Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong


Page 1: Disclosure/Non-Disclosure Case Study Observations Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong

Disclosure/Non-Disclosure Case Study Observations

Prepared by Scott Sakai, Mansi Shah, Kevin Walsh, and Patrick Wong

Page 2

Disclosure/Non-Disclosure Case Studies

Sakai, Shah, Walsh, Wong

Approach

• Context created by course curriculum

• Disclosure and Non-Disclosure Defined

• Case studies

• Observed practices and “norms”

• Summary and conclusions

Page 3

Introduction

• Intro to computer security vulnerabilities

• To disclose or not?

• Is it illegal or unethical not to disclose a discovered vulnerability?

• What practices are observed by industry in the case studies?

• Questions to the audience: What appear to be the accepted norms?

Page 4

Introduction (2)

• Context of course

  – Ethical Codes: acceptable professional behavior in the computer industry

  – Lessig: Architecture, Market, Norms, Law

  – Brin: Transparency, criticism, accountability, authority, authentication, trust

Page 5

Full Disclosure – What is it?

A security flaw that is…

• Released to the public immediately

• Developed and discussed in a public forum

• In general, brought to light before the public and vendors simultaneously (often before a vendor fix is available)

Page 6

Full Disclosure - Pros

• Levels the playing field

• Motivates vendors to fix flaw

• Lets knowledgeable users know what their program is doing

Page 7

Full Disclosure – Cons

• Makes exploiting vulnerability easier

• Increases chance of compromise or crash

• Potential loss of productivity

• May result in incomplete fix

Page 8

Non-Disclosure Defined

A security flaw that is…

• Held until the proper fixes are produced

• Not to be shared in the public eye

• Limited disclosure is a middle ground, defined by the company, in which it releases only some information about the vulnerability

Page 9

Non Disclosure - Pros

• Potential loss of market share

• Company/product reputation

• Undesirable exposure of underlying technology architecture

• Liability for company (can cut both ways)

Page 10

Non Disclosure - Cons

• False sense of security

• Potential delay of fixes (both company and client)

Page 11

Case Study 1: Ping of Death - overview

• Exploit: (late 1996) Sending large IP packets to a computer may crash it.

• Stakeholders:

  – Malicious individuals executing attack

  – Users who rely on vulnerable systems

  – Vendors of vulnerable systems

  – Public (relies on any of the above)
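The slide states the flaw only as "large IP packets may crash" a host. The mechanism behind that was fragment reassembly: the IP header's 16-bit length field limits a datagram to 65535 bytes, but a final fragment can be placed so that its offset plus its payload adds up to more than that, and a stack that sized its check (or its buffer) in 16 bits let the copy run past the end. The following is an added, defensive illustration written for this page, not code from the deck or from any real stack; the `ip_fragment` struct, the sample fragments and the function names are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Largest IPv4 datagram the 16-bit Total Length field can describe. */
#define IP_MAX_DATAGRAM 65535u

/* Reassembly-relevant header fields of one fragment, already parsed
 * out of the packet (hypothetical struct, not any real stack's type). */
typedef struct {
    uint16_t frag_offset;    /* 13-bit Fragment Offset field, in 8-byte units */
    bool     more_fragments; /* MF flag: false marks the final fragment */
    uint16_t payload_len;    /* bytes of data this fragment carries */
} ip_fragment;

/* Constructed samples: a normal first fragment and an oversized final
 * fragment (maximum offset plus an Ethernet-sized payload). */
static const ip_fragment FIRST_FRAGMENT     = { 0,    true,  1480 };
static const ip_fragment OVERSIZED_FRAGMENT = { 8191, false, 1480 };

/* Byte position just past this fragment's data within the datagram,
 * computed in 32 bits so the sum cannot wrap. */
uint32_t fragment_end(const ip_fragment *f)
{
    return (uint32_t)f->frag_offset * 8u + f->payload_len;
}

/* The kind of mistake behind Ping of Death, reproduced as a check: the
 * sum is kept in 16 bits, so 65528 + 1480 wraps to 1472 and the test
 * always passes, letting a copy run past a 65535-byte buffer. */
bool fragment_fits_wrapping(const ip_fragment *f)
{
    uint16_t end = (uint16_t)((uint32_t)f->frag_offset * 8u + f->payload_len);
    return end <= IP_MAX_DATAGRAM;
}

/* Hardened check: compare the unwrapped 32-bit end against the limit. */
bool fragment_fits(const ip_fragment *f)
{
    return fragment_end(f) <= IP_MAX_DATAGRAM;
}

/* Copy one fragment into a reassembly buffer. Returns bytes copied, or -1
 * if the fragment would extend past the buffer or the IPv4 size limit. */
int place_fragment(uint8_t *buf, size_t buf_len, const ip_fragment *f,
                   const uint8_t *data)
{
    uint32_t end = fragment_end(f);
    if (end > IP_MAX_DATAGRAM || end > buf_len)
        return -1;
    memcpy(buf + (size_t)f->frag_offset * 8u, data, f->payload_len);
    return (int)f->payload_len;
}

/* Drive place_fragment against a full-size reassembly buffer with a
 * zero-filled sample payload. */
int place_into_max_buffer(const ip_fragment *f)
{
    static uint8_t reassembly[IP_MAX_DATAGRAM];
    static const uint8_t payload[1480] = { 0 }; /* constructed sample data */
    return place_fragment(reassembly, sizeof reassembly, f, payload);
}

int main(void)
{
    printf("oversized fragment ends at byte %u\n",
           (unsigned)fragment_end(&OVERSIZED_FRAGMENT));
    printf("16-bit check accepts it: %d\n", fragment_fits_wrapping(&OVERSIZED_FRAGMENT));
    printf("32-bit check accepts it: %d\n", fragment_fits(&OVERSIZED_FRAGMENT));
    printf("place_fragment result:   %d\n", place_into_max_buffer(&OVERSIZED_FRAGMENT));
    return 0;
}
```

The point for the disclosure debate is that the fix is a one-line bounds check, which is why, once the flaw was public, vendors could patch quickly; the slide's "similar exploits prevented" follows from stacks adopting the unwrapped comparison for every fragment rather than only for ICMP echo.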

Page 12

Case Study 1: Ping of Death - analysis

• Classification: Full disclosure

• Pros

  – More stable TCP/IP implementation

  – Similar exploits prevented

• Cons

  – Lost data

  – Vulnerable systems may still exist

Page 13

Case Study 1: Ping of Death - Issues

• Ethical tests:

  – Utilitarian: TCP/IP is more stable now – ethical.

  – Golden Rule: It sucks when someone crashes your computer, so you shouldn't do it to them – unethical.

• Legal issues:

  – Denial of service attacks are illegal under CFAA

  – Saw the beginning of contemporary issues

    • International boundaries

    • Data integrity

Page 14

Case Study 2: Microsoft IIS

June '99: eEye/Microsoft IIS Security Vulnerability

• eEye finds a serious security flaw in IIS Server

• eEye emails Microsoft and places warning bulletins, along with CERT

• Microsoft does not respond to the emails or warnings

• eEye discloses the vulnerability due to Microsoft's apathy.

Page 15

Case Study 2: Microsoft IIS (2)

November '00: Microsoft's Anti-Disclosure Plan

• Microsoft and 5 security companies decide to create an industry standard for disclosure.

• Will draft a standard for notifying the public about newly-found software security bugs

• Leading objective of the group will be to discourage "full disclosure" of security holes

Page 16

Case Study 2: Microsoft IIS (3)

April '02: Microsoft's Practices Today

• Trustworthy Computing Initiative started by a memo from Bill Gates; all employees are being trained in security

• Microsoft placed a bulletin warning on ten of their IIS vulnerabilities

• Both events are high profile in the area of security

Page 17

Case Study 3: Felten vs. RIAA (1)

• Hack SDMI Contest (Fall 2000)

  – Break 4 watermarks

    • Render watermarks undetectable without significantly degrading audio quality

  – Edward Felten & Team

    • Broke all 4 technologies

    • RIAA threatened team with litigation through DMCA if team presented research to public

    • Felten sued RIAA to allow presentation of research

      – Case thrown out since DMCA does not apply to research

Page 18

Case Study 3: Felten vs. RIAA (2)

• Stakeholders

  – Professor Edward Felten & Team

    • Crackers of digital watermark technology

  – Other researchers

  – RIAA

    • Record Industry

  – Secure Digital Music Initiative (SDMI)

    • Holders of the watermark contest

  – Verance

    • One of the watermark manufacturers

  – Public

Page 19

Case Study 3: Felten vs RIAA - analysis

• Classification: Full Disclosure

• Pros

  – Public learns truth; watermark technology fails

  – Watermark companies can learn from hacks and develop better technology

  – SDMI & RIAA learn technology doesn't work before full-scale release of watermarked CDs

• Cons

  – Verance's watermark compromised

    • DVD-Audio already in use in market, now easily hacked

Page 20

Case Study 3: Felten vs RIAA - Issues

• Ethical tests:

  – Rights: RIAA threat to sue Felten for presenting paper on hacking watermarks – unethical

  – Utilitarian: Public learns that watermark technology doesn't work – ethical

  – Utilitarian: Hackers learn of vulnerability in DVD-Audio through paper – unethical

• Legal Issues:

  – Right to disclose SDMI watermark hack

  – Fear of litigation due to DMCA

Page 21

Case Study 4: Malformed SNMP

• Simple Network Management Protocol (SNMP)

• Vulnerability reported by the Oulu University Secure Programming Group

• Vulnerability concerned trap and request handling

• Impact included DoS, service interruption, and unauthorized access and control
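SNMP messages are BER-encoded, and a decoder that trusts the length octets in a trap or request without comparing them to the bytes it actually received is the class of defect that malformed-message testing turns up. The following is an added example written for this page, not code from the deck, from the Oulu group, or from any SNMP implementation: a bounds-checked BER length parser with a few constructed messages, one well-formed and three malformed. The enum, function names and sample bytes are all assumptions made for the illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Outcome of parsing one BER length field. */
typedef enum {
    BER_OK = 0,
    BER_TRUNCATED,  /* fewer bytes than the length encoding itself needs */
    BER_INDEFINITE, /* 0x80: indefinite form, which SNMP never uses */
    BER_TOO_LONG,   /* long form wider than 4 octets: refuse */
    BER_OVERRUN     /* declared length exceeds the bytes actually present */
} ber_status;

/* Parse the length octets at p (the byte after the tag), with `avail`
 * bytes remaining in the buffer from p onward. On BER_OK, *len is the
 * content length and *consumed the number of length octets. */
ber_status ber_read_length(const uint8_t *p, size_t avail,
                           size_t *len, size_t *consumed)
{
    if (avail < 1)
        return BER_TRUNCATED;

    uint8_t first = p[0];
    size_t n = 1;      /* length octets consumed so far */
    size_t value;

    if (first < 0x80) {                 /* short form: one octet */
        value = first;
    } else if (first == 0x80) {
        return BER_INDEFINITE;
    } else {                            /* long form: 0x8N, then N octets */
        size_t nbytes = first & 0x7f;
        if (nbytes > 4)
            return BER_TOO_LONG;
        if (avail < 1 + nbytes)
            return BER_TRUNCATED;
        value = 0;
        for (size_t i = 0; i < nbytes; i++)
            value = (value << 8) | p[1 + i];
        n += nbytes;
    }

    /* The check a robust decoder must make: the content must fit inside
     * what was actually received, or a later read runs off the buffer. */
    if (value > avail - n)
        return BER_OVERRUN;

    *len = value;
    *consumed = n;
    return BER_OK;
}

/* Validate the outermost TLV of a message (tag, length, content bounds).
 * On BER_OK, *body_len is the declared content length. */
ber_status ber_check_outer(const uint8_t *msg, size_t msg_len, size_t *body_len)
{
    size_t consumed;
    if (msg_len < 2)
        return BER_TRUNCATED;
    /* msg[0] is the tag; 0x30 (SEQUENCE) opens every SNMP message. */
    return ber_read_length(msg + 1, msg_len - 1, body_len, &consumed);
}

/* Constructed samples. WELLFORMED is SEQUENCE { INTEGER 0 }. MALFORMED
 * claims 256 content bytes but carries three. INDEFINITE uses the 0x80
 * form. TRUNCATED stops in the middle of a long-form length. */
static const uint8_t WELLFORMED[] = { 0x30, 0x03, 0x02, 0x01, 0x00 };
static const uint8_t MALFORMED[]  = { 0x30, 0x82, 0x01, 0x00, 0x02, 0x01, 0x00 };
static const uint8_t INDEFINITE[] = { 0x30, 0x80, 0x02, 0x01, 0x00, 0x00, 0x00 };
static const uint8_t TRUNCATED[]  = { 0x30, 0x82, 0x01 };

/* Wrappers that return only the status or only the length. */
ber_status outer_status(const uint8_t *msg, size_t msg_len)
{
    size_t len;
    return ber_check_outer(msg, msg_len, &len);
}

size_t outer_len(const uint8_t *msg, size_t msg_len)
{
    size_t len = 0;
    if (ber_check_outer(msg, msg_len, &len) != BER_OK)
        return 0;
    return len;
}

int main(void)
{
    printf("well-formed: status %d, body %zu bytes\n",
           outer_status(WELLFORMED, sizeof WELLFORMED), outer_len(WELLFORMED, sizeof WELLFORMED));
    printf("malformed:   status %d\n", outer_status(MALFORMED, sizeof MALFORMED));
    printf("indefinite:  status %d\n", outer_status(INDEFINITE, sizeof INDEFINITE));
    printf("truncated:   status %d\n", outer_status(TRUNCATED, sizeof TRUNCATED));
    return 0;
}
```

Rejecting a message at the outer length check is the behaviour the slide's "immediate workaround non-catastrophic" relies on: a decoder that stops at the first inconsistent length drops the packet instead of reading or writing past its buffer.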

Page 22

Case Study 4: Malformed SNMP (2)

• Stakeholders:

  – Equipment from over 250 manufacturers involved

  – 3Com, Cisco, Compaq, Dell, Hewlett Packard, Lucent, IBM, Iplanet, Larscom, Lotus, Juniper, Nokia, Novell, Microsoft, Red Hat, Sun, Xerox

• Potential impact critical to Internet and majority of government and commercial networks.

Page 23

Case Study 4: Malformed SNMP (3)

• Response and solution

• CERT and CVE

• Ethical test: textbook case of vendor notification and posted fixes

• Majority of vendors post patches within three weeks of notice

• Immediate workaround non-catastrophic

Page 24

Observed Industry Practices

• Emergence of clearing house and response organizations: Computer Emergency Response Team (CERT), Common Vulnerabilities and Exposures (CVE), Responsible Disclosure Forum

• Accepted as legitimate by industry and the customer

Page 25

Observed Industry Practices (2)

• Role of industry and mainstream press

• Role of university and industry research groups

• Evidence of industry, press, and buying public arriving at a sense of a “norm”

• Norm legitimized through criticism

Page 26

Summary and Conclusions

From case studies:

• Both non-disclosure and full disclosure can be ethical and unethical depending upon the tests applied

• The rights test is not applicable in most contexts due to the timeliness of the legal system

Page 27

Summary and Conclusions (2)

Movement of the Industry:

• Practices by major software corporations are moving from non-disclosure (and limited interest in security) towards full disclosure (and a much greater interest in software security).

• Stakeholders following this trend: Microsoft, the 281 manufacturers and organizations like CERT.