Are Vulnerability Disclosure Deadlines Justified?
Critical Infrastructure and Control Systems Security
Miles McQueen, Jason Wright, Lawrence Wellman
Idaho National Laboratory and University of Idaho
Metrisec, Banff, September 2011
How long should vendors be given? Security firm positions…
• “…Rapid7, where HD Moore is Chief Security Officer and Chief Architect of Metasploit, recently revamped their disclosure policy. In short, they will hold a vulnerability for 15 days after contacting the vendor, before sending it to CERT, who will give the vendor another 45 days to address the issue….” --- The Tech Herald, August 2010
• “…the Zero Day Initiative (ZDI), part of Hewlett-Packard / TippingPoint, has announced that, with immediate effect, it will limit the period for developing security updates to six months. However, the ZDI says that it will grant extensions to this deadline in special cases….” --- The H Security, August 2010
• “Serious bugs should be fixed within a reasonable timescale. Whilst every bug is unique, we would suggest that 60 days is a reasonable upper bound for a genuinely critical issue in widely deployed software. This time scale is only meant to apply to critical issues.” --- Chris Evans et al., Google Security Team, July 2010
• “All vulnerabilities reported to the CERT/CC will be disclosed to the public 45 days after the initial report, regardless of the existence or availability of patches or workarounds from affected vendors. Extenuating circumstances, ” --- CERT/CC 2008
• “The best way is to quietly disclose the problem to the vendor and then allow the vendor 30 days to fix the problem. Then go public.” --- Phil Zimmermann 2005
How long before reported vulnerabilities have patches made available? (1) Pwn2Own 2007-2010
• Daniel Veditz (Security Group Moderator, Mozilla Corporation) 2009-03-23 14:17:16 PDT: jst said to start with Neil. Since this is a high profile bug (Firefox cracked during a public hacking contest) we need to focus on it. If we had a fix I'd like to shoehorn it into 1.9.0.8 even though we're past code freeze (April release) but May's 1.9.0.9 is more realistic. Needs to make 3.5b4.
Table Note: +These vulnerabilities are not listed in ZDI and each of their NVD descriptions indicates a different situation, e.g. CVE-2010-1118 indicates “Unspecified Vulnerability in …” while CVE-2010-1117 indicates “Heap-based buffer overflow… via unknown vectors…”. Thus it is not at all clear what is happening with these vulnerabilities.
[Chart residue: the values 45, 60 and 180 (the deadlines from the quoted policies) and the annotation “Hmmm”]
How long before reported vulnerabilities have patches made available? (3) Summary:
• Pwn2Own --- high visibility, few vulnerabilities --- quick fix
• ZDI and iDefense --- some visibility, many vulnerabilities --- slower fix
• Other vulnerabilities --- little if any visibility, large number of vulnerabilities --- slowest fix?
August 4, 2010 ZDI imposes a 6 month Grace Period (1a) What happened to initial pool of unresolved vulnerabilities?
[Timeline: ZDI announces 6 month grace period, effective immediately, August 4, 2010; initial pool of 172 previously reported vulnerabilities; ~6 months to February 4, 2011]
Grace period is the amount of time the security researcher allots to the vendor for providing a fix, after which the researcher may independently announce the vulnerability.
August 4, 2010 ZDI imposes a 6 month Grace Period (1b) What happened to initial pool of unresolved vulnerabilities?
August 4, 2010 ZDI imposes a 6 month Grace Period (2a) Did more vulnerabilities have patches available within 6 months?
August 4, 2010 ZDI imposes a 6 month Grace Period (2b) Did more vulnerabilities have patches available within 6 months?
August 4, 2010 ZDI imposes a 6 month Grace Period (2c) Did more vulnerabilities have patches available in 6 months?
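The questions on the ZDI slides (what share of a pool of reported vulnerabilities had a patch within a given grace period, and whether that share changed for reports made after August 4, 2010) reduce to a small piece of survival-style bookkeeping. The following is an added example, not the authors' analysis code, using constructed sample records rather than the study's ZDI/NVD data; the census date and the record values are assumptions.

```python
from datetime import date, timedelta
from statistics import median
from typing import NamedTuple, Optional

# Constructed sample records (not the study's data): report date and the date a
# patch became available, or None if no patch existed at the census date.
class Vuln(NamedTuple):
    reported: date
    patched: Optional[date]

SAMPLE = [
    Vuln(date(2010, 1, 10), date(2010, 2, 20)),   # 41 days
    Vuln(date(2010, 3, 5), date(2010, 5, 1)),     # 57 days
    Vuln(date(2010, 3, 20), date(2010, 9, 30)),   # 194 days
    Vuln(date(2010, 6, 1), None),                 # still unpatched
    Vuln(date(2010, 9, 1), date(2010, 10, 1)),    # 30 days, reported after the policy change
    Vuln(date(2010, 10, 15), date(2011, 3, 1)),   # 137 days
    Vuln(date(2011, 1, 5), None),                 # still unpatched
]
POLICY_DATE = date(2010, 8, 4)   # ZDI grace period takes effect (from the slides)
CENSUS = date(2011, 8, 1)        # assumed snapshot date for the constructed data


def patched_within(vulns, deadline_days, census=CENSUS):
    """Share of vulnerabilities with a patch available within deadline_days of the
    report. Only items whose deadline has already elapsed by the census date are
    scored, so a recent report is not counted as late (right-censoring)."""
    window = timedelta(days=deadline_days)
    eligible = [v for v in vulns if v.reported + window <= census]
    if not eligible:
        return None
    hits = sum(1 for v in eligible
               if v.patched is not None and v.patched - v.reported <= window)
    return hits / len(eligible)


def before_after(vulns, deadline_days, policy_date=POLICY_DATE, census=CENSUS):
    """Patch-within-deadline share for reports before vs. on/after the policy date."""
    before = [v for v in vulns if v.reported < policy_date]
    after = [v for v in vulns if v.reported >= policy_date]
    return patched_within(before, deadline_days, census), patched_within(after, deadline_days, census)


def median_days_to_patch(vulns):
    """Median report-to-patch time over patched items only; unpatched ones are excluded."""
    spans = [(v.patched - v.reported).days for v in vulns if v.patched is not None]
    return median(spans) if spans else None


if __name__ == "__main__":
    for deadline in (30, 45, 60, 180):   # the deadlines quoted on the policy slide
        print(deadline, "days:", before_after(SAMPLE, deadline))
    print("median days to patch:", median_days_to_patch(SAMPLE))
```

The censoring rule matters for the 180-day case: a vulnerability reported a month before the snapshot has not yet had its six months, so it belongs in neither the patched nor the missed-deadline count.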
Conclusion and future work
• Conclusion
  • The 6 month imposed grace period did impact vendor patch creation time
  • There may be some end user cost associated with the imposed grace period
  • 45 and 60 day grace periods are problematic
• Future Work
  • Are statistics stable over time?
  • Embracing diversity
  • Implications for the control system disclosure process