<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://blogs.msdn.com/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Security Is Simple: Only Use Perfect Software - All Comments</title><link>http://blogs.msdn.com/b/crispincowan/</link><description /><dc:language>en-US</dc:language><generator>Telligent Evolution Platform Developer Build (Build: 5.6.50428.7875)</generator><item><title>re: ShmooCon and Interview</title><link>http://blogs.msdn.com/b/crispincowan/archive/2009/02/25/shmoocon-and-interview.aspx#10241185</link><pubDate>Thu, 24 Nov 2011 05:44:05 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:10241185</guid><dc:creator>mlm software noida</dc:creator><description>&lt;p&gt;Thank you &lt;/p&gt;
&lt;p&gt;The given information in blog is very useful....&lt;/p&gt;
&lt;p&gt;&amp;lt;a herf=&amp;quot;www.ariestechsoft.net&amp;quot;&amp;gt;mlm software noida&amp;lt;/a&amp;gt;&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#10039367</link><pubDate>Sat, 17 Jul 2010 00:44:48 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:10039367</guid><dc:creator>Alex Lunix</dc:creator><description>&lt;p&gt;Definitely floor wax, takes forever to use, and never works how you want it to.&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#8998549</link><pubDate>Mon, 13 Oct 2008 23:25:10 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8998549</guid><dc:creator>Alun Jones</dc:creator><description>&lt;p&gt;Describing Vista's UAC as a &amp;quot;convenience feature&amp;quot; underlies why it's loved by some, reviled by others.&lt;/p&gt;
&lt;p&gt;If your aim is to run as a restricted user as much as possible, and switch into administration mode only when you have to do an admin task, after which you remain restricted, then UAC is a convenience. It allows you to quickly switch from restricted to admin and back, far quicker and easier than a &amp;quot;Switch User&amp;quot; or logout/logon sequence that is your alternative.&lt;/p&gt;
&lt;p&gt;If your aim is to do administrative tasks along with other uses of your computer, UAC is an inconvenience.&lt;/p&gt;
&lt;p&gt;If all your software insists that you be an admin in order to run it, UAC is an inconvenience.&lt;/p&gt;
&lt;p&gt;Quite frankly, we should have been at a point a decade ago such that most users never/rarely have to be admin - games should not require you be an admin; office productivity tools shouldn't require it; it's embarrassing to me as a software developer to see that there are many popular programs out there that assume that we're still living in a Windows 98 world, where all users are the same user, and that user is an administrator.&lt;/p&gt;
</description></item><item><title>re: Go Ahead, Make My Day</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/09/02/go-ahead-make-my-day.aspx#8921952</link><pubDate>Wed, 03 Sep 2008 16:37:24 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8921952</guid><dc:creator>djcapelis</dc:creator><description>&lt;p&gt;I have a feeling the bar won't remain at SELinux's level for very long. &amp;nbsp;Usability and security are finally starting to sit down and have a chat.&lt;/p&gt;
&lt;p&gt;As for your job being practically done for you. &amp;nbsp;Never fear about that! &amp;nbsp;I'm sure you'll manage to figure out some sort of new system to work on. :)&lt;/p&gt;
&lt;p&gt;Just let me know if you ever venture into the weird weird world of trusted computing. &amp;nbsp;There's good security features there, they're just hidden behind all the things that have nothing to do with good security and a few things that have to do with the opposite. :-\&lt;/p&gt;
&lt;p&gt;~D.J.&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#8883097</link><pubDate>Thu, 21 Aug 2008 05:21:52 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8883097</guid><dc:creator>VistaLover</dc:creator><description>&lt;p&gt;Alias33, why don't you read the whole article before jumping into kneejerk-attack-MS mode...&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#8871399</link><pubDate>Sat, 16 Aug 2008 09:24:57 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8871399</guid><dc:creator>alias33</dc:creator><description>&lt;p&gt;Did I just read UAC being referred to as a convenience feature?! You've used Vista for longer than 10 minutes at a time, right?&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#8464405</link><pubDate>Wed, 07 May 2008 03:56:47 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8464405</guid><dc:creator>crispincowan</dc:creator><description>&lt;p&gt;So your concern is about the attack surface security of the RPC protocol to trusted services. Let's consider the XP alternative: your trusted service was displaying an icon in the tray. This icon shares the desktop with the user, which means that any user process can send messages to your privileged service. This is what makes the attack surface for a privileged service with a desktop display icon rather large, and why Vista is an improvement.&lt;/p&gt;
&lt;p&gt;Note that if you want user interaction with a privileged service, then you inevitably are going to have *some* attack surface. The fussing is over what that surface looks like, and how to minimize and harden it.&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#8447461</link><pubDate>Thu, 01 May 2008 22:26:25 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8447461</guid><dc:creator>Nick42</dc:creator><description>&lt;p&gt;A specific example, to show what I mean.&lt;/p&gt;
&lt;p&gt;Say you have a simple app that does some admin task (eg: periodic virus scan). You have implemented it as a service, and expose a tray icon to allow the active user to pause the scan for some period of time. You have installed the service running as LocalSystem, with Interact with Desktop. Your TCB surface, in this case, is the Windows messages sent to your tray icon (assuming the user is not already in the TCB).&lt;/p&gt;
&lt;p&gt;In Vista, this needs to be changed. I need to have a user-mode app to interact with the Shell, and my TCB service. The TCB service needs a custom RPC which is not allowed to be Windows messages, or any other easily understood and well-tested RPC; I must make my own, using something like sockets, named pipes, shared memory, or the RPC support. Moreover, this RPC may be exposed to all users, not just the desktop user, and may be remotable if I'm not careful. There may also be timing issues, or other things I have not considered.&lt;/p&gt;
&lt;p&gt;Yes, my concern is primarily with the RPC protocols. It always seemed silly to me for MS to go through all the work reducing the RPC surface on built-in services, and then force ISV's to expand it with custom RPC's. Hope that helps clarify what I meant.&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#8447418</link><pubDate>Thu, 01 May 2008 21:53:08 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8447418</guid><dc:creator>crispincowan</dc:creator><description>&lt;p&gt;Nick; setting aside interpreting whatever the authors of i-Reboot meant, I'm not sure I understand your point.&lt;/p&gt;
&lt;p&gt;Any ISV that needs to deploy privileged software necessarily expands the TCB to include their privileged software. This is always the case, on Windows, Mac OSX, Linux, etc.: software that has administrative privilege must be considered part of the TCB. So we are not getting out of ISVs expanding the TCB.&lt;/p&gt;
&lt;p&gt;Perhaps your issue is with respect to the RPC protocols used to communicate with Administrator services in Windows? What is the issue here?&lt;/p&gt;
&lt;p&gt;With respect to the TCB attack surface exposed to users: it is true that AAM on Vista offers a larger attack surface than Standard User on XP. However, (I suspect) that the attack surface for a true Standard User in Vista is considerably smaller than for a Standard User in XP, just because a lot of attack surface analysis was done in Vista to minimize this.&lt;/p&gt;
&lt;p&gt;It is true that installing 3rd party trusted software in Vista does expand the TCB attack surface by providing exposed Administrator services, but I don't see this as a degradation vs. XP. For XP to do precisely the same thing, they would have to also install an Administrator Service. More likely, XP code would just assume that you are running the desktop application as Administrator and not do any privilege separation at all.&lt;/p&gt;
&lt;p&gt;Sorry if I've missed your point.&lt;/p&gt;
</description></item><item><title>re: UAC: Desert Topping, or Floor Wax?</title><link>http://blogs.msdn.com/b/crispincowan/archive/2008/04/28/uac-desert-topping-or-floor-wax.aspx#8447412</link><pubDate>Thu, 01 May 2008 21:45:54 GMT</pubDate><guid isPermaLink="false">91d46819-8472-40ad-a661-2c78acb4018c:8447412</guid><dc:creator>crispincowan</dc:creator><description>&lt;p&gt;Morten; yes you could use TPM, and a whole chain of software up through the stack to the graphics card and the mouse, to prove that a user really did click &amp;quot;that&amp;quot;. The problem then becomes &amp;quot;what did you mean by 'that'?&amp;quot;&lt;/p&gt;
&lt;p&gt;Fundamentally, everything you do on your computer is a consequence of some kind of user action, which causes a chain of software events to occur. It really is a very long chain of events; the only thing you directly cause to happen by clicking the mouse button is a circuit closes, some sensors go off, and an interrupt is raised to the CPU. Then some interrupt handling software goes off, queues an event that a mouse has been clicked, that goes into the .... you get the idea.&lt;/p&gt;
&lt;p&gt;My point being, even with a very direct click of a mouse on an install button, your &amp;quot;action&amp;quot; is quite indirect. In the case of malware, the path is only slightly more indirect. In fact, it may not be any more indirect than an actual deliberate user action, it is just unexpected.&lt;/p&gt;
&lt;p&gt;While it is theoretically possible to crypto sign the entire chain of software from the TPM through the boot device, the mouse, the window system, the graphics card, everything between your finger and the silicon, the management of maintaining certificates for all of that is awful, and I'm not convinced that when you are done, it really means what you want it to mean.&lt;/p&gt;
&lt;p&gt;Instead, what UAC does is pop the secure desktop (that grey-out look) which shuts out all other software, and asks you if you really meant to do this action that requires privilege. I really don't think there is any other way to do it.&lt;/p&gt;
&lt;p&gt;What we can improve on is to do it a lot less often. We do that by cleverly adapting to what users really do, automating some privileged stuff by putting more software inside the TCB, and changing other software so that it no longer has to trust the TCB.&lt;/p&gt;
&lt;p&gt;Meanwhile, if you really don't want to see the prompts, and you don't mind the implicit compromise in security, go ahead and use Administrator in Silent Mode.&lt;/p&gt;
</description></item></channel></rss>