[Due to the relevance to the current discussion on the Java Verifier, here is a blog entry that I wrote last November (also posted on Full Disclosure)]
_______________________________________________
The current Microsoft CTO (Ray Ozzie) and Bill Gates published two 'leaked' memos last week (you can read Bill Gates' memo here, and Ray's memo here, published by hypercamp), which generated some interesting comments:
Now, I did read the memos, and have to say that they show a good strategy in focusing on Services and highlight the fact that Microsoft has realized that their massive release and development cycles have to be replaced by simpler, effective, practical and secure services.
Talking about security, as news.com noted here (Gates memo: No mention of "trustworthy computing"), one area on which there is barely any comment in these memos is security.
First let's analyze Ray's mention of Security in his memo:
"...In 2000, in the waning days of the dot com bubble, we yet again reflected on our strategy and refined our direction. After taking a more deliberative look at the internet and its implications for software, we came to the conclusion that the internet would go beyond browsing and should support programmability on a global scale. We observed that certain aspects of our most fundamental platform – the tools and services that developers use when building their software – would not likely satisfy the emerging security and interoperability requirements of the internet. So we embarked upon .NET, a transformative new generation of the platform and tools built around managed code, the XML format and web services programming model..."
Humm, I wonder if anybody has told Ray that 99% of .Net applications currently deployed have been created for Full Trust environments (which is insecure by default, insecure by design and insecure in deployment). I guess that he also doesn't know that most code that Microsoft produces today is still unmanaged and that the security advantages of the .Net framework can only exist in a Partially Trusted world (see my post What are the 'Real World' security advantages of the .Net Framework and the JVM? and Gunnar Peterson's excellent follow-up .Net and Java "faith-based" security).
"...Complexity kills. It sucks the life out of developers, it makes products difficult to plan, build and test, it introduces security challenges, and it causes end-user and administrator frustration. Moving forward, within all parts of the organization, each of us should ask “What’s different?”, and explore and embrace techniques to reduce complexity..."
Here, I completely agree, but I wonder then why Microsoft is not giving us SIMPLER and LESS COMPLEX products? I want a simpler Windows 2000, 2003 and XP (one without the stuff that I don't need), I want a simpler .Net Framework (one without the stuff that is not needed to execute the relevant application), I want a simpler IE (one with fewer privileges and able to handle malicious code).
The main cause today of security issues is complexity, and only by fully understanding an issue and all its connections and interdependencies can one secure it. This is what worries me about Vista: I see a lot of new 'Security Features' where I would prefer to see more 'Secure Features' for Windows 2000, 2003 and XP (remember that XP SP2 was only successful from a security point of view because it didn't introduce any major new functionality; I have made some more comments about Vista here: Security in Longhorn: Focus on Least Privilege).
And now let's look in Bill Gates' memo for references about security:
....
none, zero.
Not one mention of Security.
Does this mean that for Microsoft the Security problems are all under control and their job is done?
The problem is that Microsoft might have solved quite successfully one category of security vulnerabilities (namely the high number of buffer overflows) but is not paying enough attention to the next wave of attacks and security vulnerabilities.
As the Sony Rootkit issue has shown (which I blogged about here: Sony's DRM rootkit, Follow up on Sony, Sony stops rootkit production, ActiveX contains vulnerabilities and 'doing a sony' and Sony ActiveX massive vulnerabilities, CDs recall and 'Where were the AntiVirus?'), the next wave of attacks will be caused by malicious code executed inside the computer.
Let me say this very clearly: Our computer systems MUST be able to SECURELY EXECUTE MALICIOUS CODE!
This is why I have been talking for two years now about the Security Vulnerabilities in Full Trust Asp.Net (see An 'Asp.Net' accident waiting to happen, Microsoft must deliver 'secure environments' not tools to write 'secure code', My experience with the MSRC (Microsoft Security Response Center), Some comments to Misleading and False Information in: 'What ASP.NET Programmers Should Know About Application Domains', Microsoft’s David Treadwell 'almost' admits the problem, Some comments about 'The Six Dumbest Ideas in Computer Security', and my Owasp Presentations: OWASP AppSec 2005 UK Presentation and AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt).
The only solution for the next wave of malicious code is to be able to execute it in secure run-time environments (i.e. Sandboxes), which will take a huge amount of work, re-engineering and commitment (the new tools in VS 2005 will help).
But this will not happen until Microsoft acknowledges the problem and says loud and clear at http://www.microsoft.com/security: Full Trust .Net is a massive security issue and everybody needs to create applications (web and Windows based) that execute in partially trusted environments (here is where Microsoft is today on this issue: Current Microsoft info about CAS and Full Trust).
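As an added illustration of the Full Trust versus Partial Trust distinction the post keeps returning to (my own example, not code from the post or from Microsoft), the C# host below runs the same file-writing method once inside a sandboxed AppDomain granted only Execution permission and once in the default Full Trust domain. It assumes the .NET Framework CLR with CAS (the CreateDomain overload taking a PermissionSet, available from .NET 2.0); CAS does not exist on .NET Core and later, so the sandbox has no effect there.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;

// Runs inside the sandbox; MarshalByRefObject lets the host call it across the
// AppDomain boundary while it executes under the sandbox's grant set.
public class UntrustedWorker : MarshalByRefObject
{
    public string TryWriteFile(string path)
    {
        try
        {
            File.WriteAllText(path, "written by worker");
            return "write succeeded";
        }
        catch (SecurityException)
        {
            // The FileIOPermission demand inside File.WriteAllText failed.
            return "write blocked by CAS";
        }
    }
}

public static class SandboxHost
{
    // Create a partial-trust AppDomain whose grant set is Execution only.
    public static AppDomain CreateSandbox(string appBase)
    {
        AppDomainSetup setup = new AppDomainSetup();
        setup.ApplicationBase = appBase;
        PermissionSet grant = new PermissionSet(PermissionState.None);
        grant.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
        // The PermissionSet becomes the grant set of every assembly loaded here.
        return AppDomain.CreateDomain("PartialTrustSandbox", null, setup, grant);
    }

    public static void Main()
    {
        string appBase = Path.GetDirectoryName(typeof(SandboxHost).Assembly.Location);
        AppDomain sandbox = CreateSandbox(appBase);
        UntrustedWorker sandboxed = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
            typeof(UntrustedWorker).Assembly.FullName, typeof(UntrustedWorker).FullName);
        string target = Path.Combine(Path.GetTempPath(), "cas-demo.txt");
        Console.WriteLine("Partial Trust: " + sandboxed.TryWriteFile(target));
        // The same method in the default (Full Trust) domain is unrestricted.
        Console.WriteLine("Full Trust:    " + new UntrustedWorker().TryWriteFile(target));
        AppDomain.Unload(sandbox);
    }
}
```

The sandboxed call reports "write blocked by CAS" while the Full Trust call writes the file, which is the whole point: the code is identical, only the grant set of the domain it runs in differs.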
And let's not forget that the CLR has not been audited by an independent team of security consultants (i.e. one without an NDA signed with Microsoft that limited what they could publish). During my Rooting the CLR research I did some quick research on past JVM vulnerabilities and how they relate to the CLR, and was able to quickly find a Possible Type Confusion issue in .Net 1.1 (only works in Full Trust).
Given the fact that SQL Server 2005 is now 100% dependent on the
integrity of the CLR and BCL, isn't it about time that an independent
security audit is performed?
Microsoft should learn from the current Sony DRM mess and prepare itself for the next wave of exploits (just talking about the good guys: given the current Windows security model, without using a partially trusted environment, what choices do DRM makers have but to patch the kernel? For example, how can you protect a PDF file from being printed or copied if you don't enforce it at either kernel level or System Process?).
And if Microsoft is not able to make this move, I hope that the Java
camp does it.
I also have very high hopes in the Mono project since this (securely executing malicious/untrusted code) could be Mono's killer application (i.e. the one that makes everybody use it). Here are some links to Mono and Mono's CAS:
Hope somebody is listening
Dinis Cruz
Owasp .Net Project
www.owasp.net
_______________________________________________