Friday, September 18, 2015

Some notes on NSA's 0day handling process

The EFF got (via FOIA) the government's official policy on handling/buying 0days. I thought I'd write up some notes on this, based on my experience. The tl;dr version of this post is (1) the bits they redacted are the expected offensive use of 0days, and (2) there's nothing surprising in the redacted bits.

Before 2008, you could sell 0days to the government many times, to different departments ranging from the NSA to Army to everybody else. These government orgs would compete against each other to see who had the biggest/best cyber-arsenal.

In 2008, there came an executive order to put a stop to all this nonsense. Vuln sellers now only sold 0days once to the government, and then the NSA would coordinate them with everyone else.

That's what this "VEP" (Vuln Equities Process) document discusses -- how the NSA distributes vulnerability information to all the other "stakeholders".

I use "stakeholders" loosely, because there are a lot of government organizations who feel entitled to being part of the 0day gravy train, but who really shouldn't be. I have the impression the NSA has two processes, the real one that is tightly focused on buying vulns and deploying them in the field, and a notional one where they deal with the bureaucratic nonsense that is government. This VEP document is probably the second one.

I don't think the redactions hide anything of consequence. For example, take a look at the first redaction:

The missing words are "Offensive Capabilities", and this isn't too hard to figure out.

The next redaction is refers to paragraph 49 of NSPD-54/HSPD-23. Well, EPIC got this document a while ago, and it's here ( (also here). Though paragraph 49 is redacted here, we can read it form the original document there.

Activists have pointed out this unhelpful part of the document:

But as the text says, these parts redacted here are simply a summary for what is detailed in the sections below. Those are mostly not redacted. So we can reconstruct the process:

a. All 0days must first be sent through this process before anything else (with exceptions).
b. Each department involved will designate a point-of-contact who ensures their organization is represented in the process.
c. This process applies only 0days (newly discovered vulns that aren't publicly known).
d. The NSA is in charge of this process.
e. Any organization that gets an 0day gives it to the NSA, then the NSA distributes that 0day to all the member organization point-of-contacts.
f. Organizations will then evaluate the 0day, and then have their point-of-contact report what the organization believes should be done (e.g. use for cyber-offensive, or contact vendor and have them patch it).
g. The executive board made up of all organizations will decide what to do with the 0day.

The organizations involved are intelligence (NSA, CIA, etc.), military (Army, Air Force, JSOC, etc.), Departments of State, Justice, Commerce, Treasury, Energy, and of course, Homeland Security.

I'm not sure what the word "equities". I think it means anybody who has an "ownership interest" in an 0day. These are listed in Appendix A, but most are redacted. They show the "defensive" need and essentially nothing else.

But we know what the redacted equities are about "offensive" use of vulns, in particular, for intelligence and for military operations.

Whatever this policy states, I'm sure practically things are handled much differently. For 0days in SCADA/ICS equipment, for example, they go directly to the Department of Energy, and the focus will be on getting those things patched.

On the other hand, the NSA has its offensive programs. Every time Apple updates iOS with new Safari protections, they'll buy the first 0day that gets around it. I suspect there's just a standing item of "iPhone 0days" where all departments have agreed that go to the NSA for offensive exploitation, since the particulars (other than iPhone version) never change. Indeed, the NSA has a whole class of similar bugs, bought from the 0day market that flow through to their tools for exploitation.

Moreover, as I read the document, the NSA (at its discretion) can trump the entire process and keep things secret. For example, if somebody sold a way to factor 2048 bit numbers to the NSA for $1 billion, they'd keep that secret from everyone in the government except maybe the President. It'd be interesting knowing how often this has happened.

Note that this document is phrased in terms of 0days the government just happens to come across. To some extent this is valid, where the Department of Energy and DHS comes across 0days in industrial systems. But mostly what's talked about here is where the NSA buys 0days in the shady underground vulnerability market. Again, this shows a difference between the claimed process in the document, and what's really happening.


So in summary, as we reverse engineer the redacted bits, we see just what we'd expect for offensive use of 0days. As we read the document, we see just what we'd expect from bureaucracy. The missing bits aren't the redaction themselves, but what practically happens in the real world: this policy seems aspirational, what everyone agrees is the official policy, and how 0days are handled that nobody really cares about. But for the real 0days that the NSA uses, like whichever latest iPhone 0day that exists, I suspect in practice there's a very different process.

Update: Kim Zetter has discussions of the "equities" process in her Stuxnet book. Where this post just reflects my experiences with the government, her book is researched talking to lots of people.

Op-ed: By the way, I disagree with most privacy/security activists. I think it's nonsense that the NSA buying 0day makes our computers less safe; I suspect quite the opposite is true. I do think the NSA has gone too far and needs to be reigned in a bit, but there's nothing special about 0days in this regard.

No comments: