Stepping Up to the

By Peter Coffee  |  Posted 2002-03-25 Print this article Print

Plate"> Stepping Up to the Plate Coffee: I always watch the Symantec hoax virus site to take the temperature of how aware people are of what really is going on out there. Steve Trilling, do we have users who are more willing to be participants in making themselves secure, or do they still want to essentially be an audience for content and rely on the supply side to deal with the security issues?
Trilling: I certainly think that if there is any silver lining with all of the high-profile attacks, its that people are much, much more aware of the potential downside from these threats and much, much more willing to take appropriate steps to secure their own systems. This means corporate users as well as home users. You think of all of the information that organizations and home users used to store in filing cabinets, in drawers, in large warehouses that are now stored on hard drives, and I think that the general level of awareness in security has certainly increased.
   At the same time, there is a little question that the issue of securing the Internet or securing any organization is not just a technological one, but is a human one. As we saw, for example, with the Code Red threat this summer, everyone who appropriately patched their Web servers was not hit by Code Red and also did their part to help protect the rest of the Internet. In a perfect world, everyone would have patched their systems, and that threat would have never spread. So there is certainly a lot of human education and human effort that goes along with this, but theres no question in my mind that the level of consciousness across the consumer and corporate and government space is very much increased over where its been a year or two years ago.
Coffee: With the rollout of Windows XP, Microsoft has tried to make the notion of user involvement in maintaining system configuration less important than it used to be by initiating the idea of automatic updates. The system is always finding out what patches are available and installing them itself. How has the response to that been? Lipner: Its been very positive, and one of the things that were trying to do is just to get the word out that those features are built in and that its a key factor in making the Internet experience safer for consumers and businesses. I looked at the download numbers for one of the patches that we released late last year, and within a matter of three or four days we were up in the 5 million downloads range, thanks to the auto update and the Windows update technology. Coffee: Brian, I dont want to put you at a disadvantage, but today [Feb. 14] I believe there was an announcement that there was a vulnerability that had been discovered in the .Net Framework. I dont want to beat you up on that, because weve all just found out about it, but I wonder what your comment might be on the difficulty of persuading people that intrinsic security of the platform is higher than it used to be when the Framework is practically just out the door and were already starting to find issues with it. LaMacchia: I think youre referring to the [report] that came out from [Cigital Labs Chief Technology Officer] Gary McGraw on increased protection against stack overflows and buffer overruns that we added to the C++ compiler. Coffee: Yes, that was the vulnerability I had in mind. LaMacchia: Let me try and just spell this out, because its not a vulnerability. We added a compiler switch to the unmanaged C++ compiler that we shipped as part of Visual Studio. [We did this so] we can throw the switch at some additional checking as [a defense against] back-smashing techniques, which obviously are one of the common ways that people exploit buffer overruns that you put into your code.
   What Gary basically says is that this is a reasonable technique. Its been known out in the community and on certain other platforms folks have used before, but its not 100 percent guaranteed in that it makes it more difficult to exploit buffer overruns that you have in your code. It doesnt completely seal things off, and thats true.
   The point of this feature was to basically give developers a way to increase the defenses that they had against their own buffer overruns being exploited. Obviously, what we want people to do is not write buffer overruns in their code, and when you move into the management environment that you have on the .Net Framework, you dont have that problem at all, because we do type safety verification on everything that comes in. You cant actually overrun buffers because we do the memory management for you. So its not a vulnerability in the compiler, but it is a feature that provides some added defenses if youre not moving over into the new managed code phase. Lipner: As Brian said, this is not a .Net common language runtime issue thats been raised. Its rather a Visual C++ compiler issue—a different language, different technology. The second point is that there are as many ways of running a buffer overrun as there are of writing a program or building a touring machine, to be overly technical about it. What we do, for example, in the Windows division effort is use that compiler technology, and we use automated tools to scan it at basically the static source code to detect places where buffer overruns may be, and we train developers to not write buffer overruns. Among these three measures, we hope to get pretty good coverage on this issue, but one of the things we say is security is a journey, not a destination. At the end of the day, you dont get to perfection.

Peter Coffee is Director of Platform Research at, where he serves as a liaison with the developer community to define the opportunity and clarify developersÔÇÖ technical requirements on the companyÔÇÖs evolving Apex Platform. Peter previously spent 18 years with eWEEK (formerly PC Week), the national news magazine of enterprise technology practice, where he reviewed software development tools and methods and wrote regular columns on emerging technologies and professional community issues.Before he began writing full-time in 1989, Peter spent eleven years in technical and management positions at Exxon and The Aerospace Corporation, including management of the latter companyÔÇÖs first desktop computing planning team and applied research in applications of artificial intelligence techniques. He holds an engineering degree from MIT and an MBA from Pepperdine University, he has held teaching appointments in computer science, business analytics and information systems management at Pepperdine, UCLA, and Chapman College.

Submit a Comment

Loading Comments...
Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel