Many system-security technologies have been introduced in recent years, such as address-space layout randomization (ASLR), data execution prevention (DEP), sandboxing or attack-surface reduction. Rather than seeking to eliminate security vulnerabilities, these technologies generally aim to make them harder to exploit. However, so far it has been difficult to measure the effectiveness of these techniques in reducing attacks and in improving security.
We defined several metrics that reflect the state of security in the field, as experienced by end-users [RAID 2014]. These metrics are derived from the typical telemetry collected by security products (e.g. anti-virus software, intrusion-protection systems). The exploitation ratio is the count of vulnerabilities exploited in real-world attacks (not just proof-of-concept exploits) divided by the count of vulnerabilities disclosed publicly for a software product. The exercised attack surface of a host is the number of distinct vulnerabilities (which correspond to distinct intrusion vectors) that are exploited on a host in a given month; in other words, this metric varies from month to month, depending on which fraction of the attack surface is targeted by cyber attackers. The survival probability (or “no exploit” probability) is a time-dependent function describing the likelihood that no exploits will be attempted against the product up to x months after the product was installed.
By evaluating these metrics using data available on the WINE platform, we can observe how the cyber threat landscape has changed following the introduction of certain security technologies. In general, we found that only 15% of the known vulnerabilities are exploited in the wild, and that none of the products we analyzed has an exploitation ratio higher than 35%. While the coexistence of several security mechanisms in a product makes it difficult to measure the individual impact of each mechanism, it is interesting to note that improvements in our metrics are often associated with the introduction of system security technologies. For example, after the release of Internet Explorer 7 and Adobe Reader 10, we observed a notable decrease in the exploitation ratio and an improvement in the survival probability for those products. Both releases introduced a sandbox, which adds an additional layer of defense by containing malicious code and by preventing elevated privilege execution on the user’s system. IE 7 also removed support for older technologies, like DirectAnimation, XBM, DHTML editing control, in an attempt to reduce the attack surface. More findings are included in our paper [RAID 2014].
Interestingly, there is some anecdotal evidence suggesting that cyber criminals are starting to feel the effects of this scarcity of exploits. While zero-day exploits are usually employed in stealthy and targeted attacks, in 2013 the author of the Blackhole exploit kit advertised a $100,000 budget for purchasing zero-day exploits. The zero-day exploit for CVE-2013-3906 was nicknamed the “dual-use exploit” after being employed both for targeted attacks and for delivering botnet-based malware.
Paper: [RAID 2014]
[RAID 2014] K. Nayak, D. Marino, P. Efstathopoulos, and T. Dumitraș, “Some Vulnerabilities Are Different Than Others: Studying Vulnerabilities and Attack Surfaces in the Wild,” in International Symposium on Research in Attacks, Intrusions and Defenses (RAID), Gothenburg, Sweden, 2014.