Cover
Title Page
Copyright
Preface
Contents
Figures and Tables
Summary
Acknowledgments
Little Is Known About the Extent, Use, Benefit, or Harm of Zero-Day Exploits
Should the U.S. Government Disclose Zero-Day Vulnerabilities?
There Are Many Considerations That Stakeholders Want Addressed
Research Questions and the Purpose of This Research
Breaking Down the Zero-Day Space
Data for This Research
Methodology of Research and Data Collection
Organization of This Report
Nature of Zero-Day Vulnerabilities
Exploit Development Basics and Considerations
People in the Zero-Day Vulnerability Space
Business Models
CHAPTER THREE: Analysis of the Data
1. Life Status: Is the Vulnerability Really a Zero-Day? Is It Alive (Publicly Unknown) or Dead (Known to Others)?
2. Longevity: How Long Will the Vulnerability Remain Undiscovered and Undisclosed to the Public?
3. Collision Rate: What Is the Likelihood That Others Will Discover and Disclose the Vulnerability?
4. Cost: What Is the Cost to Develop an Exploit for the Vulnerability?
Finding #1: Declaring a vulnerability as alive (publicly unknown) or dead (publicly known) may be misleading and too simplistic
Finding #2: Exploits have an average life expectancy of 6.9 years after initial discovery; but roughly 25 percent of exploits will not survive for more than a year and a half, and another 25 percent will survive more than 9.5 years
Finding #3: No characteristics of a vulnerability indicated a long or short life; however, future analyses may want to examine Linux versus other platform types, the similarity of open and closed source code, and various groupings of exploit class type
Finding #4: For a given stockpile of zero-day vulnerabilities, after a year approximately 5.7 percent have been discovered and disclosed by others
Finding #5: Once an exploitable vulnerability has been found, time to develop a fully functioning exploit is relatively fast, with a median time of 22 days
Other Recommendations for Defense
Other Recommendations for Offense
To Stockpile or Not to Stockpile?
Some Caveats About Our Data
Follow-On Research
A. The Exploit Development Cycle
B. The Vulnerability Researchers: Who Looks for Vulnerabilities?
C. How Mitigations Have Affected Exploitability: Heap Versus Stack Exploitation Case Study
D. Close Collisions
E. Purchasing a Zero-Day Exploit: Some Cost and Pricing Considerations
F. Additional Figures and Tables
G. More Information About the Data
H. Glossary
References