U.S.-based security researchers may soon be championing the case of Grant Wilcox, a young U.K. university student whose work is one of the few publicly reported casualties of the Wassenaar Arrangement.
Wilcox last week published his university dissertation, presented earlier this spring for an ethical hacking degree at the University of Northumbria in Newcastle, England. The work expands on existing bypasses for Microsoft’s Enhanced Mitigation Experience Toolkit (EMET), free software that includes a dozen mitigations against memory-based exploits. Microsoft has on more than one occasion recommended use of EMET as a temporary stopgap against publicly available zero-day exploits.
Wilcox’s published dissertation, however, is missing several pages that describe proof-of-concept exploits, including one that completely bypasses a current EMET 5.1 installation running on a fully patched Windows computer. He said last Wednesday in a blogpost that the missing pages and redactions within the text happened partly because of the Wassenaar Arrangement.
Since late May when the U.S. Commerce Department announced its proposed U.S. rules for Wassenaar, researchers have been vocal about the potential impact on new vulnerability research and the security of software moving forward. At issue is vague language in the U.S. rules against intrusion software that goes beyond the use of surveillance software such as HackingTeam for which the rules and export controls were written.
Various interpretations put legitimate vulnerability research and proof-of-concept exploit development under the thumb of Wassenaar, as well as the use of certain dual-use tools that encompass various scanners, forensics, and penetration-testing software. Even submissions to bug bounty programs, which fund many research efforts, would be put in jeopardy under the rules.
Wilcox said that while a pair of FAQs from the Commerce Department’s Bureau of Industry and Security helped clarify some of the residual confusion over the U.S. rules, they came after the university’s decision to prohibit release of his research, even via open source—which is not a Wassenaar violation. Wilcox said he considered this avenue, but the university’s ethics board stepped in and prohibited him from publicly releasing the code; since the public release of exploits is a university ethics violation and could have put Wilcox’s degree in jeopardy. Wilcox said that the code will be made available to security consultancies inside the United Kingdom, and those companies must demonstrate their intent to use them solely to improve security for the public. Also, had the university had the time to review the FAQs, its hesitancy to publicly release exploits may have led to the same result, Wilcox said.
“Whilst it has impacted the release of my research it has not impacted my passion and I plan to continue researching such material as and when I feel like, though in an ideal world I would like clearer instructions so I can figure out how to do this appropriately (of which there seems to be some confusion),” Wilcox said in an email to Threatpost.
Wilcox said he has not abandoned the idea of publishing the exploits, and is working with the university’s ethics board and the HMRC, the U.K. entity enforcing the WA rules. Wilcox said today that his first response from the HMRC referred him to the Department for Business, Innovation and Skills without providing any clarity into his case.
Wilcox said Wassenaar surfaced on his radar when exploit vendor VUPEN announced last November it was shuttering operations in France, a Wassenaar country, and moving to Singapore, a non-Wassenaar participant. Then prior to the Pwn2Own contest, held in March during the CanSecWest conference, organizers warned entrants to check with local laws for Wassenaar violations before submitting to the contest.
“To be clear I did all the research into the Wassenaar Arrangement and then submitted my findings to my supervisor and the ethics board,” Wilcox said. “The section I was and still am concerned about is on page 212 of this document, under part B, where they say: ‘The modification of the standard execution path of a program or process in order to allow the execution of externally provided instructions.’ This combined with the uni’s decision and the possibility of having my degree taken away from me where the main decisions for my hesitation.”
The 131-page PDF was submitted to the Newcastle school as part of Wilcox’s fulfillment of the requirements needed to receive a Degree of Ethical Hacking. Within it, he explains his goal of creating three exploits that could modify Microsoft EMET 5.1’s application-level protections, therefore bypassing its mitigations against memory-based attacks.
Wassenaar prevents sharing of exploit code outside the country in which the researcher is located without the purchase of an export license. The U.K. is one of 41 countries that participates in Wassenaar. The U.S. Commerce Department is in the midst of a 60-day comment period—which ends July 20—before a final ruling is made on its proposed Wassenaar rules governing exploits and so-called dual-use software.
In his paper, Wilcox explains what he believes to be some of the limitations imposed upon him by Wassenaar. For example, only one of the three exploits triggered a bypass of all of EMET’s protections; the others were able to bypass most, but not all, protections. He said in the paper that further detailed research would be required to understand how EMET worked in order to satisfy his objective. Working with a team familiar with EMET—some members would likely not be located in the U.K.—would violate Wassenaar because the rules prohibit sharing of modified exploits outside the U.K. without a license.
He wrote in his paper:
“Because of this it is not possible to release the exploits publicly or even to other researchers outside the UK without an export license, despite the fact that researchers based in other parts of the world are quite knowledgeable about EMET and would happily provide feedback and insight into the exploits produced, helping other learn about EMET 5.1’s security in the process. In the interest of not accidentally breaking any UK laws, it has been decided that it would be best to keep the exploits private until further legal advice can be obtained.”
Wilcox went at it alone, operating under the Wassenaar Arrangement rules, which were ratified in 2013 in most of the other participating countries—some 18 months ahead of the U.S.