Workshop on Ethics in Computer Security (EthiCS) 2023 Program

Vulnerability research is vital to mitigating cyberattacks, which tries to devise new approaches to discover new vulnerabilities. As an ethical research guideline, researchers are expected to report the found vulnerabilities to the corresponding vendors before disclosing them (e.g., publishing a paper), which is known as the responsible-disclosure process. Undoubtedly, the intention of responsible disclosure is to help improve the security of software. We observe that the current responsible disclosure may not be as effective as expected. In particular, reports can be significantly delayed or completely ignored. Reports for securitycritical vulnerabilities are often publicly disclosed, which can potentially be abused by attackers.

In this work, we plan to study the effectiveness of the existing responsible disclosure. Two major questions we aim to answer are: (1) Are security-critical bug reports commonly disclosed publicly in the first place? (2) What factors of a bug report contribute to delaying or ignoring? By answering the questions, we aim to provide insights into how to improve the quality of bug reports and the effectiveness of responsible disclosure. In this paper, we present our preliminary results of this work. We take the Linux reports and patch history as an example. We found that at least in Linux, most security bugs are publicly disclosed before they are fixed, and that factors such as length of reports, author experience, and author affiliations have an impact on the delay of patching. In the end, we also present our plans for future work.

Public blockchains are the digital infrastructure that powers the multi-trillion-dollar economy in cryptocurrencies. Understanding the security and performance of deployed blockchain networks is critically important, especially when the open-membership nature of blockchain results in a large attack surface. However, measuring operational blockchain networks raises ethical concerns and could interfere with the businesses running atop the blockchains. This work presents a survey of the recent measurement studies on the Ethereum networks and discusses their ethical issues, practices, and solutions. The paper also identifies several open ethical challenges faced by blockchain researchers.

Cybersecurity research involves ethics risks such as accidental privacy breaches, corruption of production services, and discovery of weaknesses in networked systems. Although literature describes these and other issues in some depth, reflection on these issues is not yet well embedded in typical Ethics Review Board procedures. In this paper, we operationalize existing guidance on cybersecurity research ethics into a proposal that can be directly implemented in an Ethics Review Board. We provide a set of self-assessment questions to effectively and efficiently probe the ethics of proposed cybersecurity research, a Coordinated Vulnerability Disclosure procedure for discoveries made in the course of research, and an outline of a university policy to institutionally embed this procedure, which could be adapted and adopted by research institutes. With this paper, we hope to contribute to more Ethics Review Boards taking up the challenge of addressing cybersecurity research ethics in an adequate and productive manner.

Measurement of network data received from or transmitted over the public Internet has yielded a myriad of insights towards improving the security and privacy of deployed services. Yet, the collection and analysis of this data necessarily involves the processing of data that could impact human subjects, and anonymization often destroys the very phenomena under study. As a result, Internet measurement faces the unique challenge of studying data from human subjects who could not conceivably consent to its collection, and yet the measurement community has tacitly concluded that such measurement is beneficial and even necessary for its positive impacts. We are thus at an impasse: academics and practitioners routinely collect and analyze sensitive user data, and yet there exists no cohesive set of ethical norms for the community that justifies these studies. In this work, we examine the ethical considerations of Internet traffic measurement and analysis, analyzing the ethical considerations and remediations in prior works and general trends in the community. We further analyze ethical expectations in calls-for-papers, finding a general lack of cohesion across venues. Through our analysis and recommendations, we hope to inform future studies and venue expectations towards maintaining positive impact while respecting and protecting end users.