From Coordinated Disclosure to Cooperative Vulnerability Research When Dealing with Critical Software Stacks

Presented at Black Hat Europe 2021, Nov. 10, 2021, 1:30 p.m. (40 minutes)

When it comes to critical software stacks (like embedded network libraries or real-time OSs), is it time to change the way we, as researchers, approach vendors when disclosing vulnerabilities? Shouldn't we start cooperating with them before disclosing vulnerabilities, as early as when the research begins, so that they have both a chance to learn and to help security researchers in finding more vulnerabilities?

What is needed is more of a relationship between the security research industry and those developing and deploying critical software components. The current status quo is that of conflicting parties trying to become friends, often during the disclosure phase by means of an intermediary broker. Unlike more traditional vulnerabilities reported in operating systems or application stacks, vulnerabilities found in critical software components often cannot be easily patched, and mitigating them is a task many shy away from. This is where adopting a shift-left approach might be the right path to take. Patching equipment with a lifespan of 10-20 years is not possible. From experience, we have seen responsible disclosure delayed, or in the worst case cancelled, because of the impact it might have.

While this approach doesn't scale for mainstream software, for which continuous security testing (e.g., fuzzing) and auto-updates work very well, recent research has shown that the most impactful vulnerabilities found in critical software components require custom tooling and substantial research effort. This cannot, and should not, be streamlined (or the most interesting bugs will remain undetected). This implies that we as researchers should focus on a few, but very high-impact, targets as early as possible in the SDLC, and secure good communication with the developers, to the point that the developers tell the security researchers where they believe the weakest spots of their software are. In other words, the attacker model of a vulnerability research effort should consider a better-informed, and thus more powerful, attacker than the real one.


Presenters:

  • Daniel Cuthbert - Global Head of Security Research, Banco Santander
    Daniel Cuthbert is the Global Head of Security Research for Banco Santander. With a career spanning over 20 years on both the offensive and defensive side, he's seen the evolution of hacking from the small groups of curious minds of the past to the organized criminal networks and nation states we see today. He is the original co-author of the OWASP Testing Guide, released in 2003, and now the co-author of the OWASP Application Security Verification Standard (ASVS).
  • Federico Maggi - Senior Researcher, Trend Micro Research
    Federico Maggi has more than a decade of research experience in the cybersecurity field and has done offensive and defensive research on web applications, network protocols and devices, embedded systems, radio-frequency control systems, industrial robots, cars, and mobile devices. Some of his research work has been featured in mainstream media outlets such as Wired, Reuters, Forbes, Hackread, ZDNet, and MIT Technology Review. Federico is currently employed as a Senior Researcher with security giant Trend Micro (https://trendmicro.com), and was an Assistant Professor at Politecnico di Milano, one of the leading engineering technical universities in Italy. Aside from his teaching activities, Federico co-directed the security group and has managed hundreds of graduate students. Federico has given several lectures and talks as an invited speaker at international venues and research schools, and also serves on the review or organizing committees of well-known conferences. More information about Federico and his work is available online at https://maggi.cc
  • Marina Krotofil - Security Researcher,  
    Marina Krotofil is a cyber security professional with over a decade of hands-on experience in securing Industrial Control Systems (ICS) who has held leading engineering roles in the industry. Throughout her career she has discovered numerous novel attack vectors with associated exploitation techniques, as well as designed novel defence methods for critical infrastructures. Marina is an experienced threat analyst, incident responder and forensic investigator of ICS attacks. She frequently collaborates with international organizations on the topics of critical infrastructure security and is a regular speaker on the leading conference stages worldwide.
  • Kelly Jackson Higgins - Executive Editor, Dark Reading
    Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise Magazine, Virginia Business magazine, and other major media properties. Jackson Higgins was recently selected as one of the Top 10 Cybersecurity Journalists in the US, and named as one of Folio's 2019 Top Women in Media. She began her career as a sports writer in the Washington, DC metropolitan area, and earned her BA at William & Mary. Follow her on Twitter @kjhiggins.
