Entries tagged as ‘microsoft’
I had the opportunity to attend a talk by Mark Russinovich, of Sysinternals fame, during last week’s Trustworthy Computing Conference. The topic of the talk was security boundaries in Windows, and more specifically, what is not a security boundary. The talk was very interesting, and I don’t want to reveal too much here, but there was one part of it that stuck with me and has been bothering me for a little while now.

One of the technologies he addressed was Patchguard, or Kernel Patch Protection, which was introduced in 64-bit Vista and Server 2008. Patchguard is intended to keep programs from patching, hooking, or otherwise tampering with the internals of the NT kernel. It does this by periodically taking a checksum of some important structures in the kernel (SSDT, interrupt table, HAL tables, etc.) and comparing the current value with the previous one. Any discrepancy indicates that the kernel has been subverted, and if it notices a change to these structures it raises a fatal error that brings the system down with a blue screen.

Sounds good, right? Sounds like a great new security feature, no more rootkits! Well, not really. The truth is, KPP does nothing to stop malicious code, and in fact is pretty useless at doing so. Mark revealed in his talk that this was never the intention of KPP; rather, it was conceived as a way to force legitimate developers to stop using these techniques in their own programs. See, most anti-virus and security products use some level of system hooking in order to get a good view of activity. In fact, one of Mark’s very own tools, RegMon, hooks the SSDT to watch registry activity. He even wrote a publication about the technique! The problem with kernel hooking is that it is entirely unsupported and significantly reduces stability.
So here’s what I don’t understand. Microsoft has recognized that system hooking leads to instability. They’ve decided that programmers aren’t good enough to extend a kernel function safely without throwing a blue screen exception, so now they’re not going to allow us to hook certain system structures (pfft, allow is a funny thought). But, instead of actually fixing the gaping holes in their system, they’re going to simply watch for system hooking, and then guarantee that the system will crash, by causing the crash. Oh yeah, and they are going to blame it on the developer. It’s like a car company deciding that talking on your cell phone while driving is dangerous, so they’re going to create a system that detects if you’re on the phone and then drives the car off the road for you. That will show you!
I just don’t understand this anti-feature. There are plenty of legitimate reasons to hook these system functions, and it can be done safely. I know it can because Mark has done it, and I’ve done it. If you don’t want developers to subvert the kernel, then provide a complete API that we can use to extend and monitor the system, and fix the problems with your system that allow someone to take write-protected virtual memory, map it to physical memory, strip all the restrictions off of it, and send it back patched. Don’t just come up behind perfectly valid code, throw an exception and blame it on us.
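To make the mechanism concrete, here is an added, user-mode simulation of the detect-and-crash model described above; it is illustration code written for this post, not Microsoft's KPP and not anything from the talk. The two dictionaries stand in for kernel dispatch tables (the real SSDT and HAL tables are constructed tables of pointers, not Python dicts), the "hook" is the kind of logging wrapper a tool like RegMon installs, and the monitor re-checks the tables only when asked, which is the same detect-after-the-fact behaviour the post complains about: the hook runs freely until the next check, and then the check fails hard instead of blocking the change.

```python
"""Simulation of a PatchGuard-style integrity monitor (added illustration,
not Microsoft's code). Dispatch tables stand in for kernel structures such
as the SSDT; the monitor hashes them at set-up and re-checks them later."""
import hashlib


# Constructed stand-ins for kernel handlers (names only resemble NT's).
def nt_create_file(path):
    return f"opened {path}"


def nt_set_value_key(key, value):
    return f"set {key}={value}"


def hal_timer_tick():
    return "tick"


# Constructed "kernel tables": name -> handler, one dict per watched table.
KERNEL_TABLES = {
    "ssdt": {"NtCreateFile": nt_create_file, "NtSetValueKey": nt_set_value_key},
    "hal": {"TimerTick": hal_timer_tick},
}


def table_digest(table):
    """Hash every entry name plus the bytecode of the handler it points to,
    in a fixed order, as a stand-in for checksumming the table's memory."""
    digest = hashlib.sha256()
    for name in sorted(table):
        digest.update(name.encode())
        digest.update(table[name].__code__.co_code)
    return digest.hexdigest()


class IntegrityViolation(Exception):
    """Analogue of the bug check KPP raises when a baseline no longer matches."""


class PatchMonitor:
    def __init__(self, tables):
        self.tables = tables
        # Baseline taken once, at "boot"; nothing prevents later writes.
        self.baseline = {name: table_digest(t) for name, t in tables.items()}

    def changed_tables(self):
        """Names of tables whose current digest differs from the baseline."""
        return [n for n, t in self.tables.items()
                if table_digest(t) != self.baseline[n]]

    def check(self):
        """Periodic check: crash (raise) if anything changed, else do nothing."""
        changed = self.changed_tables()
        if changed:
            raise IntegrityViolation("bugcheck: tampered tables: " + ", ".join(changed))


def install_logging_hook(table, entry, log):
    """A monitoring hook of the kind RegMon installed: wrap an entry so every
    call is recorded, then forward to the original handler."""
    original = table[entry]

    def hooked(*args):
        log.append((entry, args))
        return original(*args)

    table[entry] = hooked
    return original


def demo():
    # Fresh copies so the demo is repeatable and never mutates the globals.
    tables = {name: dict(t) for name, t in KERNEL_TABLES.items()}
    monitor = PatchMonitor(tables)
    clean = monitor.changed_tables()          # expected: [] right after baseline

    log = []
    install_logging_hook(tables["ssdt"], "NtSetValueKey", log)
    # Between checks the hook runs unhindered: this is detection, not prevention.
    tables["ssdt"]["NtSetValueKey"]("HKLM\\Software\\Example", "value")

    changed = monitor.changed_tables()        # expected: ["ssdt"]; "hal" untouched
    try:
        monitor.check()
        crashed = False
    except IntegrityViolation:
        crashed = True
    return {"clean_before": clean, "calls_seen": len(log),
            "changed": changed, "crashed": crashed}


if __name__ == "__main__":
    print(demo())
```

Run it and the result shows the whole story in one dict: the table was clean at baseline, the hook intercepted a call before anyone noticed, and the next check "blue-screened" rather than undoing or refusing the change. The digest covers handler bytecode rather than identity, so swapping in a wrapper with the same name is still caught, which is the closest user-mode analogue to checksumming table memory.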
Categories: Security · Vista · microsoft · programming
Tagged: Kernel, microsoft, patchgaurd, programming, Security, Vista, Windows
I blogged about Live Writer back when I started this site and I’ve been using it the whole time. It has treated me well and I think it’s one of the most useful programs from the Live suite. Well, they’ve just released a new version as a Community Technical Preview (CTP), which is like an alpha version – relatively stable, yet not feature complete. There are some new features that they want feedback on so give it a try if you’re feeling adventurous. You can read about it here. One feature I’m enjoying is the real-time word count, since I’ve noticed my posts are getting kind of long and I think everyone is bored. I’ll try to keep them short!
Windows Live Writer Technical Preview
Categories: General · microsoft
Tagged: blogging, General, live writer, microsoft
I love being right. Remember the Safari carpet bomb I posted about back in April? Remember how Apple said it wasn’t a “security concern” and I scolded them for it? Well, now it’s gotten interesting. Apparently there is a known flaw in Internet Explorer that allows a website to execute any program on the user’s desktop without their consent. Normally, this flaw isn’t as much of a concern because all new executables downloaded (by anything but Safari) get marked with an alternate data stream tag that indicates that the file is from the Internet Zone. Any time an application with this tag is opened, the user is prompted and the action must be explicitly allowed. Now, when we include Safari’s carpet bombing technique, which downloads an exe without notification or ADS marking, this IE flaw becomes a critical security concern. This is a great example of what is called a blended threat: two seemingly innocuous bugs combine to create a gaping security hole. The IE team was not concerned with their bug because there was no way to get an unmarked exe onto the desktop without the user knowing, and the Safari team wasn’t concerned with theirs because you couldn’t execute the exes that it downloaded automatically.
So yeah, here’s the MS Security Advisory.
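The ADS tag the post relies on is the Zone.Identifier stream, a small INI-style text (`[ZoneTransfer]` section, `ZoneId` key, 3 meaning the Internet zone) that Windows attaches to downloaded files on NTFS. The script below is an added example written for this post, not Microsoft's or Apple's code: it parses that stream, decides whether Windows would prompt before running the file, and audits a folder for executables that carry no mark at all, which is exactly the condition the blended threat above needs. The prompt rule (zones 3 and 4 prompt, lower zones do not) and the executable extensions are assumptions stated in the code; the sample stream contents are constructed, not captured from a real machine.

```python
"""Inspect the Zone.Identifier alternate data stream (the "mark of the web")
on downloaded files. Added illustration for this post, not vendor code."""
import configparser
import os

# URL security zone ids as they appear in the stream's ZoneId key.
ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "Trusted",
              3: "Internet", 4: "Restricted"}
# Assumption: these extensions are what the audit treats as executables.
EXECUTABLE_EXTS = (".exe", ".msi", ".scr", ".bat", ".cmd")


def parse_zone_identifier(text):
    """Return the integer ZoneId from stream text, or None if the stream is
    malformed (no [ZoneTransfer] section, missing or non-numeric ZoneId)."""
    parser = configparser.ConfigParser(interpolation=None)
    try:
        parser.read_string(text)
        return parser.getint("ZoneTransfer", "ZoneId")
    except (configparser.Error, ValueError):
        return None


def read_zone_identifier(path):
    """On NTFS the stream is opened as '<path>:Zone.Identifier'. Returns the
    text, or None when there is no stream (or the filesystem has no ADS)."""
    try:
        with open(f"{path}:Zone.Identifier", encoding="utf-8", errors="replace") as stream:
            return stream.read()
    except OSError:
        return None


def classify(filename, zone_text):
    """Return (verdict, zone_name) for one file.
    'prompt'    - tagged Internet/Restricted, Windows asks before running
    'no_prompt' - tagged with a lower zone, runs without the prompt
    'unmarked'  - executable with no usable tag: the case the post describes
    'ignore'    - not an executable by extension"""
    if not filename.lower().endswith(EXECUTABLE_EXTS):
        return ("ignore", None)
    zone = parse_zone_identifier(zone_text) if zone_text is not None else None
    if zone is None:
        return ("unmarked", None)
    name = ZONE_NAMES.get(zone, f"Unknown({zone})")
    # Assumption: the attachment prompt fires for Internet (3) and Restricted (4).
    return ("prompt" if zone >= 3 else "no_prompt", name)


def audit_directory(directory):
    """Classify every file in a folder (e.g. the Desktop) by its real stream."""
    findings = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            findings[name] = classify(name, read_zone_identifier(path))
    return findings


# Constructed sample stream contents, keyed by a made-up file name.
SAMPLES = {
    "installer.exe": "[ZoneTransfer]\r\nZoneId=3\r\n",   # normal browser download
    "dropped.exe": None,                                  # no stream at all
    "notes.txt": None,                                    # not executable
    "corp_tool.exe": "[ZoneTransfer]\r\nZoneId=1\r\n",   # intranet download
    "odd.exe": "ZoneId=3",                                # malformed: no section
}


def demo():
    """Classify the constructed samples without touching the filesystem."""
    return {name: classify(name, text) for name, text in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:15} {verdict}")
```

`audit_directory` only finds real streams on an NTFS volume under Windows; anywhere else every executable reports as `unmarked`, which is the same thing you would see for a file written by a client that skips the tag. Treating a malformed stream as unmarked is deliberate for an audit: a tag the system cannot read gives no protection, so it should be surfaced rather than trusted.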
Categories: Apple · Security · microsoft
Tagged: ie, microsoft, safari, Security
Microsoft has a series of lectures on campus called The Breakfast Series where guest speakers will give a presentation about current products, technologies, or anything really relevant to the company. This week’s was about Live Mesh and I thought it was a really interesting product, so I wanted to share it with you all.
As everyone should have noticed by now, computing is moving away from a desktop-centric model to a cloud (Internet) based system. Microsoft has been trying for the last few years to figure out exactly how they plan to adapt their products to incorporate more web-based services. They have numerous ventures into this arena, but nothing complete and cohesive. Live Mesh really seems like it is their final solution.
Basically, the idea with Mesh is to have a central system for synchronizing programs, data, and settings across multiple machines, devices, and web storage. Sure, products like this have been done before. In fact, I can think of two separate tools for this already made by Microsoft. What separates Mesh from the other tools is its broad scope and extensibility. Mesh isn’t designed to simply be an application that syncs files; it is supposed to be a platform that provides syncing as a simple service for applications to build on.
By the time this reaches beta testing it will run on many different devices. XP, Vista, OSX, WinMobile, and some WAP-enabled devices should all have a version of the client. The demo shown during the presentation showed a person taking a picture with their smart phone, and it was immediately delivered to the home PC, as well as to the laptop of someone who was traveling. I thought it was kind of neat.
Like I said earlier, the real purpose of Mesh isn’t simply to share files, but rather to expose data syncing and cloud functionality to applications. There will be an API for developers to use to allow their programs to sync whatever they want, however they want, to the Mesh system. From what was demoed, the API looked very simple and straightforward. I believe they had a plug-in for Firefox that would add FF bookmarks to the Mesh. This sort of system seems like a good solution because it allows the application developer to add cloud-based data portability without dealing with the complicated nature of it. It will be interesting to see how this system is accepted by the community and how many applications will take advantage of it. I also wonder how it will be used inside of Microsoft. I would like to see something like Outlook syncing the contents of your inbox into this, or maybe the Common Feed List keeping a globally synced feed list.
Currently, Mesh is dogfooding inside MS and there is a CTP that you can register for. It took about a week for me to get accepted into the CTP. There should be a public beta coming in the next couple of months, so keep an eye out for it; it’s going to be pretty cool.
Categories: microsoft
Tagged: mesh, microsoft
It looks like ISO has accepted Microsoft’s open file format Office Open XML, which is set to become standard number DIS 29500. The discussion on both sides of the issue has been heated for a couple of years now, with major companies like IBM and Sun opposing the standard and backing OpenOffice’s ODF, and Microsoft, of course, supporting its own format. I’ve pretty much stayed out of the issue since I don’t pretend to know very much about either format. All I can say about this is that it is pretty big industry news. This sets the table for improved interoperability between office products. Wikipedia has a long list of applications that support OOXML documents in one way or another. The length of the list is remarkable, considering the format has been available for such a short amount of time. Gone are the days of reverse engineering an opaque binary file; now we just have to read through a 6,045 page specification document…
ISO adopts OOXML format as international standard [Washington Post]
Categories: microsoft
Tagged: document, iso, microsoft, office, standard
Microsoft released Service Pack 1 for Vista on Monday so I thought I’d give it a spin. It will be rolled out through Windows Update over the course of the next month. If you are impatient, you can download the pack directly from their website (32-bit / 64-bit). There are a number of drivers that are incompatible with SP1, so Windows Update will wait until those incompatibilities are resolved before showing you the update. If you choose to install it yourself, be sure to read up on the current issues before you do it. There is also a short list of incompatible programs to be wary of.
The most notable changes seem to be better and faster file copying, DirectX 10.1, exFAT support for large Flash drives, fewer UAC prompts, and a host of security improvements. There are literally hundreds of changes added to Vista in SP1 so grab the Notable Changes white paper and give it a read.
My update went smoothly. It took about an hour, maybe 45 minutes, and rebooted a couple of times. I grabbed the stand-alone installer from the Microsoft website because WU hadn’t offered it up to me yet and I’m terribly impatient. I don’t recommend doing that though, unless you are fully prepared for potential problems. I’ve read about a few horror stories online already, but I’m not sure how much merit they have. For what it’s worth, it’s been smooth sailing over here and I’m enjoying a slightly more responsive Vista.
Categories: Vista
Tagged: microsoft, sp1, update, Vista
January 17, 2008 · 1 Comment
Microsoft has made the source code for the .Net framework available. It has been released under a read-only license which has an interesting clarification: “the license does not apply to users developing software for a non-Windows platform that has “the same or substantially the same features or functionality” as the .NET Framework.” Does that mean that the Mono team can look at the source code and not be bound by the read-only clause, or that they can’t look at the source at all? I’ll have to read the license and find out.
There are detailed directions on how to get source code debugging set up in Visual Studio 2008 posted here [blogs.msdn]:
.NET Framework Library Source Code now available – ScottGu’s Blog [Announcement]
Categories: .net · programming
Tagged: .net, microsoft, mono, open source, Windows