RAND RR1751

Post on 22-Jan-2018

Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits
Lillian Ablon, Andy Bogart
RAND Corporation
Limited Print and Electronic Distribution Rights

This document and trademark(s) contained herein are protected by law. This representation of RAND intellectual property is provided for noncommercial use only. Unauthorized posting of this publication online is prohibited. Permission is given to duplicate this document for personal use only, as long as it is unaltered and complete. Permission is required from RAND to reproduce, or reuse in another form, any of its research documents for commercial use. For information on reprint and linking permissions, please visit www.rand.org/pubs/permissions.

The RAND Corporation is a research organization that develops solutions to public policy challenges to help make communities throughout the world safer and more secure, healthier and more prosperous. RAND is nonprofit, nonpartisan, and committed to the public interest.

RAND's publications do not necessarily reflect the opinions of its research clients and sponsors.

Support RAND
Make a tax-deductible charitable contribution at www.rand.org/giving/contribute

www.rand.org

For more information on this publication, visit www.rand.org/t/RR1751

Library of Congress Cataloging-in-Publication Data is available for this publication.

ISBN: 978-0-8330-9761-3

Published by the RAND Corporation, Santa Monica, Calif.
Copyright 2017 RAND Corporation
R® is a registered trademark.

Cover: Composite image by Eileen Delson La Russo. Adapted from images by Agil_Leonardo, Matejmo, and Byakkaya; courtesy of Getty Images.
Preface

There is an ongoing policy debate over whether the U.S. government, or any government, should retain so-called zero-day software vulnerabilities or disclose them so they can be patched.[1] Those who have knowledge of a zero-day vulnerability may create exploits (code that takes advantage of the vulnerability) to access other parts of a system, execute their own code, act as an administrator, or perform some other action, but many worry that keeping these vulnerabilities secret can expose people who use the vulnerable software to malware attacks and other attempts to collect their private information. Furthermore, cybersecurity and the liability that might result from attacks, hacks, and data breaches using zero-day vulnerabilities have substantial implications for U.S. consumers, companies, and insurers, and for the civil justice system broadly.

The debate of whether to retain or disclose these vulnerabilities is often fueled by how much overlap there might be between the zero-day vulnerabilities or exploits the U.S. government keeps and those its adversaries are stockpiling. If both sides have the same stockpiles, then some argue that there is little point to keeping them private, whereas a smaller overlap might justify retention. But without information on the overlap, or concrete metrics based on actual data, it is challenging to make a well-informed decision about stockpiling.

To address this question, RAND obtained rare access to a dataset of information about zero-day software vulnerabilities and exploits. In this report, we explore the dataset using novel applications of traditional statistical methods to reveal a number of insights about the industry and establish some initial metrics regarding the life status, longevity, and collision rates of zero-day vulnerabilities and their exploits. We also touch on the labor time required to create an exploit. The results of this research provide findings from real-world zero-day vulnerability and exploit data that could augment conventional proxy examples and expert opinion, complement current efforts to create a framework for deciding whether to disclose or retain a cache of zero-day vulnerabilities and exploits, and inform ongoing policy debates regarding stockpiling and vulnerability disclosure.

This research could be valuable to a wide variety of stakeholders, chief among them policymakers making decisions about how to reduce the nation's vulnerability while still maintaining robust options for cyber operations.

Funding for this venture was provided by philanthropic contributions from RAND supporters and from members of the RAND Institute for Civil Justice Board of Overseers and other RAND supporters, as well as income from operations.

RAND Institute for Civil Justice

The RAND Institute for Civil Justice (ICJ) is dedicated to improving the civil justice system by supplying policymakers and the public with rigorous and nonpartisan research. Its studies identify trends in litigation and inform policy choices about liability, compensation, regulation, risk management, and insurance. The institute builds on a long tradition of RAND Corporation research characterized by an interdisciplinary, empirical approach to public policy issues and rigorous standards of quality, objectivity, and independence.

ICJ research is supported by pooled grants from a range of sources, including corporations, trade and professional associations, individuals, government agencies, and private foundations. All its reports are subject to peer review and disseminated widely to policymakers, practitioners in law and business, other researchers, and the public.

The ICJ is part of RAND Justice, Infrastructure, and Environment, a division of the RAND Corporation dedicated to improving policy- and decisionmaking in a wide range of policy domains, including civil and criminal justice, infrastructure protection and homeland security, transportation and energy policy, and environmental and natural resource policy.

For more information about the RAND Institute for Civil Justice, see www.rand.org/icj or contact the director at icjdirector@rand.org. We welcome your questions and comments, which can be addressed to the lead author, Lillian Ablon (Lillian_Ablon@rand.org).

[1] Zero-day vulnerabilities are vulnerabilities for which no patch or fix has been publicly released. The term zero-day refers to the number of days a software vendor has known about the vulnerability (Libicki, Ablon, and Webb, 2015). Zero-day vulnerabilities and their exploits are useful in cyber operations (whether by criminals, militaries, or governments) as well as in defensive (e.g., penetration testing) and academic settings.
Contents

Preface  iii
Figures and Tables  vii
Summary  ix
Acknowledgments  xvii

CHAPTER ONE
Introduction  1
Little Is Known About the Extent, Use, Benefit, or Harm of Zero-Day Exploits  1
Should the U.S. Government Disclose Zero-Day Vulnerabilities?  4
There Are Many Considerations That Stakeholders Want Addressed  5
Research Questions and the Purpose of This Research  6
Intended Audience for This Research  7
Breaking Down the Zero-Day Space  7
Data for This Research  11
Methodology of Research and Data Collection  13
Organization of This Report  16

CHAPTER TWO
More Discussion of Zero-Day Vulnerabilities  17
Nature of Zero-Day Vulnerabilities  17
Exploit Development Basics and Considerations  18
Exploit Development Cycle  20
People in the Zero-Day Vulnerability Space  20
Business Models