Writing Better Code Doesn’t Get You to Perfection
March 25, 2010. Posted by Peter Varhol in Software development, Software tools.
I spent a number of years of my professional software career building tools to enable developers and testers to find and fix bugs. As such, I’m cognizant of how errors in coding can manifest themselves much later, and in unpleasant ways. This report from the Pwn2Own hacking contest on the ability of professional hackers to bypass important security features of Windows 7 and execute a successful attack on Internet Explorer 8.
Building commercial development tools is a very difficult business today, as I’ve alluded to in a recent post. These tools include debuggers and more general-purpose error detectors, performance analyzers, automated code review engines, and code coverage analyzers.
The vast majority of developers don’t bother with such tools unless they know they have a problem. They represent a fire-fighting technique rather than a methodology for development. So sales are dependent not upon a process, but rather upon an immediate pain.
That’s not to say that tools can single-handedly solve all of the malware problems that computer users face on a regular basis. I’ve read the entire report of how Peter Vreugdenhil bypassed the Windows 7 DEP (data execution prevention) and ASLR (address space layout randomization), and it’s pretty clear to me that there was no bug or design error in what Microsoft had done here.
Both features represent reasonable responses to common hacking techniques. ASLR moves Windows components around randomly in memory, so that hackers have no guarantee where they can find them to even begin a hack. DEP marks data regions as non-executable, so that code a hacker has written into a data space cannot be run from there.
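Both mitigations are opt-in per binary: the linker records them in the DllCharacteristics field of the PE optional header (DYNAMIC_BASE for ASLR, NX_COMPAT for DEP), and a DYNAMIC_BASE image whose relocations were stripped still cannot be moved by the loader. The following Python script is an added example, not code from the original post; it reads those flags straight from the headers of a PE image, and the `build_test_image` helper constructs a minimal, non-loadable header-only image for demonstration so the check runs offline. Note that the flags only tell you whether a binary asks for the mitigations, not whether they stop a given attack, which is the point of the post.

```python
import struct

# Flag values from the PE/COFF specification (Microsoft, "PE Format").
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # image may be relocated at load time (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # image declares itself compatible with DEP
IMAGE_FILE_RELOCS_STRIPPED = 0x0001             # COFF flag: no relocations, image cannot be rebased

PE32_MAGIC = 0x10B
PE32PLUS_MAGIC = 0x20B


def mitigation_flags(image: bytes) -> dict:
    """Report which mitigations a PE image opts into, using only its headers."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if e_lfanew + 24 > len(image) or image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    (_machine, _nsections, _stamp, _symtab, _nsyms,
     opt_size, coff_chars) = struct.unpack_from("<HHIIIHH", image, coff)
    opt = coff + 20
    if opt_size < 72 or opt + opt_size > len(image):
        raise ValueError("optional header too short to contain DllCharacteristics")
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    # DllCharacteristics sits at offset 70 in both the PE32 and PE32+ optional headers.
    (dll_chars,) = struct.unpack_from("<H", image, opt + 70)
    relocs_stripped = bool(coff_chars & IMAGE_FILE_RELOCS_STRIPPED)
    dynamic_base = bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "aslr_flag": dynamic_base,
        # With relocations stripped the loader cannot move the image, so the flag alone is not enough.
        "aslr_effective": dynamic_base and not relocs_stripped,
        "relocs_stripped": relocs_stripped,
    }


def build_test_image(dll_chars: int, coff_chars: int = 0) -> bytes:
    """Constructed, minimal PE32 header-only image for demonstration (not a loadable binary)."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)           # e_lfanew: PE header follows the DOS header
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 224, coff_chars)  # i386, no sections
    opt = bytearray(224)                                # standard PE32 optional header size
    struct.pack_into("<H", opt, 0, PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def report(path: str) -> dict:
    """Read a real PE file from disk and return its mitigation flags."""
    with open(path, "rb") as f:
        return mitigation_flags(f.read())


if __name__ == "__main__":
    import sys
    # Usage: python pe_mitigations.py some.exe other.dll
    for p in sys.argv[1:]:
        print(p, report(p))
```

Run it over a directory of executables and DLLs to find modules that were built without either flag or with relocations stripped; in 2010 that was the usual way a single third-party module could undo ASLR for a whole process.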
But they are not guarantees against successful hacking. Hacking involves a great deal of detective work, an intimate understanding of how code executes in memory and what it does, and good tools to look at every single location in memory and what’s happening there, on a step-by-step basis.
(Disclosure: A decade ago I was the evangelist for a software product called SoftICE, which could interrupt the operating system – Windows or DOS – and look into memory locations and even processor registers. It was the ultimate debugger, and we marketed it as a device driver development tool, but it was also the favorite tool for hackers. Once our corporate masters understood what it could be used for, it was gradually decommissioned.)
But this hack demonstrates once again that there is no completely secure system, except one with no I/O that is locked inside a vault, and is just about useless for any practical purpose. It’s easy to complain about the seemingly vulnerable Windows, or to extol the virtues of alternatives, but much of that is based on the fact that hackers can make their biggest impact by hacking Windows.
And it’s not going to get any better, as long as there are people who see a challenge or profit in hacking. So despite the millions of dollars that are spent on firewalls, anti-virus software, software tools, and the like, computer users still have to be careful on the Internet. Developers can’t build hack-proof software.