ҹ1000

Mathematical trick lets hackers shame people into fixing software bugs

Security researchers who find a flaw in software normally privately inform the developers of it in the hope of prompting a fix, but now a mathematical trick can let them apply public pressure without releasing dangerous details of the bug
Software bug
Software bugs can be exploited to steal people’s data
vchal/Getty Images/iStockphoto

A method to mathematically prove that a hacker has found a software bug, without revealing details of how the exploit works, could prevent companies from ignoring security vulnerabilities.

It is generally considered good practice for security researchers and ethical hackers who find a bug to disclose it to the software’s creator before going public, ensuring there is time to fix it. Many companies have launched bounty programmes that reward those who discover flaws in their systems to incentivise reporting and improve security.

However, things aren’t always so simple. Companies can deem a submitted vulnerability to be trivial and refuse to either fix it or pay a reward. In that scenario, the person who found the bug faces an ethical dilemma: do nothing and leave a vulnerability unfixed, or publicly disclose the details to force the company’s hand and put users at even greater risk temporarily.

Now, at software company Galois and his colleagues have developed a system that they say solves this problem. They use a method called a (ZKP) to verify that there is a vulnerability in a certain program, while keeping details secret. This would create public pressure for a fix without allowing hackers to exploit it in the meantime.

ZKPs were discovered in the 1980s and provide a mathematically verifiable way for one person to prove knowledge of a certain thing, without revealing any details. It has been suggested that they could be used by states to prove that nuclear warheads had been destroyed or to protect banking transactions.

“You can shame them into doing it, basically,” says Cuéllar. “There are a lot of frustrated people trying to disclose vulnerabilities, or saying ‘I found this vulnerability, I’m talking to this company and they’re doing nothing’.”

The team created a piece of software that analyses the source code of a program, along with details of how a flaw in the code can be exploited to extract data that should be protected. This software then produces a mathematical proof that the flaw exists, without giving any details. By running the ZKP through the software again, anyone can verify that the flaw in the original program exists.

has been an active bug bounty hunter for 15 years, submitting those he finds to the bug bounty scheme HackerOne. He says that ZKPs are a clever solution to specific problems, but he does have concerns that they could create a “ransom effect”.

“I can tell you ‘here’s the zero-knowledge proof that I found the vulnerability, now pay me’. And now there’s negotiation over how much they pay. It gives power to the attacker, but it also maybe gives too much power,” he says.

Others are sceptical that the tool, which adds a layer of complexity to reporting bugs, is needed at all. at Old Dominion University in Norfolk, Virginia, says he struggles to see a scenario where a ZKP of a vulnerability is more useful than the details of the vulnerability itself.

“Everyone who’s introduced to zero-knowledge proofs falls in love with them,” he says. “So, as I read this paper, on one hand, I’m fascinated: this seems like it would work, it’s cool, I’m excited. On the other hand, it seems like a solution in search of a problem.”

Reference:

Topics: Mathematics / security