Grant Willcox, a student studying ethical hacking at the University of Northumbria in the UK, is claiming that the Wassenaar Arrangement, an arms control treaty that was expanded last year to prohibit the export of various kinds of software exploit, is forcing him to censor his dissertation.
Willcox's research investigates ways in which Microsoft's EMET software can be bypassed. EMET is a security tool that includes a variety of mitigation techniques designed to make exploiting common memory corruption flaws harder. In the continuing game of software exploit cat and mouse, EMET raises the bar, making software bugs harder to take advantage of, but does not outright eliminate the problems. Willcox's paper explored the limitations of the EMET mitigations and looked at ways that malware could bypass them to enable successful exploitation. He also applied these bypass techniques to a number of real exploits.
Typically this kind of dissertation would be published in full. Security researchers routinely explore techniques for bypassing system protections, with this research being one of the things that guides the development of future mitigations. Similarly, publishing the working exploit code (with a safe payload, to prove the concept) is standard within the research community.
However, Willcox's paper doesn't do this. Writing on his blog, he explains that some pages have been removed due to a combination of the Wassenaar Arrangement's restrictions and the university's ethics board forbidding the release of exploits. He says that he will release the exploits only to consultancies within the UK, thereby avoiding any exports.
(Score: 1, Interesting) by FunkyLich on Saturday July 04 2015, @08:24PM
Good idea of ethical hacking, but if he were a bit older, he would know better than to base his dissertation paper on exposing security holes of commercial software.
And not just any software but nothing less than Windows (any version which is still supported and updated). Of all his good intentions, there isn't any which could be worth some amount of lost sale revenue for Microsoft which could be a side effect of the negative propaganda falling in the area labelled: "Look! This operating system is so crap that nowadays students use it as the poster child of security holes and they use it as base for writing dissertation papers on how to make it better. Students nowadays know Windows better than Microsoft does."
The EULAs are there just to cover asses in cases like this. If this wasn't named a dissertation paper but "Security Audit" or something in these waters, I think he'd be faring much much better.
But this is just a theory anyway.
(Score: 1, Interesting) by Anonymous Coward on Saturday July 04 2015, @09:26PM
Or he handled things in the wrong order. Tell Microsoft about the vulnerabilities before the whole publishing, releasing thing. If he found them, then odds are the bad guys have or will find them. Once they are all patched up (and, incidentally, I think EMET should tie into Windows/Microsoft Update once installed, to make this easier), then you can show the actual exploits, talk about them, etc. No ethical issues abound if they are relatively worthless once released.
Also, EMET isn't the only program that offers these kinds of exploit mitigation (MalwareBytes Anti-Exploit and HitmanPro.Alert come immediately to mind). So I can see how maybe he thought he wasn't attacking a particular piece of software or company, but the whole theory of protecting yourself like this.
(Score: 0) by Anonymous Coward on Saturday July 04 2015, @10:22PM
OR HE COULD JUST go for it. Publish and see what happens.
Fuck the consequences.
(Score: 1) by redneckmother on Sunday July 05 2015, @03:35AM
Well, I dunno... the consequences could be ... extreme ...
I do agree that he should publish.
More beer, please.