Part of the book series: Lecture Notes in Computer Science (LNAI, volume 9862)
Abstract
Markets for zero-day exploits (software vulnerabilities unknown to the vendor) have a long history and a growing popularity. We study these markets from a revenue-maximizing mechanism design perspective. We first propose a theoretical model for zero-day exploits markets. In our model, one exploit is being sold to multiple buyers. There are two kinds of buyers, which we call the defenders and the offenders. The defenders are buyers who buy vulnerabilities in order to fix them (e.g., software vendors). The offenders, on the other hand, are buyers who intend to utilize the exploits (e.g., national security agencies and police). Our model is more than a single-item auction. First, an exploit is a piece of information, so one exploit can be sold to multiple buyers. Second, buyers have externalities. If one defender wins, then the exploit becomes worthless to the offenders. Third, if we disclose the details of the exploit to the buyers before the auction, then they may leave with the information without paying. On the other hand, if we do not disclose the details, then it is difficult for the buyers to come up with their private valuations. Considering the above, our proposed mechanism discloses the details of the exploit to all offenders before the auction. The offenders then pay to delay the exploit being disclosed to the defenders.
Notes
- 1. Examples of such companies include ZeroDium and Vupen [6].
References
Algarni, A.M., Malaiya, Y.K.: Software vulnerability markets: discoverers and buyers. Int. J. Comput. Electr. Autom. Control Inf. Eng. 8(3), 71–81 (2014)
Bilge, L., Dumitras, T.: Before we knew it: an empirical study of zero-day attacks in the real world. In: Proceedings of 2012 ACM Conference on Computer and Communications Security, CCS 2012, pp. 833–844. ACM, New York (2012). http://doi.acm.org/10.1145/2382196.2382284
Brams, S.J., Jones, M.A., Klamler, C.: Better ways to cut a cake - revisited. In: Brams, S., Pruhs, K., Woeginger, G. (eds.) Fair Division. No. 07261 in Dagstuhl Seminar Proceedings, Internationales Begegnungs- und Forschungszentrum für Informatik (IBFI), Schloss Dagstuhl, Germany (2007)
Chen, Y., Lai, J., Parkes, D., Procaccia, A.: Truth, justice, and cake cutting. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), Atlanta, GA, USA (2010)
Egelman, S., Herley, C., van Oorschot, P.C.: Markets for zero-day exploits: ethics and implications. In: Proceedings of 2013 Workshop on New Security Paradigms Workshop, NSPW 2013, pp. 41–46. ACM, New York (2013). http://doi.acm.org/10.1145/2535813.2535818
Fisher, D.: Vupen founder launches new zero-day acquisition firm Zerodium, 24 July 2015. https://threatpost.com/vupen-launches-new-zero-day-acquisition-firm-zerodium/113933/
Goemans, M., Skutella, M.: Cooperative facility location games. J. Algorithms 50, 194–214 (2004). Early version: SODA 2000, 76–85
Greenberg, A.: Shopping for zero-days: a price list for hackers' secret software exploits, 23 March 2012. http://www.forbes.com/sites/andygreenberg/2012/03/23/shopping-for-zero-days-an-price-list-for-hackers-secret-software-exploits/
Guo, M., Conitzer, V.: Computationally feasible automated mechanism design: general approach and case studies. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), Atlanta, GA, USA, pp. 1676–1679 (2010). Nectar Track
Likhodedov, A., Sandholm, T.: Methods for boosting revenue in combinatorial auctions. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), San Jose, CA, USA, pp. 232–237 (2004)
Likhodedov, A., Sandholm, T.: Approximating revenue-maximizing combinatorial auctions. In: Proceedings of the National Conference on Artificial Intelligence (AAAI), Pittsburgh, PA, USA (2005)
Myerson, R.: Optimal auction design. Math. Oper. Res. 6, 58–73 (1981)
Procaccia, A.D., Tennenholtz, M.: Approximate mechanism design without money. In: Proceedings of the ACM Conference on Electronic Commerce (EC), Stanford, CA, USA, pp. 177–186 (2009)
The Chromium Projects: Severity guidelines for security issues (2015). https://www.chromium.org/developers/severity-guidelines. Accessed 15 Sept 2015
Author information
Authors and Affiliations
School of Computer Science, University of Adelaide, Adelaide, Australia
Mingyu Guo & Ali Babar
Graduate School of Information Science, Nara Institute of Science and Technology, Ikoma, Japan
Hideaki Hata
Corresponding author
Correspondence to Mingyu Guo.
Editor information
Editors and Affiliations
Dipartimento di Informatica, Università degli Studi di Torino, Torino, Italy
Matteo Baldoni
Computing and Communications, Lancaster University, Lancaster, United Kingdom
Amit K. Chopra
Department of Computer Science, New Mexico State University, Las Cruces, New Mexico, USA
Tran Cao Son
Graduate School of Maritime Sciences, Kobe University, Kobe, Japan
Katsutoshi Hirayama
Dept. di Informatica: Sci. e Ingegneria, Università di Bologna, Bologna, Italy
Paolo Torroni
Copyright information
© 2016 Springer International Publishing Switzerland
About this paper
Cite this paper
Guo, M., Hata, H., Babar, A. (2016). Revenue Maximizing Markets for Zero-Day Exploits. In: Baldoni, M., Chopra, A., Son, T., Hirayama, K., Torroni, P. (eds) PRIMA 2016: Principles and Practice of Multi-Agent Systems. PRIMA 2016. Lecture Notes in Computer Science, vol 9862. Springer, Cham. https://doi.org/10.1007/978-3-319-44832-9_15
Publisher Name: Springer, Cham
Print ISBN: 978-3-319-44831-2
Online ISBN: 978-3-319-44832-9
eBook Packages: Computer Science, Computer Science (R0)