Robert Hurlbut's Blog

Thoughts on .NET, Security, Architecture, Agility, and Databases.



February 2005 - Posts

Daniele Muscetta (of Microsoft) posted a nice summary of some recent articles on Rootkits. He also included information on SysInternals' latest tool:

Also, Sysinternals has released today a Rootkit detector (looks like RootKits are finally getting a lot of attention these days...)

Nice tool. The RootKit Detector looks like it performs similarly to GhostBuster, except without the CD reboot. It does a Windows API scan and then compares results to a file scan, all within the same OS session. While this is a good attempt to catch Rootkits, it can be argued it is not as ideal a solution as the CD reboot/offline scan found with GhostBuster. Here is an interesting blurb from the RootKit Detector's documentation:

Is there a sure-fire way to know of a rootkit's presence?

In general, not from within a running system. A kernel-mode rootkit can control any aspect of a system's behavior so information returned by any API, including the raw reads of Registry hive and file system data performed by RootkitRevealer can be compromised. While comparing an on-line scan of a system and an off-line scan from a secure environment such as a boot into a CD-based operating system installation is more reliable, rootkits can target such tools to evade detection by even them.

The bottom line is that there will never be a universal rootkit scanner, but the most powerful scanners will be on-line/off-line comparison scanners that integrate with antivirus.

Unfortunately, the on-line/off-line method used by GhostBuster is not publicly available from Microsoft Research (see Bruce Schneier's request for this). Hopefully we will have this kind of version available from someone soon.

Posted by RHurlbut

I saw this last night, and Dana Epp has posted a pointer:

Peter Torr has done it again. He has written an EXCELLENT article on writing a practical threat model... getting rid of the cruft of useless theory and applying real-world experience to how to get it done. If you are part of a team that needs a no nonsense approach to threat modeling, you should read his article on "Guerrilla Threat Modelling". Well worth the investment in time.

I agree -- this is excellent! Read it, learn it, and think about how to apply it to your own projects.

Posted by RHurlbut

By now, I am sure you have seen or heard the news about SHA1 being broken.

In a somewhat timely fashion, I had been (re)reading Bruce Schneier and Niels Ferguson's book Practical Cryptography and Bruce Schneier's Applied Cryptography book (both excellent resources) for a couple of weeks for one of my projects before the SHA1 news. Schneier and Keith Brown have both been saying for a while we should avoid SHA1 and go with SHA256 or SHA512. Now, from what I have heard/read, the government is advocating this as well.

What do we do now? Obviously, there are a lot of solutions already built using SHA1, and since these are one-way hashes, you can't easily "decrypt" a value to get the original value back.

Looking around, I notice a lot of language choices to implement SHA1, but not SHA256 or SHA512. Microsoft .NET offers SHA256 AND SHA512 as options, but what if you are communicating with another application that doesn't implement these later hash algorithms? One reason MD5 (also broken last summer) and SHA1 were so popular was because they were fast, much faster than the later variations (called SHA-2 implementations). So, no one thought to implement these later versions as SHA1 was thought to be secure enough for a while.

This past weekend I spent some time going through the algorithm specs to convert a SHA1 algorithm implementation to a SHA256 implementation (in a non-.NET language). It wasn't too difficult, but I imagine this will need to be done more for other languages as we shift away from SHA1 in the near future.

Posted by RHurlbut | 3 comment(s)
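
The kind of SHA1-to-SHA256 port described in the post above, written out in Python as an added example (not the author's code; the post does not name the language he used). The comments mark what changes relative to a SHA-1 implementation, and the constants are derived from the primes as the specification defines them rather than typed in.

```python
import struct
from math import isqrt

MASK = 0xFFFFFFFF

def _icbrt(n):
    """Floor of the cube root of n, by binary search on integers."""
    lo, hi = 0, 1 << (n.bit_length() // 3 + 2)
    while lo < hi:
        mid = (lo + hi + 1) // 2
        lo, hi = (mid, hi) if mid ** 3 <= n else (lo, mid - 1)
    return lo

# SHA-1 uses 4 round constants; SHA-256 uses 64, derived from the first 64 primes.
PRIMES = [n for n in range(2, 312) if all(n % d for d in range(2, n))]
H0 = [isqrt(p << 64) & MASK for p in PRIMES[:8]]   # frac(sqrt(p)) * 2**32
K = [_icbrt(p << 96) & MASK for p in PRIMES]       # frac(cbrt(p)) * 2**32

def _rotr(x, n):
    return ((x >> n) | (x << (32 - n))) & MASK

def sha256(message: bytes) -> bytes:
    # Padding is unchanged from SHA-1: 0x80, zeros, 64-bit big-endian bit length.
    padded = message + b"\x80" + b"\x00" * ((55 - len(message)) % 64)
    padded += struct.pack(">Q", len(message) * 8)
    h = list(H0)                      # 8 state words instead of SHA-1's 5
    for off in range(0, len(padded), 64):
        w = list(struct.unpack(">16I", padded[off:off + 64]))
        for t in range(16, 64):       # 64-word schedule instead of 80
            s0 = _rotr(w[t - 15], 7) ^ _rotr(w[t - 15], 18) ^ (w[t - 15] >> 3)
            s1 = _rotr(w[t - 2], 17) ^ _rotr(w[t - 2], 19) ^ (w[t - 2] >> 10)
            w.append((w[t - 16] + s0 + w[t - 7] + s1) & MASK)
        a, b, c, d, e, f, g, hh = h
        for t in range(64):           # one round function for all 64 rounds
            big_s1 = _rotr(e, 6) ^ _rotr(e, 11) ^ _rotr(e, 25)
            ch = (e & f) ^ (~e & g)
            t1 = (hh + big_s1 + ch + K[t] + w[t]) & MASK
            big_s0 = _rotr(a, 2) ^ _rotr(a, 13) ^ _rotr(a, 22)
            maj = (a & b) ^ (a & c) ^ (b & c)
            t2 = (big_s0 + maj) & MASK
            a, b, c, d, e, f, g, hh = (t1 + t2) & MASK, a, b, c, (d + t1) & MASK, e, f, g
        h = [(x + y) & MASK for x, y in zip(h, (a, b, c, d, e, f, g, hh))]
    return struct.pack(">8I", *h)
```

A port like this should be checked against an existing implementation at the padding boundaries (message lengths 55, 56, 63 and 64 bytes), since that is where hand-written versions most often go wrong.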

Our second Boston Code Brew meeting is tonight. Tonight, we are focusing on "all things database" with a special emphasis on SQL Server. Should be another great meeting!

Sam Gentile posted a great review of this new book: Customizing the Microsoft .NET Framework Common Language Runtime by Steven Pratschner. As I was reading his post, I realized I had seen this book before! When I was preparing for WinDev on my CLR Hosting talk, I got information from Chris Brumme and others that a book on CLR Hosting was due to be released at some point. I didn't recognize the name (not sure it had one at the time), but this is the same book. This looks to be an excellent resource, and exactly what I and many others have been waiting for a long time. I have ordered my copy, and can't wait to dig into it!

This is perfect timing! I have a new project I have started that takes some of these ideas presented in the book, plus other uncharted areas in .NET and pushes them all to the limit. Some of the project is research for a possible new (needed) book in the industry, and some of it is for a practical commercial application. Time will tell where it all leads, but I will be sharing some more information as the year progresses.

I was at the Sys-Con Web Services Edge East 2005 in Boston for a couple of days this week. I had some work to finish for a couple of my clients, so I couldn't attend the entire conference, but what I saw was great. Some of my favorite parts were watching Michael Stiefel's talk on SOA and WSE2 and one of my heroes from my transaction study days: Eric Newcomer's talk on service orientation and a working SOA. I really wanted to see Julie Lerman's WSE2 talk, but had to miss it because of work -- bummer!

The biggest highlight for me was attending Patrick Hynds and Duane LaFlotte's security talk on "Security: The New Reality". They are also giving this talk at DevTeach. There were some impressive hacks and defense techniques shown, but one hack I especially "liked" (and you should defend against) is Duane's uploading of an ASP.NET (ASPX) page to a web site, and using it to traverse the file system to obtain anything he wanted off the web server!

While at the conference, I enjoyed catching up with Julie, Michael, Thom Robbins, Patrick, Duane, as well as meeting Derek Ferguson and G. Andrew Duthie for the first time. Look for an article on SQL Injection to come out soon in the .NET Developers Journal that I am working on with Patrick and Duane.

On Wednesday night, several of us attended the Cabana Night (sponsored by INETA). I was going to be in the Security room as an expert, but at the last minute, I learned that the C# room needed someone, and Michael and I stepped in to fill the gap. Most of the questions dealt with books and other resources to get past the basics of C#, and into the advanced particulars of .NET. Both Michael and I agreed that you must always make sure you understand the CLR first (yes, and IL) before venturing out, as it will make understanding the advanced topics that much easier. Unfortunately, as it was last minute, we didn't have anything prepared for C# 2.0 information, but we had internet access and pointed to some good resources (specs, blogs, etc.) to get up to speed on the areas we were not as familiar with that night.

All in all, it was a great couple of days for me to catch up with some folks and learn a few things as well.


I will be speaking at DevTeach this year in Montreal, Canada on June 18-22, 2005.

My topics (so far -- waiting on a couple of other proposals, but this may be enough) are focused on various SQL Server 2005 features:

SQL Server 2005 Managed Stored Procedures

SQL Server 2005 Security

SQL Server 2005 Service Broker

This should be a fun conference and one I am looking forward to attending and speaking at.

Last year, I answered some questions for a Microsoft Research project about running as non-administrator and the obstacles I have found in using various Windows applications. Susan Bradley is pointing to the final paper of this research project entitled "A Black-Box Tracing Technique to Identify Causes of Least-Privilege Incompatibilities". Skimming through, it looks to be an interesting read.

Bottom line is what Susan mentions as the goal of the document:

“Most Windows users run all the time with Administrator privileges, equivalent to root privileges on a UNIX system. The possession of Administrator privileges by every user significantly increases the vulnerability of Windows systems. For example, simply compromising a user network service, such as an instant messaging client, provides an attacker complete control of the system. We address this problem by making it easier to develop applications that do not require Administrator privileges, thereby decreasing the inconvenience of running without Administrator privileges. To this end, we present a novel tracing technique for identifying the reasons applications require Administrator privileges (which we refer to as least-privilege incompatibilities). Our evaluation on a number of real-world applications shows that our tracing technique significantly helps developers fix least-privilege incompatibilities and can also help system administrators mitigate the impact of least-privilege incompatibilities in the near term through local system policy changes.”

Anything that helps developers meet the goal of developing software with the Limited User in mind is a welcome addition!

Posted by RHurlbut

Check out Channel 9's interview of Suzanne Cook on the CLR Loader. Great interview!

Suzanne's blog was a big help to me when I was working through some production code and demos for my WinDev talk last year for understanding how assemblies are loaded and in what order and many other issues.

Posted by RHurlbut

As Julie Lerman mentions on her blog, I will be speaking at the Vermont .NET User Group on April 11. My topic will be Test Driven Development, Unit Testing, and NUnit with an emphasis on practical demos of each of these methodologies and tools. I will also show some examples of Team System's new unit testing tools. I was also thinking about showing some of my own work on security unit testing, stored procedure unit testing and transactional database testing.

This will be a fun trip to Vermont again (no cats please ;) ) and I am really looking forward to it!
