Zero-day study: Hoarding exploits less harmful than generally thought

Hoarding the newly discovered software vulnerabilities known as zero-days may be less dangerous than generally believed, because the chances of someone else discovering them appear quite small, according to new research.

A RAND Corp. study and statistical analysis of a rare collection of more than 200 zero-days — so-called because the software’s manufacturer has “zero days” to fix the security hole — upends much of the conventional wisdom about vulnerability disclosure and the hoarding of knowledge about software flaws.

If kept secret by the people that find them, zero-days tend to stay viable for many years, and there is only a 5.7 percent chance annually that a hoarded zero-day will be independently found and disclosed by someone else — an event known as a collision or overlap discovery — researchers Lillian Ablon and Timothy Bogart conclude in the research published Thursday.

The study is the first-ever published research to examine a dataset including zero-day vulnerabilities still undisclosed to the public. “We got access to the dataset through a commercial research connection,” Ablon told CyberScoop in an interview.

The dataset spans 14 years, 2002–16, and contains information about the more than 200 exploits and the vulnerabilities that they leverage. Half of them remain unknown to the public.

Although she wouldn’t say more about who collected the datatset, Ablon said she was confident that the collection they analyzed was “very similar to what a government might hold.”

“The decision calculus about whether or not to stockpile, whether or not to disclose, is quite complicated,” Ablon said, “From our data we found that … stockpiling or retention could be a more viable strategy” than commonly believed.

She said the study “didn’t try to answer any questions definitively,” but rather aimed to use the unique access to the dataset they had to “create a baseline metric,” for further study.

“Up ’til now, discussions about these issues relied on expert opinion or data about already known vulnerabilities,” she said.

The study comes at a time when the U.S. government’s process for deciding whether or not to disclose such vulnerabilities is facing calls for reform because of WikiLeaks’ dump of an apparent trove of CIA hacking tools containing many of them.

The U.S. vulnerabilities equity process, revealed in 2014, is built around a bias towards disclosure, one of its architects, former White House Cybersecurity Coordinator J. Michael Daniel told CyberScoop in a recent interview.

When the VEP was first established, he said, “We were mindful of the fact that anything we could discover, someone else might also discover,” he said.

The reasoning is that zero-day vulnerabilities will be found by others sooner rather than later. Since the potential damage from a zero-day found, for example, by a cybercrime organization, is very severe, the advantages of patching them quickly across the whole internet ecosystem would tend, even for governments, to outweigh the advantages of secretly hoarding them and using them for cyber-espionage or other kinds of hacking.

But the study by RAND, a think tank with historic ties to the U.S. military, suggests that the chance of a collision discovery is in fact very low.

“For a given stockpile of zero-day vulnerabilities, after a year approximately 5.7 percent have been discovered by others,” the researchers state, although they note the rate varies depending on the time interval used. After 14 years, the longest time interval available to researchers (because their dataset runs from 2002-2016), the collision rate was still only 40 percent.

And after 90 days — a conventional deadline given by white-hat researchers to vendors during responsible disclosure — the collision rate is only 0.87 percent.

In part for this reason, the average life expectancy of a zero-day — the amount of time before it’s discovered, made public and patched — is 6.9 years, the study found.

But Ablon cautioned that the researchers were only able to measure collision discoveries which were made public — meaning adversary nation-states or others interested in secretly hoarding zero-days might have discovered the vulnerability and be covertly exploiting it.

“We’re only comparing the overlap between what’s in the dataset and what’s been publicly disclosed,” she said.