The Benefits of the Pwn2Own Contest and Security Vulnerability Disclosure

With the CanSecWest Pwn2Own security vulnerability discovery contest having ended almost three weeks ago, an interesting question was raised on the Sophos security blog: should this competition continue, given that some consider it to overdramatize the nature of security vulnerabilities?

I thoroughly believe this competition should continue since over the years it has been responsible for valuable progress being made in security defences. Since this competition follows a responsible disclosure model, I believe this is another reason that it should continue.

Re-quoting my full explanation within the comments section of the above blog post:

—————-
I voted Positive for this. I think Pwn2Own is worth every cent/penny. While I acknowledge there is a certain amount of drama/spectacle about the event, the work the security researchers are doing is invaluable. The vendors are essentially having penetration testing carried out and since it’s being done by outsiders it can be more objective than an internal audit (please don’t misunderstand me, internal audits are still worthwhile).

The researchers are putting the effort, expertise and time into creating these exploits just like a malicious hacker would. While any vendor would state their product is as secure as possible and meets all of their quality assurance checks, the researchers can still exploit/pwn them. I believe that the vendors are having flaws found that would not otherwise be found or, worse, are exploited maliciously before a patch is available, i.e. a zero-day flaw (alternative definition).

For example, in 2013 two particularly noteworthy flaws were an exploit for Internet Explorer that raised the exploit's integrity level (its permission level or authority level) from low to medium and the LDRHotpatch ASLR/DEP bypass. This latter exploit used an undocumented API call to carry out its malicious intent. This exploit led to the later development and inclusion of the Banned Functions mitigation in Microsoft EMET. Microsoft even mentioned (in an SRD blog post) how novel/unheard of these exploits really were and how correcting them was far from trivial.

I believe this particular flaw may have been eventually exploited as a zero-day flaw rather than being disclosed responsibly. This is the real benefit I see from Pwn2Own. The security researchers think outside of the box in that they come up with exploit methods that the vendors never even thought of or even knew were possible, and exploit them. Since they are being disclosed responsibly we all benefit from the experience/knowledge the vendors obtain from the researchers.

I consider this event pivotal to the development/enhancement of security for us all since vendors can and do become complacent in their development practices. It's only when they are shown how badly a product can be exploited and how vulnerable it really is that the vendor will take notice and make the necessary changes and possible improvements to their quality assurance process to protect it; otherwise the product would stay as it is.

I realize many people would not agree with me but I think it is in all of our interests that this competition/event continues. Thank you.
—————-

One point that was not raised within the wider online IT security press coverage of Pwn2Own 2015 was that Microsoft EMET was used to harden each of the devices running Windows. While all of the products within the contest were compromised at least once, this does not mean that EMET is of little benefit, simply that the exploits were sophisticated enough to avoid/bypass EMET and carry out their intended purpose. EMET is a mitigation layer that raises the cost of writing a working exploit rather than a substitute for patching the underlying flaw; a bypass shows that the attacker had to do extra work, not that the mitigation was worthless. Moreover, these are not the only examples of exploits successfully bypassing EMET; the following three links demonstrate this (for EMET 5.2).

Example 1
Example 2
Example 3

For these reasons it will be interesting to see how Microsoft enhances EMET in future releases such as version 5.3 or 6.0.

When I mention responsible disclosure (above), what exactly is meant by this? How does it differ from the more controversial (but still very important) public/full disclosure, and why does the difference between the two matter?

Responsible disclosure occurs when a security researcher discovers a security vulnerability and reports it privately to the software vendor (the company that commercially produces the software product in question). If, after an agreed period of time (e.g. 90 days), the vendor has not responded to the report or released a fix, the researcher can then fully/publicly disclose the flaw to the wider security community.

Responsible disclosure has advantages for the vendor, since it has a window of opportunity to resolve the flaw before full disclosure (the length of this window can vary), which limits the exposure of the vendor's customers to the flaw. In addition, the researcher will very likely be acknowledged by the vendor for taking the time and effort to report the flaw. Responsible disclosure is usually preferred since it minimizes the exposure of the vendor's customers to security risks, and with bug bounty programs becoming more prevalent it remains very popular.

Full/public disclosure reports the discovery of a security flaw to the wider security community (along with information on which versions of the vendor's products are affected) without first contacting the affected vendor.

Usually the published information will include how to reduce your exposure to (mitigate) the flaw, e.g. changing a setting within the software, not using a certain feature of the software, or not opening suspicious files of a specific type. This is a potential advantage since it allows anyone vulnerable to the flaw to protect themselves before a patch (software fix) is available.

I use the word “potential” above since, with the details published by the security researcher, a person with malicious intent could write an exploit to be used by anyone, e.g. malware creators, to infect people's devices running the affected software before a patch is available.

Full disclosure has the potential advantage of motivating the software vendor to resolve the security flaw quickly rather than risk the reputational damage that could follow if some of its customers are compromised through the flaw before the vendor has had a chance to fix it.

Since the Pwn2Own contest follows a responsible disclosure model, the security researchers benefit from the prize money, winning the devices they exploit/pwn and being credited with a successful exploit. The software vendors also benefit since they can examine how the exploit was built, create a patch that stops it having the desired effect in the future, and take the opportunity to harden the software in order to prevent similar exploits. Such flaws are also unlikely to be exploited in the wild as zero-day flaws. This matters to everyone since the products within the contest are very widely used, and being able to strengthen a product that we use each day is always beneficial. Thank you.
