G2TT
Source type: Research Reports
Document type: Report
DOI: https://doi.org/10.7249/RR1751
ISBN: 9780833097613
Source ID: RR-1751-RC
Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits
Lillian Ablon; Andy Bogart
Publication date: 2017
Year published: 2017
Pages: 132
Language: English
Key Findings

"Alive" Versus "Dead" Is Too Simplistic

  • Vulnerabilities that are alive (publicly unknown) fall into two groups: those that defenders are still actively looking for, called "living" vulnerabilities, and those that will remain in a product in perpetuity because the vendor no longer maintains the code or issues updates, called "immortal" vulnerabilities.
  • Among vulnerabilities that are dead (publicly known), many are disclosed together with a security advisory or a patch; in other cases a developer or vulnerability researcher posts about the vulnerability online but no security advisory is ever issued.
  • Still other vulnerabilities are quasi-alive ("zombies"): because of code revisions they can still be exploited in older versions of a product but not in the latest version.

Longevity and Discovery by Others

  • Zero-day exploits and their underlying vulnerabilities have a rather long average life expectancy of 6.9 years. The shortest-lived quarter die within 1.51 years, and the longest-lived quarter survive for more than 9.5 years.
  • No vulnerability characteristic was found to predict a long or a short life; future analyses might examine Linux versus other platform types, open- versus closed-source code, and exploit class.
  • For a given stockpile of zero-day vulnerabilities, after one year approximately 5.7 percent have been publicly discovered and disclosed by another entity.
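As an added illustration, not code from the report or its authors, the Python sketch below shows how figures like a median life and the 1.51-year and 9.5-year quartiles are read off a survival curve when many vulnerabilities in the sample are still alive at the end of observation, and how the 5.7 percent annual rediscovery rate compounds over the life of a stockpile. The page states the figures but not the method; the Kaplan-Meier estimator used here is a standard choice for right-censored lifetimes, the twelve records are constructed, and the assumption that rediscovery by others is independent from year to year is mine.

```python
"""Kaplan-Meier survival estimate over a constructed set of zero-day records.

Each record is one vulnerability observed from the day it was found. A record
is 'dead' if it became public (advisory, patch, or public post) and 'alive'
(right-censored) if it was still unknown when observation stopped. Censored
records still contribute to the at-risk count up to their last observed age,
which is what keeps the life-expectancy estimate from being biased low.
Constructed data, not the RAND dataset.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Record:
    age_years: float   # age at death, or age when observation ended
    died: bool         # True = publicly known; False = still alive (censored)


# Constructed sample (assumption: not the report's data).
SAMPLE = [
    Record(0.4, True), Record(0.9, True), Record(1.5, True), Record(2.0, False),
    Record(2.6, True), Record(3.1, False), Record(4.0, True), Record(5.5, False),
    Record(6.2, True), Record(7.0, False), Record(8.3, True), Record(9.8, False),
]


def kaplan_meier(records):
    """Return a step curve [(t, S(t))]: survival probability just after each death time."""
    events = sorted(records, key=lambda r: r.age_years)
    at_risk = len(events)
    survival = 1.0
    curve = []
    i = 0
    while i < len(events):
        t = events[i].age_years
        deaths = 0
        leaving = 0
        # Group every record with the same age: deaths lower S(t), censored ones only leave.
        while i < len(events) and events[i].age_years == t:
            leaving += 1
            if events[i].died:
                deaths += 1
            i += 1
        if deaths:
            survival *= 1 - deaths / at_risk
            curve.append((t, survival))
        at_risk -= leaving
    return curve


def quantile_age(curve, survival_level):
    """Smallest age at which S(t) falls to survival_level or below; None if never reached."""
    for t, s in curve:
        if s <= survival_level + 1e-12:
            return t
    return None


def restricted_mean_life(curve, horizon):
    """Area under S(t) up to `horizon`: the mean life restricted to the observation window.

    With censored records the plain average of observed ages would be too small,
    so the mean is taken from the curve instead.
    """
    area = 0.0
    prev_t, prev_s = 0.0, 1.0
    for t, s in curve:
        if t >= horizon:
            break
        area += prev_s * (t - prev_t)
        prev_t, prev_s = t, s
    area += prev_s * (horizon - prev_t)
    return area


def expected_private_fraction(years, annual_collision=0.057):
    """Share of a stockpile still undiscovered by others after `years`.

    Assumes independent rediscovery each year at the page's 5.7 percent rate
    (the independence assumption is this example's, not the report's).
    """
    return (1 - annual_collision) ** years


if __name__ == "__main__":
    curve = kaplan_meier(SAMPLE)
    for level, label in ((0.75, "first quartile"), (0.50, "median"), (0.25, "third quartile")):
        print(f"{label:>14}: {quantile_age(curve, level)} years")
    print(f"restricted mean life (10-year window): {restricted_mean_life(curve, 10.0):.2f} years")
    for y in (1, 3, 5):
        print(f"after {y} year(s), {expected_private_fraction(y):.1%} of a stockpile is still private")
```

Reading the curve: the first quartile is the age at which S(t) drops to 0.75, which on the page's data is 1.51 years; the third quartile is where S(t) reaches 0.25, 9.5 years on the page's data. The last function shows why a per-year collision rate matters more than it looks: at 5.7 percent a year, roughly a quarter of a stockpile has been independently found by someone else after five years.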

Time and Costs Involved in Developing Zero-Day Exploits

  • Once an exploitable vulnerability has been found, developing a fully functioning exploit is relatively fast, with a median time of 22 days.
  • The cost of developing an exploit depends on many factors: the time to find a viable vulnerability, the time to develop the exploit, the time and cost of testing and analysis, the time to integrate the exploit into ongoing operations, the salaries of the researchers involved, and the likelihood of having to revisit and update the exploit in response to code revisions.
Subjects: Computer Viruses; Cyber and Data Sciences; Cyber Warfare; Cybercrime; Cybersecurity; The Internet; Science, Technology, and Innovation Policy
URL: https://www.rand.org/pubs/research_reports/RR1751.html
Source think tank: RAND Corporation (United States)
Resource type: Think tank publication
Item identifier: http://119.78.100.153/handle/2XGU8XDN/108685
Recommended citation (GB/T 7714):
Lillian Ablon, Andy Bogart. Zero Days, Thousands of Nights: The Life and Times of Zero-Day Vulnerabilities and Their Exploits. 2017.
Files in this item:
RAND_RR1751.pdf (1710 KB), Adobe PDF, think tank publication, restricted access, license CC BY-NC-SA

Unless otherwise stated, all content in this system is protected by copyright, with all rights reserved.