Class Central is learner-supported. When you buy through links on our site, we may earn an affiliate commission.

YouTube

Zero Days, Thousands of Nights - The Life & Times of Zero-Day Vulnerabilities and Their Exploits

Black Hat via YouTube

Overview

Explore the life cycle and impact of zero-day vulnerabilities in this 56-minute Black Hat conference talk. Dive into a rare dataset of over 200 zero-day software vulnerabilities and their exploits, many still undisclosed publicly. Gain insights into the zero-day vulnerability research and exploit development industry, including vulnerability types, development times, and longevity. Examine the decision-making process behind retaining or disclosing vulnerabilities, and understand their effects across various sectors. Learn about the characteristics of long-lived vulnerabilities, the impact of patches and code revisions, and the implications for both offensive and defensive cybersecurity strategies. Analyze survival probabilities, collision rates, and key findings that inform policy discussions surrounding zero-day vulnerabilities in this comprehensive exploration of their life and times.

Syllabus

Intro
The decision calculus is complicated
We focus on characteristics of the vulnerabilities
Various groups search for vulnerabilities
BUSBY finds zero-day vulnerabilities, and develops exploits for them
Data stats: three main types of vulnerabilities
Vulnerability Sub-Type: Memory Corruption
Vulnerability Sub-Type: Memory Mismanagement
Vulnerability Sub-Type: Logic
Data stats: number of vulnerabilities per source code type
Data stats: number of vulnerabilities found and exploited, by vendor
Some other observations about the data
Exploit development time is relatively short
Mitigations have affected exploitability (e.g., heap vs stack overflow)
Exploit development career lengths vary
There are some caveats to our research
Life Status
About 1 in 6 of the alive are immortal
Patches killed most of the dead
Code revisions created a bunch of code refactored "zombies"
Longevity
We plotted the survival probability of our data
Average life expectancy is nearly 7 years
Do certain characteristics indicate a long or short life?
Does life expectancy or survival probability change over time?
Collision Rate
Clarity about time intervals is important
Implications and recommendations of findings
Our findings can help inform the retain vs. disclose discussions
Zero-days affect many sectors, and raise policy questions
Key findings

Taught by

Black Hat

Reviews

Start your review of Zero Days, Thousands of Nights - The Life & Times of Zero-Day Vulnerabilities and Their Exploits

Never Stop Learning.

Get personalized course recommendations, track subjects and courses with reminders, and more.

Someone learning on their laptop while sitting on the floor.