Disclosure/Non-Disclosure
Case Study Observations
Prepared by
Scott Sakai, Mansi Shah,
Kevin Walsh, and Patrick Wong
Disclosure/Non-Disclosure Case Studies
Sakai,Shah, Walsh, Wong
Approach
• Context created by course curriculum
• Disclosure and Non-Disclosure Defined
• Case studies
• Observed practices and “norms”
• Summary and conclusions
Introduction
• Intro to computer security vulnerabilities
• To disclose or not?
• Is it illegal or unethical not to disclose a discovered vulnerability?
• What practices are observed by industry in the case studies?
• Questions to the audience: What appear to be the accepted norms?
Introduction (2)
• Context of course
– Ethical Codes: acceptable professional behavior in the computer industry
– Lessig: Architecture, Market, Norms, Law
– Brin: Transparency, criticism, accountability, authority, authentication, trust
Full Disclosure – What is it?
A security flaw that is…
• Released to the public immediately
• Developed and discussed in a public forum
• In general, brought to light to the public and the vendor at the same time (often before a vendor fix is available)
Full Disclosure - Pros
• Levels the playing field
• Motivates vendors to fix flaw
• Lets knowledgeable users know what their program is doing
Full Disclosure – Cons
• Makes exploiting vulnerability easier
• Increases chance of compromise or crash
• Potential loss of productivity
• May pressure the vendor into a rushed, incomplete fix
Non-Disclosure Defined
A security flaw that is…
• Held until the proper fixes are produced
• Not to be shared in the public eye
• Limited disclosure is a middle ground, defined by the vendor, in which only some information about the vulnerability is released
Non-Disclosure - Pros (from the vendor's point of view)
• Avoids potential loss of market share
• Protects company/product reputation
• Avoids undesirable exposure of the underlying technology architecture
• Limits liability for the company (can cut both ways)
Non Disclosure - Cons
• False sense of security
• Potential delay of fixes (both company and client)
Case Study 1: Ping of Death - overview
• Exploit: (late 1996) A fragmented IP packet (typically an ICMP echo request, hence "ping") whose reassembled size exceeds the 65,535-byte IPv4 maximum overflows the receiver's reassembly buffer and may crash the machine.
• Stakeholders:
– Malicious individuals executing the attack
– Users who rely on vulnerable systems
– Vendors of vulnerable systems
– Public (relies on any of the above)
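As an added illustration (not code from these slides or from any vendor's TCP/IP stack), the following C models the fragment-reassembly check that Ping of Death defeated. The IPv4 Total Length field is 16 bits, so a datagram can be at most 65,535 bytes, yet the 13-bit Fragment Offset field (counted in 8-byte units) lets a final fragment start at byte 65,528 and carry more than 7 bytes; a stack that copies each fragment into a 65,535-byte reassembly buffer without checking where the copy ends writes past it. The fragment structure, error codes, function names and sample fragments are this example's own constructions.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

#define IP_MAX_DATAGRAM 65535u   /* 16-bit Total Length field */
#define IP_FRAG_UNIT    8u       /* Fragment Offset counts 8-byte units */
#define IP_FRAG_OFF_MAX 8191u    /* 13-bit Fragment Offset field */

/* Simplified model of one IPv4 fragment after header parsing (assumed). */
typedef struct {
    uint16_t       frag_off;    /* raw Fragment Offset field */
    bool           more_frags;  /* MF flag: more fragments follow */
    uint16_t       len;         /* payload bytes in this fragment */
    const uint8_t *payload;
} ip_fragment;

enum {
    FRAG_TOO_BIG    = -1,  /* offset*8 + len exceeds 65535 */
    FRAG_BAD_OFFSET = -2,  /* Fragment Offset field out of range */
    FRAG_INCOMPLETE = -3   /* no fragment with MF clear was seen */
};

/* What the vulnerable stacks computed: the copy destination, with no test
   of where the copy ends. A last fragment at offset 8191 lands at byte
   65528 of a 65535-byte buffer, so any payload over 7 bytes overruns it. */
uint32_t vulnerable_copy_offset(const ip_fragment *f) {
    return (uint32_t)f->frag_off * IP_FRAG_UNIT;
}

/* The missing check: the fragment's end must fit inside the largest legal
   datagram. 32-bit arithmetic keeps offset*8 + len from wrapping. */
int fragment_check(const ip_fragment *f) {
    if (f->frag_off > IP_FRAG_OFF_MAX)
        return FRAG_BAD_OFFSET;
    uint32_t end = (uint32_t)f->frag_off * IP_FRAG_UNIT + f->len;
    if (end > IP_MAX_DATAGRAM)
        return FRAG_TOO_BIG;
    return 0;
}

/* Reassemble n fragments into out (capacity IP_MAX_DATAGRAM). Every
   fragment is validated before a single byte is copied. Returns the
   datagram length, or a negative FRAG_* code having copied nothing. */
int reassemble(const ip_fragment *frags, size_t n, uint8_t *out) {
    uint32_t total = 0;
    bool saw_last = false;
    for (size_t i = 0; i < n; i++) {
        int rc = fragment_check(&frags[i]);
        if (rc != 0)
            return rc;
        uint32_t end = (uint32_t)frags[i].frag_off * IP_FRAG_UNIT + frags[i].len;
        if (end > total)
            total = end;
        if (!frags[i].more_frags)
            saw_last = true;
    }
    if (!saw_last)
        return FRAG_INCOMPLETE;
    for (size_t i = 0; i < n; i++)
        memcpy(out + (size_t)frags[i].frag_off * IP_FRAG_UNIT,
               frags[i].payload, frags[i].len);
    return (int)total;
}

/* Constructed sample data (zero-filled payloads, not captured traffic). */
static const uint8_t echo_part1[1480] = {0};  /* first fragment of an ICMP echo */
static const uint8_t echo_part2[20]   = {0};  /* last 20 bytes of a 1500-byte IP payload */
static const uint8_t pod_tail[64]     = {0};  /* oversized final fragment */
static uint8_t reasm[IP_MAX_DATAGRAM];

/* A legitimate ICMP echo with 1500 bytes of IP payload, fragmented for a
   1500-byte MTU: 1480 bytes (20-byte header leaves room for 1480), then 20. */
int demo_normal_ping(void) {
    ip_fragment frags[] = {
        { 0,   true,  1480, echo_part1 },
        { 185, false, 20,   echo_part2 },   /* 185 * 8 == 1480 */
    };
    return reassemble(frags, 2, reasm);     /* 1500 */
}

/* Ping of Death: final fragment at the maximum offset carrying 64 bytes,
   so the reassembled datagram would be 65528 + 64 = 65592 bytes. */
int demo_ping_of_death(void) {
    ip_fragment frags[] = {
        { 0,    true,  1480, echo_part1 },
        { 8191, false, 64,   pod_tail },
    };
    return reassemble(frags, 2, reasm);     /* FRAG_TOO_BIG */
}

uint32_t demo_ping_of_death_copy_offset(void) {
    ip_fragment f = { 8191, false, 64, pod_tail };
    return vulnerable_copy_offset(&f);      /* 65528 */
}
```

The point of validating all fragments before copying any is that a reassembler which checks and copies in one pass has already written earlier fragments when it hits the bad one; rejecting the whole datagram up front keeps the buffer untouched.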
Case Study 1: Ping of Death - analysis
• Classification: Full disclosure
• Pros
– More robust TCP/IP implementations
– Similar exploits prevented
• Cons
– Lost data
– Vulnerable systems may still exist
Case Study 1: Ping of Death - issues
• Ethical tests:
– Utilitarian: TCP/IP is more stable now – ethical.
– Golden Rule: It sucks when someone crashes your computer, so you shouldn't do it to them – unethical.
• Legal issues:
– Denial of service attacks are illegal under the CFAA
– Saw the beginning of contemporary issues:
• International boundaries
• Data integrity
Case Study 2: Microsoft IIS
June '99: eEye/Microsoft IIS Security Vulnerability
• eEye finds a serious security flaw in IIS Server
• eEye emails Microsoft and places warning bulletins, along with CERT
• Microsoft does not respond to the emails or warnings
• eEye discloses the vulnerability due to Microsoft's apathy
Case Study 2: Microsoft IIS (2)
November '00: Microsoft's Anti-Disclosure Plan
• Microsoft and 5 security companies decide to create an industry standard for disclosure
• Will draft a standard for notifying the public about newly found software security bugs
• Leading objective of the group will be to discourage "full disclosure" of security holes
Case Study 2: Microsoft IIS (3)
April '02: Microsoft's Practices Today
• Trustworthy Computing initiative started by a memo from Bill Gates (January 2002); all employees are being trained in security
• Microsoft issued a single bulletin covering ten of its IIS vulnerabilities
• Both events are high profile in the area of security
Case Study 3: Felten vs. RIAA (1)
• Hack SDMI Contest (Fall 2000)
– Break 4 watermarks
• Render watermarks undetectable without significantly degrading audio quality
– Edward Felten & Team
• Broke all 4 technologies
• RIAA threatened the team with litigation under the DMCA if the team presented its research to the public
• Felten sued the RIAA to allow presentation of the research (the paper was presented at USENIX Security in August 2001)
– Case dismissed after the RIAA and SDMI stated they would not sue; the court never ruled on whether the DMCA applies to research
Case Study 3: Felten vs. RIAA (2)
• Stakeholders
– Professor Edward Felten & Team
• Crackers of digital watermark technology
– Other researchers
– RIAA
• Record industry
– Secure Digital Music Initiative (SDMI)
• Holders of the watermark contest
– Verance
• One of the watermark manufacturers
– Public
Case Study 3: Felten vs. RIAA - analysis
• Classification: Full disclosure
• Pros
– Public learns the truth: the watermark technology fails
– Watermark companies can learn from the hacks and develop better technology
– SDMI & RIAA learn the technology doesn't work before full-scale release of watermarked CDs
• Cons
– Verance's watermark compromised
• DVD-Audio already in use in the market, now easily hacked
Case Study 3: Felten vs. RIAA - issues
• Ethical tests:
– Rights: RIAA threat to sue Felten for presenting a paper on hacking watermarks – unethical
– Utilitarian: Public learns that the watermark technology doesn't work – ethical
– Utilitarian: Hackers learn of the vulnerability in DVD-Audio through the paper – unethical
• Legal issues:
– Right to disclose the SDMI watermark hack
– Fear of litigation due to the DMCA
Case Study 4: Malformed SNMP
• Simple Network Management Protocol (SNMP), version 1
• Vulnerabilities reported by the Oulu University Secure Programming Group (OUSPG), found with its PROTOS test suite of malformed SNMPv1 messages; CERT advisory issued February 2002
• Vulnerabilities concerned the decoding and handling of trap messages and request messages (malformed ASN.1/BER encodings)
• Impact included denial of service, service interruption, and unauthorized access and control
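As an added example, not from the PROTOS test suite, the slides, or any vendor's SNMP agent, the following C decoder shows the kind of BER length checking the vulnerable implementations lacked. An SNMPv1 message is a BER-encoded SEQUENCE of version, community string and PDU; every length octet in it is attacker-controlled, so a decoder that trusts a claimed length reads or copies past its buffer. The message bytes below are constructed (a GetRequest for sysName.0 with community "public", plus four malformed variants of the sort a malformed-message test suite would generate), and the error codes and function names are this example's own; PDU contents are not decoded.

```c
#include <stdint.h>
#include <stddef.h>

/* Error codes; any negative result means "drop the message". */
enum {
    BER_OK           =  0,
    BER_TRUNCATED    = -1,  /* header cut off before it was complete */
    BER_OVERRUN      = -2,  /* claimed length runs past the enclosing element */
    BER_INDEFINITE   = -3,  /* 0x80 indefinite form; not permitted in SNMP */
    BER_BAD_LENGTH   = -4,  /* more than 4 length octets */
    BER_BAD_TAG      = -5,  /* multi-byte or unexpected tag */
    BER_TRAILING     = -6,  /* bytes left over inside the outer SEQUENCE */
    SNMP_BAD_VERSION = -7
};

/* One decoded tag-length header; the value occupies [content, content+len). */
typedef struct { uint8_t tag; size_t content; size_t len; } ber_tlv;

/* Decode a definite-form BER length at buf[pos]. `end` is the boundary of
   the enclosing element, so a length can never reach outside its parent. */
int ber_read_length(const uint8_t *buf, size_t end, size_t pos,
                    size_t *len, size_t *consumed) {
    if (pos >= end) return BER_TRUNCATED;
    uint8_t first = buf[pos];
    if (first < 0x80) {
        *len = first; *consumed = 1;                /* short form */
    } else {
        size_t n = first & 0x7f;                    /* number of length octets */
        if (n == 0) return BER_INDEFINITE;
        if (n > 4)  return BER_BAD_LENGTH;          /* also prevents size_t wrap below */
        if (end - pos - 1 < n) return BER_TRUNCATED;
        size_t v = 0;
        for (size_t i = 0; i < n; i++) v = (v << 8) | buf[pos + 1 + i];
        *len = v; *consumed = 1 + n;
    }
    if (*len > end - pos - *consumed) return BER_OVERRUN;   /* the check the vulnerable agents skipped */
    return BER_OK;
}

int ber_read_tlv(const uint8_t *buf, size_t end, size_t pos, ber_tlv *t) {
    if (pos >= end) return BER_TRUNCATED;
    if ((buf[pos] & 0x1f) == 0x1f) return BER_BAD_TAG;   /* high-tag-number form, unused by SNMP */
    size_t consumed;
    int rc = ber_read_length(buf, end, pos + 1, &t->len, &consumed);
    if (rc != BER_OK) return rc;
    t->tag = buf[pos];
    t->content = pos + 1 + consumed;
    return BER_OK;
}

/* Walk the SNMPv1 envelope SEQUENCE { version, community, PDU }. Returns the
   PDU tag (0xA0 GetRequest ... 0xA4 Trap) or a negative error code. */
int snmp_pdu_type(const uint8_t *msg, size_t msglen) {
    ber_tlv outer, ver, comm, pdu;
    int rc;
    if ((rc = ber_read_tlv(msg, msglen, 0, &outer)) != BER_OK) return rc;
    if (outer.tag != 0x30) return BER_BAD_TAG;
    size_t end = outer.content + outer.len;         /* nothing may extend past the SEQUENCE */
    if ((rc = ber_read_tlv(msg, end, outer.content, &ver)) != BER_OK) return rc;
    if (ver.tag != 0x02 || ver.len != 1 || msg[ver.content] != 0) return SNMP_BAD_VERSION;
    if ((rc = ber_read_tlv(msg, end, ver.content + ver.len, &comm)) != BER_OK) return rc;
    if (comm.tag != 0x04) return BER_BAD_TAG;
    if ((rc = ber_read_tlv(msg, end, comm.content + comm.len, &pdu)) != BER_OK) return rc;
    if (pdu.tag < 0xa0 || pdu.tag > 0xa4) return BER_BAD_TAG;
    if (pdu.content + pdu.len != end) return BER_TRAILING;
    return pdu.tag;
}

/* Constructed messages (not captured traffic). VER is INTEGER 0 (SNMPv1);
   PDU is a GetRequest (request-id 1) for sysName.0 = 1.3.6.1.2.1.1.5.0. */
#define VER 0x02,0x01,0x00
#define PDU 0xa0,0x19, 0x02,0x01,0x01, 0x02,0x01,0x00, 0x02,0x01,0x00, 0x30,0x0e, \
            0x30,0x0c, 0x06,0x08,0x2b,0x06,0x01,0x02,0x01,0x01,0x05,0x00, 0x05,0x00
static const uint8_t GOOD[]     = { 0x30,0x26, VER, 0x04,0x06,'p','u','b','l','i','c', PDU };
/* community length 0x84 ff ff ff ff: claims 4 GiB of content in a 44-byte message */
static const uint8_t HUGE_LEN[] = { 0x30,0x2a, VER, 0x04,0x84,0xff,0xff,0xff,0xff,'p','u','b','l','i','c', PDU };
/* outer SEQUENCE written with the indefinite length form */
static const uint8_t INDEF[]    = { 0x30,0x80, VER, 0x04,0x06,'p','u','b','l','i','c', PDU };
/* community length with five length octets */
static const uint8_t FIVE_OCT[] = { 0x30,0x2b, VER, 0x04,0x85,0,0,0,0,0x06,'p','u','b','l','i','c', PDU };
/* outer SEQUENCE claims only 16 bytes, but the PDU inside claims 25 */
static const uint8_t ESCAPE[]   = { 0x30,0x10, VER, 0x04,0x06,'p','u','b','l','i','c', PDU };

int demo_good_request(void)          { return snmp_pdu_type(GOOD, sizeof GOOD); }          /* 0xa0 */
int demo_huge_community_length(void) { return snmp_pdu_type(HUGE_LEN, sizeof HUGE_LEN); }  /* BER_OVERRUN */
int demo_indefinite_length(void)     { return snmp_pdu_type(INDEF, sizeof INDEF); }        /* BER_INDEFINITE */
int demo_five_length_octets(void)    { return snmp_pdu_type(FIVE_OCT, sizeof FIVE_OCT); }  /* BER_BAD_LENGTH */
int demo_pdu_escapes_sequence(void)  { return snmp_pdu_type(ESCAPE, sizeof ESCAPE); }      /* BER_OVERRUN */
```

Passing the enclosing element's end (rather than the whole buffer length) into every nested decode is what catches the last case: the message as a whole is 40 bytes, so a decoder that only compares against the buffer size would accept a PDU that the outer SEQUENCE says cannot be there.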
Case Study 4: Malformed SNMP (2)
• Stakeholders:
– Equipment from over 250 manufacturers involved
– 3Com, Cisco, Compaq, Dell, Hewlett Packard, Lucent, IBM, iPlanet, Larscom, Lotus, Juniper, Nokia, Novell, Microsoft, Red Hat, Sun, Xerox
• Potential impact critical to the Internet and the majority of government and commercial networks
Case Study 4: Malformed SNMP (3)
• Response and solution: coordinated through CERT, with CVE entries assigned
• Ethical test: textbook case of vendor notification and posted fixes
• Majority of vendors posted patches within three weeks of notice
• Immediate workaround (filtering SNMP at the network perimeter, or disabling it where not needed) was non-catastrophic
Observed Industry Practices
• Emergence of clearing-house and response organizations: Computer Emergency Response Team (CERT), Common Vulnerabilities and Exposures (CVE), Responsible Disclosure Forum
• Accepted as legitimate by industry and the customer
Observed Industry Practices (2)
• Role of industry and mainstream press
• Role of university and industry research groups
• Evidence of industry, press, and buying public arriving at a sense of a “norm”
• Norm legitimized through criticism
Summary and Conclusions
From case studies:
• Both non-disclosure and full disclosure can be ethical and unethical depending upon the tests applied
• The rights test is not applicable in most contexts because the legal system moves too slowly to resolve a disclosure decision while it is still relevant
Summary and Conclusions (2)
Movement of the industry:
• Practices by major software corporations are moving from non-disclosure (and limited interest in security) toward full disclosure (and a much greater interest in software security).
• Stakeholders following this trend: Microsoft, the 281 manufacturers, and organizations like CERT.