that could better choose which software con guration is more secure in that particular time-frame; (b) the vendor, that could better allocate human and economic resources by means of a more knowledgeable understanding of actual exploitation risks, thus increasing product security and monetization of e ort.

In the next section I give some brief de nitions helpful in describing vulnerability exploitation. In section 3 I introduce the di erent markets involved in the process and describe the structure supporting it. Finally in section 4 I draw my conclusions and Ph.D. proposals, formulating three hypothesis that, if hold true, could help improve software security and patches scheduling. 2

Vulnerabilities. I use Ozment's de nition of vulnerability [ 6 ], according to which vulnerabilities are mistakes in the code or in the con guration of a software that can cause violations in its security policy. These mistakes can be exploited by an attacker to get access to the vulnerable system.

Exploits. One could identify di erent levels of maturity of an exploit as they usually are born as simple proofs-of-concept, are then scripted and eventually automated [ 7 ]. Frei et al. in [ 8 ] analyzed more than 14 thousand vulnerabilities. Out of these only about 3400 were exploited, most of which within a month from the disclosure of the vulnerability.

Attacks. An attacker needs to exploit (at least) one vulnerability in the system to reach his goal. The relation between exploitation time and vulnerability disclosure date is shown in [ 9 ] by Arora et. al: attacks increase at the time of the vulnerability disclosure. There also seems to be a correlation between randomwide information scans and attack probes, evidencing that untargeted attacks are common practice [ 10, 11 ]. 3

Vulnerability and exploit markets are distinct but related: while the former is divided between legitimate and illegitimate markets [ 12 ], the latter is mostly an underground activity usually labeled as `black market'. On the other hand, the nancial consequences of vulnerability exploitation have been shown to go far from solely their market value [13{15].

The market of vulnerabilities. No extended study exists, to the best of my knowledge, on the value of vulnerabilities in the black market. In [ 12 ] a very interesting insight on the legitimate vulnerability market is given; there are many di culties in the legitimate selling of vulnerabilities to vendors, because of the `secretive' nature of the good. The relationship between the software vendor and the security researcher, especially if independent and external to the company, can be trouble1: the vendor may indeed not appreciate the bad publicity that the disclosure of a vulnerability earns him [ 16 ]. 1 http://news.cnet.com/8301-27076 3-57320190-248/apple- boots- security-guru-whoexposed-iphone-exploit/

The market of attacks. The economical value for the attacker seems significant: in [ 13 ] Franklin et al. investigate the amount of nancial and economicalrelated information that circulate in the market; they calculate the value of the market of the credit cards only to be about 37million USD; if one considers bank data theft and identity theft, their estimation increases up to 93million USD. The magnitude of these estimates is also con rmed in [ 17 ]. Motoyama et al. in [ 14 ] study the dynamics of underground forums, in which these data are actually traded, and show the high interest the criminals put in online payment accounts and stolen nancial information.

The market of exploits. Lately spam has become a way to di use malicious links that drive the user toward domains controlled by the attackers, that can then try (and often succeed) to exploit their systems; very di use vectors for such an activity are porn sites [ 18 ], botnets [ 15, 19, 20 ], and social networks [ 21 ]. Once the attacker gets access to the victim's machine, he can install keyloggers or any kind of malware that will provide him with the victim's private data or `permanent' access to the machine, at his will.

The pro le of the coders that write exploits may vary a lot, ranging from security enthusiasts to professionals. Some coders put a lot of e ort in e ciently exploiting vulnerabilities; these `e cient' exploits are featured in web applications with a MySql backend; the community calls them Exploit Kits.

It is my opinion that the Exploit Kits phenomenon can shed some light on the exploiting economics underlying the whole data-theft market, and due to some of its peculiarities can perhaps be of great value in better evaluating e ective risk. Moreover, it provides preliminary evidence that exploiting activities are governed by an economical process not yet investigated by the scienti c community.

There are many di erent Exploit Kits on the market, very often advertised in underground forums such as exploit.in and vendors.pro. Examples of these are Phoenix, Eleonore, Blackhole, Crimepack. Exploit kits are rented to the interested attacker for di erent periods of time, usually up to an year; a oneyear license would cost from 1000USD to 2500USD2. Perhaps the most popular Exploit Kit around is now Blackhole3, but Phoenix and others have a signi cant market share too. Their coders seem to put a lot of e ort in code obfuscation and encryption4. Even more importantly and perhaps counter-intuitively, but supporting the hypothesis that exploitation is driven by economical processes, the number of exploited vulnerabilities in these packs is in the order of ten or less, and many of them are very old ones.

As an example, these are the softwares exploited in Eleonore v1.6.5, released in March 20115 featuring only 10 exploits, most of which are at least 1-year old and two of which are 5+ years old: MDAC(2006), WMI Object Broke (2006), 2 http://malwareint.blogspot.com/2010/01/state-of-art-in-eleonore-exploit-pack.html 3 http://dvlabs.tippingpoint.com/blog/2011/04/26/blackhole-exploit-kit 4 http://research.zscaler.com/2011/02/blackhole-exploits-kit-attack-growing.html 5 http://exploit.in/forum/index.php?showtopic=46653 (account required to access the page; the reader might want to use a TOR network or a secure proxy to access the page, depending to whom belongs the IP used)

Snapshot (2008), IEpeers (2010), HCP (2010), PDF libti mod v1.0 (2010), Flash <10.2 (2011), Flash < 10.2.159 (2011), Java Invoke (2010), Java trust (2010). Analogous are Blackhole's6 and Phoenix's7 o erings, as many others' too8. The vulnerabilities in those Exploit Kits concern a small set of widely di used and exposed softwares such as Java, Flash, or Adobe Reader plugins; while at the time of writing Java seems to be the main target in the most di used exploit kits9 (Blackhole, Phoenix), in the past were mainly targeted O ce Plugins and Flash10, suggesting there might be additional, software-related trends in the process. Exploit kits are advertised by screenshots and exploiting success rates11.

The actual exploitation takes place when the victim requests the, say, `exploit.php' page on the attacker's domain12. The attacker must fool the user in requesting that web-page: apart from social engineering and direct link spam techniques, the attacker usually compromises one or more hosts (often by means of SQL Injection) and insert an iframe in the domain's homepage that redirects connections towards the attacker's `exploit.php' page; this is a very common practice, as evidenced by sites such as Malware Domain List13 that serve as a database of hosts that have been compromised. Once the victim reaches the attacker's host, a set of exploiting scripts is run; as a consequence, the successful attacker can often execute code on the target machine: install keyloggers, steal data, download malware and/or make the machine part of his botnet. In order to increase the hit rate, the compromised sites might be acquired by somebody else; the attacker could (and this may not be an exhaustive list): { buy a set of hosts compromised by somebody else { rent connections to compromised hosts from whom acquired them { rent connections from tra c brokers14;15 that buy tra c from some third party (2-6USD per 1k connections).

In particular, the second approach is made easier by the existence of trafc dispatchers (e.g. SimpleTDS16), and often augmented by botherders themselves [ 22 ]; the third is widely di used in pay-per-click(-install) scenarios such as porn networks [ 18 ] and others [ 22 ]: the tra c from a compromised host is sold by the `compromiser' to the tra c broker, which will then receive a certain amount of connections from victims that accessed the compromised host. These 6 http://exploit.in/forum/index.php?showtopic=41662 7 http://exploit.in/forum/index.php?showtopic=37627 8 http://vil.nai.com/images/FP BLOG 100527 1.jpg 9 http://www.kaspersky.com/about/news/virus/2011/Ja va the Target of

Choice for Exploit Kits in 2011 10 https://threatpost.com/en us/blogs/carberp-and-black-hole-exploit- kit-wreakinghavoc-120511 11 http://malwareint.blogspot.com/2010/09/black-hole-exploits-kit-another.html 12 http://blog.imperva.com/2011/12/deconstructing-the-black-hole- exploit-kit.html 13 http://www.malwaredomainlist.com/ 14 http://www.tra cshop.com/ 15 http://www.tra cholder.com/ 16 http://www.simpletds.com/ very connections are redirected by the tra c broker to his clients, that in turn have bought a certain amount of `tra c' that will be directed straight to the `exploit.php' page under their control [ 18, 22 ]. 4

From this preliminary analysis, the exploitation market results far from being simply driven by enthusiasts, unorganized hackers or groups of hackers: there is a whole infrastructure supporting both the exploitation of vulnerabilities and the economic investment that the attacker must (and apparently actually do) sustain. This gives preliminary evidence and, to my opinion, a very good reason to further investigate the dynamics of exploitation and the attackers' goals, in order to provide insights about actual security and perhaps, eventually, to better evaluate security metrics, countermeasures, risk assessment and to support vendors' patching behavior.

My research goal is to nd a novel, more precise way to describe vulnerability exploitation, and thus to evaluate the e ective risk factor a ecting a system. In order to accomplish that, I formulate the following three hypotheses: { Hypothesis (1). Attackers are economically rational. { Hypothesis (2). There is a substantial di erence in success rates between public and commercial exploits. { Hypothesis (3). Commercial exploits are not redundant (i.e. not many exploits exist in the same time-frame for the same system con guration).

Therefore by (2) higher risk would come from those vulnerabilities for which a commercial exploit exists; if (1) holds, then the most dangerous vulnerabilities will be those that are e ciently exploitable, because those would optimize the exploitation success rate and thus maximize attackers' return on investment. Following (3) vulnerabilities that provide access to a certain system con guration for which other, easier or more e ciently exploitable vulnerabilities exist would represent a lower risk because of less interest to the attacker.

I'm planning to investigate those hypothesis during my Ph.D. program here at the University of Trento. Hypothesis 3 can be validated by analyzing hackers' exploitation resources; I'm planning to further understand how much di used those tools are as attack vectors. I'm also willing to understand who is behind their development and how pro table this activity is. Hypothesis 2 will involve testing the e cacy of publicly released exploits against the ones featured in exploitation tools from (3). Dulcis in fundo, Hypothesis 1 will be the toughest one to investigate: to collect evidence of the importance of the economic aspects in the attacking process may not be su cient; I'm planning to conduct interviews with (professional) hackers and to design and deploy a social experiment with the purpose of better understanding how much e ort the attackers are willing to put into the exploitation of a system.

The validity of those hypotheses could smooth the way toward a more precise and realistic risk assessment process, and signi cantly improve security metrics's reliability, patching priorities, and system hardening e ciency and e cacy.