CybersecurityZero-Knowledge Proofs in Vulnerability Disclosure
Today, the disclosure process for software vulnerabilities is fraught with challenges. Cybersecurity researchers and software security analysts are faced with an ethics versus efficacy dilemma when it comes to reporting or sharing discovered bugs. Revealing a vulnerability publicly may get the attention of the program’s developers and motivate a timely response, but it could also result in a lawsuit against the researcher. Researchers develop capability to mathematically prove exploitability of vulnerable software without revealing critical information.
Today, the disclosure process for software vulnerabilities is fraught with challenges. Cybersecurity researchers and software security analysts are faced with an ethics versus efficacy dilemma when it comes to reporting or sharing discovered bugs. Revealing a vulnerability publicly may get the attention of the program’s developers and motivate a timely response, but it could also result in a lawsuit against the researcher. Further, public disclosure could enable bad actors to exploit the discovery before a patch or fix can be applied. Sharing the vulnerability directly with the software maker on the other hand is ethically sound, but may not necessarily prompt action. As history has shown, software makers are often reluctant or unwilling to engage with outside security teams and the disclosed vulnerabilities are frequently ignored, or corrective action is dangerously delayed.
DARPA’s Securing Information for Encrypted Verification and Evaluation (SIEVE) program is exploring potential solutions to this problem through the use of zero-knowledge proofs (ZKPs). ZKPs are mathematically verifiable problem statements that can be used to reason about software or systems. The proofs can be used publicly without giving away sensitive information. SIEVE is focused on developing computer science theory and software capable of increasing the expressivity of problem statements for which ZKPs are constructed while also making it easier to use the cryptographic method.
“Prior to SIEVE, one primary focus of applying ZKP research had been on maximizing the speed of communicating and verifying proofs – sometimes called ‘succinct zero-knowledge’,” said Josh Baron, the program manager leading SIEVE. “For applications like cryptocurrency and blockchain transactions, prioritizing communication and verification efficiency is essential. However, for many potential defense applications, including for highly complex proof statements like those that the Department of Defense may wish to employ, achieving total efficiency and optimization across all metrics may be needed.”
In the case of vulnerability disclosure, ZKPs could allow a vulnerability researcher (the prover) to convince a software maker (the verifier) that they possess a piece of information – such as a bug or an exploit – without revealing so much information that their potential for a reward is ruined or requiring that they divulge how the information was uncovered. One year into the SIEVE program, two research teams have demonstrated the first-ever capability to mathematically prove the exploitability of vulnerable software without revealing critical details around the vulnerability itself or the exploit.