lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <4435B582.10502@ddplus.net>
Date: Fri Apr  7 14:04:59 2006
From: dinis at ddplus.net (Dinis Cruz)
Subject: I give up,
 no more posts to Full-Disclosure and DailyDave about Full
 Trust and .Net /Java Sandboxes

First off all, I want to apologize to the Full-Disclosure and DailyDave
readers for the last couple of posts which I CCed to these lists (the
ones about Full Trust, managed browsers, verifier issues in Java/.Net
and Sandboxing)

I know that cross-posting is not good, and that it is quite inconvenient
when you happen to subscribe to more than one of the target lists.

The reason I did it was because I wanted to make sure that several
companies/groups were exposed to it (and give them a chance to respond).
In this case I am talking about Microsoft, Sun, Novell, Apple, IBM,
Adobe, Open Source projects, etc... (basically the major software
development houses and the ones responsible for most of the software
used in the real world).

>From the big ones, only Novell had an entry to talk about AppArmor which
is an interesting process level Sandboxing solution.

But the ones that I was expecting to see in this conversation were
Microsoft and Sun. We were (and still are) discussing the security
advantages of Sandboxing (Partial Trust in .Net and Security Manager in
Java), and given the investment that both companies have made in this
field, I was expecting to see some core/senior members supporting me
(Dinis) in the defense of the need to 'create environments that are able
to securely execute malicious code (i.e. Sandboxes)'.

But no, not a single world. But then I was not surprised since Microsoft
has been ignoring my public comments about this issue for the last two
years.

This means that either A) they don't care any more about this topic
(Partial Trust / Security Manager code) or B) they are just playing the
good old trick to ignore the little guy (which works in environments
like today when the Media and paying clients don't care (read: don't
understand) about the issue discussed).

Option A) is quite realistic since Microsoft (after what happened with
'Longhorn managed code failure' and the Vista's reset to Windows 2003
code) seems to have moved (or kicked) the '.Net guys' to a conner, and
decided to put their bets to create an operating system which delivers a
trustworthy computing environment in the hands of Vista's UAC (User
Access Control) and Vista's capability to run as non-admin (which is a
bad bet in my point of view).

[side note: If the .Net framework is just a nice wrapper on the win32
API (see Richard Grimes articles on this subject) with 99% of its code
executed under a Full Trust environment and never verified, then why the
security overhead of the current versions of .Net framework? (namely 1.1
and 2.0). If CAS and Strong Naming (just to point two examples) don't
really deliver any real security value (just like 'client side data
validation'), then why incur the overhead? Maybe we would get a nice
performance boost in .Net applications if all those security calls were
disabled. (Idea: I want to apply my 'Rooting the CLR' research into the
creation of a patch for the .Net Framework which disables all security
checks and (hopefully) improves the performance of .Net applications
(drop me a line if you are interested in participating in this new Owasp
.Net project))]

After two years of trying, I GIVE UP of trying to bring Microsoft to
this discussion.

Microsoft doesn't care, can't be bothered to participate (or the powers
that be don't authorize the ones that want to participate), maybe
believe that the types of attacks will not continue to evolve (i.e. the
risk will not increase) or maybe is just that inertia that affects large
companies where nobody is really responsible for anything and the key
decision makers are so distant from the real world (or believe in their
own hype and power to manipulate the market) that they don't really
understand the implications of their decisions.

I think that my case is a perfect example of why Microsoft has such a
bad reputation (not just in security), and why the new generation of
developers (and IT professionals) are moving to Open environments (like
Open Source).

In the medium / long term Microsoft cannot afford to continue to ignore
little guys like me (which are trying to do the right thing and help
Microsoft to solve their security problems). They need to show respect
and (at least) publicly talk about the issues raised.

Microsoft and Bill Gates like to talk about trust and trustworthiness.
Well trust is something that is built over time, with respect, dialog
and transparency. Not by ignoring and pretending that one doesn't exist.

Maybe Microsoft's problem with me is the fact that i will NOT work for
them nor sign an NDA (since I know that my independence would disappear
the moment I signed one), or maybe they think that I am not good and
knowledgeable enough for them to spend their 'precious time' with.  They
are wrong in not engaging in this conversation, and in ignoring my
public requests to talk. I might be more vocal than some of my security
consultant friends, but I know that most are as frustrated as me in
Microsoft's attitude to Security.

Memo to Sun: "Java has the same problem, and you should be worried when
senior members of your community are very surprised to discover that
most Java code is executed in -noverify environments"

What I know is that my conscience is clear. Nobody can accuse me of not
trying. Over the last two years I made every ethical effort to call
Microsoft's attention to this problem: I wrote articles, security
guides, security tools, training courses, presentations, collaborated on
.Net Open Source projects (like Owasp), and even had two meetings at
Microsoft Redmond campus with several Key players in Microsoft's
security and .Net teams (it seems, that all that was left to do, was to
bring down a couple ISPs / global companies just to prove my point, but
since I am ethical and a 'good guy', that is something that I will never
do).

>From all this effort, I have very little to show for (except from my
increased knowledge, several good contracts and some raised awareness to
a couple thousand professionals which read or saw my materials or used
my tools).

My main objectives were to get Microsoft to publicly admit that .Net
Framework's Full Trust is a big problem and to start the paradigm change
to a Partially Trusted world.

Unfortunately I failed.

.Net 2.0 was launched and nothing changed.

99% of the applications that exists today and are currently under
development are designed for Full Trust (or equivalent) environments.

So, I will wait patiently for the day that Microsoft (and the others)
decide to join the party. Meanwhile I will continue my discussions on
the webappsec@...urityfocus.com, websecurity@...appsec.org and
owasp-dotnet@...ts.sourceforge.net mailing lists, since at least there
my ideas are debated and challenged by other like minded professionals
(thanks guys).

I will no more initiate another discussion of Full-Disclosure and
DailyDave about Full Trust and .Net /Java Sandboxes because its audience
is not interested in them and the Microsoft's (and others) subscribers
ignore them.

To wrap things up here are a couple quotes from a senior Microsoft
Security employee, given to me in his office in Redmond a couple months
ago (in Feb 2006):

/ "...Dinis, what you are saying is important, but at the moment it is
not one of our main priorities... There are several reasons ... a main
one is the fact that we tried that with Vista and it didn't work... but
probably the main one is that we (Microsoft) don't have client pressure
to deliver it

... basically there is currently no business case to invest in that
since our (Microsoft) clients are not demanding it...

...what needs to happen is that you (Dinis) need to find 5 major
Microsoft's clients which want this, and then we might do something
about it ..."/

My response to this last comment was "/...look, this is not my problem,
this is Microsoft's problem since it is Microsoft who is promising to
deliver 'trustworthy computing environment'. So if Microsoft doesn't
want to do it, and Microsoft's clients don't put pressure, then there is
nothing I can tell you (Microsoft) that will change your mind..."
/
My conversations with Microsoft's employees tend to always end the same
way: I ask them to start by acknowledging the current Full Trust problem
, and they respond by saying/ '... we are working very hard ... or ...
things are better today they they were a couple years ago ...or ... when
compared with the status of the industry we are not that bad ... or ...
we know that we need to do better to educate our developers to write
partially trusted code..'. /Basically just words and no actions,

Sorry for the 'digital noise' of my previous posts.

Best regards

Dinis Cruz
Owasp .Net Project
www.owasp.net




-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.grok.org.uk/pipermail/full-disclosure/attachments/20060407/f202b03c/attachment.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ