On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future

This post is a variation of an email that I sent before I had a meeting last Friday (2nd March 2007) with 4 senior technical Microsoft employees (two from the .NET Security side and two from the office security team)

As with all my previous meetings/lunches with Microsoft employees, it was an interesting intellectual discussion but with no tangible results or actionable actions since they (and Microsoft) are currently not focused on this problem (or don’t think that Partial Trust Managed Code is a valid solution). I also think that I need to speak with their bosses, but unfortunately their bosses are not talking to me.
—————————————

There are numerous reasons that explain the current lack of focus (and faith) by Microsoft (and others) on Partial Trust Managed Code (PTMC), the main ones being:

  • the lack of attacks on Full Trust environments (think of all those ISPs selling Full Trust ASP.NET accounts which are trivial to exploit and 0wn)
  • the failure by Microsoft’s .NET team to implement certain types of applications and OS components in Partial Trust Managed Code (you can just hear the C++ crowd saying “man those guys can’t even do it in Full Trust!!!”)
  • the non-existence of public attacks that exploit the fact that our “main security defence method is the reliance on the non-execution of malicious code in our environments” (this would have changed if WinZip, Flash or Adobe (for example) had been infected with malicious code that was successfully exploited in a spectacular and public way)
  • (from Microsoft’s point of view) the fact that its main competitors are also in denial and not going in that direction

To solve it, changes will need to occur in multiple areas (and all of them will need to be addressed in order to have a real solution):

  • Technological
  • Political
  • Strategic
  • Economical
  • Social
  • Educational

Technological

We need better tools to write Partial Trust Managed Code (PTMC), manage its environment and prevent/detect/stop malicious code. For example:

  • Dynamically calculate required CAS permissions (don’t get me started on PermCalc)
  • Refactor code that requires higher permissions into separate assemblies (so that only 1% of the code will need to run outside the Sandbox)
  • Converters of unmanaged code to managed code (i.e. C++ to C#, VB6 to VB.Net, etc…)
  • Source code audit tools that identify vulnerabilities or areas that might have vulnerabilities
  • “.Net Time-machine (ala Flight Recorder)” - ability to record the entire state of all objects during a .Net Execution and allow the execution, debugging and fuzzing from any arbitrary point (see Java’s DeJaVu and JaRec Projects (I remember seeing another PoC of this type of tool, but can’t seem to be able to find the link))
  • Smart fuzzers (to find run-time vulnerabilities)
  • ‘Security rating calculators’ which will give a product (or dll) a rating based on the ‘threat profile of that application’ (for example, the more unmanaged code, the worse the rating). This will be a very important part of the ‘Partial Trust Brand’
  • Development environments that allow the development of complex and feature rich partial Trust applications like IE in managed code
  • New execution environments (aka mini CLRs) that allow the execution of Managed/Verifiable code in: Services, Drivers, plug-ins etc…
  • New Virtual PC Execution environments that allow the safe execution of ‘potentially malicious applications’ whose interface with the user’s assets is controlled by a managed/verifiable application (and CAS policies)
  • ‘What is going on’ tools. When I run an application I need to know EVERYTHING it does. And if the application somehow escapes the ‘execution monitoring system’ I want to know that it did. Now that Microsoft bought SysInternals, can we have a massive boost to those tools’ capabilities? These tools must also build CAS policies based on what they detect the target application needs.
  • Tools that allow the easy development and use of CAS and RBS (Role Based Security) and frameworks for securing an application’s Business-Logic (for example using CAS to prevent a user’s account from being changed, or a bank account from being accessed)
  • Code Coverage Tools - To know how much of an application has been tested, fuzzed or executed
  • ‘Real time Hot Patching of Jitted methods (without using the .NET profiler)’ - For advanced defence solutions we will need the capability to make changes to jitted code (i.e. writing patches in C#)
  • For ASP.NET we need:
    • WAF (Web Application Firewalls) with pluggable modules for: Data Validation, Authentication, Authorization, Anti-CSRF, DoS, Business-Logic vulnerabilities, etc…
    • A framework similar to Struts (which forces the developers to do the right thing, i.e. explicitly define all inputs into their application)
    • IDS (Intrusion Detection Systems) with the capability to change the application’s behaviour when under attack
    • Native Http Pipeline for IIS 5 and 6 (similar to what seems likely to happen in IIS 7)
      • This will be very important to protect ASP Classic pages. I know several companies that are trying to implement such modules, and they will not have the resources and knowledge to implement a comprehensive and secure solution
    • CAS demands for dangerous methods (for example methods and classes that allow SQL Injections, XSS, etc…)
      • The current CAS permission’s model is designed to protect the server and the other co-hosted applications. This needs to be extended so that CAS can be used to protect the actual application from vulnerabilities in its code
    • CAS demands for methods or code that ‘should’ exist (for example data validation checks, authorization, etc….)
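To show what a ‘CAS demand on a dangerous method’ (and the Business-Logic guard idea above) looks like with the CAS plumbing that already ships in .NET 2.0, here is an added example that is not from the original post: a hypothetical data-access class whose raw-SQL method carries a declarative demand for an unrestricted SqlClientPermission, called from a caller restricted (via PermitOnly) to Execution permission only, which is how a partial-trust caller would see it. The demand fails before any SQL runs; the parameterised method, which demands nothing extra, still works.

```csharp
using System;
using System.Security;
using System.Security.Permissions;
using System.Data.SqlClient; // needs a reference to System.Data.dll

// Hypothetical data-access layer (constructed for this example).
// ExecuteRawSql is the "dangerous" method: it demands an unrestricted
// SqlClientPermission, so only callers holding it can reach the raw path.
static class DataAccess
{
    [SqlClientPermission(SecurityAction.Demand, Unrestricted = true)]
    public static string ExecuteRawSql(string sql)
    {
        // A real implementation would run the query; here we only report
        // that the guarded code path was reached.
        return "executed raw SQL: " + sql;
    }

    // The safe path: no extra demand beyond what ADO.NET itself demands.
    public static string ExecuteParameterised(string name)
    {
        return "executed parameterised query for: " + name;
    }
}

static class Program
{
    static void Main()
    {
        // The grant a partial-trust application would run with:
        // it may execute, but holds no SqlClientPermission at all.
        PermissionSet partialTrust = new PermissionSet(PermissionState.None);
        partialTrust.AddPermission(
            new SecurityPermission(SecurityPermissionFlag.Execution));

        // PermitOnly restricts this frame to the given set, which cheaply
        // simulates a sandboxed caller without building a new AppDomain.
        partialTrust.PermitOnly();
        try
        {
            Console.WriteLine(DataAccess.ExecuteParameterised("alice"));
            Console.WriteLine(DataAccess.ExecuteRawSql(
                "SELECT * FROM Users WHERE Name = 'alice'"));
        }
        catch (SecurityException ex)
        {
            // The stack walk hits the PermitOnly frame and the demand fails,
            // so the raw-SQL path is never executed.
            Console.WriteLine("blocked by CAS: " + ex.PermissionType);
        }
        finally { CodeAccessPermission.RevertPermitOnly(); }
    }
}
```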

We also need to normalize the Windows security features into a common framework. I would propose that we use the current CAS model for all security related decisions and configurations (for example using CAS to define: Windows ACLs, Firewall rules, UAC settings, etc..). But for this to be practical, CAS (and all its plumbing) should be removed from the .NET Framework’s BLOB and be implemented as a separate, de-coupled module

Political

Microsoft needs to come out loud and clear and say ‘Managed Verifiable code is the way to go, and we all (MS and its community) need to go that way’

The fact that Sun, Apple, Google and the Linux crowd are not doing this should not be seen as an excuse but it should be seen as an opportunity.

We need a ‘Towards a Managed and Verifiable world’ memo (Ray are you listening?)

Strategic

Microsoft needs to change its core business model from selling massive highly-coupled applications (the best examples are OSes, the .NET Framework and the online web services: MSN, Live, etc..) and go to a model where each application and component is developed, executed and sold separately (note that online services need even MORE security than normal packaged software applications).

For this to work, Microsoft would need to ‘really’ embrace open standards and multi-layer application models where each layer (or component) is 100% independent and the only communication channels between layers are simple, open and well documented.

Economical

It must make commercial sense to write managed/verifiable code (in both Windows and ASP.NET worlds). Which means that the paying clients that are purchasing software/applications/services MUST demand such code (and MUST reward the companies that write them)

It also must make commercial sense (and be realistic) for companies to provide ‘Application security verification services’. And this is a big opportunity for security vendors: “give me a service that checks and certifies applications and I will pay for it (as a monthly subscription).”

Social

We have to stop blaming the users for using our products the way they were supposed to be used. The current security model where the user is expected to make a major security decision on every prompt doesn’t work (and will not hold much longer).

It is not the User’s responsibility to restrict malicious code execution, it is the OS’s (and application security audit teams’) responsibility.

Also remember that the browser is becoming the target, and for example:

  • the users will not care if their OS (or kernel) is not compromised if they just lost their assets
  • the attackers will not care if their exploit doesn’t survive a reboot if they are able to steal/exploit the user’s assets

Educational

There will need to be a big push on how to program for Partial Trust environments, and there must be a special focus in teaching the Network and Infrastructure teams since they should be the ones that define the CAS policies (not the developers)

One Response to “On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future”

  1. Dinis Cruz Blog » Blog Archive » Roadmap to a Partial Trust Managed Code world Says:

    […] my ‘On Microsoft’s lack of Partial Trust Managed Code (PTMC) focus and ideas for the future‘ and ‘Security Awareness Modes’ & the ‘day Microsoft changes which defend (and give […]
