Blackhat: In the course of covering the Blackhat and Defcon conferences here in sunny Vegas, I had occasion to sit down with MS Security Program Manager Scott Culp, who, I'd heard, has become a fan of our Steve Gibson raw sockets coverage. It's not every day that The Reg and Microsoft can discuss a topic on which we agree in large part, so no doubt you'll enjoy the following as a light refreshment:
[Gibson's] argument has been that the inclusion of raw sockets is both necessary and sufficient for distributed denial of service attacks; and there are actually two parts to the answer. The first one is, 'are DDoS attacks going to happen?' Yes. They will happen; and they will happen on Windows XP. That's not an argument; you're going to see them. What we're saying is, you're going to se them regardless -- raw sockets are utterly irrelevant to the question of DDoS attacks on Windows XP, because if someone can compromise a machine....they'll have every ability they want. Control of the machine is the hurdle; the availability of raw sockets is not the hurdle. Once you've got control of the machine, if you don't have the raw [socket functionality] there you can add it.
Greene: And you can packet targets desperately into submission without spoofing. But his point of course is that with the spoofing potential now, it will become even worse and more uncontrollable. You've got a compromised machine, and once you've compromised it the raw socket functionality becomes an enhancement.
Culp:It may be a convenience, but it can't be too much of a convenience, because Gibson himself was attacked by people who had to install WinPcap or something like that on the machines.
But the second part is, OK, so if it's not going to cause DDoS attacks, could we remove it without any loss of functionality? And guess what: raw sockets are used for a whole bunch of security functionality in Windows XP. Internet connection firewall is one. IPsec [IP security protocol] is another one. It's used by network diagnostic tools. It's also used by games.
Here's where the argument gets funny. Because the counter-argument is, 'so are you saying if you didn't provide raw sockets that you couldn't do Internet connection firewall?' No, I didn't say that. What I said was, the Internet connection firewall is using the raw sockets that are built in to Windows XP. And the next question is, 'why not just get rid of raw sockets and do the network functions [without low-level IP services]?' And the answer is, 'yeah, we could do that.' But that brings us right back to the same argument again. It's only software. Now we're going to have socket software in all of these different features so we don't have a native OS function that provides the socket features. All the bad guys can do the same thing. We're right back to the same problem.
If we can move it out of the OS, that's sort of your proof that anyone else could have done it as well.
Greene: My other question is -- according to The Register's constant suspicion of all companies with more than fifty people [laughter] -- that there are other things one's imagination could come up with using raw sockets in a consumer OS; it could smack of low-level user authentication, low-level software identification, things like that which could go hand-in-hand with the .NET initiative in a way that a lot of people might find threatening.
Culp: [laughs] No way.... It's just a networking function. All it is is a full implementation of the sockets protocol. And we've been lambasted, rightly, over the years about following the standards and implementing them fully, and if one vendor isn't fully implementing the standards then that [breaks] interoperability.... There's nothing under the covers there as far as metering software use or anything like that.
Greene: But stuff could be metered or turned off, arbitrarily. You know what I mean -- there could be a kind of extortion: 'we want more subscription money; we want to raise the price of something; we want you to upgrade, so we're disabling your software.' This kind of low-level network functionality with the .NET scheme could be perceived as [potentially malicious].
Culp: So the Microsoft Department of Evil has now cooked up some scheme to foist on the public. [laughter] If we required the functionality provided by the raw sockets implementation, and if we didn't provide it in the OS, then we'd just put it into the Evil Software somewhere else. If that were the intent, again, raw sockets isn't the enabling technology. It has nothing to do with raw sockets. Anything you wanted to do through software that required those [evil] networking functions, if the OS didn't provide it immediately, you could provide it through device drivers.
It's a service that it makes sense to provide at the OS level. From a rationality point of view, what's the sense of providing a ninety-percent implementation of commonly-used networking functions? The only thing you do is force people to write the last ten percent themselves or go out and buy a piece of third-party software that implements the last ten percent.
Greene: Because Microsoft is a very large corporation, and it does own a terribly large share of a particular market, people sometimes feel threatened. Sometimes it's envy; sometimes it's just being cynical and looking at past experiences with other enormous corporations with unusually large shares of certain markets and how they've behaved, but you may find that people are afraid, not that Gibson is right, but that this networking protocol dovetails into .NET, into software hosting, and into product activation where some information can be gathered and used.
We've said what isn't up -- with Gibson -- so let me ask what's really up with raw sockets? Why are you behind this?
Culp: And the real reason is, there's just no sense providing a ninety-percent implementation of the networking functions. No more than it makes sense to provide a ninety-percent implementation of TCP/IP. I mean, we could do that. You've got a TCP stack that gives you ninety percent of what you need, and you've got to come up with the last ten percent or buy a third party product, and people would say, 'what, are you nuts? Give me the last ten percent for crying out loud.'
Greene: I think there will be good third-party applications now that developers can write with the full socket implementation in mind. I look forward to seeing some of them. I also look forward to seeing what the malicious scripters will come up with.
Culp: Well they're another third party that's going to use it [laughter]. But the way to deny that section of the development community is not to pull ten percent of the networking out; it's 'don't let them run bad code on your machine in the first place.'
And there you have it, for now. In the next day or two I'll be siting down with a few of my favorite whitehat hackers and network cognoscenti here to kick around a few ideas about how XP raw socketsmight be
deployed to the consumer's disadvantage, both by Microsoft and other corporate software vendors, and as well by the blackhat community, so stay tuned. ®