Secure Coding mailing list archives

Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'


From: dinis at ddplus.net (Dinis Cruz)
Date: Fri, 12 May 2006 09:57:35 +0100

[Due to the relevance to the current discussion on Java Verifier, here 
is a blog entry that I wrote 
<http://owasp.net/blogs/dinis_cruz/archive/2005/11/17/92.aspx> last 
November (also posted on Full Disclosure 
<http://lists.grok.org.uk/pipermail/full-disclosure/2005-November/038869.html>)]

_______________________________________________


        Comment on Microsoft's leaked memos, and the unofficial end of
        Microsoft 'Trustworthy Computing'

The current Microsoft CTO (Ray Ozzie 
<http://spaces.msn.com/members/rayozzie/Blog/cns%211pyct_cYtbBtOBPDVAumMEdw%21147.entry>) 
and Bill Gates published two 'leaked' memos last week (you can read Bill 
Gates memo here <http://www.scripting.com/disruption/mail.html>, and 
Ray's memo here 
<http://www.scripting.com/disruption/ozzie/TheInternetServicesDisruptio.htm>, 
published by hypercamp <http://www.hypercamp.org/2005/11/09#a43> ) which 
generated some interesting comments:

    * Leaked Memos Point to a "Disrupted" Microsoft
      <http://redmondmag.com/news/article.asp?editorialsid=7030>

    * Robert Cringely thinks that they were leaked on purpose
      <http://www.pbs.org/cringely/pulpit/pulpit20051110.html> - I
      agree, nobody writes internal memos like this

    * Mini-Microsoft again hits hard with the analysis A Disruptive Defrag
      for Microsoft
      <http://minimsft.blogspot.com/2005/11/disruptive-defrag-for-microsoft.html>
      - note in the comments that some Microsofties are starting to lose
      patience with Mini (if only they knew who Mini-Microsoft is; read
      Everybody has their theories, but Mini-MSFT is...
      <http://blogs.msdn.com/jledgard/archive/2005/09/23/473511.aspx>
      for a post saying what I had thought before but didn't want to be
      the first to post: Mini-Microsoft is probably somebody quite
      important at Microsoft, if not BG himself)

Now, I did read the memos, and have to say that they show a good 
strategy in focusing on Services and highlight the fact that Microsoft 
has realized that their massive release and development cycles have to be 
replaced by simpler, effective, practical and *secure* services.

Talking about security, as news.com noted here (Gates memo: No mention 
of "trustworthy computing" 
<http://news.com.com/2061-10805_3-5942082.html>), one area on which there 
is barely any comment in these memos is security.

*First let's analyze Ray's mention of Security in his memo:*

/"....In 2000, in the waning days of the dot com bubble, we yet again 
reflected on our strategy and refined our direction.  After taking a 
more deliberative look at the internet and its implications for 
software, we came to the conclusion that the internet would go beyond 
browsing and should support programmability on a global scale.  We 
observed that certain aspects of our most fundamental platform -- the 
tools and services that developers use when building their software -- 
would not likely satisfy the emerging *security* and interoperability 
requirements of the internet.  So we embarked upon .NET, a 
transformative new generation of the platform and tools built around 
managed code, the XML format and web services programming model..."/

Hmm, I wonder if anybody has told Ray that 99% of .Net applications 
currently deployed have been created for Full Trust environments (which 
is insecure by default, insecure by design and insecure in deployment). 
I guess that he also doesn't know that most code that Microsoft produces 
today is still unmanaged and that the security advantages of the .Net 
framework can only exist in a Partially Trusted world (see my post What 
are the 'Real World' security advantages of the .Net Framework and the 
JVM? <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/03/5.aspx> 
and Gunnar Peterson's excellent follow-up .Net and Java "faith-based" 
security 
<http://1raindrop.typepad.com/1_raindrop/2005/11/net_and_java_fa.html>)

/"... Complexity kills.  It sucks the life out of developers, it makes 
products difficult to plan, build and test, it introduces *security* 
challenges, and it causes end-user and administrator frustration.  
Moving forward, within all parts of the organization, each of us should 
ask "What's different?", and explore and embrace techniques to reduce 
complexity...."/

Here, I completely agree, but I wonder then why isn't Microsoft giving 
us *SIMPLER* and *LESS COMPLEX* products? I want a simpler Windows 2000, 
2003 and XP (one without the stuff that I don't need), I want a simpler 
.Net Framework (one without the stuff that is not needed to execute the 
relevant application), I want a simpler IE (one with less privileges and 
able to handle malicious code).

The main cause of security issues today is complexity, and only by fully 
understanding an issue and all its connections and interdependencies 
can one secure it. This is what worries me about Vista: I see a lot of 
new 'Security Features' where I would prefer to see more *'Secure 
Features'* for Windows 2000, 2003 and XP (remember that XP SP2 was only 
successful from a security point of view because it didn't introduce 
any major new functionality). I have made some more comments about Vista 
here: Security in Longhorn: Focus on Least Privilege 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/14/70.aspx>

*And now let's look in Bill Gates' memo for references about security:*

....

none, zero.

Not one mention of Security.

Does this mean that for Microsoft the Security problems are all under 
control and their job is done?

The problem is that Microsoft might have solved quite successfully one 
category of security vulnerabilities (namely the high number of buffer 
overflows) but is not paying enough attention to the next wave of 
attacks and security vulnerabilities.

As the Sony rootkit issue has shown (which I blogged about here: 
Sony's DRM rootkit 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/07/31.aspx>, 
Follow up on Sony 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/10/39.aspx>, Sony 
stops rootkit production, ActiveX contains vulnerabilities and 'doing a 
sony' <http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/14/64.aspx> 
and Sony ActiveX massive vulnerabilities, CDs recall and 'Where were the 
AntiVirus?' 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/86.aspx>), the 
next wave of attacks will be caused by malicious code executed inside 
the computer.

Let me say this very clearly: *Our computer systems MUST be able to 
SECURELY EXECUTE MALICIOUS CODE!*

This is why I have been talking for two years now about the Security 
Vulnerabilities in Full Trust Asp.Net (see An 'Asp.Net' accident waiting 
to happen 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/80.aspx>, 
Microsoft must deliver 'secure environments' not tools to write 'secure 
code' 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/81.aspx>, My 
experience with the MSRC (Microsoft Security Response Center) 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/14/67.aspx>, Some 
comments to Misleading and False Information in: 'What ASP.NET 
Programmers Should Know About Application Domains' 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/82.aspx> , 
Microsoft's David Treadwell 'almost' admits the problem 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/16/84.aspx> , 
Some comments about 'The Six Dumbest Ideas in Computer Security' 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/14/68.aspx>, and 
my Owasp Presentations:  OWASP AppSec 2005 UK Presentation 
<http://www.owasp.org/docroot/owasp/misc/OWASP_UK_2005_Presentations/AppSec2005-Dinis_Cruz-Full_Trust_Asp.Net_Insecurity.ppt> 
and AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt 
<http://prdownloads.sourceforge.net/owasp/AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt?download>).

The only solution for the next wave of malicious code is to be able to 
execute it in secure run-time environments (i.e. Sandboxes), which will 
take a huge amount of work, re-engineering and commitment (the new tools 
in VS 2005 will help).

*But this will not happen until Microsoft acknowledges the problem* and 
says loud and clear at http://www.microsoft.com/security: *Full Trust 
.Net is a massive security issue and everybody needs to create 
applications (web and windows based) that execute in partially trusted 
environments* (here is where Microsoft is today on this issue: Current 
Microsoft info about CAS and Full Trust 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/03/7.aspx>).

And let's not forget that the CLR has not been audited by an independent 
team of security consultants (i.e. one without an NDA signed with 
Microsoft that limited what they could publish). During my /Rooting the 
CLR/ research I did some quick research into past JVM vulnerabilities 
and how they relate to the CLR, and was able to quickly find a Possible 
Type Confusion issue in .Net 1.1 (only works in Full Trust) 
<http://www.owasp.net/blogs/dinis_cruz/archive/2005/11/08/36.aspx>. 
Given the fact that SQL Server 2005 is now 100% dependent on the 
integrity of the CLR and BCL, isn't it about time that an independent 
security audit is performed?

Microsoft should learn from the current Sony DRM mess and prepare itself 
for the next wave of exploits (and that is just talking about the good 
guys: given the current Windows security model, without using a partially 
trusted environment, what choices do DRM makers have but to patch the 
kernel? For example, how can you protect a PDF file from being printed or 
copied if you don't enforce it at either the kernel level or in a System 
process?)

And if Microsoft is not able to make this move, I hope that the Java 
camp does it.

I also have very high hopes in the Mono project, since this (securely 
executing malicious/untrusted code) could be Mono's killer application 
(i.e. the one that makes everybody use it). Here are some links to Mono 
and Mono's CAS:

    * http://www.mono-project.com (main Mono website)
    * CAS - where we stand
      <http://pages.infinit.net/ctech/20051005-0314.html>
    * Code Access Security in Mono
      <http://tirania.org/blog/archive/2005/Apr-20.html>
    * Mono CAS Wiki <http://www.mono-project.com/CAS>
    * Mono Security Manager Part I - Using CAS permissions
      <http://pages.infinit.net/ctech/20050623-0432.html>

Hope somebody is listening

Dinis Cruz
Owasp .Net Project
www.owasp.net

_______________________________________________


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://krvw.com/pipermail/sc-l/attachments/20060512/2687177e/attachment.html 
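As an added example (not code from the post, from Microsoft or from the OWASP .Net Project), here is what the "partially trusted environment" the post keeps asking for looks like in C# on the .NET Framework 2.0 CAS sandbox API that shipped with VS 2005. The same piece of code is run twice: once in the default AppDomain under Full Trust, and once in an AppDomain whose grant set is Execution only, where the file read is refused. The UntrustedWorker class, the "sandbox" domain name and the choice of file to read are assumptions made for the illustration; the System.Security types and the AppDomain.CreateDomain overload are the real .NET Framework 2.0 API.

```csharp
// Added example, not code from the original post. Demonstrates the .NET
// Framework 2.0 Code Access Security sandbox: untrusted code loaded into an
// AppDomain granted only SecurityPermissionFlag.Execution cannot read a file
// that the same code reads without trouble under Full Trust.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Stands in for code we do not trust (a plugin, a downloaded component, an
// ASP.NET page). It lives in this assembly only to keep the example
// self-contained; the host loads it into the sandbox by assembly name.
// MarshalByRefObject lets the host call it across the AppDomain boundary.
public class UntrustedWorker : MarshalByRefObject
{
    public string TryReadFile(string path)
    {
        try
        {
            // File.ReadAllBytes demands FileIOPermission(Read) for the path.
            // Under Full Trust the demand succeeds. In the sandbox the stack
            // walk meets this assembly's Execution-only grant and throws.
            return "read " + File.ReadAllBytes(path).Length + " bytes";
        }
        catch (SecurityException)
        {
            return "blocked by CAS";
        }
    }
}

public static class Host
{
    // Grant set for the sandbox: the right to run managed code and nothing
    // else. No FileIOPermission, no UnmanagedCode, no Reflection, no UI.
    public static PermissionSet MinimalGrant()
    {
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(
            new SecurityPermission(SecurityPermissionFlag.Execution));
        return grant;
    }

    public static AppDomain CreateSandbox()
    {
        AppDomainSetup setup = new AppDomainSetup();
        // Assemblies are resolved relative to ApplicationBase. The host's own
        // directory is used here so the example finds itself; a real host
        // would point this at the plugin directory instead.
        setup.ApplicationBase = AppDomain.CurrentDomain.BaseDirectory;

        // .NET 2.0 "simple sandbox" overload: every assembly loaded into the
        // domain receives exactly this grant set, except assemblies whose
        // strong names are passed in the (here omitted) full-trust list.
        return AppDomain.CreateDomain("sandbox", null, setup, MinimalGrant());
    }

    public static void Main()
    {
        // A file that certainly exists: this program's own executable.
        // Assembly.Location itself demands a permission, so it is read here
        // in the full-trust host and passed into the sandbox as a string.
        string path = typeof(Host).Assembly.Location;

        // Full Trust: what practically every deployed .NET application runs as.
        Console.WriteLine("full trust: " + new UntrustedWorker().TryReadFile(path));

        // Partial trust: same type, same call, different grant set.
        AppDomain sandbox = CreateSandbox();
        UntrustedWorker worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
            typeof(UntrustedWorker).Assembly.FullName,
            typeof(UntrustedWorker).FullName);
        Console.WriteLine("sandbox:    " + worker.TryReadFile(path));

        AppDomain.Unload(sandbox);
    }
}
```

The boundary is only as strong as the grant set and the full-trust code reachable from inside it: adding SecurityPermissionFlag.UnmanagedCode to the grant, or exposing a strong-named full-trust assembly marked AllowPartiallyTrustedCallers that does not demand permissions of its own, hands the sandboxed code a way out. For ASP.NET the equivalent switch is the `<trust level="Medium" />` element in web.config; the default of Full is exactly the state the post complains about. Note that CAS sandboxing exists only in the .NET Framework; .NET Core and later dropped it, and process-level isolation is the sandboxing primitive there.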

