While Bugs May No Longer Be Free, Exploits Really Want To Be
Earlier this month I stumbled across a quote that caught my attention not because it was insightful but because I felt it was so inaccurate that I read the rest of the article out of pure curiosity to see what other claims would be made. The quote came from Rick Moy, the president of NSS Labs, who claimed that, “a penetration tester is only as good as the exploits he has to work with.”
Mr. Moy cheapened the skill of penetration testing to a bag of tricks, which is how the industry describes script kiddies. But after this initial surprise, I realized that the claim appeared to be an attempt to promote NSS Labs’ upcoming exploit marketplace: Exploit Hub. The message implied that “you’re only worth as much as the exploits that we’re going to be selling.” And Doctor, you’re only as qualified as the stethoscope that you’re planning on using.
So putting aside Mr. Moy’s claim, I curiously read onwards to find out more about the Exploit Hub (EH). Certainly, it seems like a promising idea – to create a place for security researchers and penetration testers to exchange exploits for money – a capitalist, free market for the security community. But in practice I suspect that successfully establishing an exploit marketplace will be challenging for many reasons beyond EH’s control.
Once Bread Becomes Toast, It Can Never Be Bread Again
One difficulty with an exploit marketplace is that the product is software – generally an exploit is a small piece of code designed to take advantage of another piece of code. If we presuppose that an exploit is fundamentally no different than any other program then it follows that we gain the same advantages (e.g. minimal cost to scale and distribute) and disadvantages (i.e. piracy and IP theft) of traditional software.
How do you prevent piracy? This will be perhaps the hardest challenge facing EH since the value of the exploit comes primarily from knowledge of how to trigger and exploit the vulnerability successfully. Once purchased, there will be little to deter an exploit buyer from freely redistributing the code. Moreover, with the exploit in hand, it will also be a simple exercise to extract the intellectual value – the details of the attack (e.g. offset, payload, and trigger). Nothing can prevent someone from rewriting the exploit for broader distribution on free exploit repositories, within existing exploit frameworks, or on public mailing lists.
EH won’t be able to prevent piracy, particularly when it’s occurring underground and perpetrated by intelligent hackers. Alas, on the Internet when something becomes known, you can’t make it unknown.
Uncertain Sellers and Limited Buyers
The lack of deterrence against piracy will undoubtedly dissuade some security researchers from submitting exploits. Yet another factor weighing against the contribution of exploits is the restricted market for exploit writers’ goods.
The target market for exploits will be limited by EH’s buyer qualification process, which purportedly ensures that only the “right” people and organizations are allowed to purchase the exploits. While this approach establishes (somewhat ambiguously) defensible ethical positions and applies a patina of exclusivity, it limits the number of potential buyers for exploit writers. This in turn decreases the potential market value for their goods, and ultimately discourages contribution from researchers desiring remuneration for their efforts.
The test here will be to find enough buyers to make it worthwhile for researchers while simultaneously competing against traditional markets – exploit repositories, exploit frameworks, and mailing lists.
Free is Tough Competition
Existing markets create a high barrier to entry for an exploit marketplace that doesn’t really provide any distinct advantage. The security community has had a long history of contributing to free online repositories and mailing lists including such classics as bugtraq, PacketStorm, rootshell.com, and milw0rm. The more recent inj3ct0r repository claims over fourteen thousand exploits, and the Exploit Database by Offensive Security, with over twelve thousand exploits of which many are verified, is hard to beat.
Stiff competition will also come from the Metasploit Framework , which offers extremely reliable, up-to-date exploits for more than 440 vulnerabilities, at a sum total cost of zero. A commercial version called Metasploit Express is also available that provides additional features for penetration testers at a cost of USD$3,000 (at the time of writing), which averages to approximately USD$6.80 per vulnerability. Immunity’s CANVAS also provides a suite of over 370 reliable exploits with exploits being added for the latest vulnerabilities on a monthly basis. While the cost for Metasploit Express and CANVAS is not zero, it is still well within the range of all but the smallest professional penetration testing organizations. Both tools make it difficult to justify paying for individual exploits, especially when the latest and greatest vulnerabilities are constantly being developed and released for free (i.e. Metasploit Framework) and affordable (i.e. Metasploit Express and CANVAS) exploitation frameworks.
The intractable problem of piracy, a limited set of buyers, and compelling alternatives will make the Exploit Hub a difficult endeavor. One may note that both Metasploit and CANVAS provide the full source code to the exploits, as they know full well that keeping them a secret is a losing proposition. What the open market is willing to pay for comes in the form of support, additional features, and reliable exploits. While EH may be able to claim reliability, it will be challenged to offer additional features or support at a credible price point. Looking forward, one area Exploit Hub and other exploit marketplaces should focus is on creating a community where professional penetration testers can match up with exploit writers; one-off, custom exploit development is an underserved market with limited competition – for now.