Full Disclosure mailing list archives

Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'


From: "Dinis Cruz" <dinis () ddplus net>
Date: Thu, 17 Nov 2005 16:54:59 -0500

[item originally posted yesterday at my Owasp .Net blog (http://owasp.net/blogs/dinis_cruz/archive/2005/11/17/92.aspx) 
note the comments about Sony's Rootkit case]

The current Microsoft CTO (Ray Ozzie) and Bill Gates published two 'leaked' memos last week (you can read Bill Gates' 
memo here, and Ray's memo here, published by hypercamp) which generated some interesting comments:  

Leaked Memos Point to a "Disrupted" Microsoft  

Robert Cringely thinks that they were leaked on purpose - I agree, nobody writes internal memos like this  

Mini-Microsoft hits again with a hard analysis in A Disruptive Defrag for Microsoft - note in the comments that some 
Microsofties are starting to lose patience with Mini (if only they knew who Mini-Microsoft is; read Everybody has 
their theories, but Mini-MSFT is... for a post saying what I had thought before but didn't want to be the first to 
post: Mini-Microsoft is probably somebody quite important at Microsoft, if not BG himself)    

Now, I did read the memos, and have to say that they show a good strategy in focusing on Services and highlight the 
fact that Microsoft has realized that their massive release and development cycles have to be replaced by simpler, 
effective, practical and secure services.

Talking about security, as news.com noted here (Gates memo: No mention of "trustworthy computing"), one area on which 
there is barely any comment in these memos is security.

First let's analyze Ray's mention of Security in his memo:

"....In 2000, in the waning days of the dot com bubble, we yet again reflected on our strategy and refined our 
direction.  After taking a more deliberative look at the internet and its implications for software, we came to the 
conclusion that the internet would go beyond browsing and should support programmability on a global scale.  We 
observed that certain aspects of our most fundamental platform - the tools and services that developers use when 
building their software - would not likely satisfy the emerging security and interoperability requirements of the 
internet.  So we embarked upon .NET, a transformative new generation of the platform and tools built around managed 
code, the XML format and web services programming model..."

Humm, I wonder if anybody has told Ray that 99% of .Net applications currently deployed have been created for Full 
Trust environments (which are insecure by default, insecure by design and insecure in deployment). I guess that he also 
doesn't know that most code that Microsoft produces today is still unmanaged and that the security advantages of the 
.Net framework can only exist in a Partially Trusted world (see my post What are the 'Real World' security advantages of 
the .Net Framework and the JVM? and Gunnar Peterson's excellent follow-up .Net and Java "faith-based" security)

"... Complexity kills.  It sucks the life out of developers, it makes products difficult to plan, build and test, it 
introduces security challenges, and it causes end-user and administrator frustration.  Moving forward, within all parts 
of the organization, each of us should ask "What's different?", and explore and embrace techniques to reduce 
complexity...."

Here, I completely agree, but I wonder then why Microsoft is not giving us SIMPLER and LESS COMPLEX products? I want a 
simpler Windows 2000, 2003 and XP (one without the stuff that I don't need), I want a simpler .Net Framework (one 
without the stuff that is not needed to execute the relevant application), I want a simpler IE (one with fewer privileges 
and able to handle malicious code).

The main cause today of security issues is complexity, and only by fully understanding an issue and all its connections 
and interdependencies can one secure it. This is what worries me about Vista: I see a lot of new 'Security Features' 
where I would prefer to see more 'Secure Features' for Windows 2000, 2003 and XP (remember that XP SP2 was only 
successful from a security point of view because it didn't introduce any major new functionality (I have made some 
more comments about Vista here: Security in Longhorn: Focus on Least Privilege))

And now let's look in Bill Gates' memo for references about security:

....

none, zero.

Not one mention of Security.

Does this mean that for Microsoft the Security problems are all under control and their job is done?

The problem is that Microsoft might have solved quite successfully one category of security vulnerabilities (namely the 
high number of buffer overflows) but is not paying enough attention to the next wave of attacks and security 
vulnerabilities.

As the Sony Rootkit issue has shown (which I blogged about here: Sony's DRM rootkit, Follow up on Sony, Sony stops 
rootkit production, ActiveX contains vulnerabilities and 'doing a sony' and Sony ActiveX massive vulnerabilities, CDs 
recall and 'Where were the AntiVirus?'), the next wave of attacks will be caused by malicious code executed inside the 
computer.

Let me say this very clearly: Our computer systems MUST be able to SECURELY EXECUTE MALICIOUS CODE!

This is why I have been talking for two years now about the Security Vulnerabilities in Full Trust Asp.Net (see An 
'Asp.Net' accident waiting to happen, Microsoft must deliver 'secure environments' not tools to write 'secure code', My 
experience with the MSRC (Microsoft Security Response Center), Some comments to Misleading and False Information in: 
'What ASP.NET Programmers Should Know About Application Domains', Microsoft's David Treadwell 'almost' admits the 
problem, Some comments about 'The Six Dumbest Ideas in Computer Security', and my Owasp Presentations: OWASP AppSec 
2005 UK Presentation and AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt).

The only solution for the next wave of malicious code is to be able to execute it in secure run-time environments 
(i.e. Sandboxes), which will take a huge amount of work, re-engineering and commitment (the new tools in VS 2005 will 
help). 

But this will not happen until Microsoft acknowledges the problem and says loud and clear at 
(http://www.microsoft.com/security): Full Trust .Net is a massive security issue and everybody needs to create 
applications (web and windows based) that execute in partially trusted environments (here is where Microsoft is today 
on this issue: Current Microsoft info about CAS and Full Trust).

And let's not forget that the CLR has not been audited by an independent team of security consultants (i.e. one without 
an NDA signed with Microsoft that limited what they could publish). During my Rooting the CLR research I did some quick 
research into past JVM vulnerabilities and how they relate to the CLR, and was able to quickly find a Possible Type 
Confusion issue in .Net 1.1 (only works in Full Trust). Given the fact that SQL Server 2005 is now 100% dependent on 
the integrity of the CLR and BCL, isn't it about time that an independent security audit is performed?

Microsoft should learn from the current Sony DRM mess and prepare itself for the next wave of exploits (just talking 
about the good guys: given the current windows security model, without using a partially trusted environment what 
choices do DRM makers have but to patch the kernel? (for example: how can you protect a PDF file from being printed or 
copied if you don't enforce it at either kernel level or System Process?)) 

And if Microsoft is not able to make this move, I hope that the Java camp does it.

I also have very high hopes in the Mono project since this (securely executing malicious/untrusted code) could be Mono's 
killer-application (i.e. the one that makes everybody use it). Here are some links to Mono and Mono's CAS:
   http://www.mono-project.com (main mono website)
   CAS - where we stand
   Code Access Security in Mono
   Mono CAS Wiki
   Mono Security Manager Part I - Using CAS permissions  

Hope somebody is listening
  Dinis Cruz
 Owasp .Net Project
 www.owasp.net
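Added example (not part of the post above, and not Microsoft's or Mono's code): a small C# program that shows the difference the post is talking about between Full Trust and a partially trusted frame in the .NET Framework Code Access Security (CAS) model. The same file read is attempted twice: once under the Full Trust the process has by default, and once with the calling frame restricted to the Execution permission only via PermitOnly, so that the FileIOPermission demand made by File.ReadAllText fails its stack walk. The temp file and its contents are constructed for the demonstration; the code assumes .NET Framework 2.0 to 4.x (CAS policy and stack-walk modifiers are not enforced on .NET Core / .NET 5+).

```csharp
// Added example (not from the original post). Demonstrates a CAS stack walk:
// a frame restricted with PermitOnly blocks demands its callees make.
// Assumes .NET Framework 2.0-4.x; CAS is not enforced on .NET Core / .NET 5+.
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

static class CasDemo
{
    // Attempts to read the file. Returns true if the read succeeded,
    // false if CAS refused the FileIOPermission demand.
    static bool TryRead(string path)
    {
        try
        {
            File.ReadAllText(path);   // demands FileIOPermission(Read) via a stack walk
            return true;
        }
        catch (SecurityException)
        {
            return false;
        }
    }

    // Runs the same read with nothing but the Execution permission on this frame.
    // Any demand walking through this frame that is not in 'grant' fails.
    static bool ReadUnderPartialTrust(string path)
    {
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        grant.PermitOnly();
        try
        {
            return TryRead(path);
        }
        finally
        {
            CodeAccessPermission.RevertPermitOnly();   // always undo the modifier
        }
    }

    static void Main()
    {
        // Constructed input: an ordinary readable file owned by the current user.
        string tmp = Path.GetTempFileName();
        File.WriteAllText(tmp, "constructed sample content");

        // Under Full Trust the read is allowed: there is nothing the runtime will refuse.
        Console.WriteLine("Full Trust read:    " + (TryRead(tmp) ? "allowed" : "blocked"));

        // Under the restricted frame the identical call is blocked by the CLR itself,
        // without any cooperation from the code doing the reading.
        Console.WriteLine("Partial Trust read: " + (ReadUnderPartialTrust(tmp) ? "allowed" : "blocked"));

        File.Delete(tmp);
    }
}
```

The point of the contrast is the one the post makes: in Full Trust the runtime enforces nothing, so the only thing standing between a hosted component and the file system is the component's own good behaviour, whereas with a reduced permission set the enforcement is done by the CLR and does not depend on the hosted code cooperating. PermitOnly is used here because it works on a single frame inside an ordinary console program; a real host would instead create a separate AppDomain whose grant set is the reduced permission set, so that the restriction covers the whole untrusted assembly rather than one call chain.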


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
