The Bazaar, the Maharaja’s Ultimatum, and the Shadow of the Future:
Extortion and Cooperation in the Zero-day Market

Alfonso De Gregorio
Founder, BeeWise

AusCERT 2015, Gold Coast, Australia, June 4th, 2015

Uploaded by darren-pauli, posted 14-Aug-2015

TRANSCRIPT


Discuss: /me @secYOUre, #0DayDilemma #AusCERT2015

Agenda

1. The Zero-day Market: A hairy business
2. Relevance: Should I care?
3. The Zero-day Dilemma: Extortion and Cooperation in the Zero-day Market
4. Recommendations to Zero-day traders: How to maximize the payoff?

The Zero-day Market

Meet Ty

Meanwhile...

Inherent obstacles

1. Time-sensitiveness of traded commodities
2. Trust
3. Price fairness
4. Possibility of defection

A hairy business

The Legitimate Vulnerability Market

Time-sensitive commodity

- Valuable only when they are not widely known
- Value drops to zero as soon as the vulnerability is disclosed or a mitigation is released
- Transactions should complete in short times
- Discretion required

Every day can be the last day for a 0-day sale

Trust

- No centralized way to locate its players
- Finding buyers and sellers is time-consuming
- Unfamiliar business partners
- Hard to verify intentions

Oh, grandmother, what a horribly big mouth you have!

Lack of transparency and price fairness

- Adoption levels of the vulnerable component
- Presence within a given attack surface
- Level of authentication required to exploit it
- Difficulty of independent rediscovery
- Exploit reliability

Difficult to measure

Tension

- Disclose and lose?
- Proving without disclosing
- Two approaches: reveal or demonstrate
- Both undesirable

Reveal

- Whoever moves first loses their asset
- The buyer steals the vulnerability if the seller reveals it before the sale
- The seller runs away with the money if the buyer pays in advance

Demonstrate

- Whoever controls the computing environment has an edge
- Does the seller tamper with the computing environment?
- Does the buyer record the working of the exploit and steal it?

No vulnerability claim can be assured

Enforce contracts

Exclusive rights to the buyer

- Grant exclusive rights, to receive the largest payoffs
- What if the seller defects, selling the same zero-day to multiple parties?
- This time it is the buyers who lack a means to protect themselves
- Forcing the seller to return the funds?
- The difficulty of identifying sellers, of attributing multiple transactions to the same supplier, and of enforcing contracts helps a seller willing to betray

Proposed solutions

- Use punishment (i.e., public disclosure of vulnerabilities) to discourage a buyer from defecting;
- Resort to trusted third parties (e.g., escrow services) as crucial entities for enabling cooperation among market participants;
- Build a reputation system (e.g., a reputation score) as an instrument to establish trust relationships between distrustful players.


PHEW!

Motivating questions

1. Can the zero-day market achieve cooperation and efficiency even in absence of trusted third parties?
2. Can punishment discourage the buyer from defecting?
3. Under which conditions can a player extort the opponent?
4. Can cooperation be sustained also in fully anonymous settings?
5. What about semi-anonymous settings?


Which trading strategy to employ?

Relevance

/me

At the intersection of software security and security software, exploring, and trying to contain, the space of unanticipated state.

Market failure

Inability to self-correct

- Software manufacturers will not forgo market share
- Software users will not forgo features
- Attackers will not forgo attacking tens of millions of vulnerable systems

Information Security Prediction Market

Should I care?

1. More interconnected
2. More interdependent
3. Greater dynamic range of possible failure
4. Vulnerability information is key to both offensive and defensive purposes
5. Prominent role in modern-day intelligence, national security, and law enforcement operations


Nation-state actors

LEAs

Vendors

Where do the results find application?

- Over-the-counter zero-day trading
- Boutique exploit providers offering zero-day vulnerabilities for a subscription fee
- Service models for vulnerability research


The Zero-day Dilemma

The Bazaar

The Maharaja’s Ultimatum

The Shadow of the Future

Ultimatum Game

- A game used in economic experiments
- Proposer: receives a sum of money and proposes how to divide the sum between himself and another player
- Responder: chooses to either accept or reject the proposal
- If he accepts, the money is split according to the proposal
- If he rejects, neither player receives any money

Prisoner’s Dilemma

- Two purely “rational” individuals might not cooperate, even if it appears to be in their best interest to do so
- Two prisoners who committed a crime
- If neither confesses, they both get a low punishment
- If both confess, they get a more severe punishment
- If one confesses and the other does not, then the one who confesses gets a very low punishment and the other gets a very severe punishment

IPD

The Iterated Prisoner’s Dilemma (IPD) is a repeated game where the PD is the stage game. Agents play the PD game an indefinite number of times.

The 0-Day Dilemma

Submissive scenario

- Traders are playing the standard PD
- R > P implies that mutual cooperation is superior to mutual defection
- T > R and P > S imply that defection is the dominant strategy for both agents
- That is, defection is better than cooperation for one player, no matter how that player’s opponent may play

Adaptive scenario

- Neither the buyer nor the seller has a dominant strategy, if we assume Z > S and U < R
- If the betrayed seller has the ability to close alternative deals for the same exploit (i.e., 1-Day FUD, 1-Day private exploits), then defection would no longer be a dominant strategy
- The nature of the market plays a role
- Today it is not a monopsony and is weakly regulated. Tomorrow rules and regulations may emerge in this area (e.g., the Wassenaar Arrangement) and may impact the market’s liquidity

MAD scenario

- A variant of the standard PD, where the seller has the ability to deny the buyer the temptation to defect
- Just make sure T approaches P
- Hence, defection is not a dominant strategy for the buyer
- If factors such as market liquidity, export/trade regulations, or the mean time to close a deal prevent the Adaptive retaliation approach from being undertaken, then the seller should consider disclosing the exploit or the vulnerability publicly
- This would not make her worse off
- The seller would reduce the buyer’s incentives to defect in the first place
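The three scenarios above differ only in which payoffs the seller can change; the rest is a strict-dominance check on a 2x2 bimatrix. The following is an added example written for this transcript, not code from the talk or from BeeWise. It uses the slide values T = 5, R = 3, P = 1, S = 0 and an assumed reading of the slides’ U and Z: U is what the buyer gets by defecting on a seller who delivers (it replaces T), and Z is what a betrayed seller keeps when she can close alternative deals (it replaces S). The sample values U = 2, Z = 2 and the MAD temptation P + 0.2 are constructed to satisfy the stated inequalities.

```python
# Classic PD payoffs used throughout the talk: T > R > P > S.
R, T, P, S = 3, 5, 1, 0
ACTIONS = ("C", "D")


def dominant_action(payoffs, player):
    """Return the strictly dominant action of `player` (0 = buyer, 1 = seller) in a
    2x2 game, or None if no action beats the other against every opponent action.
    `payoffs` maps (buyer_action, seller_action) -> (buyer_payoff, seller_payoff)."""
    for mine in ACTIONS:
        other = "D" if mine == "C" else "C"
        better_everywhere = True
        for opp in ACTIONS:
            profile_mine = (mine, opp) if player == 0 else (opp, mine)
            profile_other = (other, opp) if player == 0 else (opp, other)
            if payoffs[profile_mine][player] <= payoffs[profile_other][player]:
                better_everywhere = False
                break
        if better_everywhere:
            return mine
    return None


def zero_day_dilemma(buyer_temptation=T, seller_sucker=S):
    """Bimatrix for the one-shot 0-Day Dilemma: buyer is the row player, seller the
    column player. The two knobs are the assumed meaning of the slides' U and Z:
    `buyer_temptation` is the buyer's payoff for defecting on a delivering seller
    (T in the standard PD, U in the Adaptive scenario, close to P under MAD);
    `seller_sucker` is what the betrayed seller keeps (S normally, Z when she can
    resell the exploit as a 1-day)."""
    return {
        ("C", "C"): (R, R),
        ("C", "D"): (S, T),                              # buyer pays, seller defects
        ("D", "C"): (buyer_temptation, seller_sucker),   # seller delivers, buyer defects
        ("D", "D"): (P, P),
    }


SCENARIOS = {
    # Submissive: plain PD, defection dominates for both traders.
    "Submissive": zero_day_dilemma(),
    # Adaptive: U < R for the buyer and Z > S for the seller (sample values, assumed).
    "Adaptive": zero_day_dilemma(buyer_temptation=2, seller_sucker=2),
    # MAD: a credible disclosure threat pushes the buyer's T towards P.
    "MAD": zero_day_dilemma(buyer_temptation=P + 0.2),
}


def run_all():
    """Dominant action per player for each scenario; None means no dominant strategy."""
    return {
        name: {"buyer": dominant_action(game, 0), "seller": dominant_action(game, 1)}
        for name, game in SCENARIOS.items()
    }


if __name__ == "__main__":
    for name, result in run_all().items():
        print(f"{name:10} buyer={result['buyer']} seller={result['seller']}")
```

In the Submissive scenario both players get D as the dominant action; in the Adaptive scenario neither does; under MAD the buyer loses her dominant defection while the seller’s remains, which is exactly the asymmetry the disclosure threat is meant to create.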

FD & Brinkmanship

- To this end, it is important for 0-Day sellers to have an efficient means of doing full disclosure
- Not for the sake of bragging rights anymore, but for modern-day brinkmanship
- The faster the disclosure of the vulnerability, the shorter the window of opportunity for the exploiter and the smaller the residual payoff (V)


Fair share of troubles

- Since July 2002 the Full-Disclosure list has experienced a “fair share of legal troubles along the way.”
- Posting on a mailing list may translate into an OPSEC failure if the anonymity of the submitter is not protected

WhistleDay or ZeroLeaks

- A 0-Day disclosure platform
- Researchers could use it for full disclosure
- Players in the zero-day market could use it to retaliate against buyers who defect
- Insiders would turn to it to expose the secretive trade in intrusion and surveillance technologies
- Dub it WhistleDay or ZeroLeaks, if you like

Cooperation is possible

- As long as the seller doesn’t play in the Submissive scenario, the buyer is not better off defecting
- In the one-shot sequential 0-Day Dilemma cooperation is possible
- If this is not the case, the rational outcome is the action profile of mutual defection
- “We have to distrust each other. It’s our only defense against betrayal.” — Tennessee Williams
- “The dilemma then is that mutual cooperation yields a better outcome than mutual defection but it is not the rational outcome because the choice to cooperate, at the individual level, is not rational from a self-interested point of view.”


Cooperation as an Equilibrium

If no form of punishment can be undertaken by the seller, can the cooperative outcome still be sustained as an equilibrium?

Iterated 0-Day Dilemma

- The Iterated 0-Day Dilemma (I0DD) is a repeated game where the 0-Day Dilemma is the stage game. Agents play the 0-Day Dilemma game an indefinite number of times

Remark: Whenever the Submissive scenario applies, the I0DD reduces to the Iterated Prisoner’s Dilemma


Three settings

- Onymous: the traders know the identity of the party they are dealing with
- Anonymous: trades take place among strangers
- Semi-anonymous: either the buyer or the seller is anonymous


Cooperation is possible in onymous economies

Aumann, Robert (1959). “Acceptable points in general cooperative n-person games”. In Luce, R. D.; Tucker, A. W. Contributions to the Theory of Games IV. Annals of Mathematics Study 40. Princeton NJ: Princeton University Press. pp. 287–324. MR 0104521.

William Press and Freeman Dyson

Sentient Player

- Power granted to a sentient player
- A player with a theory of mind
- Who realizes that her behavior can influence her opponents’ strategies

Zero Determinant (ZD) Strategies

Extortion

If one trader is aware of ZD strategies but the opponent is an evolutionary player, then the former can choose to extort the latter

Evolutionary players

A player is said to be evolutionary if she possesses no theory of mind and instead simply seeks to adjust her strategy to maximize her own score in response to whatever the adversary is doing

Extortion strategies

- Grant a disproportionate number of high payoffs to the extortionist
- It is in the victim’s best interest to cooperate with the extortionist, because she is able to increase her score by doing so
- In so doing, she ends up increasing the extortionist’s score even more than her own
- She will never catch up to the extortionist, and she will accede to her extortionist because it pays her to do so

An extortionist relation

Sx − P = 3(Sy − P)

Extortionist strategy: Example

- Let R = 3, T = 5, P = 1, S = 0
- Let the desired payoff relation be Sx − P = 3(Sy − P)
- If we both cooperated last time, then I cooperate with probability 11/13
- If I cheated you last time (you cooperated and I defected), then I cooperate with probability 7/26
- If you cheated me last time (I cooperated and you defected), then I cooperate with probability 1/2
- If we both defected last time, I defect
- On average over the long run, my score minus one will be thrice your score minus one

Press and Dyson

IPD == Ultimatum Game

If both players are sentient, but only one is aware of ZD strategies, then the IPD reduces to the Ultimatum Game

IPD == Ultimatum Game

- Let’s suppose both players are sentient
- Let’s suppose only the buyer knows about ZD strategies
- The buyer tries to extort the seller
- The seller eventually notices
- The seller decides to sabotage the scores of both
- This is an Ultimatum Game. The buyer proposes an unfair ultimatum, and the seller responds.

Generous ZD-Strategies

- If both players are sentient and witting of ZD strategies, then they can agree on playing a Generous ZD strategy
- In fact, any attempt to extort the opponent would result in a low payoff for both
- It is rational to agree on a fair cooperation strategy
- They agree to unilaterally set the other’s score to an agreed value (presumably the maximum possible)
- Neither player can then improve her score by violating the strategy
- Each is punished for any purely malicious violation


A generous relation

Sx − R = 2(Sy − R)

Generous ZD-strategy: Example

- Let R = 3, T = 5, P = 1, S = 0
- Let the desired payoff relation be Sx − R = 2(Sy − R)
- If we both cooperated last time, then I cooperate
- If I cheated you last time (you cooperated and I defected), then I cooperate with probability 8/10
- If you cheated me last time (I cooperated and you defected), then I cooperate with probability 3/10
- If we both defected last time, I cooperate with probability 2/10
- On average over the long run, my score minus three will be twice your score minus three
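Both the extortionist example and the generous example above come out of the same construction: a memory-one strategy whose four cooperation probabilities are chosen so that the long-run scores satisfy a fixed linear relation whatever the opponent does. The following is an added example for this transcript, not code from the talk, from BeeWise or from Press and Dyson’s paper. It rebuilds both strategies from their payoff relations using Press and Dyson’s parameterisation p̃ = φ[(S_me − κ) − χ(S_them − κ)], where the scaling φ is not stated on the slides; the values φ = 1/26 and φ = 1/10 are assumptions chosen because they reproduce the slide numbers. It then iterates the four-state Markov chain against a few constructed opponents (always cooperate, always defect, tit-for-tat, and an arbitrary mixed “evolutionary” rule) to check that Sx − P = 3(Sy − P) and Sx − R = 2(Sy − R) hold in every case, and that the cooperating victim of the extortionist earns less than the extortionist even though cooperation is her best reply.

```python
from fractions import Fraction as F

# Stage-game payoffs from the slides: T > R > P > S.
R, T, P, S = 3, 5, 1, 0

# A memory-one strategy is a 4-vector of cooperation probabilities indexed by the
# previous round's outcome from the strategy owner's point of view:
# (I cooperated, they cooperated), (I cooperated, they defected),
# (I defected, they cooperated), (I defected, they defected).
PAYOFF_ME = (R, S, T, P)     # my payoff in each of those four outcomes
PAYOFF_THEM = (R, T, S, P)   # the other player's payoff in the same outcomes


def zd_strategy(chi, kappa, phi):
    """Press-Dyson zero-determinant strategy enforcing
    (S_me - kappa) = chi * (S_them - kappa) in the long run:
        p~ = phi * [(PAYOFF_ME - kappa) - chi * (PAYOFF_THEM - kappa)]
    with p~ = (p1 - 1, p2 - 1, p3, p4). Raises if phi does not yield probabilities."""
    chi, kappa, phi = F(chi), F(kappa), F(phi)
    p_tilde = [phi * ((me - kappa) - chi * (them - kappa))
               for me, them in zip(PAYOFF_ME, PAYOFF_THEM)]
    p = (1 + p_tilde[0], 1 + p_tilde[1], p_tilde[2], p_tilde[3])
    if not all(0 <= x <= 1 for x in p):
        raise ValueError(f"phi={phi} gives an invalid strategy {p}")
    return p


def long_run_scores(p, q, rounds=5000):
    """Stationary scores (S_me, S_them) for memory-one strategy p against opponent q,
    found by iterating the 4-state Markov chain from a uniform start. q is indexed
    from the opponent's own point of view (their move first, then mine)."""
    states = [(0, 0), (0, 1), (1, 0), (1, 1)]      # 0 = cooperate, 1 = defect
    M = []
    for me, them in states:
        pc = float(p[2 * me + them])               # my cooperation probability
        qc = float(q[2 * them + me])               # theirs, in their own ordering
        M.append([pc * qc, pc * (1 - qc), (1 - pc) * qc, (1 - pc) * (1 - qc)])
    v = [0.25] * 4
    for _ in range(rounds):
        v = [sum(v[i] * M[i][j] for i in range(4)) for j in range(4)]
    s_me = sum(vi * pay for vi, pay in zip(v, PAYOFF_ME))
    s_them = sum(vi * pay for vi, pay in zip(v, PAYOFF_THEM))
    return s_me, s_them


def relation_gap(p, q, chi, kappa):
    """(S_me - kappa) - chi * (S_them - kappa); zero up to float error for every
    opponent q when p is the matching ZD strategy."""
    s_me, s_them = long_run_scores(p, q)
    return (s_me - kappa) - chi * (s_them - kappa)


# The two slide strategies, rebuilt from their payoff relations. phi is assumed:
# these values are the ones that reproduce the probabilities shown on the slides.
EXTORT_3 = zd_strategy(chi=3, kappa=P, phi=F(1, 26))    # (11/13, 1/2, 7/26, 0)
GENEROUS_2 = zd_strategy(chi=2, kappa=R, phi=F(1, 10))  # (1, 3/10, 8/10, 2/10)

# Constructed sample opponents: unconditional cooperation, unconditional
# defection, tit-for-tat, and an arbitrary mixed rule standing in for an
# evolutionary player.
OPPONENTS = {
    "ALLC": (1, 1, 1, 1),
    "ALLD": (0, 0, 0, 0),
    "TFT": (1, 0, 1, 0),
    "MIXED": (0.9, 0.4, 0.7, 0.2),
}


def scores_table(p):
    """Long-run (S_me, S_them) of strategy p against every sample opponent."""
    return {name: long_run_scores(p, q) for name, q in OPPONENTS.items()}


if __name__ == "__main__":
    for label, p, chi, kappa in (("extortion", EXTORT_3, 3, P),
                                 ("generous", GENEROUS_2, 2, R)):
        print(f"{label}: p = {tuple(str(x) for x in p)}")
        for name, (s_me, s_them) in scores_table(p).items():
            gap = relation_gap(p, OPPONENTS[name], chi, kappa)
            print(f"  vs {name:5}: me={s_me:.3f} them={s_them:.3f} gap={gap:+.1e}")
```

Against an always-cooperating victim the extortionist settles at 41/11 ≈ 3.73 while the victim gets 21/11 ≈ 1.91, and 41/11 − 1 is exactly three times 21/11 − 1; the victim’s score against tit-for-tat or always-defect is lower still, which is why an evolutionary player drifts towards full cooperation and keeps feeding the extortionist. The generous strategy shows the mirror image: against always-defect it accepts 7/9 while the defector gets 17/9, taking the larger share of the shortfall below R. The relation holds for every opponent because, for any stationary distribution v of the chain, v · p̃ = 0 by construction.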

Under the assumption...

- Ascribe past actions to the same market participants
- Choose strategies according to the outcome of past interactions

Anonymous Black Market

- Is cooperation possible in anonymous zero-day markets?
- Do you believe it is?
- If yes, which institutions for monitoring and enforcement promote cooperation in this setting?


Cooperation among Strangers

Anonymous Economies: Camera and Casari 1

- Cooperation is high and increases with experience
- Low degree of cooperation when subjects see aggregate outcomes without observing identities (e.g., as might result from discussing trading experiences in anonymous fora)
- Costly personal punishment significantly promotes cooperation


Anonymous Economies: Camera and Casari 2

- Subjects were given the possibility to observe actions and outcomes in their game and to inflict, at a cost, a loss in the earnings of the defecting opponent
- Camera and Casari added a second stage to the one-shot game
- The retaliation stage resembles in full the Adaptive and MAD scenarios in the 0-Day Dilemma


Anonymous Economies: Camera and Casari 3

- A player who observed the opponent defect sometimes employed personal punishment (i.e., in-match retaliation), while staying in cooperative mode in the following periods
- Players show a preference for in-match retaliation over the (equilibrium) informal retaliation
- Efficiency: defectors who had been punished by a cooperator were more likely to cooperate in the following periods (34.5% vs 24.1%)


Punishment as a Public Good

- It significantly increases cooperation
- The subjects that benefit the most are cooperators who punish little or not at all


Semi-anonymous Zero-day markets

- If only one party is anonymous, the onymous counterpart has no way to know whether she already had any deals with the same participant
- The latter can’t benefit from being sentient and is forced to choose her strategies as an evolutionary player would
- If the anonymous party knows about ZD strategies, she can choose to extort the opponent
- Hence, while cooperation can emerge in fully anonymous markets, extortion can proliferate in semi-anonymous economies


To sum up

.The Zero-day Dilemma

.103/112

. Zero-day markets can achieve cooperation even in the absence of trusted third parties

. Cooperation can be sustained even when traders are anonymous

. Punishment is an effective instrument to discourage traders from defecting

. It is possible to get extorted, if the adversary knows about ZD-strategies and we simply seek to adjust our strategy to maximize our own profit

...Recommendations

.104/112

..

Recommendations

..

Recommendations

.Recommendations

.105/112

1. Do not deal with anonymous traders, if you cannot ensure your own anonymity

2. Discourage defection by practicing brinkmanship or casting the shadow of the future in every decision of your counterpart

3. Respond: Consider punishing defection to promote cooperation

4. Let the seller supply the vulnerability first, if interested in a one-time deal

5. Learn about Zero Determinant strategies, if playing in an onymous market

6. Grim trigger: forever defect, if you see defection while playing in an anonymous market and have no ability to punish the opponent
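The extortion mechanism behind the semi-anonymous-market slide and recommendations 5 and 6, as an added example that is not part of the talk: a Press & Dyson extortionate zero-determinant (ZD) strategy is played against a counterpart that only tunes its own cooperation rate (the "evolutionary" player of the slides) and against the grim trigger. The payoff values T, R, P, S and the extortion factor chi are constructed sample values, and the payoffs are computed exactly from the Markov chain over joint outcomes rather than sampled.

```python
"""Added example, not from the slides: a Press & Dyson extortionate zero-determinant
(ZD) strategy against a counterpart that only tunes its own cooperation rate (the
'evolutionary' player of the slides) and against the grim trigger of recommendation 6.
T, R, P, S and the extortion factor chi are constructed sample values."""

T, R, P, S = 5, 3, 1, 0   # temptation, reward, punishment, sucker's payoff (constructed)
# A memory-one strategy is the probability of cooperating after the previous outcome,
# listed as (own move, counterpart's move) in the order CC, CD, DC, DD (1 = C, 0 = D).
OUTCOMES = [(1, 1), (1, 0), (0, 1), (0, 0)]
ALWAYS_COOPERATE = (1.0, 1.0, 1.0, 1.0)
GRIM_TRIGGER = (1.0, 0.0, 0.0, 0.0)   # seen one defection: defect forever

def extortionate(chi, phi=1 / 26):
    """Linear ZD strategy enforcing (my score - P) = chi * (your score - P)
    on every counterpart; phi only scales it and must keep all entries in [0, 1]."""
    return (1 - phi * (chi - 1) * (R - P),
            1 - phi * ((P - S) + chi * (T - P)),
            phi * ((T - P) + chi * (P - S)),
            0.0)

def long_run_payoffs(p, q, rounds=5000):
    """Average per-round payoff of p and q, computed exactly from the Markov chain
    over joint outcomes starting at mutual cooperation (no random sampling).
    Averaging over rounds also handles absorbing endings like permanent DD."""
    pay = {(1, 1): (R, R), (1, 0): (S, T), (0, 1): (T, S), (0, 0): (P, P)}
    dist, sum_p, sum_q = [1.0, 0.0, 0.0, 0.0], 0.0, 0.0
    for _ in range(rounds):
        nxt = [0.0] * 4
        for i, (a, b) in enumerate(OUTCOMES):
            sum_p += dist[i] * pay[(a, b)][0]
            sum_q += dist[i] * pay[(a, b)][1]
            cp = p[i]                       # p's cooperation chance after outcome i
            cq = q[2 * (1 - b) + (1 - a)]   # q reads the same outcome from its side
            for j, pr in enumerate((cp * cq, cp * (1 - cq), (1 - cp) * cq, (1 - cp) * (1 - cq))):
                nxt[j] += dist[i] * pr
        dist = nxt
    return sum_p / rounds, sum_q / rounds

if __name__ == "__main__":
    extort = extortionate(chi=3)
    for q in (0.0, 0.5, 1.0):   # the counterpart's own payoff rises with its cooperation...
        print(f"cooperates {q:.0%}: (extorter, counterpart) =", long_run_payoffs(extort, (q,) * 4))
    # ...so a player that only chases its own payoff is pushed into full cooperation
    # and extorted, whereas punishing defection leaves the extorter no surplus at all:
    print("vs grim trigger:", long_run_payoffs(extort, GRIM_TRIGGER))
```

With chi = 3 the extorter takes about 3.73 per round against a fully cooperating counterpart that gets about 1.91, while against the grim trigger both end near the mutual-defection payoff P = 1.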

..

Experimental verification

.Recommendations

.106/112

If interested, please be in touch

..

Spring 2015: Speaking Dates

.Recommendations

.107/112

. May 26th, PHDays V, Moscow, Russian Federation

. May 28th, HITBSecConf 2015, Amsterdam, Netherlands

. June 4th, AusCERT 2015, Gold Coast, Australia

..

..“ Though I am often in the depths of misery, there is still calmness, pure harmony and music inside me.

Vincent van Gogh..”

..“ Though we are often in the depths of insecurity, there is still calmness, pure harmony and music inside us. ..”

..THANK YOU

Q ?

...Backup

.113/112

..

Backup

..

BeeWise

.Backup

.114/112

..

. BeeWise is the first prediction market for forecasting security events and trends

. More specifically, it is a security-event futures exchange where participants trade contracts whose payoffs are tied to future events in information security, such as the discovery of a given software vulnerability, a security incident, or the diffusion of new malware

. With a large enough number of people betting on the outcome of selected events, the prices of the contracts will be an approximate measure of the probability of the underlying events at any time. The ability to use market prices as forward-looking indicators of security properties will help in establishing information symmetry between buyers and sellers (i.e., build a quality signal), and help security stakeholders to make better and more informed decisions, by telling mediocre security products from good ones