
Who's afraid of Zero Day

by Stuart Corner


We fear the unknown. And zero day exploits are scary unknowns. They are vulnerabilities in software and devices that only attackers know about. So there’s no patch you can apply to protect your systems. There are no antivirus signatures that will alert you to the attack.

But there is Google Project Zero, a team of security analysts employed by Google and tasked with finding zero-day vulnerabilities and researching and publicly documenting how they can be exploited.

Maddie Stone, a security researcher from Project Zero, in her presentation A World where 0day is Hard at the AusCERT2021 conference, sought to allay fears about zero day attacks, dispel the myth of the zero day attacker as super-smart, present a realistic assessment of the dangers of zero day attacks, and describe the progress being made to counter them.

“The mission of my work is to learn from zero days exploited in the wild in order to make zero day hard. I do technical analyses of vulnerabilities and their exploits, perform variant analysis and patch analysis to make sure things are actually fixed,” she told the AusCERT2021 audience in the Star Hotel on Queensland’s Gold Coast, and online.

MAKING ZERO DAY HARD

The motto of Project Zero is ‘make zero day hard’, but Stone said this concept was not well understood. “I think we can break ‘make zero day hard’ into two categories. First, we want to increase the cost per exploit. And second, we want to increase the number of exploits required for a functional capability.”

As an example, she said that for an attacker to gain root-equivalent privileges on a cellphone via a website using zero day vulnerabilities would require them to successfully exploit a chain of three vulnerabilities.

Reducing the time taken to detect and mitigate zero day vulnerabilities would greatly increase the number of exploits an attacker would need to have available in order to maintain their capability.

And Stone was able to demonstrate that the efforts of Project Zero and others in recent years have achieved considerable success in making zero day harder, at least for Android attackers.

THE $2.5M ZERO DAY EXPLOIT

Zerodium bills itself as “The world’s leading exploit acquisition platform for premium zero-days and advanced cybersecurity capabilities.” It pays substantial bounties to security researchers to acquire their original and previously unreported zero-day research.

“In 2016, Zerodium would pay up to $[US]1.5 million for a full chain capability for an iPhone, and for Android up to $[US]200,000,” Stone said. “In 2019 Zerodium upped their prices for iPhone full chain capability from $1.5 million to $2 million, and for Android from $200,000 to $2.5 million.”

She attributed the more than 1000 percent increase in the price Zerodium was willing to pay for an Android vulnerability in part to steps taken to make exploiting Android much more difficult, but with the caveat that “Things like demand from attackers, more folks wanting to get into the exploitation game, can also raise a price without us as defenders ever making it harder.”

She listed the steps that have been taken to make zero day harder for Android attackers as being “regular security updates, which decrease the life of a vulnerability … and the application sandbox, which means you need more exploits in a chain to go from remote to root … some exploit mitigations introduced that require additional and novel exploit techniques to be developed … [and] a much more mature software development lifecycle, which often means that fewer bugs make it into production devices, which also would increase the cost per exploit.”

PATCHING FAR FROM PERFECT

However, Stone said there was a much easier way to make zero day hard: good patching practice. “In 2020 25 percent of the zero days known to have been exploited in the wild were closely related to previously publicly-disclosed vulnerabilities. … So one out of every four zero days detected in 2020 could potentially have been avoided with better patching practices.”

She said these exploits were either variants of previously publicly disclosed vulnerabilities, or the result of inadequate patching. “Maybe the same bug pattern was copied to another place in the code, or the previous vulnerability was not actually fixed, so the attacker could just change a few lines of code and have another functioning zero day capability.” She has written about the topic on the Project Zero blog.
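The two failure modes Stone describes, an incomplete fix and the same bug pattern surviving elsewhere in the code, are easiest to see side by side. The following is an added, constructed example, not code from Project Zero, the talk or any vendor: a small record table indexed by untrusted input, a first "patch" that checks the index badly, the comprehensive fix routed through a single validator, and the unpatched read-path variant that a patch of the write path alone would have missed. All names (`slots`, `index_ok_partial`, `index_ok_complete`, `slot_write`, `slot_read`, `accepted_count`) are assumptions for the illustration.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed example, not code from Project Zero or any vendor: a table of
 * NUM_SLOTS records indexed by a value that ultimately comes from untrusted
 * input (a parsed file, a message from another process, an IPC argument). */
#define NUM_SLOTS 8
static uint32_t slots[NUM_SLOTS];

/* The first "fix" for a reported out-of-bounds write. The check was added
 * only at the reported call site and is wrong in two ways:
 *   - off-by-one: idx == NUM_SLOTS passes and would write one past the end;
 *   - signed index: a negative idx passes and would write before the table.
 * An exploit for the original bug needs only a different index to keep
 * working, which is the "change a few lines" case Stone describes. */
bool index_ok_partial(long idx) {
    return idx <= NUM_SLOTS;
}

/* The comprehensive fix: negatives rejected first, then a strict upper bound
 * compared as size_t. Every accessor is routed through this one function so
 * that a copy of the old pattern elsewhere in the code base is fixed too. */
bool index_ok_complete(long idx) {
    return idx >= 0 && (size_t)idx < NUM_SLOTS;
}

/* The reported site. Returns 0 on success, -1 when the index is refused. */
int slot_write(long idx, uint32_t value) {
    if (!index_ok_complete(idx)) return -1;
    slots[idx] = value;
    return 0;
}

/* The variant: the read path contained the same unchecked index pattern.
 * Patching slot_write alone would have left this site exploitable; variant
 * analysis finds it and the shared validator covers it. */
int slot_read(long idx, uint32_t *out) {
    if (!index_ok_complete(idx)) return -1;
    *out = slots[idx];
    return 0;
}

/* Boundary values a patch analysis tries against the validator: the two the
 * partial fix lets through plus two it happens to reject. */
static const long boundary_indices[] = { -1, NUM_SLOTS, NUM_SLOTS + 1, LONG_MAX };
#define NUM_BOUNDARY (sizeof boundary_indices / sizeof boundary_indices[0])

/* Counts how many of the boundary indices a validator accepts; 0 means the
 * patch holds at every edge tried. */
int accepted_count(bool (*validator)(long)) {
    int n = 0;
    for (size_t i = 0; i < NUM_BOUNDARY; i++)
        if (validator(boundary_indices[i])) n++;
    return n;
}

int main(void) {
    uint32_t v = 0;
    printf("partial fix accepts %d of %zu boundary indices\n",
           accepted_count(index_ok_partial), NUM_BOUNDARY);
    printf("complete fix accepts %d of %zu boundary indices\n",
           accepted_count(index_ok_complete), NUM_BOUNDARY);
    int wrote = slot_write(3, 42);
    int read = slot_read(3, &v);
    printf("write slot 3 -> %d, read back -> %d (value %u)\n", wrote, read, v);
    printf("write slot %d refused -> %d\n", NUM_SLOTS, slot_write(NUM_SLOTS, 1));
    return 0;
}
```

The point of `accepted_count` is the patch-analysis step Stone mentions: a fix is checked against the same boundary inputs that an existing exploit would be re-pointed at, rather than only against the one index from the original report.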

Effective patching, Stone said, was not easy, “especially with how teams are currently set up and incentivised,” and needed to improve. “Tech really needs to do better. Customers and users deserve to have vendors correctly and comprehensively patch vulnerabilities they know about.”

Greater transparency also offers another opportunity to combat zero day attacks, she said, rejecting the argument that releasing details of a vulnerability prior to a patch becoming available would only increase the danger.

MAKE ZERO DAY PUBLIC

“With information about exploitation, folks can assess their own personal threat models, whether that’s at the individual or the organisational level. And even if there is no technical solution to mitigate the vulnerability, they still have the power to mitigate the effect.

“They can stop using the device or software. They can immediately disconnect from all networks, and begin the process of assuming that all their data or info has been compromised and start whatever response that might look like.

“When we provide information, even if it’s just that there’s an active exploit in the wild in a product, I think we’re respecting users and their safety and their autonomy to keep themselves or whatever entity they’re responsible for, safe.”

She added: “Having the facts, the technical details and the context about exploits in the wild, allows more defenders to work on the problem from the many different perspectives we have in this industry.”

Another sign of progress in combating zero day attacks, at least on cellphones, is a change in policy last November by both Apple and Android to start annotating their security advisories on new vulnerabilities to indicate that they may have been exploited. Having this information, Stone said, enabled patching to be prioritised, antivirus developers to work on detection signatures, and software researchers to look more closely at the patches for specific vulnerabilities.

She said this information was leading to a significant increase in zero day detection. Extrapolating the current number for 2021 to year end gives a total of 67, compared to 25 in the whole of 2020. “That might seem ominous and terrifying,” Stone said. “But I don’t believe there are suddenly more exploits being used. Instead, I believe that we’re finally detecting and learning about the exploits that have been used.”

ZERO DAY INFO ON GITHUB

Another initiative to increase transparency about zero day exploits that Stone is working on is a public repository, maintained by Project Zero on GitHub, of technical information about zero-day exploits in the wild. “The goal of this is that, ultimately, there will be RCAs [resolved component analyses] up and technical information about every in-the-wild zero day. Not only does it provide technical details on the vulnerability and the exploit method, but hopefully people can use that data to brainstorm ideas for system improvements, and new zero day detections and stuff like that.”
