover vulnerabilities → patch vulnerabilities

    - software contains bugs; thorough testing requires strategic interactions; uncertainties about system strength
    - discovery of vulnerabilities: miscreants exploit, honest users assess risks
    - apply patches

    questions: timing in risk management, incentive issues

  • Incentive issues

    produce secure software → discover vulnerabilities → apply patches


  • Incentive issues: software production

    - producing secure software (supply-side): lemon market
    - security investments (demand-side): tragedy of the commons and free-riding

    MARKET FAILURE

    Solutions:
    - regulations
    - liability (more at the end)
    - new market mechanisms: feedback on quality, prices are indicators


  • Incentive issues: vulnerability discovery

    discovering and reporting security info: profitability; privacy and sensitive information

    Solution: vulnerability markets

    Böhme, R., A Comparison of Market Approaches to Software Vulnerability Disclosure, ETRICS 2006

  • Classification of vulnerability markets

    - bug challenges
    - vulnerability brokers
    - exploit derivatives
    - cyber-insurance

  • Vulnerability challenges

    also: market price of vulnerability; ex: Mozilla security bug bounties

    allocate money for a vulnerability: better to get the money than to exploit the bug

    Problems:
    - difficult to get the reward right
    - price as an indicator for security
    - incentive issues by selling: waiting for the right price; are rewards high enough?

    dynamic price setting: buyer-driven auctions, bug offering, seller-driven auctions

  • Vulnerability brokers

    vulnerability sharing circles: distribute alerts in a closed circle

    cooperative game; membership control (black hats)?

    examples: iDefense Vulnerability Contributor Program, TippingPoint/3COM Zero-day Initiative, Digital Armaments

    CERTs: a non-profit vulnerability broker; social planner better than a market approach; might need public funding

    Kannan, K., Telang, R., An economic analysis of markets for software vulnerabilities, WEIS 2004

  • Exploit derivatives

    based on option pricing in finance; two complementary contracts:
    - C: there's an exploit of software X on OS Y until date D
    - C: there's NO exploit of software X on OS Y until date D

    they pay the same money M if fulfilled

    Matsuura, K.: Security tokens and their derivatives. Technical report, Centre for Communications Systems Research (CCSR), University of Cambridge, UK, 2001

  • Exploit derivative market

    exploit derivative = free market to trade such contracts

    hypothesis: market price indicates probability

    issue such bundles to enable information sharing

    market efficiency! liquidity = high number of participants, low transaction costs

    requires a TTP
    - announce results at the end of the contract
    - can be distributed

  • Exploit derivative market

    demand:
    - users and insurance: C type, to distribute risks
    - investors: C type, to diversify
    - software vendors: both types (risk transfer + trust signal)
    - could be an incentive scheme for developers
    - security experts: investment depending on their assessment
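To make the bundle mechanics of the exploit-derivative slides concrete, here is an added Python example (written for this page, not taken from the slides or from Matsuura's report). It names the two complementary contracts `exploit` and `no_exploit`, assumes a payout M of 100 currency units and constructed bid/ask quotes, and shows the market-implied exploit probability, a bundle-consistency (arbitrage) check that a liquid, low-cost market should keep at zero, and a user's hedge of an expected loss.

```python
import math
from dataclasses import dataclass

PAYOUT_M = 100.0  # M: what a fulfilled contract pays (assumed currency units)


@dataclass(frozen=True)
class Quote:
    bid: float  # best price someone will pay for one contract
    ask: float  # best price someone will sell one contract for

    @property
    def mid(self) -> float:
        return (self.bid + self.ask) / 2


def implied_exploit_probability(exploit: Quote, no_exploit: Quote,
                                m: float = PAYOUT_M) -> float:
    """The slide's hypothesis: the price of the `exploit` leg over M reads as
    P(exploit of X on Y before D); both legs' readings are averaged."""
    p = (exploit.mid / m + (1.0 - no_exploit.mid / m)) / 2
    if not 0.0 <= p <= 1.0:
        raise ValueError("quotes do not form a probability")
    return p


def bundle_arbitrage(exploit: Quote, no_exploit: Quote,
                     m: float = PAYOUT_M) -> float:
    """Riskless profit per bundle (0.0 if none). Exactly one leg pays, so a
    bundle is worth M; an efficient market prices such gaps away."""
    buy_both = m - (exploit.ask + no_exploit.ask)   # buy both legs, collect M
    sell_both = (exploit.bid + no_exploit.bid) - m  # sell both legs, owe M
    return max(0.0, buy_both, sell_both)


def hedge(expected_loss: float, exploit: Quote, m: float = PAYOUT_M) -> dict:
    """A user's risk transfer: buy enough `exploit` legs at the ask so the
    payout covers `expected_loss` if the exploit appears before D."""
    n = math.ceil(expected_loss / m)
    premium = n * exploit.ask
    return {"contracts": n, "premium": premium,
            "net_if_exploit": n * m - expected_loss - premium,
            "net_if_no_exploit": -premium}


if __name__ == "__main__":
    # Constructed quotes: the market rates an exploit before D at about 30%.
    yes, no = Quote(bid=28, ask=32), Quote(bid=66, ask=72)
    print(implied_exploit_probability(yes, no), bundle_arbitrage(yes, no),
          hedge(expected_loss=1000, exploit=yes))
```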

  • Cyber-insurance

    provides a liability-proof solution for several issues

    - insurance for software vendors
    - insurance for software users

    premiums are adjusted to individual risk profiles, unlike vulnerability challenges and exploit derivatives

    more in Chapter 10

  • Comparison: functions

    information: use market price as a signal for quality
    - measurability: accuracy, timeliness and availability
    - separate security effects from the rest

    incentive: reward to security professionals to participate
    - developers + controllers
    - monetary vs. reputation
    - short-term vs. long-term

    risk-balancing: survive critical events
    - taxes bad security
    - reduces overall risk of large-scale events

  • Comparison: market efficiency

    market properties:
    - liquidity = high number of participants
    - low transaction costs = inexpensive to participate
    - accountability = low default risks
    - transparency = fair rules, public price quotes

    dependencies between properties

  • Comparison of vulnerability markets

    Table 2. Comparison of Vulnerability Markets

    Market type             Information   Incentives   Risk-balancing   Efficiency
    Bug challenges                        +
    Vulnerability brokers
    Exploit derivatives     ++            +            +                +
    Cyber-insurance         +             ++           ++

    Symbols ranging from (poor) to ++ (excellent)

    4.5 A provisional assessment of market types

    Putting the three functions and the efficiency property together gives us a framework for a structured comparison of the market types discussed in Section 3. A summary of the correspondence of each market type to the criteria is given in Table 2. Note that the evaluation is based on a qualitative assessment and should be regarded as a starting point for exchanges of view rather than as outright evidence. Some arguments backing the relative assessment of different market types are given below.

    The incentive function is fulfilled by all market types, though to varying degree. The ambivalent evaluation for vulnerability brokers is due to the questionable incentives created for adversaries to join the circle in order to obtain sensitive vulnerability information before the general public [3]. Conversely, we consider cyber-insurance as particularly good at the incentive function because the incentives to give security a higher priority are not limited to bug hunters and developers, but also affect the end user. This fosters security awareness on a large basis.

    As to the information function, bug challenges fail to provide accurate indicators when vulnerabilities are reported frequently. Vulnerability brokers do not reveal timely information to the public at all. Even worse, the usual practice of requiring vulnerability discoverers to sign non-disclosure agreements hinders the vital exchange of security-relevant information. We consider exploit derivatives as superior to cyber-insurance, because insurance contracts are re-negotiated less frequently, which negatively affects the timeliness of a price indicator. And it is questionable whether price information on actual cyber-insurance contracts, not merely unspecified offers, will ever be made available to the public on a large and regular basis. This together with the presumably high transaction costs of insurance contracts justifies a slightly negative assessment of cyber-insurance with respect to efficiency.

    Bug challenges and vulnerability brokers provide no risk-balancing instruments at all. Exploit derivatives are somewhat worse than cyber-insurance be-


    - involves users too
    - timeliness and accuracy
    - difficult to manage portfolios
