Date: Thu Nov 17 21:55:50 2005
From: dinis at ddplus.net (Dinis Cruz)
Subject: Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'

[item originally posted yesterday at my Owasp .Net blog (http://owasp.net/blogs/dinis_cruz/archive/2005/11/17/92.aspx) note the comments about Sony's Rootkit case]

The current Microsoft CTO (Ray Ozzie) and Bill Gates published two 'leaked' memos last week (you can read Bill Gates' memo here, and Ray's memo here, published by hypercamp) which generated some interesting comments:

Leaked Memos Point to a "Disrupted" Microsoft  

Robert Cringely thinks that they were leaked on purpose - I agree, nobody writes internal memos like this  

Mini-Microsoft hits again with a hard analysis in A Disruptive Defrag for Microsoft - note in the comments that some Microsofties are starting to lose patience with Mini (if only they knew who Mini-Microsoft is; read Everybody has their theories, but Mini-MSFT is... for a post saying what I had thought before but didn't want to be the first to post: Mini-Microsoft is probably somebody quite important at Microsoft, if not BG himself)

Now, I did read the memos, and have to say that they show a good strategy in focusing on Services and highlight the fact that Microsoft has realized that their massive release and development cycles have to be replaced by simpler, effective, practical and secure services.

Talking about security, as news.com noted here (Gates memo: No mention of "trustworthy computing"), one area on which there is barely any comment in these memos is security.

First let's analyze Ray's mention of Security in his memo:

"....In 2000, in the waning days of the dot com bubble, we yet again reflected on our strategy and refined our direction. After taking a more deliberative look at the internet and its implications for software, we came to the conclusion that the internet would go beyond browsing and should support programmability on a global scale. We observed that certain aspects of our most fundamental platform - the tools and services that developers use when building their software - would not likely satisfy the emerging security and interoperability requirements of the internet. So we embarked upon .NET, a transformative new generation of the platform and tools built around managed code, the XML format and web services programming model..."

Hmm, I wonder if anybody has told Ray that 99% of .Net applications currently deployed have been created for Full Trust environments (which is insecure by default, insecure by design and insecure in deployment). I guess that he also doesn't know that most code that Microsoft produces today is still unmanaged and that the security advantages of the .Net framework can only exist in a Partially Trusted world (see my post What are the 'Real World' security advantages of the .Net Framework and the JVM? and Gunnar Peterson's excellent follow-up .Net and Java "faith-based" security)

"... Complexity kills. It sucks the life out of developers, it makes products difficult to plan, build and test, it introduces security challenges, and it causes end-user and administrator frustration. Moving forward, within all parts of the organization, each of us should ask "What's different?", and explore and embrace techniques to reduce complexity...."

Here, I completely agree, but I wonder then why isn't Microsoft giving us SIMPLER and LESS COMPLEX products? I want a simpler Windows 2000, 2003 and XP (one without the stuff that I don't need), I want a simpler .Net Framework (one without the stuff that is not needed to execute the relevant application), I want a simpler IE (one with fewer privileges and able to handle malicious code).

The main cause today of security issues is complexity, and only by fully understanding an issue and all its connections and interdependencies can one secure it. This is what worries me about Vista: I see a lot of new 'Security Features' where I would prefer to see more 'Secure Features' for Windows 2000, 2003 and XP (remember that XP SP2 was only successful from a security point of view because it didn't introduce any major new functionality; I have made some more comments about Vista here: Security in Longhorn: Focus on Least Privilege)

And now let's look in Bill Gates' memo for references about security:

....

none, zero.

Not one mention of Security.

Does this mean that for Microsoft the Security problems are all under control and their job is done?

The problem is that Microsoft might have solved quite successfully one category of security vulnerabilities (namely the high number of buffer overflows) but is not paying enough attention to the next wave of attacks and security vulnerabilities.

As the Sony Rootkit issue has shown (which I blogged about here: Sony's DRM rootkit, Follow up on Sony, Sony stops rootkit production, ActiveX contains vulnerabilities and 'doing a sony' and Sony ActiveX massive vulnerabilities, CDs recall and 'Where were the AntiVirus?'), the next wave of attacks will be caused by malicious code executed inside the computer.

Let me say this very clearly: Our computer systems MUST be able to SECURELY EXECUTE MALICIOUS CODE!

This is why I have been talking for two years now about the Security Vulnerabilities in Full Trust Asp.Net (see An 'Asp.Net' accident waiting to happen, Microsoft must deliver 'secure environments' not tools to write 'secure code', My experience with the MSRC (Microsoft Security Response Center), Some comments to Misleading and False Information in: 'What ASP.NET Programmers Should Know About Application Domains', Microsoft's David Treadwell 'almost' admits the problem, Some comments about 'The Six Dumbest Ideas in Computer Security', and my Owasp Presentations: OWASP AppSec 2005 UK Presentation and AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt).

The only solution for the next wave of malicious code is to be able to execute it in secure run-time environments (i.e. Sandboxes), which will take a huge amount of work, re-engineering and commitment (the new tools in VS 2005 will help).

But this will not happen until Microsoft acknowledges the problem and says loud and clear at http://www.microsoft.com/security: Full Trust .Net is a massive security issue and everybody needs to create applications (web and windows based) that execute in partially trusted environments (here is where Microsoft is today on this issue: Current Microsoft info about CAS and Full Trust).
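As an added illustration of what "executing in a partially trusted environment" means in practice (example code written for this archive page, not code from the original post, from OWASP or from Microsoft's documentation): the host below creates a second AppDomain whose grant set contains only the Execution permission, loads a component into it, and attempts the same file read from inside and outside that sandbox. The class and method names, the sandbox name and the file path are assumptions for the example; it targets the .NET Framework 2.0-era Code Access Security model the post discusses (the CreateDomain overload that takes a PermissionSet was added in .NET Framework 2.0), which .NET Core and later .NET versions no longer implement.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Constructed example component: stands in for the "untrusted" code the post
// wants run under partial trust. It derives from MarshalByRefObject so the host
// can call it across the AppDomain boundary instead of copying it back.
public class UntrustedWorker : MarshalByRefObject
{
    // Attempts a privileged operation (reading a file) and reports the outcome.
    // Under the restricted grant set the FileIOPermission demand fails; the
    // exception type differs between CLR versions (SecurityException on 2.0/3.5,
    // possibly MethodAccessException under 4.x transparency rules), so report it.
    public string TryReadFile(string path)
    {
        try
        {
            return File.ReadAllText(path).Length + " bytes read";
        }
        catch (Exception ex)
        {
            return "blocked (" + ex.GetType().Name + "): " + ex.Message;
        }
    }
}

public static class SandboxHost
{
    public static void Main()
    {
        // Grant set for the sandbox: start from nothing and add only the right
        // to execute managed code. No file, registry, network, UI or reflection
        // permission is present, which is what "partial trust" means here.
        PermissionSet restricted = new PermissionSet(PermissionState.None);
        restricted.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));

        // ApplicationBase is where the sandboxed domain resolves assemblies from;
        // here it is the host's own directory because the worker lives in this assembly.
        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // Empty evidence: the grant set comes solely from 'restricted', not from
        // Zone/Url policy evaluation.
        Evidence evidence = new Evidence();

        // Sandbox name is an assumption for the example. No fullTrustAssemblies
        // are passed, so every assembly loaded into this domain gets 'restricted'.
        AppDomain sandbox = AppDomain.CreateDomain("PartialTrustSandbox", evidence, setup, restricted);

        Type workerType = typeof(UntrustedWorker);
        UntrustedWorker sandboxed = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
            workerType.Assembly.FullName, workerType.FullName);

        // Constructed path: any readable file on the host will do for the comparison.
        string path = Path.Combine(Environment.SystemDirectory, "..\\win.ini");

        Console.WriteLine("Partial trust: " + sandboxed.TryReadFile(path));
        Console.WriteLine("Full trust:    " + new UntrustedWorker().TryReadFile(path));

        AppDomain.Unload(sandbox);
    }
}
```

The point the two output lines make is the one the post keeps returning to: the same compiled code is harmless in the sandboxed domain and fully capable in the default domain, so the protection comes from the environment the host chooses, not from how carefully the component was written. An application created "for Full Trust" simply never builds that second domain.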

And let's not forget that the CLR has not been audited by an independent team of security consultants (i.e. one without an NDA signed with Microsoft that limited what they could publish). During my Rooting the CLR research I did some quick research of past JVM vulnerabilities and how they relate to the CLR, and was able to quickly find a Possible Type Confusion issue in .Net 1.1 (only works in Full Trust). Given the fact that SQL Server 2005 is now 100% dependent on the integrity of the CLR and BCL, isn't it about time that an independent security audit is performed?

Microsoft should learn from the current Sony DRM mess and prepare itself for the next wave of exploits (just talking about the good guys: given the current Windows security model, without using a partially trusted environment what choices do DRM makers have but to patch the kernel? For example: how can you protect a PDF file from being printed or copied if you don't enforce it at either kernel level or System Process?)

And if Microsoft is not able to make this move, I hope that the Java camp does it.

I also have very high hopes in the Mono project since this (securely executing malicious/untrusted code) could be Mono's killer-application (i.e. the one that makes everybody use it). Here are some links to Mono and Mono's CAS:
   http://www.mono-project.com (main Mono website)
   CAS - where we stand
   Code Access Security in Mono
   Mono CAS Wiki
   Mono Security Manager Part I - Using CAS permissions

Hope somebody is listening
  Dinis Cruz
 Owasp .Net Project
 www.owasp.net
