Wednesday, February 28, 2018

A non-debate on the EU VEP process

VEPfest EU! Watch the whole show here

I know not many people watched the VEPFest EU show yesterday, but I wanted to summarize it. First, I want to comment on the oddity that Mozilla is for some reason leading the charge on this issue for Microsoft and Google and the other big tech companies. Of course, this was not a "debate" or even a real discussion. It was a love-in for the idea of a platonic ideal of the Vulnerability Equities Process, viewed without the actual subtleties or complexities other than in passing mention.

To that end, it did not have opposing views of any kind. This is a pretty common kind of panel setup for these sorts of organizations on these issues and it's not surprising. Obviously Mozilla would prefer a VEP enshrined in EU law, since they have had no success making this happen in the US. Likewise, he really hates the part of the VEP that says "Yes we obey contract law when buying capabilities from outside vendors".

It's impossible to predict the direction of Europe, since this issue is a pet project of one of their politicians, but an EU-wide VEP runs into serious conflict with reality (i.e. not all EU nations have integrated their defense/intelligence capabilities), and a per-country VEP would err on the side of "WE NEED TO BUILD OUR OFFENSIVE PROGRAMS STAT!" Unless the 5eyes are going to donate tons of access and capability to our EU partners, they're going to be focusing hard on the "equities" issue of catching up in this space for the foreseeable future.

I was of course annoyed, as you should be, by Ari Schwartz deciding to make up random research about things he knows nothing about. At 1:45:00 into the program he claims that bug classes have been experiencing more parallel discovery than before.

To be completely clear, there has been no published research in "Bug class collision", which would be extremely rare, like studying supernovae collision. Typically "bug class spectrum analysis" is useful to do attribution from a meta-technical standpoint, which is the subject of a completely different blog post on how toolchain-timelines are fingerprints, specifically because new bug classes are among the most protected and treasured research results.

There has been some work on bug collision, but at very preliminary stages due to the lack of data (and money for policy researchers). Specifically:

  • Katie's RSA paper (Modeled) - PDF
  • Lily's RAND paper (small data set) - PDF
  • Trey/Bruce's paper (discredited/faked data set) - PDF

There's also quite a lot of internal anecdotal evidence and opinions at any of the larger research/pen-test/offensive shops. But nothing about BUG CLASSES, as Ari claims, and definitely nothing about a delta over time or any root causes for anything like that. Bug classes don't even have a standard definition anyone could agree on.

Anecdotally though, bug collisions are rare, full stop. Every expert knows you cannot secure the internet by giving your 0day to Mozilla, even if you are the USG and have a wide net. Literally, Google Project Zero had Natalie do a FULL AND COMPREHENSIVE review of Flash vulnerabilities, and almost no difference in adversary collections was made, despite huge efforts, mitigation work, automated fuzzer work, etc.

But let's revisit: Ari Schwartz literally sat on stage and MADE UP research results which don't exist to fit his own political view. Who does that remind you of?
