Slashdot Mirror


Microsoft's Larry Osterman On Threat Modeling

Schneier has pointed out an excellent series of blog posts about threat modeling by Microsoft's Larry Osterman. The series focuses on the PlaySound API as an example. "As you go about filling in the threat model threat list, it's important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customer's machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."

113 comments

  1. Standard Microsoft Threat Modeling Dialog by eldavojohn · · Score: 3, Funny

    Consumer: My company doesn't need Vista, we're using Linux which has about the same amount of bumps and hiccups.
    Microsoft: You mean you're using an operating system that validates over 450 of our patents?
    Consumer: Well, I know that isn't true but ...
    Microsoft: But it'd be a shame if your company was ever engaged with our world class legal team instead of being a 'partner' with the largest software maker ever?
    Consumer: But we only have 20 employees.
    Microsoft: We know--perhaps you'd be interested in purchasing a copy of our lap dog here, Novell's SUSE?
    Consumer: But we already use Red Hat ...
    Microsoft: We heavily suggest you re-evaluate SUSE and when you do your trade study please do note that it's the only Microsoft Certified Genuine Linux. Also, it would be a shame if we had to exercise our patent portfolio on Red Hat and subsequently ... well, no reason to get into details. Have a nice day!

    --
    My work here is dung.
    1. Re:Standard Microsoft Threat Modeling Dialog by Anonymous Coward · · Score: 0

      'validates' should be 'violates'

      ARGH! Out of coffee!!!!

    2. Re:Standard Microsoft Threat Modeling Dialog by pembo13 · · Score: 1

      One can only hope that such never takes place. But posters are always quick to remind others that businesses are profit oriented only, yet seemingly reluctant to believe that such conversations are likely.

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    3. Re:Standard Microsoft Threat Modeling Dialog by Anonymous Coward · · Score: 2, Funny

      Given that the article talks about the audio api, it probably went more like this:

      Threat: User may play a song without paying for it.
      Mitigation: Render the internet useless while playing music.

      Threat: User may complain about the network being crippled while playing music.
      Mitigation: Blame hardware, blame drivers, then make up some excuse that playing audio requires super-low latency priority for the audio playing app and the network is sacrificed to ensure smooth playback.

      Threat: User may notice that the network is not crippled when playing video with audio and complain that the argument about priority is bogus, etc.
      Mitigation: Ignore any users that claim this while rolling out a patch to cripple the network when playing video, then return to blaming hardware and/or drivers.

    4. Re:Standard Microsoft Threat Modeling Dialog by packetmon · · Score: 1

      Slashdotter: Windows!@ You obviously didn't RTFM or the FP we don't do Windows here
      Microsoft: You obviously are spending too much time on forums, games and caffeine... Did you know Vista..
      Slashdotter: I don't live in San Diego...
      Microsoft: No, not the town, I mean Vista...
      Slashdotter: dewd!!!!!!! I don't even speak Spanish
      Microsoft: *gives up*

    5. Re:Standard Microsoft Threat Modeling Dialog by frank_adrian314159 · · Score: 1
      Consumer: Google?

      Microsoft: ?? [Throws chair...]

      --
      That is all.
  2. That's got to be a hell of a job by Skyshadow · · Score: 5, Insightful

    Try to imagine this guy's work day: He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.

    Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

    As much as it's fun to give MS shit for their products, I think I'd last about two hours in that position before I went into the executive washroom and slashed my wrists.

    --
    Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
    1. Re:That's got to be a hell of a job by ScytheBlade1 · · Score: 2, Informative

      I've got his RSS feed in my RSS reader (http://blogs.msdn.com/larryosterman/rss.xml). I enjoy reading about the details of what goes on inside of MS, and I really do enjoy getting the story straight from the horse's mouth. For example, the whole "playing a video kills my network performance" thing. Slashdot is, well, Slashdot. It'll spin it how it wants to.

      Larry started doing this threat modeling bit a while back, as the first article is dated some time ago. He's taken his time, and demonstrated what to do and how to do it in great detail. It's perfectly clear that he actually knows how to program things, correctly. And securely. This series of posts on threat modeling was wonderfully insightful into how things should be done.

      Just because it's MS doesn't mean that it needs to be senselessly bashed. This would be one of the reasons as to why it shouldn't be. This guy knows what he's doing, and he does it well. Gasp, he works for MS.

    2. Re:That's got to be a hell of a job by pembo13 · · Score: 1, Insightful

      well, they built that type of user, they get to deal with it

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    3. Re:That's got to be a hell of a job by beckerist · · Score: 2, Informative

      Meh, I'm a newb to advanced security. For the rest of you (like me:) http://en.wikipedia.org/wiki/Threat_model

      Basically, in a nutshell, a "threat model" is a designers / programmers way of saying "all potential flaws in our application." An example: a 1 meter hole in the side of the Death Star.
      Just thought I'd pass that along as I learned it...eh...3 minutes ago.

    4. Re:That's got to be a hell of a job by beckerist · · Score: 1

      Actually, I can be more concise: it's a way of LOOKING at your application (or creation, period) and trying to discern all potential ways of attacking it. It's not necessarily a list of bugs, but a list of potential ways to find or exploit the "bugs" in the system.
      --beckerist

    5. Re:That's got to be a hell of a job by suv4x4 · · Score: 1

      Try to imagine this guy's work day: He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.

      Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

      As much as it's fun to give MS shit for their products, I think I'd last about two hours in that position before I went into the executive washroom and slashed my wrists.


      Uhmm, dude, you're giving him way too many props. I don't know anything about the guy in PARTICULAR; he's probably a great professional, and does his job very well.

      I, as an average web dev, have to deal with similar security issues every time I design a simple site with a CMS. What user types do I have? What does each type do? How do I make it flexible for the limited users to do their job but not mess with stuff that might prove problematic?

      And I don't have the convenience of Ring 0, 1, 2 or built-in system ACL for any of this. I code it from scratch, since on the web, the existing systems are either outdated, messy (don't wanna touch ready-made PHP CMS with a twenty foot pole), insecure, have too much of the wrong features or not enough of the right ones. Or a combination of all those.

      Also, not to turn it into a flamewar, so I'll try to express myself subtly. If this guy was setting the default security for Windows so far (oversimplified, but just an example), then he was waaay on the one extreme with Windows 95/98/ME/2000, hit a sweet spot with Windows XP SP2, and got waaaaay on the other extreme with Vista.

      Someone didn't do their job quite right on those defaults and features there.

    6. Re:That's got to be a hell of a job by suv4x4 · · Score: 1

      Just because it's MS doesn't mean that it needs to be senselessly bashed. This would be one of the reasons as to why it shouldn't be. This guy knows what he's doing, and he does it well. Gasp, he works for MS.

      He may know what he's doing, but here's what he has to say about his colleagues in Microsoft:


      "Developers tend to think in terms of what a customer needs. But many times, the things that make things really cool for a customer provide a superhighway for the bad guy to attack your code."

      "It's ad-hoc. Microsoft asks every single developer and program manager to threat model (because they're the ones who know what the code is doing). Unfortunately that means that they're not experts on threat modeling."

      "I can't think of the number of times I had to tell developers on my team 'It doesn't matter that you've checked the value on the client, you still need to check it on the server because the client that's talking to your server might not be your code.'"
      :P

    7. Re:That's got to be a hell of a job by hxnwix · · Score: 1

      He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity. WARNING: This operation may or may not be vital and normal and correct / extremely dangerous and certain to result in fraud. Cancel/Allow?

      Indeed, this guy takes his job seriously and is proud of the fact that he has never copped out nor abdicated his responsibilities. We should also respect him for his excellent & highly informative work on theoretical physics titled This Exercise Left To The Reader.
    8. Re:That's got to be a hell of a job by everphilski · · Score: 1

      Meh, it's only the size of a womp rat.

    9. Re:That's got to be a hell of a job by Anonymous Coward · · Score: 0

      Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

      That's why it used to be the system administrator's job to change a bare operating system into something suitable for the application. Microsoft, in all its arrogance, thought they knew better.

      I wonder how many heart attacks MS has caused by this ..

    10. Re:That's got to be a hell of a job by blhack · · Score: 1

      "playing a video kills my network performance"

      I just want to let everybody know that I had this exact problem on several different Linux boxes running Gentoo. We (being me and the folks in #gentoo on freenode.net) finally figured out that it was due to an IRQ conflict between the soundcard and the wireless card.

      Remapping IRQs in the BIOS didn't fix it... so I sacrificed both cards to the thermite gods.
      --
      NewslilySocial News. No lolcats allowed.
    11. Re:That's got to be a hell of a job by sconeu · · Score: 1

      Can we put some plywood over it or something?

      --
      General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    12. Re:That's got to be a hell of a job by everphilski · · Score: 1

      eeeeeeh, it'll lower the resale value...

    13. Re:That's got to be a hell of a job by Anonymous Coward · · Score: 0

      Not to mention the tremendous strain of having to duck all those flying chairs!

  3. Double-plus ungood by Anonymous Coward · · Score: 1, Insightful

    I guess "threat mitigation" is more cost-effective than "writing code that doesn't suck".

    1. Re:Double-plus ungood by kamochan · · Score: 1

      It is, for the software vendor. The software vendor gets to push the cost of un-sucking the code to the consumers who actually need suck-less code. Of course the consumers never get that, they get to mitigate threats instead, which is almost as good. Sort of.

      Funny that "threat mitigation" doesn't exist in the aerospace industry...

    2. Re:Double-plus ungood by Mongoose+Disciple · · Score: 2, Interesting

      Funny that "threat mitigation" doesn't exist in the aerospace industry...

      What would you call passing through airport security to fly on a passenger aircraft?

      Airplanes typically don't stand up to serious attacks. I'm not sure where you're trying to go with this analogy.

    3. Re:Double-plus ungood by ThwartedEfforts · · Score: 1

      Yeah, this was covered in Fight Club.

    4. Re:Double-plus ungood by MeBot · · Score: 1

      Threat modeling is usually more of a review of a feature design, and less about individual lines of code. The point is there *will* be bugs in any reasonably complex piece of code... how do you design in such a way that when those bugs do surface (or some of your design assumptions are proven false) there isn't a vulnerability there. That's where threat mitigation comes in. Just look at the WMF vulnerability. No matter how good or bad the code was for that feature, the design was flawed and that's what caused the main issue.

    5. Re:Double-plus ungood by kamochan · · Score: 1

      Airplanes typically don't stand up to serious attacks. I'm not sure where you're trying to go with this analogy.

      I was actually thinking more of the space part of aerospace... sort of trying to make a point that when cost of software failure is sufficiently high, the software will be very rigorously un-sucked prior to launch. Whereas in non-space-exploration kind of thing the cost of failure is typically less than what decent testing would have cost in the first place -- except when people die, and stuff -- and in any case the cost is carried by the software user and not the vendor.

    6. Re:Double-plus ungood by swillden · · Score: 1

      Funny that "threat mitigation" doesn't exist in the aerospace industry...

      It damned well does. What mechanisms are in place to ensure that a malicious attacker can't take control of the avionics in-flight? What mechanisms exist to ensure that failure of one component doesn't crash the plane? What mechanisms exist to ensure that metal fatigue doesn't cause a wing to snap, since redundant wings to backstop the primary ones aren't practical?

      All of the above mechanisms -- some of which are implemented in software, some in hardware and some in maintenance processes -- are threat mitigation mechanisms, and the FAA has an extremely thorough and detailed model of the threats to aircraft security and reliability, with detailed requirements and processes in place to mitigate each significant threat. The TSA has some more, though I'm less confident of the rigor that has been applied to their modeling and countermeasures.

      Threat modeling is a reality in any mature industry where anything can go wrong (i.e. any industry). In many cases it doesn't have a formal name, but it's there nonetheless.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    7. Re:Double-plus ungood by drsmithy · · Score: 1

      Funny that "threat mitigation" doesn't exist in the aerospace industry...

      I think (hope) you have made a gross misinterpretation of the term "threat mitigation".

    8. Re:Double-plus ungood by Allador · · Score: 1

      Funny that "threat mitigation" doesn't exist in the aerospace industry

      Of course it does. Just because *gasp* a different industry doesn't use exactly the same terms doesn't mean the practice isn't there.

      Things like redundancy and backup systems are a perfect example of this. The threat analysis has to be done up front to understand what failures cause death, which cause inconvenience, and the redundancies and backup efforts go into those that have the more unfortunate outcome. Also just like software, system interdependency analysis is a big part of this.

      This is just basic logic. No engineer/designer/implementer can make everything perfect, everything perfectly redundant, and everything with perfect contingencies.

      And even if you could, it would weight-too-much-to-launch/be-too-bloated-to-use.

      Heck, even the engineering differences between USSR and USA aerospace are a perfect example of two divergent points on that spectrum. The US folks would tend to get much closer to perfect across the whole artifact, and at 100x the cost. The Russian folks would take a much more tightly targeted optimization, and only do that work where absolutely critical, at some loss of perfection/redundancy.

      A great example of this was the MiGs vs US jets. The US folks would create a nearly perfect aerodynamic surface across the whole craft. The Russians, however, would do the aerodynamic tests, and only optimize the points on the craft that were the most critical. Other parts still had bolt heads sticking out and such.

      (mind you, I'm horribly paraphrasing this study which I read many many years ago, but the gist is there)
  4. Pity about your Secrecy by Anonymous Coward · · Score: 0

    You have to figure this guy might have a point but if everything that he does, or reacts to is hidden from public scrutiny it doesn't really matter what he says.

    "I am very serious and methodical with great tested approaches to security" - Goes to hidden security place and brings back threats.

    "I pick one threat that starts with the letter of the week or my kids birthday" - Goes to hidden security place and brings back threats.

    Without public accountability they are the same to me. Certainly there are enough security threats announced outside of Microsoft about Windows etc... that I can't have too much faith in this process.

    Without accountability this guy is left to blow hot air.

    1. Re:Pity about your Secrecy by Anonymous Coward · · Score: 0

      Accountability you say. Maybe you'd like to know that this is actually the guy who fessed up to being responsible for the Speech Recognition bug that was so widely reported just before Vista's release.

      Wait, that was MY bug? Ouch!

      If there is one person that's actually very trustworthy inside Microsoft, it's this guy. I highly suggest you read his blog.

  5. I have no words for this statement by zappepcs · · Score: 1

    "At the end of the day, this process is about ensuring that our customer's machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."

    But I'm certain that the folks who wrote the Blaster worm, and those that run huge botnets, would like to buy this guy a beer or 12.
    1. Re:I have no words for this statement by jofny · · Score: 0, Troll

      I'm just replying randomly to this post since it's as good as any other: Why do Slashdotters so often fail to differentiate between a company's business decisions and its technical capabilities? MS has a mature, well-developed threat modeling process that works fine. That has little to do with which features are implemented in which time-frames, how well the QA on the final code is, whether or not they have to maintain backward compatibility to feature sets and software which require old (bad) security models, etc. It's a bit more complicated than "Microsoft Baaaaaad. Linux Goooooood."

    2. Re:I have no words for this statement by Ajehals · · Score: 1

      Not sure why you are modded as 'Troll' but hey.

      I guess the issue at hand is that MS may well have a brilliant threat modelling process, it could be the best in the world for all I know, but it should feed back into all the areas it impacts upon (not saying it doesn't, just addressing your post). It is not sufficient to have one or even a few great security procedures and practices if you are unable or unwilling to apply them consistently, or if they fail to address any given known or predictable issue. It comes back to the fact that 'security is everyone's responsibility': if one person or group drops the ball due to other pressures (or any reasons at all), then all the other work done relating to security is significantly diminished, if not totally invalidated.

      As for the Microsoft is Bad, Linux is Good question, it depends on what you are testing for, and most importantly what 'good' and 'bad' are relative to.

    3. Re:I have no words for this statement by jofny · · Score: 1

      Completely agree with you. (And yeah, I thought I was making a legit point... but that's how Slashdot goes.) I guess I was arguing the same point from reverse: Yes, they don't put their whole package together very well (resulting in obvious defects), but that doesn't mean their threat modeling process is automatically junk - especially when so few organizations follow any sort of threat modeling process whatsoever. Everyone should!

    4. Re:I have no words for this statement by drsmithy · · Score: 1

      Why do Slashdotters so often fail to differentiate between a company's business decisions and its technical capabilities?

      For the same reason they don't differentiate between "security problems" that are the result of actual design and/or coding flaws and "security problems" that are the result of end-user and developer error.

  6. The Biggest Threat by Anonymous Coward · · Score: 0

    is this thug.

    I hope this helps the criminal indictments.

  7. Yup, it's job one. by $RANDOMLUSER · · Score: 1

    At the end of the day, this process is about ensuring that our customer's machines aren't compromised.
    <HEAD ASPLODES>
    --
    No folly is more costly than the folly of intolerant idealism. - Winston Churchill
  8. Little Dutchboy Mode by rts008 · · Score: 1

    What he's really saying is they ran out of fingers to plug the holes in the dike,they have their dicks plugging the holes in their customer's ass, and the water is STILL rising.

    --
    Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
  9. Look at how YOU would do it. by khasim · · Score: 0

    Don't concern yourself with Larry's thoughts on the subject.

    Look at how YOU would design a system from the ground up.

    Larry has some good points, but having good points is meaningless when your company is focused on maintaining its monopoly. Remember the Netscape trial and how EVERYONE with a clue about security said that it was IDIOTIC to "integrate" the browser into the OS?

    1. Re:Look at how YOU would do it. by toadlife · · Score: 2, Interesting

      If it's so idiotic to "integrate the browser into the OS", then why does Apple do it with OSX and why does the KDE team do it with their desktop environment?

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:Look at how YOU would do it. by wolrahnaes · · Score: 1

      Clearly you've never used OS X if you think Safari is integrated in any way. I haven't tried, since it's nice to have a Safari around for testing new web page layouts, but I would not be surprised at all if it could be completely removed from the system just by dragging it to the trash as one would any other OS X application.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    3. Re:Look at how YOU would do it. by DrgnDancer · · Score: 1

      I don't believe that Safari can be said to be integrated into OS X. It's a built-in component, but that's not the same thing. When you open "My Computer" or "Windows Explorer" or even "Control Panel" on a Windows box you're opening IE. The browser is "integrated" in the sense of "If you remove this, you remove a significant portion of OS functionality." I might be wrong, I'm just basing this on look and feel, but I don't think "Safari", "Finder", and "System Preferences" are essentially the same thing the way they are in Windows. Similarly, while KDE does integrate Konqueror directly into the desktop interface (it does in fact run the file browser, like IE does in Windows), in a desktop Unix you can simply choose not to use KDE at all. You're not limited to one supplied UI, and at any rate the UI only has OS hooks as deep as normal file system access and controls. When you do something in KDE, you are doing it (for whatever the value of $USER is as "you"); when you do something in IE, sometimes it's the "system" doing it. That's a lot more dangerous.

      While I might be wrong about OS X (I don't think I am though), your point about KDE is totally bunk.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    4. Re:Look at how YOU would do it. by toadlife · · Score: 2, Informative

      When you open "My Computer" or "Windows Explorer" or even "Control Panel" on a Windows box you're opening IE.

      No, you are not. Explorer is Explorer, not Internet Explorer. It uses some of the same DLLs that Internet Explorer uses, but that kind of library sharing is standard practice in any large desktop environment, whether it be OSX or KDE or Gnome.

      Microsoft *could* reinvent the wheel 20 times in order to make sure every single app has its own libraries to use, but that would be stupid.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    5. Re:Look at how YOU would do it. by DrgnDancer · · Score: 0

      Yes, it is. Seriously, open "My Computer" and in the address bar type www.google.com, now open IE and type "My Computer". It's the same thing. The same Window will open the same "pages" whether they be HTML or file browsers. At least this was the case last time I used Windows consistently. That's why MS claims that they "can't" remove IE, it's a significant part of the UI of their OS.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    6. Re:Look at how YOU would do it. by toadlife · · Score: 1

      Yes, because Explorer has the ability to call the same libraries (DLLs) that IE uses to render web pages. Other OSes exhibit the exact same ability/behavior.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    7. Re:Look at how YOU would do it. by toadlife · · Score: 2, Informative

      Yeah, you could "remove" Safari, but the libraries that provide all of Safari's functionality would remain. You could also remove IE from Windows, but most of its functionality would remain, as IE mostly just calls external DLLs - DLLs that other parts of the system share.

      If you really wanted to remove Safari from OSX, you would have to remove the entire webkit framework that it and many other OSX applications rely on, and I really don't think you would want to do that.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    8. Re:Look at how YOU would do it. by DrgnDancer · · Score: 1

      Which ones? I just tried unsuccessfully to access the web through Finder, and when I try to access the local file system through Safari it was smart enough to call Finder, but doesn't access the file system itself. I mentioned KDE in my original post, which does integrate the browser and UI tools, but since that's a desktop, not an OS, it's a different matter. I suppose it's arguable that "Explorer" is only a UI level system in Windows, but that seems disingenuous since unlike in Linux Windows has only one supported UI, and the UI is coded and provided by the OS maker as part of the OS. It's also true that unlike in KDE where nothing can execute with elevated privileges without a password being entered (either the user's password through sudo or the root password through an su), Explorer can and has been known to execute code as 'system' without checking first. It seems Vista may have finally really fixed that last bit, but I haven't worked with it much.

      I'm also not clear on how two different executables that access the exact same dlls, and perform in an identical fashion are not the same thing. The fact that Internet Explorer loads the "bookmark" module, and the "Google Search Bar" module, and Windows Explorer loads the "jump around the file system" module doesn't make them different software. They are functionally identical except for a few modules that are loaded differently depending on how they are called.

      --
      I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
    9. Re:Look at how YOU would do it. by toadlife · · Score: 1
      From the opening paragraph of webkit.org:

      WebKit is an open source web browser engine. WebKit is also the name of the Mac OS X system framework version of the engine that's used by Safari, Dashboard, Mail, and many other OS X applications. WebKit's HTML and JavaScript code began as a branch of the KHTML and KJS libraries from KDE. This website is also the home of S60's S60 WebKit development.

      I guess Finder doesn't use it, but the built-in Mail does. Much like IE vulnerabilities in Windows have usually affected Outlook Express as well, Safari vulnerabilities usually affect Mail too.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    10. Re:Look at how YOU would do it. by wolrahnaes · · Score: 1

      Actually, removing IE from Windows is a hell of a challenge and breaks stuff. Hell, even Mozilla says not to do it. Removing Safari, on the other hand, can be done by simply dragging the icon to the trash. I was unsure about this when I posted earlier, but confirmed with a friend who had removed Safari from his first OS X install that there were no ill effects.

      Yes, webkit still remains, but it can also be removed if one so desires, as long as one is aware of how many OS X applications use it just because it's there. The same applies to IE on Windows of course, but on Windows many parts of the system actually depend on IE so removing it can break a base install, where on OS X you may break third party applications that depend on Webkit but you won't break the main system.

      --
      I used to get high on life, but I developed a tolerance. Now I need something stronger.
    11. Re:Look at how YOU would do it. by toadlife · · Score: 1
      If you had actually bothered to read the link you posted, you would see that Mozilla recommends you not remove IE because it can break many third party programs - the same reason you gave for not removing webkit from OSX.

      but on Windows many parts of the system actually depend on IE so removing it can break a base install, where on OS X you may break third party applications that depend on Webkit but you won't break the main system.

      Care to cite any example of how removing IE will break the base install?

      I'd love to take a poll and see how many OSX users have removed webkit from their OSX installs.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    12. Re:Look at how YOU would do it. by drsmithy · · Score: 2, Interesting

      Which ones? I just tried unsuccessfully to access the web through Finder, and when I try to access the local file system through Safari it was smart enough to call Finder, but doesn't access the file system itself.

      Explorer doesn't "access the web", either, it just loads up the IE components inside the Explorer window (in the same way you can embed an Excel spreadsheet into a Word document and it fires up Excel from within Word).

      I mentioned KDE in my original post, which does integrate the browser and UI tools, but since that's a desktop, not an OS, it's a different matter.

      No, it's exactly the same "matter". You are creating a false dichotomy.

      I suppose it's arguable that "Explorer" is only a UI level system in Windows, but that seems disingenuous since unlike in Linux Windows has only one supported UI, and the UI is coded and provided by the OS maker as part of the OS.

      You are conflating a marketing issue (Windows only comes with one shell) with a technical issue (how the various components run and interact).

      It's also true that unlike in KDE where nothing can execute with elevated privileges without a password being entered (either the user's password through sudo or the root password through an su), Explorer can and has been known to execute code as 'system' without checking first.

      That's a pretty serious bug. Evidence?

      I'm also not clear on how two different executables that access the exact same dlls, and perform in an identical fashion are not the same thing. The fact that Internet Explorer loads the "bookmark" module, and the "Google Search Bar" module, and Windows Explorer loads the "jump around the file system" module doesn't make them different software. They are functionally identical except for a few modules that are loaded differently depending on how they are called.

      Try thinking about how many different programs do exactly the same thing using glibc (because, well, that's the point of having a shared library to do it).

    13. Re:Look at how YOU would do it. by drsmithy · · Score: 1

      Care to cite any example of how removing IE will break the base install?

      There are quite a few things in Windows that use the IE components. The Add/Remove Programs applet, for example. Any time Explorer shows you a thumbnail or media preview. The help system. Etc.

      Of course, code re-use is, well, kind of the *point* of having a modular system, so it's a struggle to see why any rational person would consider doing that to be bad. Unless, of course, they were blinded by their anti-Microsoft zealotry (like a sizable proportion of Slashdot) that anything Microsoft did was bad, even when it was the same thing as everyone else.

      Finally, I'm pretty sure there are a handful of OS X "base install" components that use WebKit (the help system springs to mind) - and if not, there certainly will be soon since, as I said, the whole point of having a chunk of modular code is so that you can re-use it.

  10. Taking secure coding advice from microsoft by Anonymous Coward · · Score: 0

    is like taking ship design lessons from William Pirrie

  11. I like the rest of you that have by jsse · · Score: 0, Troll
    misinterpreted 'threats modeling' as "a business modeling about threatening the customers with the FUD against their competitors".

    In the article:

    Threat modeling is an analysis process that helps you better understand the attack surface of your component so you can understand what you need to do to ensure that your code is more secure.

    Apparently he's just talking about releasing service patches every time after being attacked.

    What a relief!
  12. I prefer Attack Trees. by khasim · · Score: 2, Insightful

    http://en.wikipedia.org/wiki/Attack_tree
    By Bruce Schneier.

    Face it, no matter how secure your little bit of code is, if the SYSTEM is vulnerable, your little bit of code is vulnerable.

    Which is where Larry goes wrong in TFA.

    You can put all the locks you want on your front door. But if you don't fix the huge hole in the wall next to it, you aren't improving your security at all. No matter what you claim.

    1. Re:I prefer Attack Trees. by pegr · · Score: 0, Flamebait

      Face it, no matter how secure your little bit of code is, if the SYSTEM is vulnerable, your little bit of code is vulnerable.
       
      No way, baby! Larry did his homework! That PlaySound API is rock solid!

      Um, did anybody else notice that the PlaySound API doesn't actually play any sounds? It just passes data to the APIs that actually do play sounds. So WTF does the PlaySound API do, really? To me, it doesn't really do anything at all...

    2. Re:I prefer Attack Trees. by Anonymous Coward · · Score: 0

      wrapper and/or backcompat cruft

    3. Re:I prefer Attack Trees. by n0-0p · · Score: 1

      Uh, attack trees are one of several techniques used in threat modeling. And the whole point of the exercise is to identify the security aspects of a system. That means understanding the trust relationships, attack surface, and associated threats. So, the threat model should be helping you identify if the lock on the front door really helps or if there's a big gaping hole in the wall next to it.

      That said, a threat model isn't a panacea. It doesn't replace good coding practices, code reviews, testing, or anything else. But it can help show the big picture and prioritize security efforts.
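Added example for this thread (not code from Osterman's posts, from the attack-tree page khasim links, or from any commenter): khasim's door-and-wall argument and n0-0p's reply, written out as a small attack-tree evaluator in Python. Leaves carry an attacker-cost figure, OR nodes take the cheapest child, AND nodes sum their children, and a mitigation is modelled as raising a leaf's cost (INFEASIBLE closes it). The house, its steps and every cost figure are constructed; what the code shows is that a mitigation only counts if it raises the cost of the cheapest remaining path.

```python
"""Attack tree with OR/AND nodes and per-leaf attacker cost.

Added example; the tree, node names and cost figures are constructed to
illustrate "lock on the door, hole in the wall".
"""
from dataclasses import dataclass, field

INFEASIBLE = float("inf")   # cost of a leaf that a mitigation has closed


@dataclass
class Node:
    name: str
    kind: str = "leaf"      # "leaf", "or" (any child suffices) or "and" (all needed)
    cost: float = 0.0       # attacker effort for a leaf, in arbitrary units
    children: list = field(default_factory=list)


def cheapest(node: Node) -> float:
    """Minimum attacker cost to reach this node's goal."""
    if node.kind == "leaf":
        return node.cost
    costs = [cheapest(c) for c in node.children]
    if node.kind == "or":
        return min(costs)           # attacker picks the cheapest option
    if node.kind == "and":
        return sum(costs)           # attacker must complete every step
    raise ValueError(f"unknown node kind {node.kind!r}")


def cheapest_path(node: Node) -> list:
    """Leaf names along one cheapest path (ties resolved by child order)."""
    if node.kind == "leaf":
        return [node.name]
    if node.kind == "or":
        return cheapest_path(min(node.children, key=cheapest))
    path = []
    for c in node.children:
        path.extend(cheapest_path(c))
    return path


def find(node: Node, name: str):
    """Locate a node by name, or return None."""
    if node.name == name:
        return node
    for c in node.children:
        hit = find(c, name)
        if hit is not None:
            return hit
    return None


def mitigate(root: Node, leaf_name: str, new_cost: float) -> Node:
    """Model a mitigation as raising (or closing, with INFEASIBLE) a leaf's cost."""
    leaf = find(root, leaf_name)
    if leaf is None or leaf.kind != "leaf":
        raise KeyError(f"no leaf named {leaf_name!r}")
    leaf.cost = new_cost
    return root


def build_house_tree() -> Node:
    """Constructed tree: the goal at the root, attacker options below it."""
    return Node("get into the house", "or", children=[
        Node("go through the front door", "or", children=[
            Node("pick the lock", cost=50),
            Node("use a stolen key", "and", children=[
                Node("learn where the key is kept", cost=20),
                Node("take the key unnoticed", cost=30),
            ]),
        ]),
        Node("climb through the hole in the wall", cost=5),
    ])


def mitigation_helps(root: Node, leaf_name: str, new_cost: float) -> bool:
    """True only if the mitigation raises the cost of the whole tree."""
    before = cheapest(root)
    after = cheapest(mitigate(root, leaf_name, new_cost))
    return after > before


if __name__ == "__main__":
    tree = build_house_tree()
    print("cheapest attack:", cheapest(tree), cheapest_path(tree))
    # A stronger lock changes nothing while the hole is open.
    print("better lock helps?", mitigation_helps(tree, "pick the lock", 500))
    # Closing the hole is what moves the number.
    print("fixing the wall helps?",
          mitigation_helps(tree, "climb through the hole in the wall", INFEASIBLE))
    print("cheapest attack now:", cheapest(tree), cheapest_path(tree))
```

Run as a script it prints the cheapest path before and after each mitigation. The same evaluator applies to a component's threat list: a threat whose cheapest path runs through a part of the system you do not control stays at the same cost no matter how much you harden your own leaf.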

    4. Re:I prefer Attack Trees. by adonoman · · Score: 1

      Well, ultimately it's going to be the sound card driver that eventually gets called with the sound to play. The playsound API should really only care about the capabilities of the soundcard, not the details of the hardware interface.

    5. Re:I prefer Attack Trees. by jabuzz · · Score: 0, Flamebait

      Rather than spending large chunks of time trying to work out where you don't need to bother testing your inputs you can just be paranoid from day one and trust nothing.

      A threat model is about admitting we have a bad product, saying that fixing it properly is too hard /expensive so we will try and work out what the largest holes are and fix those first.

    6. Re:I prefer Attack Trees. by davester666 · · Score: 1

      Um, did anybody else notice that the PlaySound API doesn't actually play any sounds? It just passes data to the APIs that actually do play sounds. So WTF does the PlaySound API do, really? To me, it doesn't really do anything at all...
      It makes the API copyright by Microsoft so nobody else can implement it?
      --
      Sleep your way to a whiter smile...date a dentist!
    7. Re:I prefer Attack Trees. by swillden · · Score: 2, Informative

      A threat model is about admitting we have a bad product, saying that fixing it properly is too hard /expensive so we will try and work out what the largest holes are and fix those first.

      Nonsense.

      Threat modeling is a crucial exercise for any system that wants to be secure. Note that "system" is more than just "software", so just testing your software against all possible inputs is insufficient, even if it were actually possible.

      For example, let's suppose the system under consideration is the Windows access control system, responsible for ensuring that only authorized users can read/write files. What are the attack vectors? How many of them can be addressed with input validation testing? How can your approach to security analysis/testing address an attacker who reads/writes data from the disk directly, bypassing your software (assuming you're writing Windows) entirely? Is this a threat that you need to mitigate? If so, what can you do to address it? Encrypt the data? Fine, where do you put the keys? Or, if the user enters the decryption key, how do you ensure that an attacker can't get that key? Can the attacker spoof the key entry screen? Why or why not? Can the attacker get it by shoulder surfing? Is that a threat you need to mitigate? What other ways might the attacker get the key?

      Obviously, filesystem access control is a complex system and there are multiple software, hardware and social engineering attacks against it. Some can be mitigated by properly-implemented software, some can be mitigated (or, more accurately, shifted) by appropriate application of cryptography, some might require hardware modification and some might simply be out of scope. Threat modeling allows you to clearly define and document all of the analysis you have done, and all of the decisions you have made. It provides the basis for design and implementation -- which must both then be done properly or the other analysis was all irrelevant. The sort of testing you described is just one piece of proper implementation.

      Security is much harder than you seem to think it is, and threat models are a key component of doing it right. I find it rather nice that Microsoft seems to be learning this lesson, even if it is something they should have done 10+ years ago.

      --
      Note to ACs: I usually delete AC replies without reading them. If you want to talk to me, log in.
    8. Re:I prefer Attack Trees. by cooldev · · Score: 1

      A threat model is about admitting we have a bad product, saying that fixing it properly is too hard /expensive so we will try and work out what the largest holes are and fix those first.

      Do you mean to say that you are against looking for security weaknesses in a product's design during the design phase, with a focus on untrusted input and data crossing trust boundaries? Ahahahahaha. Hahahaha. *Snorgahah*. Haha. Knowing how much open source there is in use today, especially on the server, I sincerely hope that your attitude doesn't reflect that of the typical OSS developer.

      Perhaps the worst (or best, depending on your perspective) thing about OSS advocates is that unlike Microsoft they fail to even recognize that they have a security problem. They're still in the denial stage.

  13. I feel sorry for the guy by qweqwe321 · · Score: 1

    Microsoft made a big mistake when creating Windows, though not one most of us would have foreseen in the early '90s-- they made Windows 3.1 a single-user OS and thanks to their dedication to backwards-compatibility ended up being stuck with it. Now this poor guy has to figure out a way to make Microsoft software secure by default, even though they have 1) lots of idiots in their customer base to deal with and 2) too many legacy applications expecting root privileges to break backwards compatibility and set the OS up with Unix-style permissions.

    1. Re:I feel sorry for the guy by andrewzx1 · · Score: 1

      without Win3.0, there would never have been any subsequent versions of Windows. And for those of us who were Win3.0 adopters, I can tell you that it was a better OS in terms of cost, hardware, and applications than many of its peers: DOS, Novell, UNIX, MacOS5.

    2. Re:I feel sorry for the guy by TheNetAvenger · · Score: 1

      Microsoft made a big mistake when creating Windows, though not one most of us would have foreseen in the early '90s-- they made Windows 3.1 a single-user OS and thanks to their dedication to backwards-compatibility ended up being stuck with it.

      I will introduce you to a new technology for you to research. It is called NT and is over 15 years old. Why the introduction? Well, if you are so stupid as to still correlate Windows with 3.1 concepts then you obviously have no freaking idea what NT is.

      The argument you make could be said of Unix of 1969 compared to BSD or Linux of today. Do you really think they haven't changed either?

      How crazy is your life to even correlate thoughts like this? Let me guess...
      As you say, "Windows is still like 3.0," you run around in circles and scream 'dee dee dee'?

    3. Re:I feel sorry for the guy by Allador · · Score: 1

      ... set the OS up with Unix-style permissions.

      Why would anyone want to do that? Real ACLs are far superior to the old-fashioned (and overly simplistic and limiting) traditional unix permissions system.

      About the only downside to full ACLs is that the complexity is slightly higher.
  14. This is a poor security model by Cassini2 · · Score: 2, Interesting

    For high reliability code, you write code on the assumption that other code may have problems. You write code defensively. For any kind of complex system, people will make mistakes. Thus you have to continually verify program integrity and security in a multiply redundant manner. You don't wait until a trust barrier is crossed.

    For example, if I have an application controlling a power plant, even if the computer is already running "foreign" code at my privilege level, the control application may still be up. It isn't until the foreign code impacts on the control application that a major security problem exists. Unfortunately, Microsoft makes it easy for the foreign code to impact the control application. The code could consume all available CPU resources, it can consume almost all available disk bandwidth, it can run Windows out of Virtual Memory or Handles. None of these attacks are easily blocked by existing Windows security. Of course, when the ability to inject code into the control system is considered, rogue program security gets worse.

    Microsoft's threat model does not even consider the effect of "friendly" code, to impact on critical code. If you can't detect adverse interactions with friendly code, then I really question the ability to survive malicious code impacts.

    At least two levels of redundancy are required. Malicious code almost always starts as an unexpected consequence of a friendly application, and the first level of redundancy is that the authors write the friendly application in a secure manner. In practice, relying solely on this level of redundancy is fraught with peril. As such, additional levels of redundancy are required. A key second level of redundancy is that even if a friendly application runs amok, the control system should keep running. This implies isolation between applications running at the same privilege level.

    The intent of multi-tasking operating systems is to prevent applications at the same privilege level from affecting each other both directly and indirectly. Applications should not be able to affect each other either directly (application to application) or indirectly (via slowing the computer to a crawl). By only looking at trust escalation issues, Microsoft has missed key areas of redundancy and security.
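Added example, not code from the thread: the isolation Cassini2 asks for, between applications running at the same privilege level, shown with POSIX per-process resource limits in Python (Linux semantics; RLIMIT_AS is not enforced on macOS, and the Windows counterpart is a job object rather than rlimits). A parent process imposes address-space and CPU-time caps on three constructed child workloads: the well-behaved one runs, the memory hog fails inside its own process, and the CPU hog is killed by the kernel, none of which touches the parent.

```python
"""Per-process resource limits as isolation between same-privilege programs.

Added example (POSIX rlimits, Linux semantics). The three child workloads
are constructed for the demonstration.
"""
import resource
import subprocess
import sys

MEMORY_CAP = 1024 * 1024 * 1024   # 1 GiB of address space per child
CPU_SOFT, CPU_HARD = 1, 2         # CPU seconds: SIGXCPU at 1 s, SIGKILL at 2 s


def _lower(limit: int, soft: int, hard: int) -> None:
    """Set a limit, never above the hard ceiling the child already inherits."""
    _, cur_hard = resource.getrlimit(limit)
    if cur_hard != resource.RLIM_INFINITY:
        hard = min(hard, cur_hard)
        soft = min(soft, hard)
    resource.setrlimit(limit, (soft, hard))


def _apply_limits() -> None:
    """Runs in the child between fork() and exec(); the limits survive the exec."""
    _lower(resource.RLIMIT_AS, MEMORY_CAP, MEMORY_CAP)
    _lower(resource.RLIMIT_CPU, CPU_SOFT, CPU_HARD)
    _lower(resource.RLIMIT_CORE, 0, 0)      # no core dumps on the way out


def run_confined(python_code: str, timeout: float = 30.0) -> subprocess.CompletedProcess:
    """Run a Python snippet in a separate process that cannot exceed the caps."""
    return subprocess.run(
        [sys.executable, "-c", python_code],
        preexec_fn=_apply_limits,   # the parent imposes the caps; the child cannot raise them
        capture_output=True,
        text=True,
        timeout=timeout,
    )


# Constructed workloads: one well-behaved, one that grabs memory without
# bound, one that never yields the CPU.
WELL_BEHAVED = "buf = bytearray(16 * 1024 * 1024); print(len(buf))"
MEMORY_HOG = "buf = bytearray(8 * 1024 * 1024 * 1024); print(len(buf))"
CPU_HOG = "while True: pass"


def well_behaved_still_runs() -> bool:
    """A child that stays inside its budget is unaffected by the caps."""
    r = run_confined(WELL_BEHAVED)
    return r.returncode == 0 and r.stdout.strip() == str(16 * 1024 * 1024)


def memory_hog_is_contained() -> bool:
    """The allocation fails inside the child; the parent never feels it."""
    r = run_confined(MEMORY_HOG)
    return r.returncode != 0 and "MemoryError" in r.stderr


def cpu_hog_is_contained() -> bool:
    """The kernel stops the spinning child; subprocess reports the signal as a negative code."""
    r = run_confined(CPU_HOG)
    return r.returncode < 0


if __name__ == "__main__":
    print("well-behaved child ran:", well_behaved_still_runs())
    print("memory hog contained:", memory_hog_is_contained())
    print("CPU hog contained:", cpu_hog_is_contained())
```

The caps are set by the parent before the child's program starts, so the child's own code, honest or not, never gets a chance to decline them; lowering a hard limit is one-way for an unprivileged process. Disk-bandwidth and handle-count quotas, the other two resources Cassini2 names, need cgroups or RLIMIT_NOFILE respectively and are not shown here.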

  15. My kingdom for a properly placed apostrophe by Weedlekin · · Score: 1

    "this process is about ensuring that our customer's machines aren't compromised."

    I cried tears of joy when I read about Microsoft dedicating so many of their resources to securing one customer's machines. It just shows how Steve "Big Hearted" Ballmer is steadily filling what was once a cold, impersonal monopolist with people who are willing to go not just an extra mile, but several extra parsecs to ensure that every one of their customers feels loved and cared for. I'm so very, very glad that there's still a place for wonderful people-oriented guys like this in the cynical cut-throat world of big business. Please excuse me while I throw myself face down on a bed and sob uncontrollably for several days.

    --
    I'm not going to change your sheets again, Mr. Hastings.
  16. What are the specs for Vista? by khasim · · Score: 1

    Even if you were correct, it should not be that difficult for a company with Microsoft's money and personnel to solve.

    Just license some tech from VMWare or such.

    Build the NEW system so that it CORRECTLY conforms to security "best practices" and then incorporate "virtual machines" that can run those "legacy" apps under the OS they were designed for.

    Microsoft has already sort of tried this with "compatibility mode" and things like that. The problem is NOT the apps (as people claim). The problem is Microsoft's continued focus on "user friendly" as opposed to security.

    There are SO MANY problems with Microsoft's approach to their systems that just looking at making a bit of code "secure" is laughable. We've gone through this with Java and Firefox and so forth. If the SYSTEM is not secure, then your apps CANNOT be secured.

    1. Re:What are the specs for Vista? by cnettel · · Score: 1
      Apps are supposed to read and write user data. I can agree that this concept is flawed, it should be much more prevalent that an app defines a manifest or locks down its own token on load time to only be able to access things that really are relevant (possibly with some special breakout directly connected to the file chooser widget of choice). This is not common in any OS today. Most web browsers run with the full permissions of the user running them, enough to make it very hard for that user to create a botnet node or whatever. There are exceptions to this, but they are rare.

      Permissions should always be a result of both the code that's running, and the user that runs it. Specific executables might get extra permissions relative to the baseline of the user (i.e. sudo access for a limited subset of binaries and scripts), but the other way round is far more important: defence in depth by making sure that programs that have no reason to access everything you have access to are indeed denied that access once they are compromised. IE in Vista is one example of this, but it's far from perfect. After all, we want the user to be able to download files, and once we've hijacked the browser process address space, we can start playing around with all the cues in the UI that the user is relying on to tell what's happening and what actions to really approve.

    2. Re:What are the specs for Vista? by Allador · · Score: 1

      Most web browsers run with the full permissions of the user running them, enough to make it very hard for that user to create a botnet node or whatever. There are exceptions to this, but they are rare.

      Actually, this functionality you're describing has been present in Windows XP for years. Right click on IE, choose RunAs, and just leave the default and hit OK.

      You've now spawned an IExplore.exe process with very specific security tokens. Basically restrict it from writing anything at all to the registry, and nothing except a very few locations on the hard drive (temp & cache space, basically).

      Vista makes it more prevalent, but it's been there for years.

      Vista and Win2008 server also have a limited form of MAC (what you're describing) as part of the services permissions. Basically, it's an extra set of limitations you can make to services, and limit file permissions to just the very few that the service needs, regardless of what user account it's running.

      These are widely available in *nix as well, but they're not much used. I think SELinux includes this (amongst other) functionality, but I'm not an expert here.
  17. Because KDE is not an OS. by khasim · · Score: 1

    When Linus puts a web browser in Linux, then you'll have a point.

    1. Re:Because KDE is not an OS. by Gregb05 · · Score: 1

      When FSF puts a web browser in GNU, then you'll have a point.
      Fixed for you.

      --
    2. Re:Because KDE is not an OS. by toadlife · · Score: 1

      What point would that be? Internet explorer is not in the Windows kernel.

      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  18. A brilliant statement of the obvious, LO0G by andrewzx1 · · Score: 1

    I think we can all agree that actions have consequences, especially in an over-engineered software environment with layers upon layers of APIs and legacy code. - AH4H

  19. You can't get there from here... by argent · · Score: 1

    Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.

    I'd get them a Mac.

    Unfortunately, Microsoft can't get there from here.

  20. I'd like to see their threat model for IE by argent · · Score: 1

    Or rather for the use of ActiveX in the HTML control, particularly security zones.

    "Storing a file in the wrong place can lead to complete compromise... that's OK, if you download a file you really meant to run it anyway, so that's the user's fault."

  21. I can run Linux without KDE. by khasim · · Score: 1

    What point would that be? Internet explorer is not in the Windows kernel.

    I have servers running Linux without Konqueror.

    I have workstations running Linux without KDE.

    Your point will be valid when (and only when) Linus puts a browser into Linux. Until then, I can (and do) run Linux WITHOUT a browser.

    And that is only ONE of the reasons that Linux is more secure than Windows.
    1. Re:I can run Linux without KDE. by toadlife · · Score: 1, Troll

      Your point will be valid when (and only when) Linus puts a browser into Linux. Until then, I can (and do) run Linux WITHOUT a browser.

      Great. Except that was not my point at all.

      My point was that the integration of IE into Windows is nothing special, and the security implications of it are nothing special either. It is perfectly possible to run Windows without explorer.exe or IE or any of the dlls that they both share. You won't get any of the integrated goodness (or badness, depending on your view) and you will have to rely instead on third party apps, and glorious command line to do things like file management and administration, but it can be done. Most people don't do it because if they really wanted all that flexibility, they would not be running Windows in the first place.

      Your and others' complaints in this thread all read like, "Windows is not UNIX, therefore it is bad." Sprinkle in ignorance of how Windows works, and in some cases ignorance of how UNIX works, and you get misinformed opinions on the issue of IE's integration.

      And comparing the Linux kernel to the entirety of Windows as a whole is about as stupid as it gets.
      --
      I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
    2. Re:I can run Linux without KDE. by Anonymous Coward · · Score: 0

      If you want to run Windows without a UI, you can get Windows Server 2008 (in RC0 now) and install Server Core. For the first time ever, its shell will be a command prompt. It will have no browser or even Explorer. Just expect to admin it remotely.

      dom

    3. Re:I can run Linux without KDE. by oldstrat · · Score: 1

      No, expect me to admin it locally as a VM.

  22. NT 3.51 was Shell Only by mosel-saar-ruwer · · Score: 1


    Back in the day [about 11 or 12 years ago], you could run Windows NT 3.51 as a shell - it looked just like DOS, except that there was a true multi-user, multi-tasking kernel underneath.

    To go into Windows, you typed "WIN" [or "WIN.EXE"], just like you would in Windows 3.10/3.11.

    It wasn't until NT 4.0 [circa 1996] that you were required to run Windows.

    NT 3.51 was a really cool operating system - e.g. everything had to go through the client/server model, which meant that video was really slow, so video was brought into the kernel in NT 4.0, resulting in myriad BSODs until the video card manufacturers were capable of producing "6-Sigma" [or "7-Sigma" or "Whatever-Sigma"] drivers.

    Which actually took a surprisingly long time - several years of driver improvements & Service Packs were required before you could boot NT 4.0 reliably [without the omnipresent threat of a BSOD], by which time Windows 2000 was here.

    1. Re:NT 3.51 was Shell Only by Anonymous Coward · · Score: 0

      WinNT *always* had a GUI shell. For versions 3.1-3.51 it was Progman/Fileman, and from 4.0 on it was Explorer. Server 2008 is the first version of Windows that can be installed without a GUI shell.

      And contrary to popular belief, moving the video drivers into the kernel did NOT make Windows any less stable. Why? Because the user-mode component of the video drivers would bring down CSRSS when they crashed. And what happens when CSRSS goes down? BSOD. Since buggy video drivers can always bring down the computer, it doesn't really matter what mode they run in. Even Linux can kernel panic (or hang) due to bad video drivers.

      dom

    2. Re:NT 3.51 was Shell Only by mosel-saar-ruwer · · Score: 1


      WinNT *always* had a GUI shell. For versions 3.1-3.51 it was Progman/Fileman, and from 4.0 on it was Explorer. Server 2008 is the first version of Windows that can be installed without a GUI shell.

      But you could kill the GUI in NT 3.51, and just run stuff from the shell prompt.

    3. Re:NT 3.51 was Shell Only by oldstrat · · Score: 1

      "Server 2008 is the first version of Windows that can be installed without a GUI shell."

      Man are you ever wrong, you just didn't know how.

  23. Law #1 is a lie. by zestyping · · Score: 2, Interesting
    I see they're still using the old, tired, "Immutable Law #1" that Scott Culp made up many years ago.

    Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore
    [...]
    When you choose to run a program, you are making a decision to turn over control of your computer to it. Once a program is running, it can do anything, up to the limits of what you yourself can do on the computer.

    It's simply wrong, and it's deceptively named.

    One of the important jobs of any operating system is to isolate and protect applications from one another. To assume the so-called "Immutable Law #1" is to pretend that this responsibility doesn't exist.

    I'm sure they've heard of encapsulation, right? Defense in depth? How about the principle of least privilege? The thinking behind Law #1 -- that when a user runs a program, that program automatically gets full rights to pull all the user's privileges out of thin air and exercise them in whatever way it wants -- runs counter to all of these fundamental security concepts.

    A revision of the Law that's somewhat closer to the truth would be something like: "If a bad guy can persuade you to run his program on your computer, and your operating system allows that program to damage the system, other programs, or your data, it's not your computer anymore." The operating system does not get a free pass.
    1. Re:Law #1 is a lie. by Anonymous Coward · · Score: 0

      Did you read the "up to the limits of what you yourself can do on the computer" part?

    2. Re:Law #1 is a lie. by zestyping · · Score: 1
      Yes. Did you read this part of my comment?

      The thinking behind Law #1 -- that when a user runs a program, that program automatically gets full rights to pull all the user's privileges out of thin air and exercise them in whatever way it wants -- runs counter to all of these fundamental security concepts.

      Running a program should not mean handing over rights to everything "you yourself can do on the computer."
    3. Re:Law #1 is a lie. by Anonymous Coward · · Score: 0

      what with all the surreptitious updates maybe they should update the law to say "microsoft" instead of "a bad guy"

    4. Re:Law #1 is a lie. by Anonymous Coward · · Score: 0

      I don't think you understand how computers work. I *myself* can do very little to the computer besides apply power, provide input, and rearrange the hardware. The only thing we as users can do to affect the operation of the computer is to run programs. Anything I want the computer to do must actually be done by a program on my behalf. If I want to be able to turn images from web pages into desktop backgrounds, my web browser must have the ability to change my desktop background, for example.

      Of course I could choose to run certain programs with fewer privileges, but it's pretty damn complicated to do that. MS implemented that for Vista and as far as I know IE7 is the only program that uses it because it requires having a separate proxy process that *does* have the ability to do anything the user can do with a communication channel to the browser.

      Another option for least privilege is for the user to specify exactly which privileges each program should have. Do you want to do that? I find it a pain in the ass just to specify what local resources each RDP connection should have! Well, it turns out that most users are not capable of making security decisions, so you can't ask them. The other option is to have the program specify what rights it needs. This doesn't work because honest programmers can't be bothered to sift through the list of checkboxes (.Net has this feature and nobody uses it), while dishonest programmers just request all rights.

      dom
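Added example, not code from the thread, from Windows, .NET or any browser. It covers the mechanism cnettel and dom describe above (the program declares the few locations it needs and something outside the program enforces that declaration) and the restricted-token idea Allador describes, modelled in Python user space: a broker opens files on the application's behalf and refuses anything outside the manifest, including requests that try to leave an allowed directory through `..` or through a symlink planted inside it. The fake home directory, its files and the manifest are all constructed in a temporary directory; nothing touches the real home.

```python
"""A per-application manifest enforced by a broker, so a program gets only
the file locations it declared, whoever happens to be driving it.

Added example; the home directory, files and manifest are constructed.
"""
import os
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Manifest:
    app: str
    read_roots: tuple     # directories the app may read under
    write_roots: tuple    # directories the app may write under


class Broker:
    """Opens files on the app's behalf; the app never holds a raw handle.
    Enforcement lives here, so an app asking for more than it declared is
    refused whether the request is a bug or the result of a compromise."""

    def __init__(self, manifest: Manifest):
        self.manifest = manifest
        self.denied = []      # audit trail of refused requests

    @staticmethod
    def _under(path: str, roots) -> bool:
        # realpath collapses ".." and follows symlinks, so neither a traversal
        # string nor a link planted inside an allowed directory reaches outside it.
        real = os.path.realpath(path)
        for root in roots:
            root_real = os.path.realpath(root)
            if real == root_real or real.startswith(root_real + os.sep):
                return True
        return False

    def _check(self, op: str, path: str, roots) -> None:
        if not self._under(path, roots):
            self.denied.append((op, path))
            raise PermissionError(f"{self.manifest.app}: {op} outside manifest: {path}")

    def read(self, path: str) -> bytes:
        self._check("read", path, self.manifest.read_roots)
        with open(path, "rb") as f:
            return f.read()

    def write(self, path: str, data: bytes) -> int:
        self._check("write", path, self.manifest.write_roots)
        with open(path, "wb") as f:
            return f.write(data)


def build_fake_home() -> str:
    """Constructed throwaway home: Downloads/, .ssh/id_rsa holding a dummy
    payload, and a symlink planted in Downloads that points at .ssh."""
    home = tempfile.mkdtemp(prefix="fakehome-")
    os.makedirs(os.path.join(home, "Downloads"))
    os.makedirs(os.path.join(home, ".ssh"))
    with open(os.path.join(home, ".ssh", "id_rsa"), "wb") as f:
        f.write(b"CONSTRUCTED PLACEHOLDER, NOT A KEY\n")
    os.symlink(os.path.join(home, ".ssh"), os.path.join(home, "Downloads", "link"))
    return home


def attempt(broker: Broker, op: str, *args) -> str:
    """Return "allowed" or "denied" for one request made through the broker."""
    try:
        getattr(broker, op)(*args)
        return "allowed"
    except PermissionError:
        return "denied"


def run_demo() -> dict:
    """A 'browser' whose manifest covers only Downloads; the last four
    requests fall outside the declared locations and must all be refused."""
    home = build_fake_home()
    downloads = os.path.join(home, "Downloads")
    browser = Broker(Manifest("browser", read_roots=(downloads,), write_roots=(downloads,)))
    results = {
        "save download": attempt(browser, "write", os.path.join(downloads, "report.pdf"), b"%PDF-"),
        "reopen download": attempt(browser, "read", os.path.join(downloads, "report.pdf")),
        "read ssh key": attempt(browser, "read", os.path.join(home, ".ssh", "id_rsa")),
        "traversal": attempt(browser, "read", os.path.join(downloads, "..", ".ssh", "id_rsa")),
        "symlink": attempt(browser, "read", os.path.join(downloads, "link", "id_rsa")),
        "write to home": attempt(browser, "write", os.path.join(home, ".profile"), b"# no"),
    }
    results["denied_count"] = len(browser.denied)
    return results


if __name__ == "__main__":
    for name, outcome in run_demo().items():
        print(f"{name:16} {outcome}")
```

The broker is the piece dom says honest developers will not fill in and dishonest ones will over-request: here the manifest is a tuple of two directories, which is small enough to write, and over-requesting buys nothing because the user (or an installer policy) is the one who approves the manifest, not the program. The `denied` list is the audit signal a defender would actually watch; a browser that starts asking for `.ssh` is the detection, not the denial.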

    5. Re:Law #1 is a lie. by LO0G · · Score: 1

      The reason that Law #1's written the way that it is is because it's written with the assumption that the attacker knows more than you do.

      To be more specific, the bad guy knows about the as of yet undiscovered security hole that renders all of your OS level sandboxing moot. That's why when the bad guy gets to run code on your computer, it's not your computer any more.

      And there have absolutely been such flaws in Windows (the windows manifest file vulnerability for example), OSX (the .DMG file vulnerability for example) and Linux (the ELF file core dump issue for example), so this isn't just wild speculation (I found all 3 of those by simply typing in "<os> elevation of privilege" to my favorite search engine).

    6. Re:Law #1 is a lie. by Anonymous Coward · · Score: 0

      If an OS has a yet undiscovered elevation of priv bug, and they all do, then the statement Culp made is correct.

      If there is an OS out there that will have zero exploits found in the next 50 years, then of course your statement is correct. When you find that OS, be sure to purchase it and a few extra bucks for it, Tiger.

    7. Re:Law #1 is a lie. by zestyping · · Score: 1

      You appear to be saying that it's infeasible to limit the privileges of programs just because it's inconvenient in Vista. I hope you don't expect anyone to take that argument seriously -- "Microsoft did it poorly" is hardly evidence that something isn't possible.

    8. Re:Law #1 is a lie. by zestyping · · Score: 1

      Culp says, "When you choose to run a program, you are making a decision to turn over control of your computer to it."

      That is a design decision they made, not an immutable law of the universe. Windows is intentionally designed so that when you run a program, it runs with your identity and all your privileges. It is conceivable that one could design a system that handled privileges differently, and of course people have designed such systems. (One of them is the browser you are using right now, if it supports JavaScript.) Therefore, this is not a "law." It's a design flaw. To call it a "law" is to evade responsibility for making that design decision.

      I'm not saying operating systems have no bugs. There's a big difference between creating a system that is broken by design, and a system that happens to have a bug in it. The unattainability of perfection is no reason to ignore security altogether. Consider the context here -- Larry is citing this "law" as a reason to ignore threats. In doing so, he is ignoring defense in depth. The operating system should isolate and protect applications, AND applications should be written defensively.

    9. Re:Law #1 is a lie. by QuietObserver · · Score: 1

      I agree with you completely. Part of the core problem that MS has, is that they write Windows to allow drivers to run in ring 0; no decent operating system should allow anything to run in ring 0 except its own MM (memory management, which includes the scheduler) and its primary IO controller (which is not the driver component). All drivers should be run in ring 1, and programs should be run in ring 3. I know all this because I've designed a completely different CPU of my own which is laid out differently -- the modes are numbered by the power they provide, and there are only three, User (0/1; doesn't really matter which, as the first bit is the decider for that mode), System 1/Interrupt (2), and System 2/Administrator (3) -- so I've had to study about what a decent processor should make possible on each security level. As far as I am aware, neither the Mac OS kernel nor the Linux/BSD kernels allow this type of activity. Besides, how much power does a driver require other than to talk with the hardware it was designed to interface with and translate that information into something the OS can understand; it doesn't need administrator rights to do any of that, and can easily be organized to flag the OS when it's got information ready. Anyway, nice post.

  24. Improvements by BlueParrot · · Score: 1

    Some improvements that could help:
    a) The default action for opening a document ( double click ) should not be the same as the default action for executing a binary ( double click ) and installing software ( yep, another double click ).
    b) Don't offer the option to execute binaries when you hit a link in the web browser. If the user wants to run a binary it goes: download -> execute ( again, not double click ).
    c) Try to avoid a situation which encourages the user to hit "Allow" without thinking.

    Oh, and finally, when it becomes apparent that a program is full of bugs because "features" were pushed in favor of bug fixes...
    "BAD PROJECT MANAGER! NO BISCUIT!"

  25. Mod parent up for sarcasm by cheros · · Score: 1

    Absolute class - thanks. It made me laugh.

    We have to be honest here - this IS innovation! Have you ever heard such quality BS from *any*, and I mean *any* other company? I mean, it's been tough since Enron's "I feel you pain" Shilling went the way of the Dodo, but Thank God we still have Microsoft churning out new ways of selling complete and utter BS.

    I think we will all feel the loss when the EU finally hangs all of them (at least, that's what they make their conviction sound like :-).

    --
    Insert .sig here. Send no money now. Owner may sue, contents will settle. Batteries not included.
    1. Re:Mod parent up for sarcasm by Weedlekin · · Score: 1

      "Lots of people did stick to Win2K instead of going to XP, and they were right to do so, XP was flaky."

      No, but that's only because there aren't any companies who've achieved Microsoft's level of success that need to explain why their entire product range has been so bad for so many years.

      "I mean, it's been tough since Enron's "I feel you pain" Shilling went the way of the Dodo, but Thank God we still have Microsoft churning out new way of selling complete and utter BS."

      MS have to keep producing BS screens like this to distract shareholders and PHBs in their big corporate customer base, who might otherwise get around to wondering how they managed to spend five years and untold billions of dollars producing the endlessly polished turd called Vista, who the hell thought the Zune was a good idea, and why 30% of XBox-360s have to be repaired or replaced under warranty (i.e. at Microsoft's expense). When the only real success story the biggest software company on the planet has had in the last few years is a remake of a game written by a company they bought just to get previous versions of that game, the BS machine gets put into overdrive to try and prevent too many influential people from having the time to start thinking that whoever's making key decisions for Microsoft these days is an idiot.

      "I think we will all feel the loss when the EU finally hangs all of them (at least, that's what they make their conviction sound like :-)."

      That's because they know that whining about it all being a pinko commie plot to punish a successful US company for simply being successful will make many of those who usually rant about how terrible "Microsucks" is start demanding that Europe be bombed and invaded for thinking that their silly foreign laws apply to the European bits of US companies who operate there. BS works, hence the fact that MS spend so much on it, and the fact that this particular bit of BS doesn't gel with geeks only indicates that geeks aren't the intended audience for it, unlike their "damned pinko commie Europeans picking on the US" ploy (which isn't only aimed at geeks, but is notably successful at getting the majority of the American ones on their side).

      --
      I'm not going to change your sheets again, Mr. Hastings.
  26. Euclid: As we go about proving a theorem, by dpbsmith · · Score: 1

    As Euclid said, "as you go about proving a theorem, it's important to consider the consequences of examining various cases. While it can be easy to find cases that need to be examined, it is important to realize that all cases have real-world consequences for the theorem. At the end of the day, this process is about ensuring that the theorem is mostly true at those times when it's most important to be true. When we're deciding which cases should be tested, we concentrate our efforts on those where the theorem's being false would cause the most damage."

    Actually proving a theorem true, for all cases, is a nice aspirational goal, not a realistic one.

    Smiley ----> :-) ------- (denotes irony).

  27. why not just do it right? by m2943 · · Score: 1

    When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage

    Well, yeah, but there are so many threats against Microsoft software. So, why not just do it right in the first place? Why not create software without the possibility of buffer overflows and most other avoidable issues in the first place?

    1. Re:why not just do it right? by Allador · · Score: 1

      Are you kidding me?

      Probably the closest thing our race has ever seen to engineering that always 'does it right' the first time is NASA. And plenty of people have DIED on their ships. And they are arguably the most overfunded, overengineered, overly conservative R&D/engineering organization in the history of mankind.

      Bottom line is that 'doing it right' perfectly is not possible, at least not for larger-than-tiny systems. At least not in the current state of the art in systems software. If nothing else, as long as we have to use C/C++ for systems software, it's nearly impossible to automatically eliminate ALL classes of buffer overflows.

      I wish I could pull up some examples quickly, but not all buffer overflows are obvious. Some of them are very much NOT obvious, and involve 3rd order effects. (Yes, I realize this implies that the software was too complex, and that's arguable, but the point is still made that it's not as simple as 'just do it right'.)

      Many millions of dollars per year flow into software/os/systems R&D to find a way to make a system impervious to these types of attacks, while still having an O/S that runs at a useful speed.

      But over top of all that, you run into the single most important reason why you can't do everything perfectly every time. They're just people. It's not possible for any organization (whether for-profit corp or non-profit org) to hire only people good enough to always 'do it right'. In fact, the people capable of performing close to perfection are very rare. And not all of them are willing to work on boring software. So you always end up with 'mere mortal' developers working on something. And your real gurus/superstars try to oversee the design, but a full consumer operating system is too big for any one person to control all aspects.

      What you say sounds great, and does a good job of making you sound appropriately self-righteous to the /. crowd, but it has very little basis in reality. As a perfect validation, try to find a piece of software of non-trivial size/complexity that has no bugs, and never has had a buffer overflow.

    2. Re:why not just do it right? by m2943 · · Score: 1

      I wish I could pull up some examples quickly, but not all buffer overflows are obvious.

      Buffer overflows are completely avoidable by using a language with bounds checks.

      Many millions of dollars per year flow into software/os/systems R&D to find a way to make a system impervious to these types of attacks, while still having an O/S that runs at a useful speed.

      The techniques for making buffer overflows impossible are well understood, and switching to languages that implement them does not cost you anything in terms of performance (the few percent overhead of bounds checking is more than made up for by better opportunities for optimization). The only thing you can't do is prevent them and stay backwards compatible with C or C APIs.

      Some of them are very much NOT obvious, and involve 3rd order effects. (yes, I realize this implies that

      "3rd order effects"? Did you learn programming on Star Trek?

      As a perfect validation, try to find a piece of software of non-trivial size/complexity that has no bugs, and never has had a buffer overflow.

      Of course, software will have some kinds of bugs, but it does not have to have buffer overflows.

    3. Re:why not just do it right? by cepayne · · Score: 1

      Simply have Microsoft make its slaves "code in" proper error checking for their routines in the first place... Then they won't have to issue hundreds of patches every week, and the users' PCs just might be a little more secure.

    4. Re:why not just do it right? by Allador · · Score: 1

      Buffer overflows are completely avoidable by using a language with bounds checks. I notice that you don't actually name this language. Can you?

      What classes of buffer overflows does it protect against? Do you still have full access to pointers and memory reads/writes/copies? Do you have to give up direct manipulation of the stack?

      While I agree that it should (and will, eventually) be possible to write an operating system without the insanities of C-based languages, I'm definitely not aware of one. The only languages I'm aware of that even try to minimize the possibility are languages like Java and .NET, and then the horde of interpreted languages. But these are not appropriate for an operating system, at least not for another 10 years.

      Maybe I'm wrong, show me up here. If you can name such a beast, I'd definitely be curious why the BSDs aren't using it, or experimental O/S's like Hurd. Microsoft (and I'm sure others) have research projects to try building an O/S kernel in a managed language, but it's very much in early research.

      "3rd order effects"? Did you learn programming on Star Trek? Yes, thats right. Took lessons from 7of9 on distributed computing between make-out sessions.

      Seriously though, what I mean by this is: A coding choice produced an unexpected side effect in another module, which caused an unexpected side-effect, which caused the actual stack overflow in yet a 3rd section. The example I saw (which I'm not able to find a reference for, unfort) looked to me like it would be literally computationally impossible to catch with static analysis. You'd have to drastically restrict the structures allowed in C to catch something like this.

      Now it's very arguable that the reason this stuff happens is because programmers are being 'tricky' and that is backfiring on them. But it's also arguable that such programmers have to be tricky still to get the performance needed in some cases.

    5. Re:why not just do it right? by m2943 · · Score: 1

      I notice that you dont actually name this language. Can you?

      There are so many: Object Pascal, Oberon, Cedar/Mesa, Modula-3, and on and on.

      What classes of buffer overflows does it protect against?

      The memory corrupting kind.

      Do you still have full access to pointers and memory reads/writes/copies?

      Of course, you do. Safe programming languages don't prevent you from doing unsafe things, they merely make you ask for them explicitly.

      Do you have to give up direct manipulation of the stack?

      There is no "direct manipulation of the stack" in C.

      Yes, thats right. Took lessons from 7of9 on distributed computing between make-out sessions.

      You lucky bastard... but, wait: I knew it! You have been assimilated! No wonder!

      Now it's very arguable that the reason this stuff happens is because programmers are being 'tricky' and that is backfiring on them. But it's also arguable that such programmers have to be tricky still to get the performance needed in some cases.

      I don't think that's arguable: I have yet to see a single inter-module interface that needed to be "tricky" or "unsafe" in order to gain performance.

      In my experience, most C and C++ programmers simply are incapable of making rational performance decisions, spending excessive amounts of time "optimizing" code that makes no difference to overall performance, and often not even knowing which constructs actually work faster.

      Microsoft (and I'm sure others) have research projects to try building an O/S kernel in a managed language, but its very much in early research.

      The term "managed language" is some bizarre Microsoft neologism, and I have no idea what it's even supposed to mean.

      In any case, people have written operating systems in Object Pascal, Cedar/Mesa, Oberon, Modula-3, Lisp, Smalltalk, and other languages. Several of those languages even have garbage collection and dynamic typing. It's not rocket science and it doesn't require new research.

    6. Re:why not just do it right? by Allador · · Score: 1

      There are so many: Object Pascal, Oberon, Cedar/Mesa, Modula-3, and on and on. Well, I guess we'll just be in fundamental disagreement there. Not sure I agree that you're going to be able to effectively write an O/S in Object Pascal. About the only thing going for it in this space is that you can include raw assembly in with it (IIRC) as part of the language.

      In fact, at least in its Delphi/Kylix form, this is much more of a user-space apps development language than a systems development language.

      The term "managed language" is some bizarre Microsoft neologism, and I have no idea what it's even supposed to mean. Hardly. Java would qualify as such. The defining characteristic is that it's intended to be run inside a VM.

      And even Java has had the occasional (though rare and obscure) buffer overflow in its implementation.

      In any case, people have written operating systems in Object Pascal, Cedar/Mesa, Oberon, Modula-3, Lisp, Smalltalk, and other languages. Several of those languages even have garbage collection and dynamic typing. It's not rocket science and it doesn't require new research. You mean like SPIN and Native Oberon? These are hardly real operating systems, they are research experiments done by academics. Those things are 5-10 years of work away from even knowing whether a full operating system can be developed in them (at least based on my reading from their websites).

      Mind you, I'm in complete agreement that our development tools and languages are primitive. Things should be that easy, but they certainly are not at the moment, certain academic research projects notwithstanding.

      The OP that started this was basically claiming that companies should just 'do it right' as if that's a magic wand you can wave and make it happen. This is a common trap, often completed by stating, 'if they would just use [insert your favorite niche language here]'. Heck, some companies even tried this, most notably NeXT. And they didn't stray far, only to Objective-C. And even with this, it took 12 years and the financial weight of Apple to turn into a successful consumer operating system.

      Is it possible that writing an O/S using Object Pascal would be safe? Possibly, but I think you'd find that you'd have large sections hand written in assembly or unsafe code, and then you're back at square one again.

    7. Re:why not just do it right? by m2943 · · Score: 1

      Is it possible that writing an O/S using

      Go read up on your OS history: the majority of commercial server and desktop operating systems over the last 50 years have been written in high level languages. We don't have to "guess" whether it's fast enough--it is. We don't have to guess how much assembly language it takes--we know (it takes very little). We don't have to guess whether it prevents buffer overflows and many of the ills that afflict Windows, UNIX, and Linux--it does.

      Hardly. Java would qualify as such. The defining characteristic [of a managed language] is that it's intended to be run inside a VM.

      Those kinds of languages have been around since the 70's, so there was no reason for Microsoft to invent a new name for them. And I have no idea why you brought this into this discussion, since I didn't suggest using VM-based languages, I suggested using safe languages. Or do you labor under the misconception that only VM-based languages can be safe?

      The OP that started this was basically claiming that companies should just 'do it right' as if that's a magic wand you can wave and make it happen. This is a common trap, often completed by stating, 'if they would just use [insert your favorite niche language here]'

      I don't advocate particular languages. As long as a language is reasonably designed, it doesn't matter which one you use. You can write a good, safe, commercial, high-performance OS in Pascal, Modula-2, Modula-3, Oberon, Cedar/Mesa, PL/I, Smalltalk, Lisp, Algol, and many other languages, and people have. You can't do it in C-derived languages because C is fundamentally defective. That's another thing we don't have to guess about, the data on that is in, people like you just refuse to accept it.

    8. Re:why not just do it right? by QuietObserver · · Score: 1

      I don't disagree with you completely, but while C's lack of natural bounds checking is a major weakness, bounds checking can easily be designed into the architecture using a simple "if (OFFSET_EXPRESSION < BUFFER_LIMIT) PERFORM_BUFFER_OPERATION (buffer [OFFSET_EXPRESSION]);" where OFFSET_EXPRESSION is whatever the expression that determines the offset is, excluding any offset advance codes, and adding a "+ VALID_OFFSET_INCREASE" to the end if the advance code is done before the expression is used, and PERFORM_BUFFER_OPERATION ... is the operation dealing with the buffer. Yes, I might have gone a little overboard in presenting my example, but the principle works, and implements a fully functional bounds checking procedure.
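
The check sketched in the comment above (and the bounds-checked access m2943 argues a safe language gives you by default) written out in C, as an added example; this is not code from Larry Osterman's blog series, from PlaySound, or from any commenter. The `bounded_buf` type, the function names and the sample data are assumptions made for illustration. It places the unchecked store beside the checked one, and also covers the "advance" case the comment mentions, where the check must cover the whole range being written rather than only its first byte, and must not itself overflow when computing `offset + n`.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BOUNDED_CAP 16  /* BUFFER_LIMIT in the comment's notation */

/* Fixed-size buffer that carries its fill level next to the storage.
 * Hypothetical type for this example only. */
typedef struct {
    unsigned char data[BOUNDED_CAP];
    size_t len;  /* bytes currently in use */
} bounded_buf;

/* The unchecked pattern: the offset is trusted. An offset >= BOUNDED_CAP
 * writes past `data` into whatever the compiler placed after it (here `len`,
 * then adjacent memory). This is the defect the check below removes. */
void unchecked_store(bounded_buf *b, size_t offset, unsigned char v) {
    b->data[offset] = v;
}

/* The checked pattern: "if (OFFSET_EXPRESSION < BUFFER_LIMIT) operate".
 * Returns 1 when the byte was written, 0 when the write was refused. */
int checked_store(bounded_buf *b, size_t offset, unsigned char v) {
    if (offset < BOUNDED_CAP) {
        b->data[offset] = v;
        if (offset + 1 > b->len) b->len = offset + 1;  /* cannot wrap: offset < 16 */
        return 1;
    }
    return 0;
}

/* The "advance" case: appending n bytes at the current fill level. The test
 * is written as n against the remaining space, not as len + n against the
 * capacity, so a huge n cannot wrap size_t arithmetic and pass the check. */
int checked_append(bounded_buf *b, const unsigned char *src, size_t n) {
    if (n > BOUNDED_CAP - b->len) return 0;
    memcpy(b->data + b->len, src, n);
    b->len += n;
    return 1;
}

/* Runs the checks on constructed input and returns how many writes were
 * refused: one over-long append, one append with a wraparound-sized n,
 * and one single-byte store exactly one past the end (3 in total). */
int demo_refusals(void) {
    bounded_buf b = {{0}, 0};
    const unsigned char chunk[] = "0123456789";  /* constructed sample data */
    int refused = 0;

    unchecked_store(&b, 0, 'x');                  /* in bounds, so harmless here */
    if (!checked_append(&b, chunk, 10)) refused++; /* fits: 10 <= 16 */
    if (!checked_append(&b, chunk, 10)) refused++; /* refused: 10 > 6 remaining */
    if (!checked_append(&b, chunk, SIZE_MAX)) refused++; /* refused, no wraparound */
    if (!checked_store(&b, BOUNDED_CAP, 0xAA)) refused++; /* refused: index 16 */
    if (!checked_store(&b, BOUNDED_CAP - 1, 0xBB)) refused++; /* ok: index 15 */

    return refused;
}

int main(void) {
    printf("refused writes: %d\n", demo_refusals());
    return 0;
}
```

The point the comment makes holds: the check is a single comparison per access, which is also what a bounds-checked language emits for you. What the language additionally buys is that nobody can forget to write it, which is where `unchecked_store` and `checked_store` differ only by one `if`.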

  28. Wrong terminology by Arkaic · · Score: 1