An ethical hacking student at the University of Northumbria has claimed that the university's ethics board and the Wassenaar Arrangement have forced him to delete some references to exploits from his final year dissertation.
Grant Willcox, a BSc student studying Ethical Hacking for Computer Security, claimed in a blog post that "the Wassenaar Arrangement and the uni's ethics board [forbid] me from releasing the exploits publicly."
The Wassenaar Arrangement is a multilateral export controls agreement between 41 countries that seeks to stop the spread of conventional arms and dual-use (military and civilian) goods and technologies.
Intended to prevent the proliferation of uranium enrichment and the development of chemical weapons precursors, an update to the arrangement in 2013 added "cyberweapons" to the list.
Errata Security noted that such weapons fall into three categories:
- Intrusion malware such as that sold by FinFisher to states such as Bahrain.
- Intrusion exploits such as zero-day vulnerabilities, often sold to the NSA.
- IP surveillance such as that sold by Italy-based Hacking Team.
Willcox's project report paper (PDF), titled "An Evaluation of the Effectiveness of EMET 5.1 at Protecting Everyday Applications Against Targeted Attacks", unusually does not disclose the exploits he found.
Willcox's research focused on finding out how to bypass Microsoft's Enhanced Mitigation Experience Toolkit, which Microsoft describes as "a utility that helps prevent vulnerabilities in software from being successfully exploited".
It seems as if a combination of both the Wassenaar Arrangement and the university's ethics boards is responsible. An ethics review shot down Willcox's aim of going public with his research as it "would be too risky for the University [if] the exploits were used to attack a company."
Releasing this research by only disclosing the exploits to researchers or companies who have a sense of responsibility was also considered however the Wassenaar Arrangement quickly made this an unethical choice, so it too was eliminated.
Additionally, Willcox noted: "Modified exploits are subject to export control restrictions. Because of this it is not possible to release the exploits publicly or even to other researchers outside the UK without an export license, despite the fact that researchers based in other parts of the world are quite knowledgeable about EMET and would happily provide feedback and insight into the exploits produced."
In the interest of not accidentally breaking any UK laws, it has been decided that it would be best to keep the exploits private until further legal advice can be obtained.
This is not the first time that export regulations have hindered academic research into information security.
Operators of the hacking competition Pwn2Own sent an email warning to researchers attending the event this year. They were worried that the Wassenaar Arrangement could affect the development of exploits for the contest, and encouraged attendees to take legal advice.
In May, US proposals for additional controls on zero-day vulnerabilities and malware were pushed forward.
An analysis of the US rewrite of Wassenaar by El Reg's own Iain Thomson noted that the blanket ban could "cover a multitude of legitimate software tools", despite intending to prevent "repressive regimes around the world from buying sophisticated software that can be used to spy on political opponents and others."
The Ethical Hacking and Computer Security programme administrator at the University of Northumbria had not responded to our request for comment at the time of publication. ®