Dan Griffin's Blog

Comments on security, PKI, smart cards, cryptography, and entrepreneurship.

A recent challenge in debugging a software configuration problem for a customer led us to suspect that the new Windows Resource Protection (WRP) feature in Vista was thwarting their efforts to change a system registry key. This turned out not to be the cause of the problem … but it afforded us an opportunity to learn about some new APIs.

What is WRP? Some info is here - http://msdn2.microsoft.com/en-us/library/aa382551.aspx. In summary, it’s a feature that restricts access to certain parts of the file system and system registry, such that the "NT SERVICE\TrustedInstaller" SID is required in order to make any modifications. For example,

>cacls c:\Windows\System32\ntdll.dll

c:\Windows\System32\ntdll.dll NT SERVICE\TrustedInstaller:F

BUILTIN\Administrators:R

NT AUTHORITY\SYSTEM:R

BUILTIN\Users:R

Two new APIs are available in Vista to locate protected resources (although checking the ACL for Owner = TrustedInstaller is another sure sign): SfcIsKeyProtected and SfcIsFileProtected. I decided to write a little program that takes either a reg or file path, calls the appropriate SfcIs*Protected API, and reports the result.

Two confusing things I discovered about using the new APIs:

  • The documentation for SfcIsKeyProtected (http://msdn2.microsoft.com/en-us/library/aa382537.aspx, as well as the Vista RTM SDK download version) is wrong, in that the reported behavior for an un-protected key is to return FALSE and SetLastError of ERROR_FILE_NOT_FOUND. In fact, GetLastError is ERROR_SUCCESS in that case (on my x86 Vista RTM machine), which I think makes more sense anyway (see next bullet).
  • The documentation for SfcIsFileProtected also states that the behavior for an un-protected object is to return FALSE and SetLastError of ERROR_FILE_NOT_FOUND. In this case, that happens to be the observed behavior! Only problem - that makes the API harder to use, especially as a debugging assistant based on user input. Namely - how do you know the difference between the two conditions: file-not-found vs file-found but not protected? One possible answer: you have to also use CreateFile to verify that you didn’t mistype. Additionally painful is that you’ll want to call CreateFile in such a way as to minimize the chance of misleading error conditions (e.g. the file exists but you don’t have access; the file is already opened exclusively; etc).

Anyway, that’s the approach I took. An alternative would be to avoid the Sfc calls altogether and use RegGetKeySecurity/GetSecurityInfo. The benefit with the latter approach would be that it could probably be done entirely in managed code.

Permalink | Comments (0)

I recently installed Vista on my ThinkPad T60 and am happy to report that it’s been a net positive experience. That said, it’s probably not an undertaking that I’d recommend to anyone who doesn’t have a specific need to run Vista, or to anyone who doesn’t consider themselves to be a pretty hardcore Windows hacker.

Why did I do it?

  • I just had to try it
  • The laptop, when it was still running XP, would routinely fail to Hibernate due to a bad driver. I’m not sure which driver was causing this, but no further attempt to hibernate could be made until after a reboot. I had read that Vista handles power state change a little differently - namely, that drivers aren’t offered the option to prevent the hibernate attempt, which makes a lot of sense to me. Don’t remember where I read that, although this Wikipedia entry (http://en.wikipedia.org/wiki/Features_new_to_Windows_Vista) vaguely references the changes .
  • Out of the box, ThinkPads come with tons of optional software installed, much of which periodically tries to download updates and/or phone home. Attempts to un-install some it resulted in breaking other things, including some Java runtime component that would run and crash every time I logged in. Objectively, I suppose there’s an army of business users out there who find the ThinkPad software suite to be a real value-add, but I found the lack of control to be annoying.

An aside - once I had resolved to clean install the OS, I did try XP first. Unfortunately, the required (presumably) SATA harddisk drivers aren’t available in the default XP media (not surprising, given its age). Complicating the matter is that I don’t have a floppy drive, so adding a 3rd party driver during text mode setup was intially going to be impossible. I assumed that resorting to the Lenovo system restore media would result in the same un-wanted additional software getting installed as well, so that wasn’t an option. Thus, rather than completely punt on the clean install, I decided to try Vista (which provides the proper SATA driver out of the box!).

Results

Again, having completed the upgrade and re-installed most of the apps, I’m happy to say there have been no major problems. Here’s a summary of what I’ve experienced.

Pros

  • Hibernate works better now, although resume is a little flakey. I haven’t had a crash yet (I once had the wireless NIC driver for my old Toshiba, running XP, crash the disk during resume from hibernation, so I’m always nervous about this). Seems like Vista will occasionally resume and then immediately hibernate again. This may also be related to whether the laptop screen/lid is open or closed.
  • When working on new Vista-specific development projects, I can run tests directly from Visual Studio 2005 (which seems to work just fine for my scenarios, despite the fact that the installer reports known compatibility issues with Vista. I believe the latter are actually SQL desktop engine-related.), without having to copy them over to a separate Vista test machine.
  • From a network security perspective, system discovery/ICMP and file sharing are blocked by default by the Windows Firewall on Vista. While some knowledgeable users may be confused by this, and changes to the control panel make it initially frustrating to configure, I nevertheless applaud it!
  • Vista looks cooler than XP, what with the Aero/glass interface. Personally, I think they could have done a better job on the blue-green sheer fabric-looking secure desktop screen, but otherwise I dig it.
  • My Verizon broadband card and software actually works. This is the one thing that I thought was going to totally screw me after the upgrade, but it didn’t!

Cons

  • The VeriSign Digital ID enrollment web site doesn’t support Vista clients yet (since Vista/IE7 won’t load XEnroll, VeriSign needs to port its web enrollment logic over to the new CertEnroll interface). The Microsoft PKI guys told me they’ve been providing support on this, but I don’t have an ETA.
  • The ThinkPad originally came with some nice add-ins for managing the docking station and video settings. I don’t know how to get that back, and I certainly don’t want a bunch of extra stuff with it.
  • Virtual PC won’t run at all. Presumably this is due to session separation in Vista. Anyway, VMware supports Vista just fine, but I still have some images that I haven’t upgraded from VPC.
  • The Adobe Acrobat download site actually has a special page and download version for Vista, which is admirable. But it didn’t work! From a my brief investigation, it appeared that the installer was being sandboxed, and was attempting to write elsewhere to the disk. The only way to proceed was to copy the temporary installation fails elsewhere, and then run the setup program directly. Complicating matters was that the top-level installer would always clean up after itself on failure. Anyway, you can find the temp setup files before the installer completely fails out.
  • My Raritan SwitchMan USB COMBO KVM still doesn’t work. I had hoped that upgrading might fix the problem, whatever it is, but it didn’t. In summary, when I plug my keyboard and mouse directly into the docking station (via USB), everything works fine. But when I route them through the KVM, no luck. There’s a Dell desktop sitting next to it that has no problem w/ the KVM. Anyone else seen this issue with the Raritan and/or Lenovo?
Permalink | Comments (0)
I’ve been notified about two new and/or improved resources for aspiring Vista credential provider authors.

1.  The RTM version of Microsoft’s five sample credprovs is available here, as of 12/26/06 - http://www.microsoft.com/downloads/details.aspx?FamilyID=b1b3cbd1-2d3a-4fac-982f-289f4f4b9300&DisplayLang=en.  Changes from the RC1 version include "minor bug fixes and additional guidance".  If you are tasked with writing a credprov, you should start by modifying one of these.  I promise your life will be enhanced by it.

2.  A new "Technical Reference" document - http://shellrevealed.com/files/folders/code_samples/entry1019.aspx.  (Side note - seems you have to actually click on their link with the mouse; the download control won’t activate from the keyboard, which all true developers know to be the proper tool for HCI.  Unusually poor usability testing on Microsoft’s part …)

Anyway, the document itself provides a lot of details about the credprov interface.  Noteably, it includes a section at the end about "Pre-Logon Access Providers," or PLAPs, which is the Vista mechanism for exposing 3rd party, custom network-level authentication prior to (or combined with) the interactive user authentication.  This is the first external documentation I’ve seen about PLAPs.  For example, ever wondered how to implement multi-factor authentication at the network level, while disabling cached credentials?  This is it.

Permalink | Comments (0)

The "First 2007 Unannotated, Unordered List of Fuzzing Tools Lists":

The "First 2007 Minimally-Annotated, Unordered List of Security Tools Lists":

And, finally, deserving special mention, is HD Moore’s slide deck on ASP.NET security - http://www.metasploit.com/confs/bluehat2006/bluehat3-aspnet.pdf. Of interest in the context of this post is slide 17, which lists, among a variety of tools:

  • OWASP - http://www.owasp.org/index.php/Main_Page - seems to have lots of momentum as the primary braintrust for tools and research on web application security
  • SPI Dynamics - http://www.spidynamics.com/ - a Seattle area company. I recently spoke with one of their reps. They do cool stuff, such as simulating execution of AJAX payloads to detect risky code injection, and allowing segmentation of network scanning and reporting rights, so that your London-based IT guys can’t use the tool to compromise your New York site and vice-versa.

 

Permalink | Comments (0)
I was recently discussing opportunities in alternative energy with a colleague.  This got me thinking that, despite the fact that you absolutely cannot avoid reading in the popular press about how much money there is to be made in alt energy, at least down the road, I would not be able to articulate where the opportunities actually are.  I mean, cut through the hype, what’s left in terms of real business prospects, you know? 

This blog post will not answer that question.  However, I will share some interesting links I turned up:

  • Wal-Mart’s recent RFP to outfit as many as 340 of its stores in five US states with solar panels.  This particular blogger/consultant seems to have been referenced by a variety of news sources, including NPR and C|NET:  http://makower.typepad.com/joel_makower/2006/12/walmarts_solar_.html.  In summary, compared to what’s been done to-date, this would be a gigantic deployment of that technology.

One comment I believe I heard on NPR’s Marketplace show is that Wally-World wants to accomplish this feat without putting so much price pressure on solar power technology as to drive (or continue to drive, I suppose) its research and manufacturing overseas.  Can anyone else corraborate this statement?  Isn’t lots of price pressure on alternative energy technologies exactly what the world needs right now?  We’re willing to save the planet, but only if we can use stuff made in the US?

Side note - I remember back in the early 1980s some kid’s rich parents came to our class and gave a presentation about the solar panels they’d just installed on the roof of their house (in the Chicago area, where during the winter it’s dark by 4pm, but whatever).  Anyway, their panels would automatically rotate toward to brightest light source, which at some point during the day became, rather than the sky above, their neighbor’s porch light.  This was bad because the mechanism wasn’t designed to rotate that far, and would be damaged.  Hopefully such issues have been worked out in the ensuing years.
  • On the ethanol front, here’s a comparison of E100 gallon vs Retail gasoline prices by state - http://www.dtnethanolcenter.com/index.cfm?show=10&mid=32.  Interestingly, Washington state appears to be one of few places listed where a gallon of ethanol is cheaper than a gallon of gas.  However, I perceive that we’re not exactly comparing apples to apples (heh heh) here, since the resources have neither the same energy yield by volume, nor the same production cost, nor the same government subsidization.
  • Finally, a chemical engineer (who works for an oil company) takes on Vinod Khosla’s ethanol claims - http://energybulletin.net/18576.html.  It’s always nice to hear both sides of a story.

 

 

Permalink | Comments (0)

A colleague was recently asking me about doing a simple data flow diagram for the purpose of modeling a moderately complex software project management-related process. The proposal was to use UML(http://en.wikipedia.org/wiki/Unified_Modeling_Language), which I personally have never found much use for: an inherently complex modeling language does little to illuminate the discussion of a complex process/problem, especially when quick-and-dirty is usually what people want.

My proposal was to instead use the Data Flow Diagram format described in this classic blog post on Threat Modeling - (http://blogs.msdn.com/ptorr/archive/2005/02/22/GuerillaThreatModelling.aspx).

… By which I’ll seque into a comment about the overall "Guerilla" approach to creating a software threat model, as described in that post: it’s a reasonable compromise between minimizing the cost of a potentially time-consuming process to the engineering team, and exposing the riskiest pieces of the system from a security perspective (i.e. the trust boundaries). In fact, what usually happens is people start asking "dumb" questions that expose knowledge gaps for the team as a whole. Such as, "What if somebody does xyz with component abc?" Answer: "Component abc wasn’t designed to handle that." Hmm.

 

Permalink | Comments (0)