Secure Coding mailing list archives

Unclassified NSA document on .NET 2.0 Framework Security


From: steingra at gmail.com (Andy Steingruebl)
Date: Tue, 25 Nov 2008 10:57:14 -0800

On Tue, Nov 25, 2008 at 9:48 AM, Gunnar Peterson <gunnar at arctecgroup.net> wrote:


but actually the main point of my post and the one I would like to
hear people's thoughts on - is to say that attempting to apply the
principle of least privilege in the real world often leads to drilling
dry wells. I am not blaming any group in particular; I am saying I
think it is in the "too hard" pile for now and we as software security
people should not be advocating for it until or unless we can find
cost-effective ways to implement it.


I'd love to hear someone from Microsoft talk about the creation of default,
ready-for-shipping service security profiles for Server 2008. Windows has
lots of services and lots of privileges that can be configured.

Every paper I've generally seen on the subject is about reverse engineering
least privileges by reducing them, checking whether the software still
functions, looking for access violations, and then increasing the privileges
until things start working.  A lot like this Calvin and Hobbes comic:

CALVIN: How do they know the load limit on bridges, Dad?
DAD: They drive bigger and bigger trucks over the bridge until it breaks.
Then they weigh the last truck and rebuild the bridge.

This is what we do with least privilege, but without ever knowing whether
we've really gotten the least privileges, or not.  Hell, in a modern
operating system how the hell do you figure this out anyway?

- Andy
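The reduce-and-retest loop described in the post above, as an added example that is not part of the original message or of any Microsoft tooling: a simulated service whose code paths each need a fixed set of privileges (constructed placeholder names, not real Windows privilege constants), a greedy minimizer that drops one privilege at a time and reruns the workload, and a final check that shows the caveat raised in the post: the surviving set is only "least" for the code paths the test workload actually exercised.

```python
"""Iterative privilege minimization: drop a privilege, rerun the workload,
watch for access violations, put the privilege back if anything broke.
Everything below is a constructed simulation, not a real service."""
from typing import Callable, Dict, FrozenSet, Iterable, List, Tuple

Privilege = str

# Constructed service model: each code path needs a fixed set of privileges.
# The names are placeholders chosen for this example, not real OS privilege names.
SIMULATED_CODE_PATHS: Dict[str, FrozenSet[Privilege]] = {
    "startup":        frozenset({"read_config", "bind_port", "write_log"}),
    "serve_request":  frozenset({"write_log", "impersonate_client"}),
    "nightly_backup": frozenset({"backup_files", "write_log"}),
}

# What the (constructed) installer grants by default: deliberately over-privileged.
DEFAULT_GRANT: FrozenSet[Privilege] = frozenset({
    "read_config", "bind_port", "write_log", "impersonate_client",
    "backup_files", "debug_processes", "load_driver", "shutdown_system",
})


def run_workload(granted: FrozenSet[Privilege], paths: Iterable[str]) -> List[str]:
    """Exercise `paths` under the `granted` privilege set and return the access
    violations observed as "path:privilege" strings. An empty list means success."""
    violations: List[str] = []
    for path in paths:
        for needed in sorted(SIMULATED_CODE_PATHS[path]):
            if needed not in granted:
                violations.append(f"{path}:{needed}")
    return violations


def minimize_privileges(
    start: FrozenSet[Privilege],
    workload: Callable[[FrozenSet[Privilege]], List[str]],
) -> Tuple[FrozenSet[Privilege], int]:
    """Greedy one-at-a-time reduction (the 'bigger trucks' loop): remove a
    privilege, rerun the workload; keep it removed only if no violation appeared.
    Returns the surviving privilege set and the number of workload runs used."""
    if workload(start):
        raise ValueError("workload fails even with the starting grant")
    current = set(start)
    runs = 0
    for priv in sorted(start):  # deterministic order for reproducible results
        trial = frozenset(current - {priv})
        runs += 1
        if not workload(trial):
            current = set(trial)   # nothing broke, so the privilege stays dropped
    return frozenset(current), runs


def minimal_for(paths: List[str]) -> FrozenSet[Privilege]:
    """Convenience wrapper: the minimized grant for a given test workload."""
    minimized, _ = minimize_privileges(DEFAULT_GRANT, lambda g: run_workload(g, paths))
    return minimized


if __name__ == "__main__":
    tested = ["startup", "serve_request"]          # what the test plan exercised
    minimized, runs = minimize_privileges(
        DEFAULT_GRANT, lambda g: run_workload(g, tested))
    print(f"{len(DEFAULT_GRANT)} -> {len(minimized)} privileges after {runs} runs:")
    print("  ", sorted(minimized))
    # The caveat: a code path the test never reached fails in production.
    print("untested path under the minimized grant:",
          run_workload(minimized, ["nightly_backup"]))
```

The minimizer only proves that every privilege it kept was needed by some exercised path; it cannot see the privileges that paths it never reached would need, which is exactly why the result is hard to trust without knowing the workload's coverage.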