TRUST Security Seminar Series: 0Day and Undiscovered Software Vulnerabilities

Seminar | December 3 | 1-2 p.m. | Soda Hall, Wozniak Lounge

Speaker: Miles McQueen, Idaho National Lab and University of Idaho

Sponsor: Team for Research in Ubiquitous Secure Technology

Software vulnerabilities may be undiscovered, discovered but not publicly announced (0Day), publicly announced but not patched, or patched. Vulnerabilities which have been patched pose no risk to the system. Vulnerabilities which have been publicly announced but not patched pose a risk, but the system owners are easily aware of the vulnerability and may implement appropriate mitigations. Unfortunately, 0Day vulnerabilities represent an understudied and potentially significant threat to systems, including those responsible for operating our critical infrastructure, and undiscovered vulnerabilities are the pool from which 0Days are drawn.

This presentation will discuss a method for estimating how many 0Day vulnerabilities are in existence at any given moment in time, review and comment on the literature related to whether finding (and patching?) software vulnerabilities makes systems more secure, and end by asking whether the government should fund the discovery of vulnerabilities in deployed software or would be better served by focusing those precious security resources on research into more foundational solutions such as system resilience.

510-643-5105
Copyright © 2009 UC Regents