Thursday, February 11, 2016


Via Nicholas Weaver

From his latest post on "Trust and the NSA Reorganization":
Put simply, a zero-day is just more powerful than an older exploit. When the offense team knows the value is about to rapidly diminish—and the time dimension means IA is more likely to bear a temporary risk—it’s not difficult to imagine the efforts taken to exploit the vulnerability while it is still unpatchable. It is true that, in this scenario, the damage of early disclosure through offensive use is limited, because another attacker would need time to weaponize the exploit before a patch is released publicly, and there is little such an attack could do to change the patch schedule.
So many over-simplifications in one paragraph, and normally I wouldn't care, but people keep doing it and so I want to move us forward a bit. (Excuse the pun :>)

0days, like atoms, are not simplistic and contain many mysterious and fun moving parts!

For anyone who has lived with 0days their whole adult life, listening to lawyers pontificate about them is painfully awkward, like a modern physicist trying to discuss wave-particle interactions with a Middle Ages alchemist.

Clearly 0days are an intoxicant of the highest order, but I'd like to demonstrate some quick subtleties that tie to their underlying wave-particle nature that the simplistic views of them cannot capture.

Let's play, like Einstein did, a quick mind game, that even lawyers can understand. :) I chose for this example the simplest thing I could imagine, but it still demonstrates the complexity of modern day 0day physics.

You have a piece of code with a null pointer dereference in it. This code is in a library that handles images or some other common utility, and is widely shared.

The following things are all true:

  • When in the Kernel, this is a local privilege escalation (with a high criticality!)
  • But in modern Windows kernels, this may be entirely mitigated to a local crash (or not, hard to know without close investigation by a super-expert)
  • In a remote service, this vulnerability can only cause a crash
  • Except on certain architectures that sometimes map things at very low addresses (MIPS, for example), in which case it can allow remote code execution (very highest criticality!)
  • In userspace, this null pointer dereference is usually just a crash of the lowest criticality
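To make the thought experiment concrete, here is a constructed example (added here, not code from the post) of the kind of shared image-decoding routine it describes: a codec lookup that returns NULL for an unrecognised header, the vulnerable caller that dereferences that result, and the hardened caller that fails closed. The names codec_t, find_codec and decode_image_* are hypothetical; the same vulnerable line is what becomes a crash in userspace, a privilege escalation in a kernel, or remote code execution where low addresses are mappable.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed example: a widely shared decoding routine with the null
 * pointer dereference from the thought experiment, beside a hardened form. */

typedef struct {
    const char *magic;                       /* leading bytes identifying the format */
    int (*decode)(const uint8_t *buf, size_t len);
} codec_t;

/* Toy decoder standing in for a real one: succeeds on any non-trivial input. */
static int decode_ppm(const uint8_t *buf, size_t len) {
    (void)buf;
    return len > 2 ? 0 : -1;
}

static const codec_t codecs[] = {
    { "P6", decode_ppm },
};

/* Returns NULL when no codec claims the input: the source of the bug. */
static const codec_t *find_codec(const uint8_t *buf, size_t len) {
    for (size_t i = 0; i < sizeof codecs / sizeof codecs[0]; i++) {
        size_t m = strlen(codecs[i].magic);
        if (len >= m && memcmp(buf, codecs[i].magic, m) == 0)
            return &codecs[i];
    }
    return NULL;
}

/* Vulnerable form: an unrecognised header leaves `c` NULL and the call
 * through c->decode dereferences it. Whether that is a crash or something
 * far worse depends entirely on where this library is linked, which is the
 * point of the list above. */
int decode_image_vulnerable(const uint8_t *buf, size_t len) {
    const codec_t *c = find_codec(buf, len);
    return c->decode(buf, len);
}

/* Hardened form: reject unknown input before using the lookup result. */
int decode_image_hardened(const uint8_t *buf, size_t len) {
    const codec_t *c = find_codec(buf, len);
    if (c == NULL)
        return -1;                           /* unknown format: fail closed */
    return c->decode(buf, len);
}
```

Only the hardened function is exercised on malformed input; calling the vulnerable one with an unknown header would simply crash the process.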
In the same way that particles can decay into many different other particles and energies, we can track how that vulnerability changes over time. The most simplistic, and completely wrong, view is "Windows of Vulnerability". This is the one lawyers and defenders often cling to, as they don't know any better.

Let's say, for example, Microsoft fixes the null pointer dereference in their kernel, but that code is shared and continues to exist in a media player that many people use on Linux. In addition, they fix it, not with a security advisory, but in a service pack, while continuing to maintain and patch systems running under the older service pack, which is in common use.

Is that vulnerability an 0day, because on systems running the old service pack, it continues to be of high criticality? 

What if Microsoft, instead of fixing the null pointer dereference itself, removes the path of code that reaches that code from userland. Is that vulnerability fixed, or still an 0day? 

What if they DO issue an advisory for it, but Linus Torvalds completely ignores it, and continues to ship mainline kernels with the buggy code, which are exploitable but only on certain Linux kernel configurations? Is that still an "0day" in your terms? Did the bug "die"? 

What if they fix it on all versions of Windows, and issue an advisory, but completely fail to properly patch it? So it is known but unknown? Or is that a new vulnerability spawned out of the destruction of the old one?

What if no patch is ever issued, and nobody ever fixes it, but the product goes out of maintenance and is replaced by other products?

What if only the NSA and the Russians and Chinese know about this null pointer dereference, is it still an 0day?

What if I told you that 0day-reality was more complex and interesting than it first appeared?

Until you have asked all these questions in all their forms - crashed thousands of vulnerability-particles together to understand their underlying nature - it is impossible to make informed decisions as to what to do with them to protect yourself, or to build cool nano-machines out of them, or even to know what words to use when talking about them. Basically, if you are still talking about archaic "Windows of vulnerability" or "Weaponization" you are wrong at the vocabulary and conceptual level, before you even reach the policy decisions you're trying to offer.

This is the metric you can use to see where you're at: Do you know what a write4 primitive is? Can you tell me how you would transform that into an information leak primitive?

The offensive community is happy to help, so come find us at INFILTRATE and we'll start the process. :)

1 comment:

  1. Love the application of the Feynman diagram to depict interaction but like all overlaps, it only partly explains interaction. Same issue with the observer effect (sometimes confused with the uncertainty principle), knowing about the 0day changes it to some degree including legal status.