Uncertainty around newly introduced export controls for exploit software has forced a British researcher to censor details of his exploits in a dissertation over fear of falling foul of the law.
Grant Willcox wrote the dissertation [pdf] as part of his ethical hacking for computer security bachelor of science honours degree at the University of Northumbria at Newcastle, United Kingdom.
He explored the effectiveness of Microsoft's Enhanced Mitigation Experience Toolkit (EMET) version 5.1, a set of security utilities aimed at systems administrators.
Microsoft claims EMET "helps protect your computer systems even before new and undiscovered threats are formally addressed by security updates and antimalware software".
Willcox set out to modify three existing exploits taken from the Exploit-DB.com repository so that they could bypass all of EMET 5.1's application-level protections with the toolkit configured using Microsoft's recommended profile.
He succeeded in creating three exploits against EMET 5.1, and told iTnews he wanted to release them as part of his dissertation publication.
But his university supervisor and second marker for the dissertation were concerned the exploits could be used against companies and opted initially against releasing them publicly.
"Upon further review it was decided that either they would be released to Microsoft so that they could improve their products - or [the exploits] would not be released at all," Willcox said.
No legal consultation on the matter took place, but Willcox noted that exploit vendors such as Vupen had started to restrict sales of their products and services because of new export control and licensing provisions under the Wassenaar Arrangement.
"When the whole situation with the Wassenaar Arrangement started to come about and companies like Vupen started to close down shop because of it, I decided that it was in my best interest to not release the exploits publicly at all lest I happened to violate some law or arrangement details," Willcox said.
Willcox investigated the export control regulations but was unable to clarify whether they applied to his academic work. The university did not take part.
He said the provisions defining which type of exploits and software are and aren't controlled were written in ambiguous language and appeared to contradict each other.
"It leaves me and other researchers a little confused as to exactly what is intended. I understand that they need to cover a lot of different angles and exceptions but I believe better documentation could be done to clarify what is prohibited and what is not," he said.
He said the lack of clarity on exploits in the Wassenaar Arrangement was "creating a chilling effect on the security research community, as people are unsure if their research/company's work/interests will violate the arrangement or not".
"I would prefer exploits not to be regulated in such a tight manner as it prohibits people from learning and improving their security," Willcox said.
The researcher is currently seeking advice from UK Customs to clarify if the new provisions under the Wassenaar Arrangement apply to his dissertation, and will withhold the details of his exploits until this becomes clear.