Vulnerability Research and Ethics


    “It seemed that when people entered the computer center they left their ethics at the door”
    Donn Parker, “Rules of Ethics in Information Processing”, 1968


    There are weaknesses in everything: in our bodies, exposed to viruses and the passage of time, and in our memory and mind. The software we create is also imperfect.

    In this article I will try to consider the ethics of searching for and researching vulnerabilities.

    Throughout its history, humanity has probably sought out vulnerabilities in many fields, medicine for example. In the picture below, medical scientists study the body of a deceased person in order to understand how the human body works.


    Dr. Tulp's Anatomy Lesson. 1632. Rembrandt

    In my opinion, the history of medicine and the history of vulnerability research in software have a lot in common. Not so long ago, medical scientists could be found guilty of conducting medical research, because such work contradicted the ideology of church and state. Over time, mankind became convinced of the need for medical research and experiments, but at the same time certain rules and recommendations for such studies were developed, for example the Nuremberg Code (1947) (1) or "The Belmont Report. Ethical Principles and Guidelines for the Protection of Human Subjects of Research", 1979 (2).

    Information technology is so closely intertwined with all aspects of our lives that it is impossible to imagine modernity without it. However, every technology has vulnerabilities, and their exploitation is a threat to humans.

    First we define what ethics and vulnerability are:
    Ethics is the doctrine of morality: its development, principles, norms and roles in society.
    Vulnerability is a property of a system that characterizes the possibility of damage of any nature being caused to that system by certain external means or factors.

    Why are we looking for vulnerabilities?


    People can have completely different motives for searching for vulnerabilities; we list some of them:

    - curiosity;
    - research interest;
    - selfish interest;
    - the desire to become famous, to earn a reputation;
    - a range of personal motives;
    - do a good deed.

    An interesting ethical situation arises when a person has the qualifications to search for vulnerabilities but does not do so, and circumstances then push him toward it.

    To approach this question, I propose considering a slightly modified Heinz dilemma:
    A woman is dying from a particular form of cancer. There is only one medicine that, according to doctors, could save her: a recently discovered drug. The drug is expensive to produce, but the pharmaceutical company set a price 10 times higher than that.

    The sick woman's husband, Heinz, went around to all his friends, borrowed as much as he could and tried every legal means, but collected only about half the amount. He turned to the pharmaceutical company for help and asked it to lower the price of the medicine or to sell it in installments, but the company replied that it was not going to change its pricing policy.
    Then Heinz decided to hack into the company's corporate network, steal the formula of the drug and the method of its manufacture, and pass this information on to someone who could make the medicine for his wife.

    Should Heinz steal the medicine? Why?
    If Heinz did not love his wife, would he still have to steal the medicine for her?
    Suppose it was not his wife who was dying, but a stranger. Should Heinz steal the cure for a stranger? Why or why not?

    Most importantly: there is no "right" solution to this dilemma! If a person believes that the pharmaceutical company should be hacked, that belief cannot be called more or less moral than the opposite one; the whole question is how the decision is reached (3).
    In this regard, the position of Bruce Schneier (4) is interesting; he says:
    To me, the question isn't whether it's ethical to do vulnerability research. If someone has the skill to analyze and provide better insights into the problem, the question is whether it is ethical for him not to do vulnerability research.

    Perhaps one can partially agree with the view that the central question is not whether to investigate software for vulnerabilities, but whether it is ethical for this particular researcher to do such work, whether he is able to conduct such studies, and how ethical the study itself is; and there remains, of course, the question of the applicability of the law.

    What codes of ethical conduct exist in IT?


    - "IEEE Code of Ethics"; (5)
    - "ACM Code of Ethics and Professional Conduct"; (6)
    - "Software Engineering Code of Ethics". (7)

    Principles for Ethical Vulnerability Research


    The authors of the article “Empirical Research and Research Ethics in Information Security” (8) provide the following list of principles of ethical research in the field of information security:
    - Do Not Harm Humans Actively;
    - Do Not Watch Bad Things Happening;
    - Do Not Perform Illegal Activities to Harm Illegal Activities;
    - Do Not Conduct Undercover Research.

    The Australian Council for International Development (ACFID) lists ten questions (9) that must be answered before starting any study:

    When planning to conduct research, consider:
    1. Is the research necessary and well justified? What are you looking to investigate and why is it important?
    2. Is the research well planned? Does it connect to a particular program of work in your organization? Do researchers have the relevant expertise to conduct the research?
    3. What is the context in which the research will be conducted? How will this context influence the research design?
    4. How is the methodology and analysis appropriate to the context and what is being investigated?
    5. What are the potential harms and benefits for researchers and participants that could arise from the research?
    6. What information about the research will be provided to the participants? How will free and informed consent be obtained and ensured throughout the research process?
    7. Are there any other parties or partners involved in the research? What are their interests in the research? Who will benefit directly and indirectly from the research?
    8. How do you plan to protect confidentiality and anonymity? What will happen to the data? How will it be accessed and secured?
    9. Have researchers received training, information and assistance related to addressing ethical issues?
    10. How will the findings be disseminated and used? Will participants have access to validating and receiving the results of the research? What will happen when the research is complete?

    It is also worth quoting a number of questions from the article “Towards Community Standards for Ethical Behavior in Computer Security Research” (10):

    - Are the research results intended to protect a specific population, and if so, which population? (E.g., the owners of infected hosts, the victims of secondary attacks using a botnet, the researchers' own institution, or the general internet user.)
    - Is there a way to achieve multiple benefits to society simultaneously when studying criminal botnet behavior? (E.g., developing new defenses, while aiding investigation of criminal acts and assisting victimized network sites?)
    - Who will benefit more from publication of research findings, and in which order: victims of criminal acts; authorities responsible for protecting their citizens; the researchers themselves; or the criminals who are perpetrating computer crimes?
    - Is there any other way to accomplish the desired research result(s)?

    Some conclusions and suggestions


    Analyzing the above, we can say that there are at least two categories of questions that need answers.

    Researcher ethics

    Before starting, the researcher needs to ask himself the question: "Will I cause harm?"
    Suppose, for instance, that the object of research is the interface of a working industrial system that has accidentally been "exposed" to the Internet. An attempt to search for vulnerabilities can, in one case, lead to a short-term malfunction in its operation, and in another, to an accident and, as a result, possible human casualties.

    The second important issue, in my opinion, is the researcher's "conflict of interest".

    Let me clarify this point: a study should be abandoned if the researcher himself has an interest in particular results. For example, a well-known information security specialist audits the security of a company whose controlling stake is owned by his close relative; the possible interest of such a specialist is obvious.

    Third, privacy.
    Information obtained by the researcher must not be used for personal purposes or in any other way that is contrary to the law.

    Fourth, professionalism: how competent the researcher is in searching for and studying vulnerabilities. For example, can a first-year student at a technical university, or an information security specialist with five years of experience "on paper", be considered an expert in this matter?

    I think a minimal independent assessment is needed, say a certain "passing score" in the field of work. After all, no one allows a student training to be a surgeon to operate on patients without first accumulating certain experience, including life experience.

    The ethics of the study

    Regarding the study itself, in my opinion, the following group of questions is worth considering.

    • Purpose of the study. How well the goal meets the criteria for ethical research.
    • For example, it is difficult to consider the purpose of a study of pacemaker security as ethical when, by the researchers' own admission, the goal of the study is to influence the stock price of the pacemaker manufacturer and profit from the difference (interview with MedSec Holdings CEO Justine Bone).
    • The boundaries of the study. The researcher needs to understand exactly at what point the work should stop.
    • Objectivity and completeness of the study. The study should take into account the factors relevant to it and use scientifically sound methods. The research company's financial model, which allows it to profit from short positions, cannot fully guarantee the objectivity of the research, and in practice this can turn security research into a competitive tool. It should be noted, though, that the conclusions about the vulnerabilities of St. Jude Medical, Inc. were verified by an independent expert in a US court (see case materials, Appendix A) (11).
    • The chosen research methodology. To what extent it will achieve the research objectives and observe the principles of objectivity and completeness for this kind of research.
    • Confidentiality of the study. If the "bad guys" obtain even incomplete research results, this can lead to sad consequences.
    • And the most important question: to what extent does the research violate human rights to privacy and security? People with pacemakers, having learned about their vulnerability, are unlikely to remain indifferent to this circumstance; on the other hand, the dissemination of information about the vulnerability cannot be prohibited. This is directly indicated by the court decision:

    "Plaintiff's request for injunctive relief fails because, ... also would undermine the public interest by enabling Plaintiff to continue marketing products with significant security vulnerabilities, as detailed in the Muddy Waters reports and confirmed by the Bishop Fox analysis, see Exhibit A. Thus, any such injunction, by silencing Defendants, endangers the lives and risks the health of thousands of unsuspecting consumers."

    Given the above, the following research checklist can be used:

    1. Is this research necessary: what are the arguments for and against?
    2. What is the true purpose of the study?
    3. If you work for a company in the field of information security, are the objectives of the study consistent with the goals of the company?
    4. Do the researchers have the appropriate knowledge to conduct such a study?
    5. Is the design adequate, and does the methodology correspond to the content of the study?
    6. Is there any other way to get similar research results?
    7. What potential harm and benefit to researchers and participants may result from the research?
    8. Are there any other parties or partners participating in the study? What are their interests in the study? Who will benefit directly or indirectly from the research?
    9. Is there a "conflict of interest" around the study?
    10. How do you plan to protect confidentiality and anonymity? What will happen to the data? How will access to it be provided? How do you plan to organize data protection?
    11. Have researchers received training, information, and assistance related to ethical issues?


    Questions about the ethics of searching for and researching vulnerabilities will always exist; as the history of medical research shows, at the very least a public institution for overseeing vulnerability research in information technology will have to be formed.

    It may also be worth extending the discussion of the boundaries of vulnerability research ethics to working systems, in terms of their reliability and continuity of operation: if degradation of an IT service occurs in a controlled research environment, that is better than the same degradation happening during a real, unexpected attack by attackers.

    It is worth expressing the hope that social processes around the ethics of vulnerability research will continue to develop. I believe we can already observe this process in the area of vulnerability disclosure.

    In the next article I will try to discuss approaches and existing practices for disclosing information about software vulnerabilities.

    Sources
    (1) Nuremberg Code
    (2) The Belmont Report. Ethical Principles and Guidelines for the Protection of Human Subjects of Research
    (3) Heinz Dilemma
    (4) Bruce Schneier, The Ethics of Vulnerability Research.
    (5) IEEE Code of Ethics.
    (6) ACM Code of Ethics and Professional Conduct.
    (7) Software Engineering Code of Ethics.
    (8) Weippl E., Schrittwieser S., Rennert S. (2017) Empirical Research and Research Ethics in Information Security. In: Camp O., Furnell S., Mori P. (eds) Information Systems Security and Privacy. ICISSP 2016. Communications in Computer and Information Science, vol 691. Springer, Cham
    (9) Principles and Guidelines for ethical research and evaluation in development.
    (10) Dittrich, D., Bailey, M. D., Dietrich, S.: Towards community standards for ethical behavior in computer security research. Technical Report 2009-01, Stevens Institute of Technology, Hoboken, NJ, USA (April 2009)
    (11) Litigation

    Additional material
    (1) E. Kenneally, M. Bailey, and D. Maughan, “A Framework for Understanding and Applying Ethical Principles in Network and Security Research,” in Workshop on Ethics in Computer Security Research (WECSR). Jan 2010.
    (2) Dittrich, D., Bailey, M., & Dietrich, S. (2011). Building an active computer security ethics community. IEEE Security and Privacy, 9 (3), 1–9.
    (3) Buchanan E., Aycock J., Dexter S., Dittrich D., Hvizdak E. "Computer science security research and human subjects: emerging considerations for research ethics boards."
    (4) Conducting Cybersecurity Research Legally and Ethically. Aaron J. Burstein. University of California, Berkeley (School of Law)
    (5) Ethics Research & Development Summary: Cyber-security Research Ethics Decision Support (CREDS) Tool Workshop on Ethics in Networked Systems Research
    (6) Ethical Dilemmas in Take-down Research. Tyler Moore and Richard Clayton. Center for Research on Computation and Society, Harvard University, USA
    (7) Schrittwieser, S., Mulazzani, M., & Weippl, E. (2013), "Ethics in Security Research - Which Lines Should Not Be Crossed?", Security and Privacy Workshops (SPW), 2013 IEEE, pp. 1-4.
    (8) Legal, Ethical, and Professional Issues in Information Security, Jessica Shimmal, Faculty of Science, Information and Technology, University of the South Pacific, Laucala, Fiji Islands
    (9) The Sage encyclopedia of qualitative research methods / editor, Lisa M. Given.
