Boffin suggests Trappist monk approach for Spectre-Meltdown-grade processor flaws, other security holes: Don't say anything public – zip it

My first reaction is to smack my forehead, and think, "What an idiot!"

However, a lot of it depends on the company or organisation that owns/maintains the software/service/device upon which the flaw exists.

If the company is known to be responsible and can indicate privately to the whitehat discoverer that the flaw needs X amount of time to fix (where X might be relatively small for software and probably a lot larger where hardware may be involved) then the discoverer should allow the company that amount of time (+ a bit of leeway) if it sounds reasonable to develop and push out the update. For those companies that are known to ignore such things and only react when the faeces hit the rotating blade type air circulating device then public disclosure should not be held back as that is the only way to get the flaws fixed.

In the end the way a flaw should be reported, patched and eventually made public should depend on an agreed, responsibly thought out timeline for that particular flaw that prioritises public security (and doesn't just pay lip service to it).

With regard to Spectre/Meltdown then El Reg's disclosure was probably timely as Intel has, in the past, been known to downplay things until their hand is forced.

the price of zero day vulnerabilities

The price of zero day vulnerabilities has been increasing over the years, very significantly for some platforms.

This suggests that either it's getting harder to find significant vulnerabilities, and/or that the value of a security break-in has increased a lot too.

So even if the "white hats" decided that trying to find vulnerabilities was a bad thing and stopped altogether, the "black hats" have a big financial incentive to carry on, and of course the latter will do their best to keep them secret which makes things less secure for everybody and reduces the chance of a fix.

Personally, I'd prefer to keep going with the good guys finding bugs and getting paid for responsible disclosure, I can't see a better way other than revolutionising the way software is developed so that such bugs are made unlikely or impossible to make!

Security through obscurity

...or in other words, pretending that because you can't see it, there isn't a problem.

With greatest respect to El Reg's team

If they can spot that there is something awry with some unannounced security fixes, professional blackhats would also be aware.

An open letter

I'd like to write an open letter to people who think this professor's approach is the right one.

Dear members of the computing community:

You're wrong. No, really. Completely wrong. I don't know what leap of logic you took, but while there might have been logic when you went up, there is none where you came down. You clearly need to be let in on a few facts of how security vulnerabilities work.

When a researcher finds a vulnerability, they identify it with enough precision, and report it. They could release it publicly, but few do. Usually only if it's a thing that will never be fixed. But they usually don't both because it's a bad idea and because they might get paid for their hard work. So they report it to a company, who hopefully does its homework and figures out how bad a problem this is and how they're going to fix it.

You see that "hopefully"? That's because some times they DON'T. They leave their product vulnerable, keeping the customers at risk, completely ignoring the researcher, and making a mockery of security. And that, my friends in the audience, is not a very nice thing. So sometimes, a bug has to be disclosed so the company will get up and actually do something, or at least they can be held responsible for their negligence. Do you know the word negligence? Do you know that it happens sometimes?

Now, let us surmise that a company has proceeded with our hopefully and fixed their bug. Yay, the patch is released. The vulnerability is gone. Yeah... Do you remember that whole wannacry thing? It was kind of a big deal back in May of 2017, when a lot of things suddenly started breaking? That bug was patched in March, and a lot of people didn't have it. Maybe that is because a lot of people are lazy and incompetent. Actually it definitely was. But another set were unaware how critical the patch was. That's what publicity does. It informs the IT literate that they need to get fixing, and it alerts those who are not IT literate to find someone who is IT literate to fix their stuff because it can be broken. This, in turn, results in less broken stuff.

You can disclose improperly or in a counterproductive way. No contest. So what? You can also drive in an improper way, too, but we don't ban driving because we're better off being able to get places quickly. Having something that can be done improperly isn't fixed by never doing that thing again. It is fixed by finding the ways to do it improperly, and not doing those. If it's critical enough, it's done by putting incentives in place not to do it improperly.

Welcome back to logic. Let me help you up. Now, if you'd like to start researching again, that's fine, but maybe run your output past us next time. After all, you seem to have been doing it improperly, and we don't want anyone hearing about it and deciding there will be no more research.

> "The world has been shaken up by the disclosure; was that necessary and helpful?"

The chaos and loss of trust that would occur if knowledge of such a major vulnerability were actively suppressed and was then later leaked with incorrect information, or worse, some baddie managing to cause real damage and that being what exposed it, seems like it would be far more damaging in the long run.

Famous saying...

See no evil, speak no evil, be a weevil

Should this guy be teaching?

As others have noted in the comments, there are many issues with this proposal, some of which I can think off the top of my head enumerated below:

1) Many bugs only get patched under the threat of public disclosure and shaming of the companies. Therefore if vulnerabilities were kept secret, many of them would only get patched once in-the-wild exploits were found and already being actively exploited.

2) How can you possibly notify all relevant vendors if a bug is found? For example, the Meltdown bug required operating-system software mitigations. From memory, only "the majors" were contacted to patch the issue - Microsoft, Linux, Google, a few others. I don't believe FreeBSD was notified. What about other smaller or niche O/S vendors? In this proposal, these other vendors may never know they need to patch their O/S until an active exploit was detected.

3) Just because no-one knows of an active exploit doesn't mean its not being exploited. If there are local configuration settings that can be done to mitigate the exploit even tho no actual patches have been released, then by this proposal no-one would know to use these settings.

Science 101

Apart from notifying regular users of what bad actors inevitably learn about earlier, and forcing the hand of lazy vendors, there is a pure science argument here. Publishing research spurs further research. It allows results to be replicated, deeper insights to be gained by others, and the frontier of knowledge progresses wider and faster as a result.

Spectre/Meltdown is as an adequate case study for this because new variants have continued to be discovered, in more chips, and the widespread open research into side-channel attacks (and paging specifically) before discovery meant software fixes had already been developed ahead of time. It meant the flaws were discovered several times semi-independently, as is often the case with these things (and highlights the futility of keeping them secret). The end result will be more comprehensive hardware fixes, in more chips, and more secure design practices in future. That even suits Intel because they're less likely to go through another round of bad publicity several years down the line.

Of course conventional wisdom should be challenged but it's surprising to see a research professor of all people advancing these naive, worn-out closed-science arguments.

(Please think of the information Gus, it just wants to be free)

Spectre and Meltdown?

Citing those flaws as a reason to not disclose seems, well, wrong. If ever there were a flaw that needed rapid exposure, Meltdown and Spectre was it. Forget Intel / AMD for a moment; there's probably billions of devices out there (phones) vulnerable to Spectre that are never, ever, going to receive a patch to fix it. For those platforms, the earliest possible disclosure was the only way forward. And from that, disclosure of the rest (Intel / AMD) would have followed anyway.

Ok, so I know that the flaws on x86 platforms were identified before those on ARM, but the x86 community not telling the ARM community about this kind of vulnerability wouldn't have been great. X86bods: "Here's a load of flaws in our hardware, now patched, this is how it works". ARMbods: "Gee well thanks for telling everyone EVENTUALLY, now we've billions of devices that have been vulnerable for yonks and there's nothing we can do to fix it."

Arguably, earliest possible disclosure on Intel platforms was important too; Intel can't fix everything they've built over the past decades. Meltdown was such a monumental clanger of a flaw, so readily exploited, that keeping it quiet was probably a bad idea. I do wonder what Intel were hoping for; unexplained microcode updates not really admitting to the fact that their previous decades' of production had a serious cock-up?

It's far easier with software; one bug, one author, one userbase, one fix easily rolled out to all users in a reliable fashion (apart from Android...).

Money, Money, Money Makes the World go Round and Keeps the Narratives Churning and a'Changing*

There are effectively an infinite number of unknown vulnerabilities ... What then is the point of actively ‘discovering’ new vulnerabilities and disclosing them?

What is the point? Oh please, one point is immediately obvious surely to everybody and anybody.

"Discover" unpluggable vulnerabilities whose stealthy disclosure would crash and crush formerly assumed and presumed invincible systems is a constant source of unbelievably generous fiat wealth which provides bounty with decisions/agreements/promises equally for either disclosure or an extended non-disclosure.

*The magic secret being ..... being able to ensure future directions and/or disclosures are also user friendly rather than simply and exclusively systems catastrophic.

IT aint rocket science. Even SMARTR Humans are easily bought off until such times as their discoveries and exploitation of new vulnerabilities are mitigated or superseded and turned to another more mutually advantageous beneficial direction. But do not be expecting to pay peanuts whenever the cost of failure to engage with such ACTivIT and principals is realistically priced in the trillions.

Capability ..

What price Roger Needham's CAP architecture now .... would have saved us from overflow-type exploits a long time ago ...

He's obviously a tenured academic who has never had to work for a living.

So? Responsible Disclosure?

Isn't what he's arguing for basically the ground rules for responsible disclosure? Keep schtum, report the problem to the company, give them enough time to fix it or at least give you a response and reasoned argument why they need more time or won't fix it. Then if the company is being an arsehat and only AFTER the previously set deadline has expired without action or response do you disclose to put pressure on the company.

I think the professor is being a bit naïeve in his thinking if he's arguing we should wait with disclosing until it's either patched or exploits are out there because the past has shown we won't know of many of the exploits in use until it's far, far too late.

Corporate shill

So who is paying this corporate whore? Intel? Diebold? Oracle?

Insecurity by obscurity

"Professor Gus Uht, engineering professor-in-residence at the University of Rhode Island, USA, argues that everyone would be safer if those who discover serious vulnerabilities refrain from revealing the details to the public, allowing the flaws to be secretly fixed by vendors and developers..."

... or not.

Well the design of my car wheels might make them explode at high speeds but I'm not allowed to know.

Human Behavior

Companies are like people. Some are responsible and will fix a bug when alerted in timely manner. Others are lazy and will only get off their asses when shamed. Finally some are unethical and do not care; again the only hope to getting a bug fixed is public shaming. And of course all kinds of shades of gray in between. So to get bugs fixed there must be the threat of public shaming with the real risk of a law suit if the bug is not fixed. This is the real world.

Also, it is unknown how many unreported bugs are being used in the wild; it is some number greater than 0. Since we do not know what is being used in the wild we do not know their severity as a security risk.

Publicizing bugs does alert the public to be watching for an major update to X or to get the update to X. Keeping it quiet might mean many may not update X.

No news here

Tourist academic writes unreviewed opinion piece on subject he hasn't studied, rehashing arguments that were developed much further by more-knowledgeable commentators years ago. Happens all the time; indeed, this sort of thing makes up the bulk of the letters in CACM, for example.

As the Avett Brothers put it: "Ain’t it like most people? I’m no different / We love to talk on things we don’t know about".

Withdraw his degree

Is he really a professor? How come he is unable to understand how complex is the chain of dependencies in modern software? For every library for every system API there are dozens of dependent modules handled by different teams. It's not just matter of fixing things at the source it's about informing all the parties involved and if something can't be immediately fixed at the source the dependent modules can adopt some mitigation strategies. The case of Spectre and Meltdown is exactly the example he shouldn't have raised. How come he didn't notice that even if the issue was not patched immediately a lot of workarounds were quickly released, first of all all the browsers reduced the accuracy of the system time functions in their Javascript engines, then came all the other patches one by one and the basic compiler changes were among the last to be released.

Furthermore it's not just about the software developed, an enterprise network is a complex environment, the software updates must be properly planned and sysadmins must know what they are dealing with.

FDIV/FaceTime

Way back then, a prof told Intel about flaky FDIV; he was ignored until the web exploded. Not a security issue.

A few weeks ago, a mother told Apple about flaky FaceTime (her son hit the problem); she was ignored ("go pay for a developer license 1st") until the web exploded. Very much a security issue.

A very different perspective, perhaps....

Professor Uht is no dummy, but...is very, very much a HW guy. I think that might color his attitudes towards vulnerability reporting, in terms of how and how quickly remediation might be possible or effective. No

"Dr. Uht has been on journal editorial boards, including the Journal of Instruction-Level Parallelism. He was Co-General Chair and Program Chair of the Boston Area Architecture Workshop (BARC-2006). Prof. Uht has served on several program committees and NSF review panels. He has contributed to many publications, including: COMPUTER magazine, IEEE Micro magazine, IEEE Transactions on Computers, IEEE Transactions on Parallel and Distributed Systems, and various conference and symposia proceedings. In 2001 and 2005 Prof. Uht was recognized for “Outstanding Contributions to Intellectual Property” by URI. He holds eight U.S. Patents and has one patent application filed; these are all in computer architecture, especially instruction-level parallelism and better-than-worst-case design. Dr. Uht is the recipient of the URI 1998 Aurelio Lucci Faculty Excellence Award in Electrical Engineering. Prof. Uht worked for four years at IBM on mainframe main- and extended- memory development. He also worked at the Laboratory of Nuclear Studies at Cornell University. He is a licensed Professional Engineer (P.E.) in the states of New York, Pennsylvania and Rhode Island. Dr. Uht was the College of Engineering representative of the local chapter of the Sigma Xi science honor society, and is also a member of the Eta Kappa Nu electrical engineering honor society, the IEEE (Senior Member), and the ACM."