Microsoft's Larry Osterman On Threat Modeling
Schneier has pointed out an excellent series of blog posts about threat modeling by Microsoft's Larry Osterman. The series focuses on the PlaySound API as an example. "As you go about filling in the threat model threat list, it's important to consider the consequences of entering threats and mitigations. While it can be easy to find threats, it is important to realize that all threats have real-world consequences for the development team. At the end of the day, this process is about ensuring that our customer's machines aren't compromised. When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage."
Consumer: My company doesn't need Vista, we're using Linux which has about the same amount of bumps and hiccups. ... ... ... well, no reason to get into details. Have a nice day!
Microsoft: You mean you're using an operating system that validates over 450 of our patents?
Consumer: Well, I know that isn't true but
Microsoft: But it'd be a shame if your company was ever engaged with our world class legal team instead of being a 'partner' with the largest software maker ever?
Consumer: But we only have 20 employees.
Microsoft: We know--perhaps you'd be interested in purchasing a copy of our lap dog here, Novell's SUSE?
Consumer: But we already use Red Hat
Microsoft: We heavily suggest you re-evaluate SUSE and when you do your trade study please do note that it's the only Microsoft Certified Genuine Linux. Also, it would be a shame if we had to exercise our patent portfolio on Red Hat and subsequently
My work here is dung.
Try to imagine this guy's work day: He gets to wake up in the morning, hug his kids and then go into work and spend all day trying to figure out the right combination of security defaults that will (a) let people go out and do stuff while (b) protecting them from their own "I'm an average Windows user" level of abject stupidity.
Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.
As much as it's fun to give MS shit for their products, I think I'd last about two hours in that position before I went into the executive washroom and slashed my wrists.
Every year during my review, I just pray the words "slashdot.org" aren't mentioned.
I guess "threat mitigation" is more cost-effective than "writing code that doesn't suck".
Support NYCountryLawyer RIAA vs People
No folly is more costly than the folly of intolerant idealism. - Winston Churchill
What he's really saying is they ran out of fingers to plug the holes in the dike, they have their dicks plugging the holes in their customers' ass, and the water is STILL rising.
Down With Slashdot BETA!!! I've been around the corner and seen the oliphant; you can only abuse me from your perspecti
http://en.wikipedia.org/wiki/Attack_tree
By Bruce Schneier.
Face it, no matter how secure your little bit of code is, if the SYSTEM is vulnerable, your little bit of code is vulnerable.
Which is where Larry goes wrong in TFA.
You can put all the locks you want on your front door. But if you don't fix the huge hole in the wall next to it, you aren't improving your security at all. No matter what you claim.
Microsoft made a big mistake when creating Windows, though not one most of us would have foreseen in the early '90s-- they made Windows 3.1 a single-user OS and thanks to their dedication to backwards-compatibility ended up being stuck with it. Now this poor guy has to figure out a way to make Microsoft software secure by default, even though they have 1) lots of idiots in their customer base to deal with and 2) too many legacy applications expecting root privileges to break backwards compatibility and set the OS up with Unix-style permissions.
For high reliability code, you write code on the assumption that other code may have problems. You write code defensively. For any kind of complex system, people will make mistakes. Thus you have to continually verify program integrity and security in a multiply redundant manner. You don't wait until a trust barrier is crossed.
For example, if I have an application controlling a power plant, even if the computer is already running "foreign" code at my privilege level, the control application may still be up. It isn't until the foreign code impacts on the control application that a major security problem exists. Unfortunately, Microsoft makes it easy for the foreign code to impact the control application. The code could consume all available CPU resources, it can consume almost all available disk bandwidth, it can run Windows out of Virtual Memory or Handles. None of these attacks are easily blocked by existing Windows security. Of course, when the ability to inject code into the control system is considered, rogue program security gets worse.
Microsoft's threat model does not even consider the effect of "friendly" code, to impact on critical code. If you can't detect adverse interactions with friendly code, then I really question the ability to survive malicious code impacts.
At least two levels of redundancy are required. Malicious code almost always starts as an unexpected consequence of a friendly application, and the first level of redundancy is that the authors write the friendly application in a secure manner. In practice, relying solely on this level of redundancy is fraught with peril. As such, additional levels of redundancy are required. A key second level of redundancy is that even if a friendly application runs amok, the control system should keep running. This implies isolation between applications running at the same privilege level.
The intent of multi-tasking operating systems is to prevent applications at the same privilege level from affecting each other both directly and indirectly. Applications should not be able to affect each other either directly (application to application) or indirectly (via slowing the computer to a crawl.) By only looking at trust escalation issues, Microsoft has a key areas of redundancy and security.
"this process is about ensuring that our customer's machines aren't compromised."
I cried tears of joy when I read about Microsoft dedicating so many of their resources to securing one customer's machines. It just shows how Steve "Big Hearted" Ballmer is steadily filling what was once a cold, impersonal monopolist with people who are willing to go not just an extra mile, but several extra parsecs to ensure that every one of their customers feels loved and cared for. I'm so very, very glad that there's still a place for wonderful people-oriented guys like this in the cynical cut-throat world of big business. Please excuse me while I throw myself face down on a bed and sob uncontrollably for several days.
I'm not going to change your sheets again, Mr. Hastings.
If it's so idiotic to "integrate the browser into the OS", then why does Apple do it with OSX and why does the KDE team do it with their desktop environment?
I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
Even if you were correct, it should not be that difficult for a company with Microsoft's money and personnel to solve.
Just license some tech from VMWare or such.
Build the NEW system so that it CORRECTLY conforms to security "best practices" and then incorporate "virtual machines" that can run those "legacy" apps under the OS they were designed for.
Microsoft has already sort of tried this with "compatibility mode" and things like that. The problem is NOT the apps (as people claim). The problem is Microsoft's continued focus on "user friendly" as opposed to security.
There are SO MANY problems with Microsoft's approach to their systems that just looking at making a bit of code "secure" is laughable. We've gone through this with Java and Firefox and so forth. If the SYSTEM is not secure, then your apps CANNOT be secured.
When Linus puts a web browser in Linux, then you'll have a point.
I think we can all agree that actions have consequences, especially in an over-engineered software environment with layers upon layers of APIs and legacy code. - AH4H
Clearly you've never used OS X if you think Safari is integrated in any way. I haven't tried, since it's nice to have a Safari around for testing new web page layouts, but I would not be surprised at all if it could be completely removed from the system just by dragging it to the trash as one would any other OS X application.
I used to get high on life, but I developed a tolerance. Now I need something stronger.
I don't believe that Safari can be said to be integrated into OS X. It's a built-in component, but that's not the same thing. When you open "My Computer" or "Windows Explorer" or even "Control Panel" on a Windows box you're opening IE. The browser is "integrated" in the sense of "If you remove this, you remove a significant portion of OS functionality." I might be wrong, I'm just basing this on look and feel, but I don't think "Safari", "Finder", and "System Preferences" are essentially the same thing the way they are in Windows. Similarly, while KDE does integrate Konqueror directly into the desktop interface (it does in fact run the file browser, like IE does in Windows), in a desktop Unix you can simply choose not to use KDE at all. You're not limited to one supplied UI, and at any rate the UI only has OS hooks as deep as normal file system access and controls. When you do something in KDE, you are doing it (for whatever the value of $USER is as "you"); when you do something in IE, sometimes it's the "system" doing it. That's a lot more dangerous.
While I might be wrong about OS X (I don't think I am though), your point about KDE is totally bunk.
I don't need a million points of light, just two points of multi-mode fiber and a 10 Gig-E router.
Put another way, imagine that instead of just setting up a computer for your parents, you had to set one up for *everybody's* parents. All at once.
I'd get them a Mac.
Unfortunately, Microsoft can't get there from here.
Microsoft *could* reinvent the wheel 20 times in order to make sure every single app has its own libraries to use, but that would be stupid.
Yes, because explorer has the ability to call the same libraries (dlls) that IE uses to render web pages. Other OS's exhibit the exact same ability/behavior.
Yeah, you could "remove" Safari but the libraries that provide all of Safari's functionality would remain. You could also remove IE from Windows, but most of its functionality would remain as IE mostly just calls external dlls - dlls that other parts of the system share.
If you really wanted to remove Safari from OSX, you would have to remove the entire webkit framework that it and many other OSX applications rely on, and I really don't think you would want to do that.
Or rather for the use of ActiveX in the HTML control, particularly security zones.
"Storing a file in the wrong place can lead to complete compromise... that's OK, if you download a file you really meant to run it anyway, so that's the user's fault."
I have servers running Linux without Konqueror.
I have workstations running Linux without KDE.
Your point will be valid when (and only when) Linus puts a browser into Linux. Until then, I can (and do) run Linux WITHOUT a browser.
And that is only ONE of the reasons that Linux is more secure than Windows.
Which ones? I just tried unsuccessfully to access the web through Finder, and when I try to access the local file system through Safari it was smart enough to call Finder, but doesn't access the file system itself. I mentioned KDE in my original post, which does integrate the browser and UI tools, but since that's a desktop, not an OS, it's a different matter. I suppose it's arguable that "Explorer" is only a UI level system in Windows, but that seems disingenuous since unlike in Linux Windows has only one supported UI, and the UI is coded and provided by the OS maker as part of the OS. It's also true that unlike in KDE where nothing can execute with elevated privileges without a password being entered (either the user's password through sudo or the root password through an su), Explorer can and has been known to execute code as 'system' without checking first. It seems Vista may have finally really fixed that last bit, but I haven't worked with it much.
I'm also not clear on how two different executables that access the exact same dlls, and perform in an identical fashion are not the same thing. The fact that Internet Explorer loads the "bookmark" module, and the "Google Search Bar" module, and Windows Explorer loads the "jump around the file system" module doesn't make them different software. They are functionally identical except for a few modules that are loaded differently depending on how they are called.
Back in the day [about 11 or 12 years ago], you could run Windows NT 3.51 as a shell - it looked just like DOS, except that there was a true multi-user, multi-tasking kernel underneath.
To go into Windows, you typed "WIN" [or "WIN.EXE"], just like you would in Windows 3.10/3.11.
It wasn't until NT 4.0 [circa 1996] that you were required to run Windows.
NT 3.51 was a really cool operating system - e.g. everything had to go through the client/server model, which meant that video was really slow, so video was brought into the kernel in NT 4.0, resulting in myriad BSODs until the video card manufacturers were capable of producing "6-Sigma" [or "7-Sigma" or "Whatever-Sigma"] drivers.
Which actually took a surprisingly long time - several years of driver improvements & Service Packs were required before you could boot NT 4.0 reliably [without the omnipresent threat of a BSOD], by which time Windows 2000 was here.
One of the important jobs of any operating system is to isolate and protect applications from one another. To assume the so-called "Immutable Law #1" is to pretend that this responsibility doesn't exist.
I'm sure they've heard of encapsulation, right? Defense in depth? How about the principle of least privilege? The thinking behind Law #1 -- that when a user runs a program, that program automatically gets full rights to pull all the user's privileges out of thin air and exercise them in whatever way it wants -- runs counter to all of these fundamental security concepts.
A revision of the Law that's somewhat closer to the truth would be something like: "If a bad guy can persuade you to run his program on your computer, and your operating system allows that program to damage the system, other programs, or your data, it's not your computer anymore." The operating system does not get a free pass.
Some improvements that could help:
a)The default action for opening a document ( double click ) should not be the same as the default action for executing a binary ( double click ) and installing software ( yep, another double click ).
b)Don't offer the option to execute binaries when you hit a link in the web browser. If the user wants to run a binary it goes: download -> execute ( again, not double click ).
c)Try to avoid a situation which encourages the user to hit "Allow" without thinking.
Oh, and finally, when it becomes apparent that a program is full of bugs because "features" were pushed in favor of bug fixes...
"BAD PROJECT MANAGER! NO BISCUIT!"
Absolute class - thanks. It made me laugh.
:-).
We have to be honest here - this IS innovation! Have you ever heard such quality BS from *any*, and I mean *any* other company? I mean, it's been tough since Enron's "I feel your pain" Skilling went the way of the Dodo, but Thank God we still have Microsoft churning out new ways of selling complete and utter BS.
I think we will all feel the loss when the EU finally hangs all of them (at least, that's what they make their conviction sound like
Actually, removing IE from Windows is a hell of a challenge and breaks stuff. Hell, even Mozilla says not to do it. Removing Safari, on the other hand, can be done by simply dragging the icon to the trash. I was unsure about this when I posted earlier, but confirmed with a friend who had removed Safari from his first OS X install that there were no ill effects.
Yes, webkit still remains, but it can also be removed if one so desires, as long as one is aware of how many OS X applications use it just because it's there. The same applies to IE on Windows of course, but on Windows many parts of the system actually depend on IE so removing it can break a base install, where on OS X you may break third party applications that depend on Webkit but you won't break the main system.
I'd love to take a poll and see how many OSX users have removed webkit from their OSX installs.
As Euclid said, "as you go about proving a theorem, it's important to consider the consequences of examining various cases. While it can be easy to find cases that need to be examined, it is important to realize that all cases have real-world consequences for the theorem. At the end of the day, this process is about ensuring that the theorem is mostly true at those times when it's most important to be true. When we're deciding which cases should be tested, we concentrate our efforts on those where the theorem's being false would cause the most damage."
:-) ------- (denotes irony).
Actually proving a theorem true, for all cases, is a nice aspirational goal, not a realistic one.
Smiley ---->
"How to Do Nothing," kids activities, back in print!
When we're deciding which threats need mitigation, we concentrate our efforts on those where the attacker can cause real damage
Well, yeah, but there are so many threats against Microsoft software. So, why not just do it right in the first place? Why not create software without the possibility of buffer overflows and most other avoidable issues in the first place?
Which ones? I just tried unsuccessfully to access the web through Finder, and when I try to access the local file system through Safari it was smart enough to call Finder, but doesn't access the file system itself.
Explorer doesn't "access the web", either, it just loads up the IE components inside the Explorer window (in the same way you can embed an Excel spreadsheet into a Word document and it fires up Excel from within Word).
I mentioned KDE in my original post, which does integrate the browser and UI tools, but since that's a desktop, not an OS, it's a different matter.
No, it's exactly the same "matter". You are creating a false dichotomy.
I suppose it's arguable that "Explorer" is only a UI level system in Windows, but that seems disingenuous since unlike in Linux Windows has only one supported UI, and the UI is coded and provided by the OS maker as part of the OS.
You are conflating a marketing issue (Windows only comes with one shell) with a technical issue (how the various components run and interact).
It's also true that unlike in KDE where nothing can execute with elevated privileges without a password being entered (either the user's password through sudo or the root password through an su), Explorer can and has been known to execute code as 'system' without checking first.
That's a pretty serious bug. Evidence ?
I'm also not clear on how two different executables that access the exact same dlls, and perform in an identical fashion are not the same thing. The fact that Internet Explorer loads the "bookmark" module, and the "Google Search Bar" module, and Windows Explorer loads the "jump around the file system" module doesn't make them different software. They are functionally identical except for a few modules that are loaded differently depending on how they are called.
Try thinking about how many different programs do exactly the same thing using glibc (because, well, that's the point of having a shared library to do it).
Care to cite any example of how removing IE will break the base install?
There are quite a few things in Windows that use the IE components. The Add/Remove Programs applet, for example. Any time Explorer shows you a thumbnail or media preview. The help system. Etc.
Of course, code re-use is, well, kind of the *point* of having a modular system, so it's a struggle to see why any rational person would consider doing that to be bad. Unless, of course, they were blinded by their anti-Microsoft zealotry (like a sizable proportion of Slashdot) that anything Microsoft did was bad, even when it was the same thing as everyone else.
Finally, I'm pretty sure there are a handful of OS X "base install" components that use WebKit (the help system springs to mind) - and if not, there certainly will be soon since, as I said, the whole point of having a chunk of modular code is so that you can re-use it.
I'd have to agree with this guy:
http://taosecurity.blogspot.com/2007/10/someone-please-explain-threats-to.html