91ɫƬ

Trade in software bugs plays into hackers’ hands

The secretive trade in software security holes could encourage "bug hunters" to sell to hackers

WHEN computer security consultant Charlie Miller found a bug in the open-source software program Samba, he tried to sell it to the security firms or agencies who stood to lose out if hackers exploited the weakness. Trouble was, Miller found he had no idea how much it was worth.

As a result he had no way of knowing if he was being offered a fair price for the bug, which could potentially allow malicious hackers to attack any computer running Samba. He was also wary of handing over the information to potential buyers before a sale was agreed, with nothing to stop them stealing his intellectual property. “It was a very anxious time for me,” says Miller, who is also a consultant for Independent Security Evaluators in Baltimore, Maryland. “I had worked hard, so I felt I deserved to be compensated.”

What’s more, the longer Miller spent trying to sell the bug, the greater the likelihood that a software firm would discover the same vulnerability and patch it, devaluing it instantly. A patched vulnerability is worthless as it poses a low security risk, whereas unpatched or “zero-day” bugs can fetch over $100,000 (see Table).

Bug bounty

Vulnerabilities form the basis of almost all malicious computer activity. Hackers typically use these software “holes” to gain access to a victim’s computer memory, where they can install spyware and files that spread viruses and worms, and press-gang the PC into “botnets” that launch spam or denial-of-service (DoS) attacks. “Vulnerabilities are the raw materials of intrusion,” says Eric Rescorla, a security consultant at Network Resonance in Palo Alto, California. They also pose a security threat to countries that rely on the internet for vital services and utilities such as banking and the power grid.

Encouraging researchers to hunt for vulnerabilities and report them before they are spotted by criminals is therefore crucial to the security of the internet, says Miller. “I think if you offer the financial incentive people will do this, and everyone will be more secure,” he says. “But with the way things are, that’s not necessarily going to happen.”

There has long been a debate on the best way to ensure that firms like Microsoft and Apple find out about the worst bugs in their software and patch them before hackers move in. Until recently, “white hat” vulnerability hunters, motivated purely by the kudos of discovering a flaw, would race the malicious “black hats” to find bugs and disclose them to the software firms, who could then develop patches (New Scientist, 25 June 2005, p 30).

However, software has become more complicated, making vulnerabilities harder and more time-consuming to find, so white hats have become less willing to work for kudos alone. As a result, a market in finding bugs has sprung up, with a cluster of firms such as Tipping Point of Austin, Texas, and iDefense of Sterling, Virginia, offering cash in exchange for zero-day bugs.

Tipping Point uses the information to update its anti-intrusion software, which blocks malicious code from entering its clients’ networks. It then notifies the firm that made the software, which issues a patch to protect all computers running the program. Terri Forslof of Tipping Point says it has been responsible for patching 100 vulnerabilities since it launched its “Zero Day Initiative” almost two years ago.

Tipping Point does not disclose how much it offers for bugs, for fear of starting a bidding war that could inflate prices. iDefense has offered up to $24,000 for specific bugs. But Andy Ozment, a computer security researcher at the University of Cambridge, says the going rate offered by these firms is typically between $2000 and $10,000. Miller warns that this isn’t enough to persuade the best researchers to hunt for vulnerabilities. “There are not many people who are willing to do that work for that amount of money.”

Sealing the deal is also risky for the bug hunter. To determine a price for the bug, which will depend on how dangerous the bug could be and which software it affects, the buyer needs to be able to examine it. For this reason, Tipping Point requires hunters to hand over all the information needed to find the vulnerability before it will make an offer. If the company then decides not to buy it, it vows to erase the information from its system, but Miller argues that many researchers are uncomfortable placing so much trust in a company. “I have no leverage at all” in that situation, he says.

The minefield of problems faced by bug hunters may even be prompting some of them to turn to the black market. Hackers are willing to pay high prices for vulnerabilities, as they can make a big profit from the spam and DoS attacks they are able to launch as a result. “I personally would never sell to the black market,” says Miller. “But there are going to be some people who don’t see it the same way.”

“The minefield of problems facing bug hunters may prompt some to turn to the black market”

Miller believes that matching the money available on the black market would persuade more hunters to sell vulnerabilities to computer security firms rather than to hackers. However, not everyone agrees. Forslof argues criminals will always be able to pay more for bugs than the computer security firms, as their returns are higher.

An alternative to outbidding the criminals is for companies to be more open about how much they are willing to pay. A market in which vulnerabilities are traded openly, with transparent pricing, would allow bug hunters to judge for themselves how much a flaw is worth before they try to sell it.

Ultimately this could also help to encourage firms to develop less bug-ridden software in the first place, says Rainer Böhme at Dresden University of Technology in Germany. “Fixing bugs is only one way to achieve better software,” he says.

The idea is that as things stand, software firms do not have enough incentive to develop more secure products because customers have no way to quantify how much more secure one program is than another. However, since bugs in more secure software fetch higher prices, a transparent market in vulnerabilities would provide an indicator of a program’s security. Customers could use these prices to decide which products are more secure, encouraging firms to improve their software. “They need to know there is a return to having a more secure product,” says Ozment.

This vision is a far cry from today’s secretive market. More than a year after finding the Samba vulnerability, Miller eventually sold it to the US government for the respectable sum of $50,000, he told a workshop on the economics of computer security in Pittsburgh, Pennsylvania, last week. However, one company offered him just $10,000, and he still has no idea whether he received a fair price. “While the sale did happen, it was in spite of the market mechanisms in place, not because of them.”

Who will buy my bugs?

Computer security researcher Charlie Miller sold the bug he had discovered in the open-source software program Samba to the US government.

Although there have been rumours in the past that governments buy vulnerabilities, this has never before been confirmed, says Andy Ozment, a security researcher at the University of Cambridge. It remains unclear how the government will use the information, but Ozment suggests it could help the US to protect its financial and military infrastructure from cyber attack. “From my perspective, their motivation is to make sure the infrastructure is as secure as it can be,” he says.

But bugs also allow countries to attack each other’s infrastructure, so selling to governments raises ethical concerns, says Terri Forslof of Tipping Point in Austin, Texas, which buys vulnerabilities from researchers and then discloses them to software firms.

Government purchases could also be bad news for ordinary computer users. Once it had bought the vulnerability from Miller, the government did not disclose the information to Samba. As a result, the bug remained unpatched for a further nine months, during which time a hacker could have spotted the flaw and used it to attack computers. “There were nine months where I knew about it, but no one was protected from it,” says Miller.

Topics: Computer crime