Windows 64 bit OS security question--speculation.

[ZapZilla]

Lots of talk about whether a Desktop 64-bit OS is needed or not due to application availability, register addition, and whatnot, yet what about Win-64 and security?

Will Win-64 be inherently better, worse, or the same, security wise than Win-32?

I mean if 32-bit stuff has lots of security problems, then won?t Win-64 and 64-bit apps offer a larger ?bitscape? to plunder, resulting in even more horrendous security nightmares?

Is Win-64 being written new or is it just an extension of existing Win-32 code, thus inheriting its horrible buffer control and other security issues?

How much of the buffer overflow problem is due to the OS's buffer handling vs. due to a particular application's?

Will a 32-bit app running in a 64-bit OS have its same security attributes as on a 32-bit OS ? in other words, will a 64-bit OS be neutral to, squelch, or enhance 32-bit app buffer overflow problems?

Will Win-64 apps be written with better security than Win-32 apps?

Security issues for Win-64 will be important factors for migrating from Win-32, so what?s known?

 

[Idontcare]

Originally posted by: ZapZilla
Lots of talk about whether a Desktop 64-bit OS is needed or not due to application availability, register addition, and whatnot, yet what about Win-64 and security?

Will Win-64 be inherently better, worse, or the same, security wise than Win-32?

I mean if 32-bit stuff has lots of security problems, then won?t Win-64 and 64-bit apps offer a larger ?bitscape? to plunder, resulting in even more horrendous security nightmares?

Is Win-64 being written new or is it just an extension of existing Win-32 code, thus inheriting its horrible buffer control and other security issues?

How much of the buffer overflow problem is due to the OS's buffer handling vs. due to a particular application's?

Will a 32-bit app running in a 64-bit OS have its same security attributes as on a 32-bit OS ? in other words, will a 64-bit OS be neutral to, squelch, or enhance 32-bit app buffer overflow problems?

Will Win-64 apps be written with better security than Win-32 apps?

Security issues for Win-64 will be important factors for migrating from Win-32, so what?s known?

One thing's for sure, if it could be true then it would be good news for Norton Antivirus et. al.

 

[zephyrprime]

I've never read anything other than that win 64 will just be a port of win 32. No new features. So security should be the same.

 

[ZapZilla]

zephyrprime:

I don't know much about what "just a port of win 32" involves, but would implements proper buffer controls even be considered a feature, much less touted as one, by MicroSoft?

 

[kylef]

Converting from Win32 to Win64 should practically introduce NO new security problems because traditional security vectors, such as buffer overflows, happen as a result of improper C/C++ coding practices. When porting to Win64, the same code just gets recompiled to produce 64-bit code, so 64-bit Windows should have the same level of security as its 32-bit counterpart.

However, in theory, the act of porting to Win64 requires subtle code changes that could trigger new bugs that are exploitable, especially dreaded "off-by-one" errors. Say, for instance, an application needs to pass a data structure that contains pointers (which are 32-bits in Win32, 64-bits in Win64). If the "size" of this data structure is assumed to be constant across both Win32 and Win64 builds, this transfer will result in an error because the Win64 data structure actually takes up more room than its Win32 equivalent.

 

[sandorski]

I do believe "Windows" is a Microsoft Registered Trademark, need I say more? 😉

 

[CQuinn]

Lots of talk about whether a Desktop 64-bit OS is needed or not due to application availability, register addition, and whatnot, yet what about Win-64 and security?

Good question, but I think the wrong approach. You should not look at it as Win-64 vs. WIn-32 because
(for the most part) the bit-level has nothing to do with the Security of the OS. Keep in mind that the
64-bit version of Windows being made for the AMD64 CPUs is based (I'm sure) on the Windows 2003
codebase and the enhancements and patches already applied (or being applied) to Windows XP.
So many of the security issues that seem to pop up now will already have been taken care of.

Will Win-64 be inherently better, worse, or the same, security wise than Win-32?

None of the above (but technically better). What will make Windows XP/2003 for 64-bit better will
be the efforts MS is already making to patch existing flaws in the OS, and their new Security-oriented
design approach, which is meant to reduce/eliminate security holes in the future. Having 64-bit
registers won't make a difference in that regard; what will is integrating all the improvements they've
been able to make in the meantime.

I mean if 32-bit stuff has lots of security problems, then won?t Win-64 and 64-bit apps offer a larger ?bitscape? to plunder, resulting in even more horrendous security nightmares?

No. Because "32-bit stuff" has no more security problems than 8-bit, 16-bit, 64-bit, or 128-bit stuff.
The problem is not at the bit level. It is in how the code (variables, buffers and pointers) were
designed in the first place. If they were designed without proper boundaries checks, or garbage
collection routines, then the same security issues would arise regarless of OS (and even Linux has
been subject to this problem).

Having a larger "bitscape" would actually make it harder to plunder, because a hacker would have to
spend a lot more time (days in some instances) trying to exploit a larger variable, whereas the OS
is/has been redisigned to recognize such attempts and either delete them or ignore them.

Is Win-64 being written new or is it just an extension of existing Win-32 code, thus inheriting its horrible buffer control and other security issues?

Neither (see above).

1st, it makes no sense to reinvent the wheel. Windows XP/2003 are make up of millions of lines of
code, most of which does not have security issues. It would literally take decades to rewrite the
whole OS from scratch, and would be completely unnecessary. That is what code review is
for... When you have an outside agency (or a different design team) look over the code that is already
written to identify flaws or security holes, have them try to think up ways and suggestions of how the
existing code could be improved (without breaking everything else that depends on it), or you hire
a bunch of hackers to try and break into the code you've already written, to make sure that common
exploits like buffer overrun errors cannot give an outside user command access to the machine.

Some parts of the OS will be re-written, but mostly with the idea of improving on the algorithm that
was used before. Not so much to try and do it in a different way - unless that different way takes
advantage of new features in the hardware that were not available before.

These are all things that MS claims to be doing to improve their code base.

How much of the buffer overflow problem is due to the OS's buffer handling vs. due to a particular application's?

Both. The problem with buffer overflow is not that it exists (there are a lot of places where buffer overflows can happen); its that some of the buffer overflows fail in such a way that allows a cracker to pass commands
on to the root level of the OS to be executed. Most often that happens as an exploit to an OS level
service like IIS or SQL Server, or in the browser. But the problem is that is that, instead of having the
command fail and be discarded, it is passed on to the OS; and the OS executes it because it "trusts"
the program that passed it the command in the first place.

Will a 32-bit app running in a 64-bit OS have its same security attributes as on a 32-bit OS ? in other words, will a 64-bit OS be neutral to, squelch, or enhance 32-bit app buffer overflow problems?

See above. If the 64-bit OS was just a port of the original release of XP, then it would be neutral
to expoits on 32-bit apps. But we are assuming that Windows XP/2003 for AMD64 (and Itanium 2)
will have all the patches and fixes already applied from the start.

Will Win-64 apps be written with better security than Win-32 apps?

Yes and No. It will be up to the individual developers to improve on the security in thier designs when
writing/re-writing programs for 64-bit; so 64-bit will not be inherently any more secure that 32-bit.
But... There is a lot more emphasis on "secure by design" at MS these days, and their tools should
also reflect that attitude. So, going forward, it will be easier for developers to think about security
in their programs because the tools and platform will encourage it.

Security issues for Win-64 will be important factors for migrating from Win-32, so what?s known?

What is known (or what can be implied).

1. Microsoft is a lot more serious about security than they used to be.

This I can confirm from having seen talks given by actual MS program managers, by observations
made at the launch of Windows 2003 / Visual Studio.NET, and by seeing more effort being put into
providing patches for the OS and applications before exploits become widespread.

2. Going to 64-bit give MS a better postion to compete in the Enterprise Server market.

Issues about security and stability of the OS platform are even more important in that market segment
than on the desktop; and it would become a major selling point for Microsoft to be able to say (and prove)
that they are as secure to deploy in that market as their competition.

3. Going to 64-bit allows MS to leave a lot of baggage behind.

Along with the opportunity to provide newer/cleaner code, the move to the new 64-bit platforms
along allows MS to drop support for legacy hardware that will not be included in new systems. That
can allow them to tighten up on driver development and support, which is another area that
is infamous for causing stability problems for the OS.



... Just my opinion.

 

[sciencewhiz]

Just 64 bit vs 32 bit doesn't make a difference in security. However, when they recompile, they will find code that doesn't work (mostly because that code assumes a pointer is 32 bits). The same type of programmers that assume a pointer is 32 bits often mismanage buffers that lead to security holes (generalization). I would assume that MS would fix some of those problems in the move (and hopefully fix them in win 32 also). However, that only fixes bugs in implementation, it doesn't help thier design holes.

 

[Alex]

as far as i know longhorn has been coded from scratch but i could be wrong

 

[zephyrprime]

When porting to Win64, the same code just gets recompiled to produce 64-bit code

There's a little more to it than that. The virtual memory stuff has to be changed bigtime to accomodate 64bits. And the kernel would need to be changed to accomodate the new 64bit operating mode. And there are the pointer problems as sciencewhiz has pointed out.

 

[ZapZilla]

Very good information, thank you. 😀

 

[kylef]

as far as i know longhorn has been coded from scratch but i could be wrong

I work on Longhorn at MS, and I cannot comment on how much or how little is completely new.

However, I can point out that even today, Microsoft announced that WinFS (the new Longhorn filesystem) will not re-implement NTFS, but instead would sit on top of NTFS. Hence, you could probably draw a conclusion from the announcement that much of Longhorn will not be completely re-written. After all, it's a good software engineering practice to re-use solid, well-tested code.

 

[ZapZilla]

I just found out today that I have been working with a MS developer since August. Guess I had to earn his respect or something before he shared this with me.

I saw from his MS developer site, directories of all MS software that is in development or has been released - cool stuff.

Win-64 is already "Gold" so that developers can access it, and this guy has Win-64 running on his comp, and has good things to say about it.

It won't be released commercially until enough other 64-bit software is available to run on it (6 to 8 months).

The OS security will be the same as in Win-32. 64-bit software, depending on what it is, should be the same or better.

 

[Smilin]

"Will Win-64 apps be written with better security than Win-32 apps?"

Zap, on some level I think you may see significantly better security not simply from changes from 32 to 64 bit, but from changes in attitude that are present now that were not present at the start of development for 32 bit OS's. When we transitioned from Windows 3.1 to 95/NT there weren't the threats to security that there are today.

 

[Nothinman]

There's a little more to it than that. The virtual memory stuff has to be changed bigtime to accomodate 64bits. And the kernel would need to be changed to accomodate the new 64bit operating mode. And there are the pointer problems as sciencewhiz has pointed out.

Of course a bit of low-level stuff has to be done from scratch, but 95% or more of the code should be exactly the same as long as it was 64-bit clean before hand.

When we transitioned from Windows 3.1 to 95/NT there weren't the threats to security that there are today.

Because not as many people were on the Internet spreading code red as there are now. Security has become a big thing lately because of all the worms and email virus going around, people actually get affected by it first hand now where as before you almost had to bring an infected floppy home from school/work/etc to get a virus.

One thing noone's seemed to mention is that one of the big reasons Windows and anything running on x86 is more easily exploitable is there's no hardware differentiation between read and execute for pages. On almost every other chip out there (sparc, alpha, itanic, etc) there is a hardware enforced bit that says if the page is executable or not and if that's actually used by the OS it can be used to make buffer overflow exploits a lot harder and impossible in some cases.

 

[ZapZilla]

A recent opinion from a respected source, was that MS knows about various and numerous "potential" security weaknesses in their products, yet will not issue patches until they see evidence of a specific one being exploited.

The why has much to do with advertising, MS site exposure, and corporate strategy, that is in thier decision, overall beneficial to MS.

Providing "as secure a product as known to be possible" has been determined to have lesser buisness value than a "known weaker product" that is constantly highlighted.

On the one hand this was surprising to me, and on the other, after some thought, not.

 

[Nothinman]

A recent opinion from a respected source, was that MS knows about various and numerous "potential" security weaknesses in their products, yet will not issue patches until they see evidence of a specific one being exploited.

It's probably also a time thing. Why devote time fixing bugs noone knows about when your list of known bugs is just as long?

 

[drag]

Originally posted by: Nothinman

A recent opinion from a respected source, was that MS knows about various and numerous "potential" security weaknesses in their products, yet will not issue patches until they see evidence of a specific one being exploited.

It's probably also a time thing. Why devote time fixing bugs noone knows about when your list of known bugs is just as long?

Exactly, when they have to release a slew of patches it makes for very bad marketing.

So as long as only executives, developers with NDA agreements, and hackers know about the security vunerablities it's advantagous for Microsoft NOT to release patches.

After all, what are firewalls and virus scanners for?

 

[Smilin]

Originally posted by: drag

Originally posted by: Nothinman

A recent opinion from a respected source, was that MS knows about various and numerous "potential" security weaknesses in their products, yet will not issue patches until they see evidence of a specific one being exploited.

It's probably also a time thing. Why devote time fixing bugs noone knows about when your list of known bugs is just as long?

Exactly, when they have to release a slew of patches it makes for very bad marketing.

So as long as only executives, developers with NDA agreements, and hackers know about the security vunerablities it's advantagous for Microsoft NOT to release patches.

After all, what are firewalls and virus scanners for?

What a crock of Sh1t. Marketing? I assure you the programmers working on these issues do not know or care what marketing is up to. Take your FUD elsewhere.

 

[Nothinman]

What a crock of Sh1t. Marketing? I assure you the programmers working on these issues do not know or care what marketing is up to. Take your FUD elsewhere.

While I agree it's only speculation, I wouldn't be surprised if it was true. I mean come on, MS has been fighting with security problems for years and everytime they say they're putting in a bigger effort some worm gets headlines for weeks setting them back where they started.

 

[Smilin]

It's not true. Promise. Marketing dept has nothing to do with when security patches are released. That's just what folks who subscribe to the big "M$ is evil" conspiracy like to think. If you really think about it, it's silly and makes no sense. Imagine in your head how a process might happen internally for something like this: a report of a problem comes in, or someone tasked with finding them discovers one. Some manager evaluates it and drops it into the workload or "to do" list. Some team or an individual starts typing away at it. yada yada - marketing just doesn't fit into the picture. I'm sure they coordinate when it comes to projects and timetables for new products, but fixing stuff? Bah. That stuff is all handled by geeks, not suits.

The reason MS has setbacks is fundamentally the same reason that anyone dealing with security has setbacks...when it comes down to it you can't really beat hackers, just slow them down. MS has been applying it's new security initiative to code that was written before the initiative was in place. As newer code comes out you'll see improvements due to the overall security model being hardened, not just individual leaks plugged. You're seeing it just a little with w2k3, but the big change wont really be apparent till longhorn. Given the size of the target they are, I think MS isn't doing too bad at all and they've just begun.

 

[drag]

Realy. And I suppose your a expert on the history of computers and hacking.

You know WHY security firms release source code proofs of exploits they find? Because if they didn't, they would be called liars and deceivers by the companies they proof are neglagent. The company denies it, then they can't fix it, because if they did that would be a admission of guilt.

This is not FUD, because it happened in the past. Several times Mircosoft refused to acknowledge vunerablities and refused to fix them. Several times they attempted to sue companies that pointed out security flaws.

Why do you think that windows has over 650,000 viruses out their and Macs maybe have 60 and Linux has maybe 14 total.

Just because Microsoft is used more? It's only used more in desktops (by a gigantic margin, mind you) but it still has only slightly less 50% of the market in coporate servers and much less then that in most other feilds of computing. I mean come off it!

650,000 vs less then 200-300 for all other operating systems combined?

This is BECAUSE microsoft REFUSED to fix problems in the past.

All software is imperfect, all software is vunerable to exploits. But just because Microsoft is Microsoft doesn't mean that they hold a premium on good software practices. FAR FROM IT.

This is how it happens. Microsoft has Outlook, some hacker finds out that if you execute a certian javascript command it will break Outlook's stack and cause a buffer overflow that can allow him to execute code with administrator rights. Now he writes a little script and a simple C program to show off to his friends so that they can laugh at MS privately.

6 months latter a stupid little script kiddie finds the code on some anonymous ftp somewhere, and writes a virus for it.

He releases into his highschool and it works, some teachers e-mail accidently to their moms or something and it gets out into the wild.

Anti-virus company finds it, makes a discription for it so that their customers are safe.

The script kiddie rewrites it and sends it out again. Those people with scanners get crapped on again and the anti-virus company releases a new description. They realise this was a problem and hires a hacker to find the code and then they send it to MS telling them about the problem.

MS tells them that it realy isn't a problem and they'll get back to them, BTW good work on the scanner, hope it sells well.

Meanwhile the kiddie writes another virus and another, and eventually gets bored and can't figure out new ways to trick the virus scanners. So then he irc's the code for his viruses to some friends for a new anime porn game.

They write a small app that can generate viruses and trades that out for more warez, and 7331-ness status.

So people get the program and then write another few hundred new versions, but only 2 or 3 of them get to cause any damage.

Then after 6 months or so MS releases a patch to fix it, bundled with a couple other little do-dads. And the virus threat goes away.

This happens again, and again, and again, and again. It has happened, it continues to happen.\

Thats why MS has 650,000+ different viruses.

And of course it MARKETING. That's MS's bread and butter. They don't make anything new. Any app you can find in MS has already been made someware else, and is probably better. Their is very few things that they do that is actually original.

That's not a issue, not much in computer world is original. People continously copy off of one another, that't not the issue. Linux copies off of MS which copies off of IBM which copies off of SUN which copies off of Linux, which copies after Macs which copies off of MS etc etc etc. It's called progress.

MS got popular because it was cheap. Unix is/was king in coporate-land, but their CRAP was expensive. "Nobody got fired for buying IBM" days, (people did get fired for buying IBM, though because (for example) IBM PC's cost 3 times as much as IBM PC clones). You couldn't afford to get the good stuff so you got Microsoft. Sun, IBM and friends had their heads so far up their behinds that they didn't notice what was going on.

Now due to good marketing people sometimes believe that MS got here by creating supperior products. Which is a crock. Most people never used anything other then Microsoft. Kinda like people who believe that Honda CRX's are actually sport cars, mostly because they never got a chance to drive a Corvette or a Porsche.

It's all marketing. Everything is perception. The stock market is based on 100% perception. People don't invest because the company is doing good or bad, they invest based on how they THINK a company is going to be in 5, 10, or 15 years when they figure that they will cash out for a return on their investment.

Even if MS DIDN'T have a extensive and renown history of ignoring security. (They actually had the idea that people would pay extra for security.. IE firewalls and virus scanners) It is NEVER in ANY companies best intrest to go out and say:

"HEY Guys! Guess what ANY hacker at any time could of seized control of your computer at any time they felt like it for over 5 YEARS. But don't worry we have a PATCH!"

Plus GUESS WHAT. What if they went out a released every patch they could? Remember how much fun people had when MS released 5 patches in a DAY. That was proof in their eyes that there realy WAS severe security issues, just like everybody was warning them about.

And don't you forget about it. Everything is marketing. MS only makes money on 3 things.
1. Stock market. (By reinvesting money into other companies, not just getting investments from individuals. Also why suing MS is a sh***y thing to do, not because MS rocks, but because it screwed over a lot of investors and investies. Marketing forces are dictating the gradual decline of MS, NOT the government. They only screw things up.)
2. MS windows.
3. MS office.

Everything they do everything they sell is designed SPECIFICLY to sell people those 3 items. Everything else they do at a loss. Visual Basic, .NET, Databases, Word, file formats, etc etc etc is geared towards getting people to buy and keep on buying windows.

Use your BRAIN, thats why God gave you one. Even if Sun or Apple went out and admitted all the problems that their system are vunerable to, that would be stupid on their parts also.

MS is a limited company. Compared to the developemental base behind Linux they are small fry. They have to pick and choose what to spend time on. If they actually tried to make their software purfect it would be impossible. We all still be using Win98. (and lots and lots linux developers actually DO get paid for it. Linus is a multi-millionare for developing and leading the developement of the linux kernel)

This isn't just anti-MS fud. It's facts and happend in the past and it is also true with a whole bunch of other companies. INCLUDING LINUX. The only difference is that Linux CAN'T afford to hide behind security by obscurity, because the nature of it makes it impossible.

 

[Smilin]

If your point was that nothinman is a pleasant and intelligent guy whos fun to have a converstion with and that you're a complete freak you've made it

 

[Nothinman]

It's not true. Promise.

The beauty of closed development =) "We really, really promise that's not true!"

Imagine in your head how a process might happen internally for something like this: a report of a problem comes in, or someone tasked with finding them discovers one. Some manager evaluates it and drops it into the workload or "to do" list. Some team or an individual starts typing away at it. yada yada - marketing just doesn't fit into the picture. I'm sure they coordinate when it comes to projects and timetables for new products, but fixing stuff? Bah. That stuff is all handled by geeks, not suits.

But the release of security announcements probably goes though PR just like all press releases, it's possible they could have a quota of non-critical releases. If there's a known exploit or even a post on BugTraq they probably consider the release a must but I could definately see them holding back on things they found internally that aren't known outside yet to help their image.

 

[Smilin]

I kinda see your point. But what marketing does would be going on completely parallel to the fix process. A known (outside) MS bug is going to get priority from Marketing somewhere for PR reasons I'm sure. Yet the programming managers are going to give it priority simply for the reason it's more likely to get exploited and don't really know or care what marketing might be doing.