Re: Support the Sasser-author fund started

[Alexander Schreiber <als () thangorodrim de>]

On Tue, May 18, 2004 at 11:01:32PM +1200, Nick FitzGerald wrote:
> Alexander Schreiber <als () thangorodrim de> to me:
>
> > Sorry, in a networked world, C2 ist just a bad joke.  ...
>
> Well, at least "weak"...
>
> > ...  Keep in mind, that
> > you do not get a blank certificate for 'this OS', but the certification
> > always is for the full OS/hardware combo. No, you can't purchase the
> > hardware for C2 certified NT anymore (not new, anyway). Even so, it was
> > a specially patched ...
>
> Really??
>
> I heard it was just a specially prepared machine -- network card, 
> floppy drive pulled, much non-default configuratiuon tweaking, etc.

According to  what I read, it was NT 3.51 with a special service pack 
for this purpose.

> > ...  Windows NT 3.51 that got certified on a (AFAIR)
> > specific Compaq machine. It hat no network card (absolutely great - most
> > Windows security problems could be avoided by ripping out the network
> > cards - too bad that this is unrealistic because it would pretty much
> > reduce the usefulness of the machines to almost zero), no floppy drive,
> > no printer - the only way to get data in was keyboard & mouse, the only
> > way to get data out was the screen. The printer spool system was
> > disabled. The Windows system directory was read-only (not allowing your
> > users to overwrite the system installation is computer security 101, but
> > this _is_ windows, after all) making the installation of MS Office
> > (which wants to dump a metric crapload of stuff there), unfortunately,
> > impossible.  ...
>
> Hmmm -- you're not another "know it all" user/admin who does not know 
> about "setup -a" installs?  (Of course, in a modestly well secured 
> Windows system, a user is expected not to be able to install a complex 
> piece of s/w like Office, so doing this as admin and getting the 
> configuration right is the job of the system admin, not the user...)

In a properly secured system, the user has neither reason nor permission
(administrative and technical) to install anything - thats what the
sysadmin is for. Allowing users to install stuff at random just leads to
spending a lot of time fixing unnecessary problems. 

In a former job, I started to tighten the W2K installs a bit, only to
find out that certain applications would only run with elevated
privileges for the users and just die quietly when run under normal user
accounts - they most likely stumbled over not being able to write to
certain files, but I then didn't have the time to check it out with a
Windows equivalent for strace.

I fortunately no longer have to deal with Windows as an admin.

> BTW, from _extensive_ experience in a university lab setup, the only 
> major problem with Office (95) on NT 3.x systems with "proper" ACL'ing 
> of user and non-user disk areas was that the $%^&%-ing "wizards" in the 
> online help were done by an engine that was hard-coded to write 
> temporary files into the system dir and would fail if it could not 
> write those files.  (MS tech support had no idea what we were talking 
> about when we told them this feature, so widely touted by their sales-
> droids in the Office 95 promos, would not work in a "properly secured" 
> NT setup and a colleague told me one of then actually told him to "fix" 
> the problem by gicing everyone full access to the system dir -- if that 
> tech had been talking to me I'd have been talking very strongly with 
> his supervisor within a few seconds).  We simply told the lecturers 
> (profs in the US) and tutors teaching the classes that used Word to 
> _not_ mention wizards nor expect them to work -- thank-you Microsoft!)

I know that NT and descendants _can_ be properly secured, given an admin
who knows exactly what he is doing and sufficient time - I see our
windows staff doing it. But I _also_ noticed that its a job that, in my
opinion, is a _lot_ harder than locking down a typical UNIX system.
There are just too damn many "helpful" automatics there. You think
you've locked down all network and similiar interfaces ... along comes
somebody with a mobile phone and IR interface and *brrrring* "Windows
has detected an IR device, installing drivers ..." - _that_ one made our
Windows folks curse when we (UNIX staff) tried it. Yes, they got it
locked down now too.

As I wrote, the system _can_ be locked down nicely (and in theory,
probably better than a typical UNIX), but the default configuration is a
desaster. Its too damn open even for corporate use (I'm _not_ talking
security critical stuff!), so you have to go and lock it down. Only to
discover that there are still a lot of monkeys out there programming
windows application who never heard about limited privileges and whose
programs simply crash and burn upon encountering EACCES or mumble about
self invented privilege names when they really mean "Hey, just run me as
Administrator and be done with it, pal, ok?" (yeah, great idea. not.).

> > ...  So you had a system where you could log on, play
> > minesweeper and log off again. Lots of use, that.
>
> Or, where a competent admin could install and rollout dozens and dozens 
> of applications, all appropriately ACL'ed down, after a few days 
> training (we even did systems installation rollouts that were entirely 
> handsfree after the boot disk login prompts had been answered...).



> Or are you talking about NT machines after they had been C2-ed?  Must 
> admit, never tried that -- we were interested in practical security, 
> not some pie-in-the-sky quasi-military stuff...

I'm talking about a C2-secured NT. Hmm, it seems at least Win2K does no
longer ship with the c2conv tool ;-)

> > Besides, the C2 stuff is rather tame, things like no object re-use
> > (clear all memory and disk blocks before handing them to another use,
> > don't re-use user-ids, ...), auditing, identify users (no open system,
> > user have to log in - what everybody else was doing for 30 years at this
> > time), discretionary access control (think chmod - again, what others
> > were doing since probably 30 years then), protected system mode of
> > operation (read: your users are not supposed to able to overwrite kernel
> > memory at will) which is really old stuff too. So, while the marketing 
> > department got a nice spin out of it, everybody with a clue just 
> > shrugged and said "So, you've discovered sliced bread too? What an 
> > _amazing_ discovery, isn't it?".
> >
> > Keep in mind that _high_ grade security (things like mandatory access
> > control, security labels, security levels (and making sure there is no
> > downwriting) and so on) has been understood at this point for quite 
> > some time. Some of this work even went back to the time of MULTICS,
> > which started life in 1965 and was the first OS to get a B2 rating in
> > 1985. And B2 is already really interesting.
>
> Yeah, yeah.  I know all that.  However, note I was responding to a 
> rather ill-informed comment along the line "*nix was always better 
> because Windows can't <a list of things what NT _could_ do>".
>
> So, while I fully appreciate that C2-ish security is not actually much 
> security, it is at or above the level that NT is (was?) capable of and 
> thus beyond where most *nix-ish OSes could ever get certified.
>
> Don't get me wrong -- I'm not defending MS' entirely shoddy effort on 
> the security side of things, but in many senses MS is clearly no worse 
> than that which its traditional loudest critics prefer.
>
> (In fact, IIRC, it was not long after NT's C2 certification was 
> announced that the first "userland to Ring-0" privilege escalation in 
> NT was publicly disclosed, so the quality of what C2 testing was all 
> about was drawn into serious question too...)

C2 testing as such wasn't at fault - they certainly earned that
certification honest enough. The problem is that C2 does _not_ guarantee
you a system free of critical bugs. For that, you basically need a 
A1 - verified protection - certification. And this is _very_ hard, since
it requires - layered on top of everything else below - "Formal methods
and proof of integrity of TCB", i.e. you basically have to formally
prove the correctness of your TCB. You can't "engineer it in later",
a system has to designed right from the start for this.

Regards,
      Alex.
-- 
"Opportunity is missed by most people because it is dressed in overalls and
 looks like work."                                      -- Thomas A. Edison

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html