vulnerability coordination and concurrency...this material is based upon work funded and supported...
TRANSCRIPT
![Page 1: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/1.jpg)
© 2015 Carnegie Mellon University
Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213
© 2015 Carnegie Mellon University
Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213
RVASec 2015Vulnerability Coordination and ConcurrencyAllen D. Householder@__adh__
![Page 2: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/2.jpg)
2Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Copyright 2015 Carnegie Mellon University
This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center sponsored by the United States Department of Defense.
Any opinions, findings and conclusions or recommendations expressed in this material are those of the author(s) and do not necessarily reflect the views of Department of Homeland Security or the United States Department of Defense.
NO WARRANTY. THIS CARNEGIE MELLON UNIVERSITY AND SOFTWARE ENGINEERING INSTITUTE MATERIAL IS FURNISHED ON AN “AS-IS” BASIS. CARNEGIE MELLON UNIVERSITY MAKES NO WARRANTIES OF ANY KIND, EITHER EXPRESSED OR IMPLIED, AS TO ANY MATTER INCLUDING, BUT NOT LIMITED TO, WARRANTY OF FITNESS FOR PURPOSE OR MERCHANTABILITY, EXCLUSIVITY, OR RESULTS OBTAINED FROM USE OF THE MATERIAL. CARNEGIE MELLON UNIVERSITY DOES NOT MAKE ANY WARRANTY OF ANY KIND WITH RESPECT TO FREEDOM FROM PATENT, TRADEMARK, OR COPYRIGHT INFRINGEMENT.
This material has been approved for public release and unlimited distribution.
This material may be reproduced in its entirety, without modification, and freely distributed in written or electronic form without requesting formal permission. Permission is required for any other use. Requests for permission should be directed to the Software Engineering Institute at [email protected].
CERT® and CERT Coordination Center® are registered marks of Carnegie Mellon University.
DM-0002445
![Page 3: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/3.jpg)
3Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Introduction & Motivations
Survey of Vulnerability Disclosure Models
Modeling Coordination as Concurrency
What We’ve Learned (So Far)
Conclusion
Vulnerability Coordination and Concurrency
![Page 4: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/4.jpg)
4Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
CERT and Vul Disclosure Go Way Back
CERT Advisory
December 1988
ftpd vulnerability
![Page 5: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/5.jpg)
5Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
http://spongebob.wikia.com/wiki/List_of_time_cards
![Page 6: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/6.jpg)
6Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
![Page 7: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/7.jpg)
7Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
“Fandango does not have
a clearly publicized and effective channel for receiving security vulnerability reports,
and instead relies upon its general Customer Service system to escalate security
vulnerability reports to the proper employees.”
![Page 8: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/8.jpg)
8Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
![Page 9: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/9.jpg)
9Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
“Google … released … two days before our planned fix”
![Page 10: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/10.jpg)
10Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
“We now have a 14-day grace period”
![Page 11: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/11.jpg)
11Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Resurgent disclosure kerfuffles
Proliferation of novice vendors• There are more new vendors than there is vulnerability
coordination experience to go around
• Networked services bolted onto existing products• cars, refrigerators, door locks, light bulbs, medical devices, industrial
control systems
• Anyone can become an app creator
MotivationsWhy this? Why now?
![Page 12: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/12.jpg)
12Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vul markets & bug bounties change the flow of informationSee also Katie Moussouris @ OWASP AppSec 2015 https://youtu.be/IPTYYg0OzYQ
Third party libraries are more important than ever• Yet library vuls are significantly harder to coordinate well
See also Kymberlee Price & Jake Kouns @ DerbyCon 4 https://youtu.be/sLxcOtEfGvg
Rampant growth in both awareness of security and the security industry itself
• Vul disclosure discussions are older than today’s participants- “Rogues knew a good deal about lock-picking long before
locksmiths discussed it among themselves, as they have lately done.” – A.C. Hobbs, 1853 (HT: Matt Blaze, Steve Bellovin)
– http://www.crypto.com/hobbs.html
MotivationsWhy this? Why now?
![Page 13: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/13.jpg)
13Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
“We now have multiparty, multifaceted coordination needs. These are cross-industry requirements, which means we need to now consider phasing our disclosures. This requires us to open the genie box and reconsider our approach in a more organized manner. No longer can a researcher jump out and save the Internet from itself, since its complexity is beyond that stage. A researcher may understand the bug, but the system of systems and the interactions require a broader group effort .”
- Peter Allor, Federal Security Strategist, IBM Securityhttp://securityintelligence.com/determining-the-responsibility-of-a-vulnerability-disclosure/
MotivationsWhy this? Why now?
![Page 14: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/14.jpg)
14Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
“We now have multiparty, multifaceted coordination needs. These are cross-industry requirements, which means we need to now consider phasing our disclosures. This requires us to open the genie box and reconsider our approach in a more organized manner. No longer can a researcher jump out and save the Internet from itself, since its complexity is beyond that stage. A researcher may understand the bug, but the system of systems and the interactions require a broader group effort .”
- Peter Allor, Federal Security Strategist, IBM Securityhttp://securityintelligence.com/determining-the-responsibility-of-a-vulnerability-disclosure/
MotivationsWhy this? Why now?
![Page 15: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/15.jpg)
15Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
© 2015 Carnegie Mellon University© 2015 Carnegie Mellon University
Modeling the Process
![Page 16: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/16.jpg)
16Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Why Create Models?
Models enable conversations about the process• without devolving into arguments over the specifics of individual
disclosures.
Models can be subjected to analysis• and are easier to change than day-to-day operations.
Models promote learning and knowledge transfer• by removing unneeded detail
Reasoned disagreement about a model leads to better models.
![Page 17: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/17.jpg)
17Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Birth Discovery Disclosure
Correction
Publicity
Scripting
Death
Arbaugh, Fithen, McHugh (2000)Other models
Arbaugh, William A., William L. Fithen, and John McHugh. "Windows of vulnerability: A case study analysis." Computer 33.12 (2000): 52-59.
![Page 18: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/18.jpg)
18Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Notification Validation Resolution Release Follow-up
Christey, Wysopal (2002)Other models
Christey, Steve, and Chris Wysopal. Responsible vulnerability disclosure process. Internet-Draft. MITRE Bedford, 2002.
draft-christey-wysopal-vuln-disclosure-00.txt
![Page 19: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/19.jpg)
19Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Responsible implies a value judgment
…which turns it into an argument over competing
perspectives
Coordinated Disclosure is our preferred term
…but that doesn’t always mean wait for the vendor to release a
patch
“Responsible” Disclosure?A Quick Aside
![Page 20: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/20.jpg)
20Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
“You're going to find that many of the truths we cling to depend greatly on our own point of view”
![Page 21: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/21.jpg)
21Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
NIAC Vulnerability Disclosure Framework (2004)
Other models
https://www.dhs.gov/xlibrary/assets/vdwgreport.pdf
Chambers, et al.
![Page 22: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/22.jpg)
22Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
OIS Guidelines for Security Vulnerability Reporting and Response (2004)
Other models
http://www.oisafety.org/
![Page 23: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/23.jpg)
23Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Arora, Telang, and Xu (2008)Other models
Arora, Telang, and Xu: Optimal Policy for Software Vulnerability Disclosure Management Science 54(4), pp. 642–656, © 2008 INFORMS
“as long as the vendor does not internalize the entire user loss, the vendor will release the patch later than is socially optimal, unless threatened with disclosure.”
“The more responsive the vendor is to user losses, the more aggressive the social planner can be by setting a shorter protected period.”
“In general, both an instant disclosure and a secrecy policy are suboptimal, although numerical simulations suggest that instant disclosure is particularly inefficient.”
![Page 24: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/24.jpg)
24Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Frei, Shatzmann, Plattner, & Trammell (2009) Other models
Frei, Stefan, et al. "Modeling the security ecosystem-the dynamics of (in) security." Economics of Information Security and Privacy. Springer
US, 2010. 79-106.
![Page 25: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/25.jpg)
25Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
The Wolves of Vuln Street (2015)Other models
https://hackerone.com/news/the-wolves-of-vuln-street
Moussouris, Siegel, Houghton, & Ellis
![Page 26: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/26.jpg)
26Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Early models were primarily narrative, prescriptive advice• Many imply more synchronization than we observe in the wild• “We rarely encounter cases with CERT/CC’s preferred ordering” -
Arbaugh, et al. (2000)
Later models start to incorporate • social cost• participant motives• money and markets
But they don’t illuminate how and why coordinated vulnerability disclosure can fail
What’s missing from prior models?
![Page 27: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/27.jpg)
27Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
© 2015 Carnegie Mellon University© 2015 Carnegie Mellon University
Modeling the Process
Concurrency
![Page 28: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/28.jpg)
28Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Why Create a Concurrency Model?
Vulnerability disclosure is a multiparty, human-centric, concurrent process
• Vendors• Researchers• Coordinators• Other stakeholders
• Service providers• Governments• Users
Each party represents a complex interaction of many people, processes, policies, and procedures
![Page 29: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/29.jpg)
29Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Intro to Petri Nets
Used to model distributed processes as a network of nodes and arcs.Nodes can be either places (circles), or transitions (boxes).
Arcs (arrows) connect places to transitions and vice versa. • Places can't connect to places• Transitions can't connect to transitions
All Petri Net diagrams in this presentation were created using WoPeD
http://www.woped.org/
![Page 30: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/30.jpg)
30Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Intro to Petri Nets
Places can hold tokens, which mark the state of a process.
Transitions represent events that change the state of the process. • A transition can fire when all the places immediately upstream of it
are occupied by tokens (i.e., when it is enabled). • When a transition fires, it consumes tokens from its inputs and places
tokens in its outputs.
![Page 31: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/31.jpg)
31Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
A Simple Model
![Page 32: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/32.jpg)
32Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
A Simple Model
![Page 33: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/33.jpg)
33Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
A Simple Model
![Page 34: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/34.jpg)
34Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
A Simple Model
![Page 35: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/35.jpg)
35Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
A Simple Model
Oh No!
0-Day!
![Page 36: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/36.jpg)
36Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor Model
![Page 37: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/37.jpg)
37Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor Model
![Page 38: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/38.jpg)
38Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor Model
![Page 39: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/39.jpg)
39Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor Model
![Page 40: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/40.jpg)
40Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor Model
![Page 41: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/41.jpg)
41Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor Model
![Page 42: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/42.jpg)
42Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor Model
What if the vendor
publishes report
before fix?
![Page 43: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/43.jpg)
43Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
Researcher
Vendor
![Page 44: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/44.jpg)
44Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 45: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/45.jpg)
45Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 46: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/46.jpg)
46Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 47: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/47.jpg)
47Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 48: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/48.jpg)
48Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 49: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/49.jpg)
49Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 50: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/50.jpg)
50Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 51: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/51.jpg)
51Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 52: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/52.jpg)
52Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher ModelRewind to the
decision to notify
the vendor
![Page 53: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/53.jpg)
53Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 54: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/54.jpg)
54Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 55: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/55.jpg)
55Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Researcher gives up on vendor, Vendor thought it was fixed
“A combination of mis-communication and lack of testing led to this situation today, hopefully it
can be a good learning experience.”
![Page 56: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/56.jpg)
56Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 57: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/57.jpg)
57Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 58: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/58.jpg)
58Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 59: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/59.jpg)
59Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor + Researcher Model
![Page 60: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/60.jpg)
60Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
Researcher
Coordinator
Vendor
![Page 61: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/61.jpg)
61Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 62: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/62.jpg)
62Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 63: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/63.jpg)
63Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 64: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/64.jpg)
64Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 65: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/65.jpg)
65Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 66: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/66.jpg)
66Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 67: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/67.jpg)
67Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 68: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/68.jpg)
68Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 69: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/69.jpg)
69Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 70: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/70.jpg)
70Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator
![Page 71: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/71.jpg)
71Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Vendor, Researcher, Coordinator, Miscreant
Mis
crea
nt
Res
earc
her
Coo
rdin
ator
Vend
or
CVE & NVD
But this is still just a single vendor vulnerability
![Page 72: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/72.jpg)
72Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Multivendor, researcher, coordinator, miscreantM
iscr
eant
Res
earc
her
Coo
rdin
ator
Vend
or A
CVE & NVD
Vend
or B
![Page 73: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/73.jpg)
73Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Multivendor, researcher, coordinator, miscreant
![Page 74: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/74.jpg)
74Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Limits of Concurrency Modeling using Petri Nets
It’s hard to present this stuff in a way that is understandable once you get so many interactions
State space grows quickly and the model becomes unwieldy
Hard to model history as it evolves• E.g., when something different happens based on whether you
passed through some particular node on the way here
Agent-based models seem promising since they can basically model a state machine per participant and the interactions between them
![Page 75: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/75.jpg)
75Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Other Ways to Think About It: State Machines
![Page 76: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/76.jpg)
76Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
ResearcherResearcherResearcher
VendorVendorVendor
CoordinatorCoordinatorCoordinator
Vendor
CoordinatorResearcher
Modeling Helps You Reason About a Bigger World
Service ProviderService ProviderService ProviderService Provider
![Page 77: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/77.jpg)
77Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
© 2015 Carnegie Mellon University© 2015 Carnegie Mellon University
What we’ve learned so far
Things that break
![Page 78: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/78.jpg)
78Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Have• Knowledge• Motives (fortune, fame, altruism, challenge, spite, pride, etc.)
• Limited attention• Emotions• Biases• Perceptions• Expectations
All of these affect decisions and actions
HumansThings that break
See also Katie Moussouris @ RSA 2013 Flash Talk https://youtu.be/T6e70upcfl4
![Page 79: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/79.jpg)
79Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Channel is never established• Can’t find vendor contact• Contact is nonresponsive
Receiver saturates / Channel capacity exceeded• Usually on recipient end• Human-process / cognitive
load
Channel breaks down• Synchronization is lost• Mismatched expectations• One side goes nonresponsive• One side goes hostile
Chilling effects of prior behavior & experience• See also iterated prisoner’s
dilemma strategies• Nice, retaliating, forgiving,
non-envious
Researcher / Vendor CommunicationsThings that break
https://en.wikipedia.org/wiki/Prisoner's_dilemma
![Page 80: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/80.jpg)
80Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Fuzzing + uniqueness + exploitability analysis = vulplosions
CERT BFF & FOE (fuzzers) highlighted bottlenecks in our own processes and in vendor vul coordination capacity
One Vendor, Many VulsThings that break at scale
![Page 81: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/81.jpg)
81Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
“The more people you tell in advance the higher the likelihood that a leak will occur. We have seen this happen before, both with OpenSSL and other projects.”
[Maintaining vendor contacts] “is a significant amount of effort per issue that is better spent on other things.”
“We have previously used third parties to handle notification for us including CPNI, oCERT, or CERT/CC, but none were suitable.”
“It's in the best interests of the Internet as a whole to get fixes for OpenSSL security issues out quickly. OpenSSL embargoes should be measured in days and weeks, not months or years.”
Many Vendors, One Vul (Type A)Heartbleed draws attention to OpenSSL disclosure policy
Things that break at scale
https://www.openssl.org/about/secpolicy.html
![Page 82: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/82.jpg)
82Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Find one vul in lots of things, in parallel, as fast as you can
Many Vendors, One Vul (Type B)CERT Tapioca and the Android SSL MitM avalanche
Things that break at scale
1
10
100
1,000
10,000
100,000
1,000,000
Apps tested Appsvulnerable
Authorsnotified
Emailresponsesfrom appauthors
Emails with fixdetails
https://www.rsaconference.com/events/us15/agenda/sessions/1638/how-we-discovered-thousands-of-vulnerable-android
![Page 83: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/83.jpg)
83Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
How do you sustainably notify hundreds of vendors per day for 5 months?
• Use email contact from app store, no attempt at crypto• Frustrated known vendors because we didn’t notify their established
security contact
Does the “45 Day Rule” apply to SSL MitM vuls?• In this case, the attacker doesn’t get to pick which apps you use, but
you do. (Advantage is to the defender.) - Plus, MitM already happening (“Active exploitation” policy clause)
• Originally no advance warning- Changed to 7 day advance warning based on vendor feedback
How do you publish 23,000 vulnerability records?• Used a Google Drive Spreadsheet, our own publishing system
couldn’t do it easily
Questions We’ve Asked OurselvesThings that break at scale
![Page 84: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/84.jpg)
84Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
CVE?Things that break at scale
![Page 85: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/85.jpg)
85Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Many Vendors, Many VulsThings that break at scale
![Page 86: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/86.jpg)
86Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
© 2015 Carnegie Mellon University© 2015 Carnegie Mellon University
What we’ve learned so far
Things that work
![Page 87: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/87.jpg)
87Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Clear and findable instructions for reporting vulnerabilities• An email address ([email protected])• Web forms, bug report systems are okay too
• if they allow easy marking of security issues
Acknowledge receipt of reports quickly
Set expectations clearly
Advice for VendorsThings that work
![Page 88: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/88.jpg)
88Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Maintain open communication channel with vulnerability reporters• Occasional “We’re still working on it” notes can keep things from
going sideways
Offer a bug bounty• Be careful to incentivize the right things at the right times
Don’t sue (or threaten to sue) researchers• Publicity works in counterintuitive ways
Have a “cooperation bias”
Advice for VendorsThings that work
![Page 89: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/89.jpg)
89Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Attempt to contact the vendor before going public• If you can’t find vendor contact or vendor is not responsive,
contact a coordinator (like CERT/CC)
Provide clear and concise reports• Steps to reproduce, proof-of-concept code if possible
If you have constraints, articulate them upfront• Conference publication deadlines, etc.
Give vendor a final warning before publishing• Waiting for the vendor is not always possible
Advice for ResearchersThings that work
![Page 90: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/90.jpg)
90Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Don’t assume the vendor is ignoring you intentionally• Tickets get closed by mistake• People change jobs• Priorities shift• Errors happen
Know your rightshttps://www.eff.org/issues/coders/vulnerability-reporting-faq
Have a “cooperation bias”
Advice for ResearchersThings that work
![Page 91: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/91.jpg)
© 2015 Carnegie Mellon University
Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213
© 2015 Carnegie Mellon University
Software Engineering InstituteCarnegie Mellon UniversityPittsburgh, PA 15213
Conclusion
![Page 92: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/92.jpg)
92Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Average stats (like vul reports/year) hide the structure of the vul coordination picture and can mislead you into thinking that the effort involved is trivial.
It’s not.
You don’t build storm sewers to handle your average daily rainfall.
You build capacity for the worst flood you expect over a given timeframe.
And sometimes you’ll be wrong.
Lies, Damned Lies, and StatisticsConclusion
Photo: Katie Steiner, 2011
![Page 93: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/93.jpg)
93Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Traditional shrink-wrapped software
Enterprise customization
Continuous deployment
Mobile apps, App stores
Cloud services (IaaS, PaaS, SaaS)
Embedded devices and smart things
There Is No One-Size-Fits-All Disclosure PolicyConclusion
![Page 94: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/94.jpg)
94Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Multiple vendors needed to fix• Internet Infrastructure• Third-party libraries
Vendor problems• Non-responsive vendors• Hostile vendors
• or fear thereof
Bug bounties may not apply• The vendor doesn’t offer one• The terms are unacceptable
(or payouts are lame)• You’re otherwise ineligible
Desire to remain anonymous• Either during disclosure
process or long-term
If you have a vulnerability, if no one else can help…Conclusion
![Page 95: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/95.jpg)
95Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
…and you can find them…Conclusion
https://forms.cert.org/VulReport
![Page 96: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/96.jpg)
96Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
…maybe you can coordinate withConclusion
![Page 97: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/97.jpg)
97Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
For more information
https://www.eff.org/issues/coders/vulnerability-reporting-faq
http://blog.osvdb.org/2013/08/07/buying-into-the-bias-why-vulnerability-statistics-suck/
https://www.cert.org/vulnerability-analysis/vul-disclosure.cfm
https://www.cert.org/blogs/certcc/post.cfm?EntryID=202
ISO/IEC 29147 Information technology -- Security techniques --Vulnerability disclosure [Externally focused]
ISO/IEC 30111 Information technology -- Security techniques --Vulnerability handling processes [Internally focused]
![Page 98: Vulnerability Coordination and Concurrency...This material is based upon work funded and supported by Department of Homeland Security under Contract No. FA8721-05-C-0003 with Carnegie](https://reader036.vdocument.in/reader036/viewer/2022081401/5f05c0297e708231d414850a/html5/thumbnails/98.jpg)
98Vulnerability Coordination and ConcurrencyJune 4, 2015© 2015 Carnegie Mellon University
Contact me
Allen D. HouseholderEmail: adh at cert dot orgTwitter: @__adh__