UNIVERSITY PARK — From the Heartbleed bug that exposed many popular websites and services, to the Target security breach that compromised 40 million credit cards, malicious hackers have proved to be detrimental to companies’ financial assets and reputations. To combat these malevolent attackers, or “black hats,” a community of benign hackers, i.e., “white hats,” has been making significant contributions to cybersecurity by detecting vulnerabilities in companies’ software systems and websites and reporting their findings. Researchers at Penn State’s College of Information Sciences and Technology (IST) are studying white hat behaviors and how the talents of the white hat community can be most effectively used.
“Our focus is to understand how this market functions,” said Jens Grossklags, an assistant professor at the College of IST.
Grossklags, along with Mingyi Zhao, a doctoral student at the College of IST, and Kai Chen, a postdoctoral scholar at the College of IST, report their findings in their paper, “An Exploratory Study of White Hat Behaviors in a Web Vulnerability Disclosure Program.” In their paper, they study white hat behaviors by analyzing a 3.5-year dataset which documents the contributions of 3,254 white hats and their submitted 16,446 Web vulnerability reports. The researchers collected their dataset from Wooyun, the predominant Web vulnerability disclosure program in China.
According to the researchers, undisclosed vulnerabilities in publicly and privately deployed software systems are a significant contributing factor to potentially damaging security incidents. Black hat hackers search for unknown software vulnerabilities and attempt to derive benefit either by exploiting them to steal data and damage service availability or by selling information about them on black markets. A recent example is the Heartbleed security bug that was discovered in April and dubbed one of the biggest security threats the Internet has ever seen. Heartbleed is a flaw in OpenSSL, open-source software that is widely used to encrypt Web communications. A vulnerable server can be made to return chunks of its memory to a remote peer, revealing whatever sensitive data happens to be held there, such as usernames, passwords and credit card numbers.
“How can we make sure we detect the vulnerabilities and find them before a major security incident?” Zhao said.
A further complication, he added, is the interconnected nature of the Internet: an attack on an individual website or server has the potential to affect numerous websites. For example, in August 2013, a group claiming to be the Syrian Electronic Army was able to take down The New York Times by hacking into a website in Australia. According to media reports, the group gained control of the Times’ domain name registrar, Melbourne IT. A domain name registrar sells domain names and manages the records that tell the Domain Name System (DNS) which name servers answer for a domain. By altering those records, the group could redirect the traffic going to nytimes.com. The Syrian Electronic Army also said it hacked Twitter, which also reportedly uses Melbourne IT.
“We have to worry about Web security to an increasing degree,” Grossklags said. “Websites are essentially living in an ecosystem where they are all somewhat related.”
The white hat community has emerged as a formidable force in the cybersecurity field, according to Zhao, Grossklags and Chen, by submitting vulnerability discovery reports to public vulnerability disclosure programs (VDPs) and company-initiated vulnerability reward programs (VRPs). Companies such as Facebook, Google and Mozilla have established VRPs that pay white hats for valid vulnerability reports. A previous study based on the Google VRP and the Mozilla VRP has shown that harvesting vulnerabilities from the white hat community is cost-effective and compares favorably to hiring full-time vulnerability researchers. In addition, startup companies such as HackerOne and BugCrowd act as brokers between white hats and software companies.
“This trend clearly shows that the white hat community is an important force to improve cybersecurity,” Zhao said.
In their study, the researchers identified several trends in Web vulnerability disclosure and white hat behaviors on Wooyun, which launched in 2010 and has continued to attract more white hats, who submit more vulnerability reports on an increasingly broad range of websites. They explored white hat behaviors along three dimensions: vulnerability counts, vulnerability types and vulnerability discovery strategies.
Wooyun offers a platform on which white hats can submit any type of vulnerability report without direct compensation, Grossklags said. When a white hat finds a website vulnerability, he or she can submit a report to Wooyun. After an inspection of the report, Wooyun informs the administrators of the vulnerable website about the report and gives them two months to fix it. After the vulnerability is fixed, the report is disclosed to the public. The motivation for white hats in disclosing the vulnerability, Grossklags said, is knowledge sharing, community learning and building reputations within the white hat community.
A major part of Zhao’s, Grossklags’ and Chen’s research involved examining the relationship between diversity in the white hat community and vulnerability discovery. The researchers discovered that the top contributors to Wooyun accounted for only a small fraction of all vulnerability reports, and that less active white hats also contribute high-quality vulnerability reports across a broad spectrum of websites. Grossklags and his colleagues concluded that the community as a whole, rather than a few expert white hats, plays the key role in vulnerability discovery.
“While rewarding top contributors may be beneficial, attracting more white hats to participate is equally helpful,” Zhao said.
Based on the preliminary results of their research, Grossklags, Zhao and Chen suggest that managers of VDPs and VRPs should not only focus on the top contributors but also try to attract as many white hats as possible as contributors. However, they added, drawing more participation might require the design of new mechanisms for organizing and rewarding white hats. For example, Grossklags said, greater entry rewards could not only widen the white hat community but also provide incentive to not “drift off into the black hat community.”
A larger issue in vulnerability discovery, Grossklags said, is that no matter how many vulnerabilities are reported, it is virtually impossible to eradicate all of them.
“The pool of potential vulnerabilities is unlimited,” he said.