
[Full-disclosure] Comment on Microsoft's leaked memos, and the unofficial end of Microsoft 'Trustworthy Computing'



[item originally posted yesterday at my Owasp .Net blog 
(http://owasp.net/blogs/dinis_cruz/archive/2005/11/17/92.aspx); note the 
comments about Sony's Rootkit case]

The current Microsoft CTO (Ray Ozzie) and Bill Gates published two 'leaked' 
memos last week (you can read Bill Gates' memo here, and Ray's memo here, 
published by hypercamp), which generated some interesting comments:

Leaked Memos Point to a "Disrupted" Microsoft  

Robert Cringely thinks that they were leaked on purpose - I agree, nobody 
writes internal memos like this  

Mini-Microsoft hits again with a hard analysis, A Disruptive Defrag for 
Microsoft - note in the comments that some Microsofties are starting to lose 
patience with Mini (if only they knew who Mini-Microsoft is; read Everybody 
has their theories, but Mini-MSFT is... for a post saying what I had thought 
before but didn't want to be the first to post: Mini-Microsoft is probably 
somebody quite important at Microsoft, if not BG himself)

Now, I did read the memos, and have to say that they show a good strategy in 
focusing on Services and highlight the fact that Microsoft has realized that 
their massive release and development cycles have to be replaced by simpler, 
effective, practical and secure services.

Talking about security, as news.com noted here (Gates memo: No mention of 
"trustworthy computing"), one area on which there is barely any comment in 
these memos is security.

First let's analyze Ray's mention of Security in his memo:

"....In 2000, in the waning days of the dot com bubble, we yet again reflected 
on our strategy and refined our direction.  After taking a more deliberative 
look at the internet and its implications for software, we came to the 
conclusion that the internet would go beyond browsing and should support 
programmability on a global scale.  We observed that certain aspects of our 
most fundamental platform - the tools and services that developers use when 
building their software - would not likely satisfy the emerging security and 
interoperability requirements of the internet.  So we embarked upon .NET, a 
transformative new generation of the platform and tools built around managed 
code, the XML format and web services programming model..."

Hmm, I wonder if anybody has told Ray that 99% of .Net applications currently 
deployed have been created for Full Trust environments (which is insecure by 
default, insecure by design and insecure in deployment). I guess that he also 
doesn't know that most code that Microsoft produces today is still unmanaged 
and that the security advantages of the .Net framework can only exist in a 
Partially Trusted world (see my post What are the 'Real World' security 
advantages of the .Net Framework and the JVM? and Gunnar Peterson's excellent 
follow-up .Net and Java "faith-based" security).

"... Complexity kills.  It sucks the life out of developers, it makes products 
difficult to plan, build and test, it introduces security challenges, and it 
causes end-user and administrator frustration.  Moving forward, within all 
parts of the organization, each of us should ask "What's different?", and 
explore and embrace techniques to reduce complexity...."

Here, I completely agree, but I wonder then why Microsoft is not giving us 
SIMPLER and LESS COMPLEX products. I want a simpler Windows 2000, 2003 and XP 
(one without the stuff that I don't need), I want a simpler .Net Framework (one 
without the stuff that is not needed to execute the relevant application), I 
want a simpler IE (one with fewer privileges and able to handle malicious code).

The main cause today of security issues is complexity, and only by fully 
understanding an issue and all its connections and interdependencies can one 
secure it. This is what worries me about Vista: I see a lot of new 'Security 
Features' where I would prefer to see more 'Secure Features' for Windows 2000, 
2003 and XP (remember that XP SP2 was only successful from a security point 
of view because it didn't introduce any major new functionality; I have made 
some more comments about Vista here: Security in Longhorn: Focus on Least 
Privilege).

And now let's look in Bill Gates' memo for references to security:

....

none, zero.

Not one mention of Security.

Does this mean that for Microsoft the security problems are all under control 
and their job is done?

The problem is that Microsoft might have solved quite successfully one category 
of security vulnerabilities (namely the high number of buffer overflows) but is 
not paying enough attention to the next wave of attacks and security 
vulnerabilities.

As the Sony Rootkit issue has shown (which I blogged about here: Sony's DRM 
rootkit, Follow up on Sony, Sony stops rootkit production, ActiveX contains 
vulnerabilities and 'doing a sony' and Sony ActiveX massive vulnerabilities, CDs 
recall and 'Where were the AntiVirus?'), the next wave of attacks will be 
caused by malicious code executed inside the computer.

Let me say this very clearly: Our computer systems MUST be able to SECURELY 
EXECUTE MALICIOUS CODE!

This is why I have been talking for two years now about the Security 
Vulnerabilities in Full Trust Asp.Net (see An 'Asp.Net' accident waiting to 
happen, Microsoft must deliver 'secure environments' not tools to write 'secure 
code', My experience with the MSRC (Microsoft Security Response Center), Some 
comments to Misleading and False Information in: 'What ASP.NET Programmers 
Should Know About Application Domains', Microsoft's David Treadwell 'almost' 
admits the problem, Some comments about 'The Six Dumbest Ideas in Computer 
Security', and my Owasp Presentations: OWASP AppSec 2005 UK Presentation and 
AppSec2004-Dinis_Cruz-Full_Trust_Asp.Net_Security_Issues.ppt).

The only solution for the next wave of malicious code is to be able to execute 
it in secure run-time environments (i.e. Sandboxes), which will take a huge 
amount of work, re-engineering and commitment (the new tools in VS 2005 will 
help).

But this will not happen until Microsoft acknowledges the problem and says loud 
and clear in (http://www.microsoft.com/security): Full Trust .Net is a massive 
security issue and everybody needs to create applications (web and windows 
based) that execute in partially trusted environments (here is where Microsoft 
is today on this issue: Current Microsoft info about CAS and Full Trust).
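To make the "partially trusted environment" concrete, here is an added example 
(my own illustration, not code from the original post, from OWASP or from 
Microsoft) of the host side of such a sandbox: a .Net AppDomain created with an 
explicit grant set instead of Full Trust. It uses the simple-sandboxing 
overload of AppDomain.CreateDomain that takes a PermissionSet, available since 
.Net Framework 2.0 (the VS 2005 generation mentioned above). The class names 
UntrustedWorker and SandboxHost, the temp directory and the probe file are 
assumptions for the demo. Code loaded into the domain gets only Execution 
permission plus read-only access to one directory, so its attempt to write a 
file is refused by CAS with a SecurityException; the same call from the Full 
Trust host domain would simply succeed.

```csharp
using System;
using System.IO;
using System.Security;
using System.Security.Permissions;
using System.Security.Policy;

// Stand-in for untrusted code. It runs inside the sandboxed AppDomain and
// derives from MarshalByRefObject so the host can call it across the
// domain boundary through a proxy. (Hypothetical class for this demo.)
public class UntrustedWorker : MarshalByRefObject
{
    public string TryWrite(string path)
    {
        try
        {
            File.WriteAllText(path, "should never be written");
            return "WRITE SUCCEEDED (code is running with Full Trust)";
        }
        catch (SecurityException)
        {
            // FileIOPermission(Write) is not in the grant set, so the demand
            // made by File.WriteAllText fails here.
            return "WRITE DENIED by CAS (partial trust)";
        }
    }
}

public static class SandboxHost
{
    // Build a domain whose grant set is explicit and minimal: start from an
    // empty PermissionSet and add only what the hosted code needs.
    public static AppDomain CreatePartialTrustDomain(string readOnlyDir)
    {
        var grantSet = new PermissionSet(PermissionState.None);
        grantSet.AddPermission(
            new SecurityPermission(SecurityPermissionFlag.Execution));
        grantSet.AddPermission(
            new FileIOPermission(FileIOPermissionAccess.Read, readOnlyDir));

        var setup = new AppDomainSetup
        {
            ApplicationBase = AppDomain.CurrentDomain.BaseDirectory
        };

        // No zone/URL evidence is needed: the grant set is passed directly.
        // The fourth argument is the permission set every assembly loaded
        // into this domain receives; the trailing params list would name
        // assemblies that keep Full Trust, and we pass none.
        return AppDomain.CreateDomain("PartialTrust", new Evidence(), setup, grantSet);
    }

    public static void Main()
    {
        string dir = Path.Combine(Path.GetTempPath(), "cas-demo");
        Directory.CreateDirectory(dir);

        AppDomain sandbox = CreatePartialTrustDomain(dir);
        try
        {
            // Instantiate the worker inside the sandbox; the host only holds
            // a transparent proxy, so TryWrite executes under the grant set.
            var worker = (UntrustedWorker)sandbox.CreateInstanceAndUnwrap(
                typeof(UntrustedWorker).Assembly.FullName,
                typeof(UntrustedWorker).FullName);

            Console.WriteLine(worker.TryWrite(Path.Combine(dir, "probe.txt")));
        }
        finally
        {
            AppDomain.Unload(sandbox);
        }
    }
}
```

Two points worth noticing for a defender. First, the assembly hosting 
UntrustedWorker is loaded into the sandbox domain from ApplicationBase and is 
not listed as a full-trust assembly, so it is partially trusted even though it 
is the host's own assembly; putting it in the GAC or naming it in the params 
list would silently hand it Full Trust again. Second, the denial happens at 
the permission demand inside the framework, not in the worker's own code, 
which is exactly the "secure environment, not secure code" distinction the 
post argues for.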

And let's not forget that the CLR has not been audited by an independent team 
of security consultants (i.e. one without an NDA signed with Microsoft that 
limited what they could publish). During my Rooting the CLR research I did 
some quick research into past JVM vulnerabilities and how they relate to the 
CLR, and was able to quickly find a Possible Type Confusion issue in .Net 1.1 
(only works in Full Trust). Given the fact that SQL Server 2005 is now 100% 
dependent on the integrity of the CLR and BCL, isn't it about time that an 
independent security audit is performed?

Microsoft should learn from the current Sony DRM mess and prepare itself for 
the next wave of exploits (just talking about the good guys: given the current 
Windows security model, without using a partially trusted environment, what 
choices do DRM makers have but to patch the kernel? For example, how can you 
protect a PDF file from being printed or copied if you don't enforce it at 
either kernel level or System Process?)

And if Microsoft is not able to make this move, I hope that the Java camp does 
it.

I also have very high hopes in the Mono project since this (securely executing 
malicious/untrusted code) could be Mono's killer-application (i.e. the one that 
makes everybody use it). Here are some links to Mono and Mono's CAS:
   http://www.mono-project.com (main Mono website)
   CAS - where we stand
   Code Access Security in Mono
   Mono CAS Wiki
   Mono Security Manager Part I - Using CAS permissions

Hope somebody is listening
  Dinis Cruz
 Owasp .Net Project
 www.owasp.net


_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/