Zero-Knowledge Proofs (ZKPs) for vulnerability disclosure
Few relationships in cybersecurity more delicate than the one between a security researcher who discovers a vulnerability in commercial software or hardware and the company they notify.
The company may not care about the flaw or its impact on customers or downplay the severity to avoid media attention. The researcher on its potential for harm or believe that a timelier public disclosure will incentivise the business to develop a quick patch to protect end-users.
While the industry has addressed some of these problems through coordinated vulnerability disclosure policies, there’s still a fair amount of disagreement and mismatched incentives that can mistrust the two parties. One of the trickier problems is how to ethically disclose a bug to the broader public and put pressure on an organization without revealing technical information that might allow malicious hackers to exploit it before a patch becomes available.
Here comes the Zero-Knowledge Proofs(ZKPs) from DARPA.
The research and development arm for the Department of Defense has successfully demonstrated a limited set of use cases for applying zero-knowledge proofs to the software vulnerability disclosure process. A zero-knowledge proof is a cryptographic protocol that allows one party to create mathematical evidence to demonstrate to another party that they can answer a question without having to show their underlying work. In this case, it would allow a security researcher to prove that the vulnerability can be exploited without having to show a proof of concept exploit that might provide a road map to bad actors.
This was made possible because of the ongoing cryptocurrency community’s work on developing more efficient zero-knowledge proofs, particularly a paper called “Snarks for C,” helping to inspire DARPA researchers to explore ideas for similar applications in other fields that aren’t necessarily connected to the blockchain.
Josh Baron, program manager for DARPA’s Seuring Information for Encrypted Verification and Evaluation program (SIEVE) highlights:
“You take a problem in the real world, you formalize it mathematically, you figure out how to transform it into the relevant format…and then you give the zero-knowledge proof”.
How it works
Imagine a graph with several different points. There are lines between each, and each point is assigned a colour: red, yellow or green. The question at hand is whether you can conclusively prove to someone that each point is a different colour from its adjacent points without actually showing them the graph.
The answer is yes. It’s possible to translate much of the relevant information about those points, their colours and their relation to each other into numerical values or equations that can be calculated without ever viewing the original graph. Moreover, this same fundamental model can be expanded and applied to many other situations, usually involving many more “points” or relevant variables that interact with each other in predictable ways — like different parts of a software system — to emulate the same mathematical certainties.
The real-world problem DARPA was looking to tackle in this case is finding a way for security researchers to alert the public of an ongoing software vulnerability without having to rely on the host organization’s goodwill or risk tipping off malicious hackers. Last year, DARPA put out a call for outside research proposals and two companies — Galois and Trail of Bits — have already used the framework to create zero-knowledge proofs of their own.
Galois proved proof for a previously disclosed memory safety vulnerability in a Game Boy Advance console. More importantly, they could use that proof to convince another party of the vulnerability’s existence in about eight minutes. In addition, the Trail of Bits developed a novel model based on Boolean circuitry that allows researchers to create a binary imitation of systems at the architectural level — essentially providing a yes/no answer as to whether it’s been exploited or compromised by stack and heap overflows, code injection, format string vulnerabilities and memory bypass flaws.
Right now, these use cases are just scratching the surface, limited to a small handful of basic IT hardware products and software vulnerabilities. There are also questions about how accurate any one particular model may be to its real-life counterpart. Developing better models that apply to the vulnerability process more generally will require “orders of magnitude more complexity.” Still, DARPA believes it’s only a matter of time before they can be adopted much more widely, both in the vulnerability disclosure process and in other areas of research.
The biggest obstacle to more widespread adoption is not in the technical details. Instead, it’s figuring out a way to translate the complex mathematical process and jargon behind such proofs in a way that doesn’t require an advanced mathematics degree to understand. After all, it does no good to go through all the work of developing an accurate zero-knowledge proof if the person or organization you’re trying to convince doesn’t know what that is or why it means they have to believe you.
This needs some time for people to understand the approach, and they have to see that math proof and be comfortable with that.
Reference Links :