Sunday, April 19, 2015

Silk Road for Zero Day

I had to be amused after hearing about TheRealDeal, a Silk Road for 0-day. First, there really isn't anything illegal about selling a zero day - but I can understand the concerns about liability. Back in 2002 I had proposed starting a site called ZeroBay that would auction working 0day, but the possible liability scared me off the project. For a few years afterward I privately worked with many 0day, and I have to say these RealDeal guys have a load of problems to deal with.

First, there are the 0day researchers who won't trust the site operators enough to hand over the goods for verification prior to a sale. Without third-party verification and escrow, the whole model will break down.

Next, most of the exploits will only work on a certain VM and only when the moon is full. They will inevitably broker a deal where the buyer can't get it to work and the seller vanishes or becomes unresponsive after stating "Works for me!".

Also, the sellers are going to sell it to multiple parties. I see Internet Explorer client-side exploits listed at $17,000 - this is about 1/4 of what an 0day like that is worth, so they must be uninformed or planning on selling to multiple parties. Or it's not theirs to begin with, and it's already being shared in closely knit circles.

Here is a big gotcha - some of the people selling bugs are going to be actual employees of the vendor, possibly working in the QA lab - so they are 100% insider threats, and a huge amount of liability is piggybacking on those exploits.

Be aware that finding a crash bug is a heck of a lot easier than writing reliable shellcode - and I wonder how many sellers on the site have the skills, procedures, or willpower to craft reliable payloads? The number of people who can find bugs outnumbers the number who can make reliable exploits by several orders of magnitude.

Let me suggest something - if you want to make an 0day deal work, first you enter into a legal contract with the seller that absolves you of liability if the seller is breaking any laws or contracts (i.e., non-disclosure agreements, employee intellectual property agreements, etc.). Second, you broker the deal so the seller receives a portion of the total payment per month as long as the 0day remains an 0day - if any disclosure or patch occurs, the payments stop early. This keeps sellers financially motivated to stay honest. Finally, don't ever pay up front for something that hasn't been vetted -- under no circumstance trust some video of the guy running it against a VM - you will end up with broken, unreliable code.

0day sales have been around a long time, and it's a trust-based business - it doesn't really need some weird blacknet site on Tor to work - it's silly. Start a legitimate, above-the-line business doing the same thing and it would work better and provide contractual legal protection to all parties. My conclusion is this: trust is hard to come by - making a darknet anonymized brokerage is just making a hard problem harder.