Governance & Risk Management , Patch Management
Making Zero-Day Flaws Disappear
Maddie Stone of Google Describes Ways to Foil Exploit WritersThis year is on track to be a record one for zero-day vulnerabilities, the term for software flaws that are being actively exploited in the wild and do not have a fix.
About 21 have been discovered so far, and if that pace continues, the year could end with more than 60, says Maddie Stone, a security researcher with Google's Project Zero bug hunting team. That compares with 24 zero-day flaws found all of last year. Why such big growth?
"I believe we are simply having a better view into what's actually happening rather than just only seeing a small portion of the picture," says Stone, who gave a keynote presentation remotely on Friday for the AusCERT computer security conference in Australia.
A zero-day flaw, or increasingly, a chain of such flaws, can be the skeleton key into an organization's network or a device. Google's Project Zero, which was launched in 2014, is a team of researchers that focuses on finding these high-impact flaws before they're maliciously exploited. The group's motto is "make zero-day hard."
The key in battling against zero-day exploits, Stone says, is to raise defensive barriers and use new techniques that require exploit writers to work harder.
"Those behind zero days really aren’t anything special," Stone says. "We can disrupt them. We can approach this problem.”
Some signs have emerged of how improved defenses have raised the market prices for exploits or exploit chains. Zerodium, an exploit broker, offered $200,000 in 2016 for a full remote exploit chain for the Android mobile operating system. Three years later, Stone says that rose to $2.5 million, a sign that the task of finding an exploit chain had become much more difficult.
In those three years, security in Android changed, she says. That included regular security updates, application sandboxing and a more mature software development life cycle. Also, the introduction of new exploit mitigations required "additional and novel techniques to be developed, thus raising the cost per exploit compared to not have those mitigations," she says.
Raising Attacker 'Costs'
There are a variety of ways to increase the "cost" that a malicious researcher needs to put into an exploit, Stone says.
On the defensive side, software developers need to write better patches to ensure that related bugs are covered by one patch, Stone says. Current patch development practices are not making further zero-days harder to find, she contends.
About 25% of the zero-day vulnerabilities found in 2020 were closely related to previously disclosed vulnerabilities. Attackers could change a few lines in their exploit code to create another working zero-day exploit. The solution is to conduct more complete and comprehensive patching, she says.
"This is a giant opportunity," Stone says. "We don't have to come up with new ways to solve this or have no idea to even approach it."
Another critical move is addressing the vulnerable window between when a zero-day flaw is detected and when a patch is released. This can often stretch from a few weeks to a couple of months.
"That timeline absolutely needs to be shrunk," Stone says. And that, she says, requires reimagining how vulnerabilities can be mitigated in software and devices. Stones says that within seven days, mitigation options should be available to blunt the impact of the flaw.
Some mitigations might temporarily hamper users but with help prevent successful attacks before a patch is available she says. Performance could be sacrificed in ways that break exploit techniques, Stone adds. Also, software could be designed in a more modular way so that only a vulnerable software component could be shut off until a patch is ready.
Another area of opportunity is memory-safe languages, such as Rust and Go, which are designed to prevent programmers from introducing memory bugs, Stone says.
Buffer overflows are still far from dead. Some 64% of the bugs found so far in 2021 involved memory corruption issues, she says. Eliminating a class of bugs such as memory corruption that attackers find at scale will force them to develop new tooling, she says.
"It is completely attainable to get to a point where zero day is much harder than it is today," Stone says. "So let's do it."