Date: Fri Nov 18 01:17:38 2005
From: dinis at ddplus.net (Dinis Cruz)
Subject: Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'

From: "James Tucker" <jftucker@...il.com>

>> Here, I completely agree, but I wonder then why is not
>> Microsoft giving us SIMPLER and LESS COMPLEX products?

>Programmatically they generally are.
>Complexity != Feature length, although the two are related.

You are talking about user APIs; I am talking about what is happening under the hood.

Yes, developers' APIs have been simplified, but that creates an environment where nobody really knows what is happening and how things work. A lot of security vulnerabilities occur when you glue together two secure objects in ways never predicted by the original developers.

Take for example the new Vista's AIM: Application Impact Management feature (see Security in Longhorn: Focus on Least Privilege). One of the things that it does is "...Longhorn gives the application its own virtualized view of the resource it's attempting to change, using a copy-on-write strategy. When the application attempts to write to a file in the Program Files directory, Longhorn will give the application its own private copy of the file and it can party on...". Now can you imagine how complex this code must be? Since the code that supports AIM will be unmanaged (in C or C++), and knowing that it is impossible today to write complex solutions which are 100% free of bugs (and security vulnerabilities), how can we be assured that AIM will not cause as many problems as the ones it is trying to solve?

 We are trying to solve complex problems with more complex solutions, while giving the majority of the user base (including most developers) the perception that everything is getting simpler! (See my OWASP AppSec 2005 UK Presentation - 'The Fog of Software' for more comments on this topic)

>> I want a simpler IE (one with less privileges
>> and able to handle malicious code).

>How many IE security flaws are actually specific to IE?
>Or are they specific to optionally loaded modules that come bundled with IE?
>What is the significance to changes in these modules to other applications?
>And can they be mostly be removed or disabled from IE through the GUI?

The problem with IE is not the IE code, but its run-time environment. IE is an application that at the same time has to be able to:
  - run untrusted code,
  - provide that code with a rich programmatic object model,
  - allow dozens and dozens of system objects and components to be used by that malicious code, and
  - provide the users with a very user-friendly GUI.
Bottom line, it is impossible to defend against. There are too many interconnections and possible execution paths to be able to defend them all (which is why the only 'real' solution today (as recommended by Microsoft) is to disable IE's Active Scripting (which is not a practical and doable solution)).

And let's not talk about the security vulnerabilities introduced by supposedly benign and trustworthy applications and components (see Sony stops rootkit production, ActiveX contains vulnerabilities and 'doing a sony').

 The only way to deal with IE is to say: "Ok, I know that malicious code will be executed inside the IE process, so I will either: A) execute that code inside a VM (CLR or JVM) or B) lockdown that process so that there is no impact to the OS and to that user's session". 

Option B) is what it seems that Microsoft is doing for IE 7.0, but I don't understand why that is not done for all other IEs (see Michael Howard's DropMyRights app in Browsing the Web and Reading E-mail Safely as an Administrator, and the SetSafer app in Browsing the Web and Reading E-mail Safely as an Administrator, Part 2).

Note that Firefox (for example) is not that much more secure than IE (can we really trust everybody that writes a Firefox plug-in?).

>> (remember that XP SP2 was only
>> successful from a security point of view, because it didn't
>> introduce any major new functionality
>
> Apart from DEP, Windows Firewall, a re-vamped TCP/IP stack... Blah, more here:
> http://www.microsoft.com/downloads/details.aspx?FamilyID=7bd948d7-b791-40b6-8364-685b84158c78&DisplayLang=en

I was talking about major non-security features. Also important, most of SP2's security features and enhancements were in areas with already quite a lot of research done and experience (and even then you can see how long it took SP2 to make). You just need to look at what happened in the transition from NT 4.0 to 2000 to see what happens when you introduce at the same time a huge amount of new features/functionality with a huge amount of new security features (and remember that Windows 2000 was sold as being a 'more secure OS' (when compared with NT 4.0)).

 Don't get me wrong, SP2 was an amazing effort from Microsoft and it showed commitment to security (some say it was massively overdue). It did reduce the overall level of attack surface and created a better, more solid OS.

My main point is that we need more Simple systems (not simplistic), and today you already have a large number of IT Professionals that have a good understanding of the architecture of Windows NT/2000/2003 and how it works. So I would much prefer that Microsoft targeted this group of professionals with more tools, knowledge and information, instead of creating a massive new platform (Vista) which will make everybody a 'Professional Amateur' (since it will take quite a number of years before these IT Professionals have the same level of understanding of Vista's architecture).

 The problem is that Microsoft is locked into the business model of selling Operating Systems. 

So, since I know that Microsoft will need to justify to its shareholders the need to invest in simpler solutions for Windows NT 4.0/2000/2003/XP, I would like to propose to Microsoft that they SELL (i.e. charge) for the products that they develop for those OSes.

Why don't we have an IIS 7.0 for Windows NT? An IE 7.0 for Windows 2000? A Windows Firewall for all Windows under the sun?

And if Microsoft charged fair prices for them (for example a fiver ($5) for IE7), I'm sure they would have enough buyers to justify the investment (hmm... 200 million users * $5 a pop is $1 billion), and (probably more important to Microsoft) they could give them for free to the companies that subscribe to the 'Microsoft Software Assurance' licensing model.

This would be a nice positive model which would create more secure software, give the users a better deal AND keep the shareholders happy :)

 Just my 10 cents :)

Dinis Cruz
 Owasp .Net Project 
 www.owasp.net

