Stockpiling 0-Day Bugs Not So Dangerous After All, RAND Study ShowsA RAND Corp. study of more than 200 zero-days shows that benefits of disclosure can often be more modest than perceived.
The practice by US intelligence agencies and presumably of other governments to stockpile zero-day vulnerabilities for use in offensive cyber operations may not always pose as much of a risk to general technology users as once thought.
In fact, the tactical and strategic benefits that governments can gain from stockpiling vulnerabilities sometimes outweigh the security benefits of public disclosure, according to a new report by RAND Corp.
The report is based on a study of more than 200 zero-day flaws obtained from a vulnerability research group, many of whose members have worked for nation-state actors. The group, which RAND calls BUSBY to protect its anonymity, has also supplied exploits to nation-state actors, according to the think-tank.
RAND’s study revealed that arguments for or against the stockpiling of zero-days for defensive purposes like penetration testing or for use against adversaries, are not always clear-cut.
One major contention against stockpiling zero-days is that adversaries often may have knowledge about the same vulnerabilities, and therefore keeping the flaws secret would prevent the software from being patched, resulting in needless risks for users.
The recent dump of the CIA's malware arsenal and exploit kits on WikiLeaks and the similar leak of the US National Security Agency (NSA) confidential hacking tools last year raised considerable concerns about government stockpiles of zero-day flaws in widely used network and security products. Some have argued the intelligence agencies have a responsibility to American business and citizens to disclose discovery of such flaws so technology users can be better protected.
But The RAND study showed that concerns about an overlap between US vulnerability stockpiles and those maintained by others are likely overstated.
For one thing, most zero-day vulnerabilities typically remain undetected for a long time. Based on the dataset that the RAND researchers inspected, the average life expectancy of a zero-day vulnerability—or the time between when it was first discovered privately and when it was publicly disclosed—is 6.9 years.
During that period, the chances of another researcher finding that exact same flaw were relatively low, at around 5.7% per year.
While that number is not insignificant, it also means the chances of two people finding the same zero-day flaw is lower that many might perceive. As a result, the gains from publicly disclosing a zero-day flaw may not be all that significant a majority of the time, the RAND report said.
"Looking at it from the perspective of national governments, if one's adversaries also know about the vulnerability, then publicly disclosing the flaw would help strengthen one's own defense," said Lillian Albion, lead author of the RAND report and information scientist. "On the other hand, publicly disclosing a vulnerability that isn’t known by one's adversaries gives them the upper hand, because the adversary could then protect against any attack using that vulnerability," while still retaining their own.
Albion says that conversations with researchers show that in a majority of instances, vulnerabilities are discovered due to code churn - and less often by another vulnerability researcher performing a code audit.
"None we spoke to believed that their vulnerabilities or exploits died or were discovered due to use by a customer in some operational campaign, or by information leakage," such as those by WikiLeaks or Shadow Brokers, Albion says.
In general, black hats and cybercriminals tend to focus more on known vulnerabilities rather than 0-day flaws, she says. "Only a very small portion of the black markets deals with zero-day vulnerabilities and exploits—which have little value for mass market malware, much less ordinary cybercrime."
The RAND study also unearthed some other interesting nuggets. For instance, of the more than 200 vulnerabilities that RAND inspected, about 40% remain undisclosed. Fully functioning exploits for zero-day flaws tend to get developed very quickly with a median time of 22-days.
About 25% of all zero-day flaws get discovered within 18 months, while another 25% live on for more than nine years on average. Significantly, there were no specific characteristic or marker to indicate the longevity of a zero-day bug.
Jai Vijayan is a seasoned technology reporter with over 20 years of experience in IT trade journalism. He was most recently a Senior Editor at Computerworld, where he covered information security and data privacy issues for the publication. Over the course of his 20-year ... View Full Bio