Zero-Knowledge proofs (ZKPs) for vulnerability disclosure

By Vinoth Venkatesan

Few relationships in cybersecurity are more delicate than the one between a security researcher who discovers a vulnerability in a product and the company they notify.

The company may not care about the vulnerability or its impact on customers, or it may downplay the severity to avoid media attention. The researcher, mindful of its potential for harm, believes that a timelier public disclosure will incentivise the business to develop a quick patch to protect end-users.

While the industry has managed some of these difficulties through coordinated vulnerability disclosure policies, there’s still a fair amount of disagreement and mismatched motivations that can breed mistrust between the two parties. One of the trickier problems is ethically disclosing a bug to the broader public and putting pressure on an organisation without revealing technical information that might allow malicious hackers to exploit it before a patch becomes available.

Here come the Zero-Knowledge Proofs (ZKPs) from DARPA.

The research and development arm of the Department of Defense has successfully demonstrated applying zero-knowledge proofs to the software vulnerability disclosure process using a limited set of use cases. A zero-knowledge proof is a cryptographic protocol that allows one entity to create mathematical evidence to demonstrate to another entity that they can answer a question without disclosing their underlying work. In this case, it would allow a cyber researcher to prove that the vulnerability can be exploited without displaying a proof-of-concept exploit, which might provide a road map to bad actors.

This was made possible by the cryptocurrency community’s ongoing work on developing more efficient zero-knowledge proofs. A paper called “Snarks for C” helped to inspire DARPA researchers to explore ideas for similar applications in other fields that aren’t necessarily connected to the blockchain.

How does it work?

Imagine a graph with several points connected by lines, where each point is assigned a colour: green, red, yellow, etc. The question is whether you can conclusively prove that each point has a different colour from the points adjacent to it without displaying the colours on the graph.

The answer is yes. Much of the relevant information about those points, their colours and their connections to each other can be translated into numerical values or equations that can be calculated without viewing the original graph. Moreover, this same fundamental model can be expanded and applied to many other situations, usually involving more “points” or relevant variables that interact in predictable ways (like different parts of a software system) to emulate the same mathematical certainties.
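The graph-colouring idea above, worked through as an added example (it is not code from the article, DARPA, Galois or Trail of Bits). It uses the textbook interactive commit-and-challenge protocol with SHA-256 hash commitments rather than the SNARK-style encodings the DARPA work builds on; the graph, colouring and all names are constructed for illustration.

```python
import hashlib
import random
import secrets

# Constructed sample graph (a 5-cycle plus one chord) and a valid 3-colouring.
EDGES = [(0, 1), (1, 2), (2, 3), (3, 4), (4, 0), (0, 2)]
COLOURING = {0: 0, 1: 1, 2: 2, 3: 0, 4: 1}


def commit(colour, nonce):
    """Hash commitment: the random nonce hides the colour, SHA-256 binds it."""
    return hashlib.sha256(nonce + bytes([colour])).hexdigest()


class Prover:
    def __init__(self, colouring):
        self.colouring = colouring  # the secret the verifier never sees whole

    def commit_round(self):
        # A fresh colour permutation each round, so opened colours leak nothing
        # about the real colouring beyond "these two differ".
        perm = random.SystemRandom().sample(range(3), 3)
        self.round = {v: (perm[c], secrets.token_bytes(16))
                      for v, c in self.colouring.items()}
        return {v: commit(c, n) for v, (c, n) in self.round.items()}

    def open_edge(self, u, v):
        # Reveal only the two endpoints of the challenged edge.
        return self.round[u], self.round[v]


def verify_round(commitments, edge, openings):
    (u, v), ((cu, nu), (cv, nv)) = edge, openings
    return (cu in range(3) and cv in range(3)
            and commit(cu, nu) == commitments[u]   # openings match commitments
            and commit(cv, nv) == commitments[v]
            and cu != cv)                          # endpoints differ in colour


def run_protocol(colouring, edges, rounds):
    """Return True if the prover survives every random edge challenge."""
    prover, rng = Prover(colouring), random.SystemRandom()
    for _ in range(rounds):
        commitments = prover.commit_round()
        edge = rng.choice(edges)                   # verifier's challenge
        if not verify_round(commitments, edge, prover.open_edge(*edge)):
            return False
    return True
```

A prover without a valid colouring has at least one bad edge, so each round catches them with probability at least 1/|E|; repeating the round drives the chance of a successful bluff towards zero.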

The real-world problem DARPA was looking to address in this case is discovering a way for security researchers to alert the public to an ongoing software vulnerability without having to rely on the host organisation’s goodwill or risk tipping off malicious hackers. Last year, DARPA called for outside research proposals, and two companies, Galois and Trail of Bits, have already used this framework to create zero-knowledge proofs of their own.

Galois produced a proof for a previously disclosed memory safety vulnerability in a Game Boy Advance console. More importantly, they could use that proof to convince another party of the vulnerability’s existence in about eight minutes. In addition, Trail of Bits developed an innovative model based on Boolean circuitry that creates a binary imitation of systems at the architectural level. It essentially provides a yes or no answer as to whether a system has been compromised or exploited by code injection, buffer overflows, memory bypass flaws, and format string vulnerabilities.

Right now, these use cases are just the tip of the iceberg, limited to a handful of essential IT hardware and software vulnerabilities. There is also a question about how accurate any particular model may be to its real-life counterpart. Evolving better models that apply to the vulnerability process more generally will require “orders of magnitude more complexity.” Still, DARPA believes it’s only a matter of time before they can be accepted much more widely, both in vulnerability disclosure and other research work areas.

The most significant limitation to more widespread adoption is not technical. Instead, it’s figuring out a way to explain the complex mathematical process behind such proofs so that it doesn’t take an advanced mathematics degree to comprehend. After all, it does no good to go through all the work of creating an accurate zero-knowledge proof if the person or organisation receiving it doesn’t know what it is or why it means they have to believe you. As ZKP-based adoption grows in the industry, I’m sure we will eventually find a middle ground that makes these proofs easy to demonstrate and communicate.

About the Author: Vinoth is a cybersecurity professional at heart with over two decades of experience in Information Technology and Cybersecurity. He is an Australian Computer Society (ACS) Senior Certified Professional in Cybersecurity and holds various industry-leading cybersecurity credentials. Vinoth loves to write about the latest cybersecurity happenings and blockchain-related articles.
