ShmooCon and Interview

2009-02-26T00:54:00Z

In early February, I gave a talk at ShmooCon.The content was the same as my talk at ACM Reflections, a student-run conference at the University of Illinois Champaign-Urbana. ShmooCon sells out anyway :) so I did not bother to blog about it.

While there, Chema (a Microsoft MVP, and another speaker at ShmooCon) asked me for a virtual interview, and it is now live on his blog.

Speaking at PDC

2008-10-22T20:31:00Z

Just a short note to let folks know that I will be at PDC next week, giving a talk on developing applications for standard user. Much of what I have to say will be familiar to fans of things like standard user and privilege levels. The new content this time is an architectural view of the right way and the wrong way for a software developer to use an elevated DCOM object to perform privileged operations. If you are going to be at PDC, please come to my talk, or feel free to just stop me if you see me around for a chat. I should be lurking around all of Tuesday and Wednesday, including the "Ask the experts" session.

Go Ahead, Make My Day

2008-09-03T09:16:00Z

This blog is about my security work at Microsoft, not my past work in Linux. However, in a recent blog “AppArmor is Dead”, Russ Coker basically called me out by citing both this blog and AppArmor in the same post, so I am going to briefly go off topic and talk about Linux.

Russ says that AppArmor is dead, because of the massive layoff from Novell of AppArmor workers in 2007, and SUSE’s recent decision to add SELinux as an option. He’s right that neither of these events is good for ApArmor, but I think he may be overstating things a little. AppArmor was added as the default security option in Ubuntu and Mandriva Linux, because of user demand for usable security.

In contrast, I suspect that SELinux was added to SUSE Linux because Novell would like to sell more SUSE into US Federal Government accounts, where some of them have mandated SELinux as a requirement. This is actually reasonable, since SELinux is designed for Federal security requirements, and it shows in the usability J

I am no longer involved in the AppArmor project, as I work for Microsoft now, and providing Windows with more usable security is where I put my creative energy. So maybe AppArmor is dying, maybe it isn’t. If AppArmor does die, then in some sense it just makes my job here of enhancing the Windows security value proposition vs. Linux that much easier.

So go ahead, make my day: ignore the popularity of AppArmor in the user community, keep blocking AppArmor from inclusion in Linus’ kernel. If all I have to do is make Windows security easier and more effective to deploy than SELinux, then my job is practically done for me J

UAC: Desert Topping, or Floor Wax?

2008-04-28T20:32:00Z

Is UAC a convenience feature, or a security feature? Dessert topping or floor wax? How about both!

Security can be a confusing black art, for both consumers and professionals alike. One reason is in the name of this blog, that insecurity results from imperfection, and we all know how difficult perfection is to achieve. Another reason is because reasoning about the consequences of insecurity involves a great deal of reasoning about the unknown: what can happen to you as a result of a vulnerability? Well, that depends on who knows about it, when they know about it, when they know about it with respect to when some other people know about it, and so forth. Yet another reason is because some security professionals (naming no names) find it to be in their interest to keep security a black art J I don’t hold with that: I am a cynic who, following the definition of Ambrose Bierce, prefers to see things as they are rather than as they ought be, and being an ill-mannered brute, I insist on calling a thing what it is, instead of what people wish it was.

Today’s entry will be about security values, which is to say what value can you really expect from a given technology, especially the access control technology I work on in Windows. Just to be clear, this blog is my opinion on what a technology is likely to do, and does not represent any kind of warranty by Microsoft.

To start, we need to define some terms:

Security is the preservation of the three properties of confidentiality, integrity, and availability.

Confidentiality means that your stuff is not disclosed unless you want it disclosed.

Integrity means that your stuff is not changed unless you want it changed.

Availability means that you, your users, customers, etc. can still use your stuff.

Security Feature: some kind of feature, widget, or thingie J that makes it somewhat more likely that your security, as defined above, will be preserved.

Security Boundary: this is a special term to Microsoft. It means that if someone discloses a way to violate a Microsoft-defined security boundary, that Microsoft will release a security patch as soon as possible, so that the method to violate the boundary no longer works against patched systems.

Clearly, all security boundaries are security features, but not all security features are security boundaries. For an absurd example, hosting your web site on port 43392 instead of port 80 might be a security feature, because many attackers will not look there for a web server, but it is definitely not a security boundary, because an attacker can easily discover your web server running on port 43392 by just looking for it, and Microsoft is not going to issue any kind of patch to address this “problem”.

Now let’s look at UAC (User Account Control) in this context, and see what security values it delivers. UNIX and Linux users have long known that you don’t read mail, surf the web, or IM as root (the UNIX equivalent of Administrator). You don’t do it because if there is a vulnerability in any of the software you are using to surf the Internet, then any malicious content you encounter could 0wn your entire machine. The most important security “feature” that Vista brought to Windows users was the basic proposition that, perhaps, your default user login should not be an Administrator. Running as a non-administrator provides a lot of security value, but how secure it is, and whether it is a security boundary is a complicated question, depending on what kind of account you are using. Pre-Vista, there were three kinds of accounts you would likely use:

The Administrator: if you logged in with a user name of ‘administrator’ and then entered a password, you are the administrator.

An Administrator: if you logged in with just your own name, your account likely was an administrator. This means you have your own identity, but you have (pretty much) all of the authority of the Administrator. The good part was that you could do anything; install software, administer the firewall, add users, etc. The bad news was that anyone who hacked your web browser, your mail client, etc. could “drive by” hack your machine and install malware, including fully powered rootkits. It also meant that whenever you installed a program, perhaps something as harmless-seeming as some additional emoticons for your chat client, that it might also install some very difficult to remove spyware, again possibly including a rootkit.

A Standard User: so called because it was supposed to be the “standard” way to use Windows. A standard user may not install software, manipulate the firewall, or do other things that would compromise the security of Windows.

Of course, you could run as a Standard User under Windows XP, but few people actually did. This is because it was inconvenient: if you wanted to install software or otherwise administer you machine, you had to log out, exiting all your applications and losing all your state, log back in as An Administrator, do your configuration work, log out again, and finally log back in as a Standard User to finally get back to what you were doing.

Vista sought to address this situation by introducing UAC (User Account Control) to give you control over which account you are using. Vista added a new kind of account:

Administrator running in Admin Approval Mode (AAM): this is kind of a hybrid between An Administrator and a Standard User. You get a split token, which means you have the credentials of both a Standard User and an Administrator, and the right one is applied depending on what is going on.

When people think of “UAC”, they often are only thinking of the UAC elevation prompt per se. When you try to do something that requires Administrator privileges while running in AAM, then Vista presents you with a UAC prompting window that tells you what is being attempted, and asks you whether you would like to proceed.

Vista also provides a UAC feature for Standard Users called the OTS (“Over The Shoulder”) elevation prompt. If you attempt something that requires Administrator privileges while running as a Standard User, then it presents you with a very similar elevation prompt, only this time it also asks for an Administrator’s password. “Over the shoulder” alludes to the idea that the Standard User does not have the Administrator password, and so you have to get your friend the Administrator to come enter it for you. However, in practice it may well be the case that the person using the Standard User account also has the Administrator password.

Finally, Vista provides a Silent Mode. Silent Mode is not quite the same as completely disabling UAC. Instead, what it does is automatically approve all of the UAC prompts that would have been presented to you. However, Silent Mode still leaves in place some security features that completely disabling UAC would have removed, such as IE protected mode.

It has been said that UAC’s features are convenience features rather than security features. What could that mean? Especially since UAC prompts can be quite annoying J

It is correct to say that UAC’s features are convenience features, in that it is much more convenient to respond to a UAC prompt than it is to have to switch to a separate desktop, log in as an administrator to do the administrative tasks, log out and then return to your standard user session. Whether one views a UAC prompt as a convenience or a nuisance depends on whether you compare it against running as a Standard User, or against running as a full Administrator: vs. running as Standard User UAC is a convenience feature that compromises security, but vs. running as an Administrator as was the default in XP UAC is a security enhancement.

But does that mean that UAC is not a security feature? No. UAC, in all of its forms, including Silent Mode, provides some obstacles to attacks, and so so it is always a security feature. UAC in operation does nothing other than to say “no” to some access requests, and so it cannot be anything but a security feature.

But how much of a security feature is it? Does UAC provide a security boundary? That depends on which kind of user you are using, and how you use it.

Standard User Without OTS: this is a security boundary. There should not be any way for a non-privileged process to elevate to a privileged process, and if someone finds one, then Microsoft should issue a patch. Caveat: this is excluding mis-configurations such as 3^rd party software running with privilege or weak security settings.

Standard User With OTS: this is questionable. There should not be any way to elevate, but in practice the OTS elevation presents potential area of attack. The attacker could inject malicious code into the user’s context, and it may trigger once the OTS elevation completes and the Administrator token is available.

Administrator in AAM: this is definitely not a security boundary. With the Administrator token available in the user’s space, it is too easy for malware to attack something in this very broad attack surface and gain elevation without the user’s approval. Microsoft could not patch this barrier without substantially breaking application compatibility.

Administrator in Silent Mode: Not even close to a security boundary. In silent mode, any malware in the user’s processes, such as an infection in the mail client, or in the web browser running at medium integrity, can ask for and get automatic elevation to Administrator.

Security is the business of saying “no” on occasion, and so it cannot help but compromise convenience. Thus there is a precisely inverse relationship between the security and the convenience offered by these 4 modes of operation in Vista. Users get to make the choice of which trade off they would like to make between security and convenience.

Intelligent security design is intuiting what users really need to do, and adapting the system so that it always says “no” to malicious acts, but also says “no” as little as possible, because it knows what the user is going to need to do. Vista/UAC says “no” far too often precisely because the idea of running lots of software without Administrator privileges is new to the Windows community, and so a lot of applications are using excessive privilege that they don’t need. We’re making a concerted effort to reduce the number of unnecessary UAC prompts in the future by improving the middleware and applications software to avoid performing privileged operations as much as possible. Making it possible for everyone to run as Standard User is the real long term security value.

Security Is Simple: Only Use Perfect Software

ShmooCon and Interview

Speaking at PDC

Go Ahead, Make My Day

UAC: Desert Topping, or Floor Wax?