Why is defense in depth so important?
Yesterday's post on the principal of least privilege engendered some discussion about how important the PLP was.
Many of the commenters (including Skywing, the originator of the discussion) felt that it wasn't important because malware could always enable the privilege.
And they're right - it just raises the bar. But raising the bar is important.
The PLP is a specific example of a technique named "Defense in Depth" - the idea is that even if you don't know about a specific attack vector to your component, you still ensure that your code doesn't have defects.
Let me give a contrived but feasible example.
I've got an API that lives in a DLL, call it MyCoolNewImageRenderingAPI.dll. The component ships as a part of Windows (or it's open source and freely redistributable, it doesn't really matter).
It turns out that there's a bug in my API - if you pass the API a filename that's invalid, it can overflow.
Do you fix the bug? Your code lives in a DLL. It's not network facing. None of the components that use the DLL are network facing. So it's not exploitable, right?
Well, it might not be exploitable, today. But you still have to fix the bug.
Why?
Because you can't control the callers of your API. You simply can't predict what they're going to do with the API.
What if the brand spanking new IceWeasel web browser decides that it really likes your API and decides to use it to render images? And further, what if that browser allows a web site author to control the filename, or a portion of the filename, passed into the API?
Now all an attacker needs to do is to construct a filename that exploits your buffer overflow and they own the client machine. In the absence of your bug, the only consequence of the browser's allowing the attacker to control the name might be a denial of service attack (it might crash the browser, or fail to render the page correctly). But with your bug in place, that "unexploitable" overflow just became a security hole.
You could argue back and forth about whether this is a bug in the browser or not, but ultimately it's not the browser's responsibility to work around YOUR bugs. You just need to fix the bug.
And that, in a nutshell, is what defense in depth is all about. If you've got a problem in your code that might conceivably be used to launch an exploit, even though you believe that there are ample mitigations in place, you still need to fix the problem.
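As an added illustration (not code from the original post): the kind of filename bug described above, in C, with the "before" version that overruns a fixed buffer beside a hardened version that validates its input and fails closed. The function names, the 64-byte limit and the status codes are assumptions made for this example, not part of any real Windows API.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
/* Constructed stand-in for the image-rendering DLL in the post. MAX_NAME, the
 * function names and the status codes are assumptions made for this example. */
#define MAX_NAME 64
enum render_status { RENDER_OK = 0, RENDER_BAD_NAME = 1 };

/* Before: copies whatever filename the caller supplies into a fixed buffer, so a
 * name longer than MAX_NAME overruns 'path'. Shown for contrast; never called. */
int render_image_unsafe(const char *name)
{
    char path[MAX_NAME];
    strcpy(path, name);                      /* no length check at all */
    return (int)strlen(path);
}

/* After: validate first and fail closed, so the caller gets a status code
 * instead of memory corruption no matter who controls the string. */
int render_image(const char *name, char *out, size_t out_len)
{
    size_t n = 0;
    if (name == NULL || out == NULL || out_len == 0)
        return RENDER_BAD_NAME;
    while (n < out_len && name[n] != '\0')  /* bounded scan, never past out_len */
        n++;
    if (n == 0 || n == out_len)
        return RENDER_BAD_NAME;              /* empty, or no room for the NUL */
    for (size_t i = 0; i < n; i++)
        if ((unsigned char)name[i] < 0x20)
            return RENDER_BAD_NAME;          /* control characters are never valid */
    memcpy(out, name, n + 1);
    return RENDER_OK;
}
/* Constructed inputs: a valid name, an over-long name, an embedded control
 * character and NULL. Returns 1 when every case behaves as intended. */
int self_check(void)
{
    char buf[MAX_NAME], longname[MAX_NAME * 4];
    memset(longname, 'A', sizeof longname - 1);
    longname[sizeof longname - 1] = '\0';
    if (render_image("cat.png", buf, sizeof buf) != RENDER_OK || strcmp(buf, "cat.png") != 0)
        return 0;
    if (render_image(longname, buf, sizeof buf) != RENDER_BAD_NAME) return 0;
    if (render_image("bad\x01name", buf, sizeof buf) != RENDER_BAD_NAME) return 0;
    return render_image(NULL, buf, sizeof buf) == RENDER_BAD_NAME;
}

int main(void) { printf("self_check: %s\n", self_check() ? "pass" : "FAIL"); return 0; }
```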
Comments
- Anonymous
June 23, 2005
According to Raymond Chen it is Windows' responsibility to work around third party software bugs. So the same would apply here, the IceWeasel browser should work around your bugs ;) - Anonymous
June 23, 2005
First of all, I agree that the bug needs to be fixed -- it is just bad code -- period. But, does the responsibility argument change if the API is undocumented? Not badly-documented, but used by someone who has "figured out" the interface without the benefit of any documentation? - Anonymous
June 23, 2005
It's easy to say that malware will just increase a privilege, but in this day and age a lot of exploits are found by entering random strings and waiting for some buffer along the way to overflow. Hackers may have little idea which program or dll will actually fail, so they don't know which privilege to increase. If there's even the smallest speed bump, you increase the chance that they'll give up and move to something else. I presume a lot of work that went into Windows XP SP2 was on stuff like this. - Anonymous
June 23, 2005
Larry, I absolutely agree with the last sentence. That's why I posted my trollish comment, because covering up for other code's problems will not lead to people doing their job right. Breaking their code and explaining what they should have done will. But then, I'm a developer, not a marketing or PM type that needs to worry about market share or release dates :) - Anonymous
June 23, 2005
s/principal/principle - Anonymous
June 26, 2005
Friday, June 24, 2005 5:59 AM by speling terrarist
> s/principal/principle
Didn't they teach you anything at school? The most privileged party is the principal ^_^ - Anonymous
June 27, 2005
Larry,
I think your subconscious is helping you write this post. I've no idea where this was first mentioned, but I read about [1] the IceWeasel browser some time ago. :)
[1] http://lwn.net/Articles/118268/ - Anonymous
June 27, 2005
Ron, that's SO weird. I absolutely had no idea about that. - Anonymous
June 27, 2005
speling terrarist is right - it should be principle of least privilege.