In the world of Information Security, there is great potential for conflict between the research aims of academics on the one hand, and the interests of industry and government on the other. As just one example, consider the implications of publishing an academic research paper describing a cryptographic flaw in the Data Encryption Standard (DES). Even today, with DES in its original form gradually being phased out in most applications, this would be headline news in the academic community. If this event had occurred 10 or 20 years ago, then a good deal more might have been at stake: assuming the flaw to be sufficiently serious, such a paper would have had a potentially major commercial and financial impact, and could have dented public confidence in the development and standardization processes that produced DES.
Faced with such a situation how should academic researchers behave? Should they avoid sensitive targets where the discovery of flaws would have more than simply academic consequences? Or should they home in on targets of this type, taking the view that the sooner we know the weaknesses, the sooner they will be rectified? If they choose the former path and do find a flaw, what is the best route to publicize their findings? After all, the dictum “publish or perish” was never more true for academics than it is today, with enormous pressures on them to produce high-impact research. What then is the best way to advise interested parties in industry and government so they can react? How can these parties even be identified? Is it a good idea to attempt to generate press headlines so as to spread the news as quickly as possible, or would this simply smack of irresponsible scare mongering? And what is the role of the press in all this?
These are all important questions to which there is no clear cut simple “correct’ answer. However, we will describe one way that a balance can be struck between the competing interests of academics (wishing to publish their findings) and other parties needing to react to news of a flaw (by deploying patches, updating systems, and so on).
The case study that we describe next is based on our own recent experiences in working on IPSec, a set of secure protocols standardized by the Internet Engineering Task Force (IETF). IPSec is used for building virtual private networks to provide secure communications over untrusted networks. Today it is widely deployed in operating systems and networking hardware. Unfortunately, the IPSec standards are notoriously complex with many, many configuration options possible. In the Information Security Group (ISG) at Royal Holloway, we found attacks against the Linux kernel implementation of IPSec in a particular configuration, widely known as “encryption-only”. Our attacks showed this mode to be completely insecure in the Linux implementation. And these were not just “attacks on paper”: we wrote an attack client and demonstrated the attacks in the laboratory with a realistic network set-up and operating conditions.
Naturally, we then asked ourselves the questions: What is the real-world impact of our attacks, and how should we spread the news? Even answering the question of whether the encryption-only mode was in wide use or not was not simple. The IETF standards clearly advise against using it, and yet the same standards mandate that this mode be supported by implementations! We found several on-line configuration guides for IPSec that showed how to configure IPSec in encryption-only mode in a step-by-step manner. Industry contacts also suggested that this mode might well be in fairly widespread use. However, it was not even clear at that point (in early 2005) whether our attacks would work against other implementations.
Given our uncertainty about the true impact of our research, we felt that headline grabbing would have been easy but irresponsible. Our solution was to contact staff at the UK’s National Infrastructure Security Co-ordination Centre (NISCC) and invite them to Royal Holloway for a demonstration of our attacks and a discussion about the best way forward. That meeting took place in mid-April 2005. We immediately began work with NISCC’s vulnerability team to write a vulnerability announcement; this was released by NISCC to the vendor and user communities in late April and generated enquiries from around a dozen companies, large and small. We worked with NISCC to assess the impact of our research for each of these companies on an individual basis.
Then, on May 9th 2005, NISCC made a High Severity Vulnerability Announcement about our IPSec work. This announcement was relayed by US-CERT, Aus-CERT, and other agencies, and picked up by the likes of zdnet, eweek, The Register, and cnet news. It then went on to generate plenty of speculation and conspiracy theory on slashdot and other on-line discussion sites. Also on May 9th, a research paper describing our attacks was circulated to selected researchers and submitted to a major international conference. A revised version of the research paper was later posted on the web; this improved version incorporated significant feedback from vendors, standards writers and the academic community.
From our perspective, working through NISCC gave us an improved understanding of the impact of our research. It also acted as a valuable relationship building exercise for us, both with NISCC and the Information Security industry. For vendors and users, our choice to work with NISCC ensured they had prior knowledge of the IPSec vulnerabilities before any public announcement was made, and gave them a head start in assessing the impact on their IPSec products and deployments.
This partnership approach required a bit more time and effort on our part. But with national and commercial security interests potentially at stake, applying a precautionary principle seemed to us to be the right way forward. Ultimately, the approach we took had the unexpected benefit of generating feedback that improved the quality our research. And we are now, literally and metaphorically, on the Christmas card lists of a few more important commercial and governmental organizations.