SoylentNews

AnonTechie writes:

Grant Willcox, a student studying ethical hacking at the University of Northumbria in the UK, is claiming that the Wassenaar Arrangement, an arms control treaty that was expanded last year to prohibit the export of various kinds of software exploit, is forcing him to censor his dissertation.

Willcox's research investigates ways in which Microsoft's EMET software can be bypassed. EMET is a security tool that includes a variety of mitigation techniques designed to make exploiting common memory corruption flaws harder. In the continuing game of software exploit cat and mouse, EMET raises the bar, making software bugs harder to take advantage of, but does not outright eliminate the problems. Willcox's paper explored the limitations of the EMET mitigations and looked at ways that malware could bypass them to enable successful exploitation. He also applied these bypass techniques to a number of real exploits.

Typically this kind of dissertation would be published in full. Security researchers routinely explore techniques for bypassing system protections, with this research being one of the things that guides the development of future mitigations. Similarly, publishing the working exploit code (with a safe payload, to prove the concept) is standard within the research community.

However, Willcox's paper doesn't do this. Writing on his blog, he explains that some pages have been removed due to a combination of the Wassenaar Arrangement's restrictions, and the university's ethics board forbidding the release of exploits. He says that he will release the exploits only to consultancies within the UK, thereby avoiding any exports.