Platform Security

COM SECURITY TALK from INFILTRATE 2017: https://vimeo.com/214856542

Ok, so I have a concept that I've tried to explain a bunch of times and
failed every time. And it's how not just codebases decompose, but also
whole platforms. And when that platform cracks, everything built on it
has to be replaced from scratch. Immunity has already gone through our
data, like every other consulting company, and found that the process of
the SDL is 10 times less of an indicator of future security than the
initial choice of platform to build a product on.

It's easier for people to understand the continual chain of
vulnerabilities as these discrete events. They look at the CyberUL work
and think they can assess software risk. But platform risk is harder.

Some signs of cracking are:

  * New bugclasses start to be found on a regular basis
  * Vulnerability criticality regularly is "catastrophic" as bugclasses
    that used to be of low risk are now known to be of super high risk
    when combined together
  * Remediations become much more difficult than "simply patch" and
    often bugs are marked "won't fix"
  * Even knowing if you are vulnerable is sometimes too much work even
    for experts
  * Mitigations at first seem useful but then demonstrate that they do
    more harm than good

From an attacker's standpoint, being able to smell a broken platform is
like knowing where a dead whale is before anyone else - there is about
to be a feeding frenzy. Whole careers will live and die like brittle
stars upon the bloated decomposing underwater corpses of Java and .Net.
Microsoft Windows is the same thing. I want to point out that two years
ago when Microsoft Research gave their talk at INFILTRATE, initially
nobody took any notice. But some of us forced research on it, because we
knew that it was about the cracking of an entire platform - probably the
most important platform in the world, Active Directory.

From a defensive standpoint, what I see is people are in denial this
process even exists. They think patching works. They want to believe.

From an architectural standpoint, Windows is only two things: COM and
Win32api. Forshaw has broken both of them. And not in ways that can be
fixed. What does that mean? Anyways, watch the video. :)