What should academics do if they come across a hardware 0-day attack? Obviously, disseminate. But before the vulnerability is made public, it is important to responsibly disclose it to the vendor to give them a chance to fix it. If the vendor determines that a fix is not possible, researchers may have to anonymize their findings in research papers. This is generally undesirable but is a small price to pay for getting the word out on the vulnerability.
A few legal/ethical things you may want to think about if you discover a hardware 0-day:
These days most vendors welcome vulnerability reports, but some vendors can be prone to sending legal notices for violation of DRM laws (sometimes this is baseless, i.e., even if the attack method did not require reverse engineering or subverting permissions, among other things). In general, it is good to get legal counsel before sending the vulnerability report.
Can academics/universities sell hardware 0-days? I suppose the method for exploitation can be classified as intellectual property and can potentially be commercialized by university technology transfer offices. To be clear, I don’t see university offices selling directly to the mafia, but it is conceivable that an exploit is sold to some private company which then sells it to another questionable entity. This is clearly socially irresponsible and I hope universities do not do it. OTOH, I am not opposed to researchers receiving grants/gifts from vendors for responsibly disclosing vulnerabilities and helping them make their products better.
What do you think of this position? Leave a comment!
In my next post I will discuss what vendors can do to deal with hardware 0-days.
About the author: Simha Sethumadhavan is an associate professor at Columbia University. His interests are in computer architecture and computer security. He is the founder of Chip Scan Inc. His website is: http://www.cs.columbia.edu/~simha