I, Cringely - The Survival of the Nerdiest with Robert X. Cringely

The Pulpit


Weekly Column

Misinterpretation: If .NET is Such a Security Nightmare (It Is), Why Isn't Everybody Fighting to Own the Obvious and Fairly Simple Solution?

By Robert X. Cringely

Viruses, worms, Trojans, denial of service, data and code theft -- since the days when our PCs were connected only by sneakernet, there have been people messing with them. And for nearly as long, there have been other people making a good living protecting us from the bad guys. As threats have evolved, so have these defensive outfits, from anti-virus vendors to firewalls to Virtual Private Networks to e-mail filtering services. And I sense that the data security business is about to change again as a new threat emerges that will require whole new ways to protect us. The problem is .NET, Microsoft’s slowly evolving and very difficult to understand effort to network-enable everything from Redmond’s application suites to the very data munched in those applications. I’ve written a couple of columns describing .NET and its evolution (you can find them in this week’s links), and even one column explaining why this creates a new kind of vulnerability. What’s different this week is that whole new classes of security products are about to appear to address these very threats, making us more secure. And I find these products very interesting because they fight brand new enemies by working in brand new ways.

.NET is a "framework," which means it is a programming environment made up of languages, compilers, libraries of functionality, and the actual program code. You can write a program in C# or Visual Basic.NET. .NET is almost exclusively Just-In-Time compiled. JIT'ing means, "I was just about to interpret this, but I'll compile it at the very last minute instead." In effect, the .NET code remains in interpretation-intended form right up until the end. The point is that it carries around tons of info with it that makes reverse engineering easy, just as with interpreted languages. The original Microsoft BASIC was an interpreted language and subject to this vulnerability, which is why it was so easy to copy on punched paper tape and why Bill Gates once referred to many of his earliest users as “thieves.” Many languages are interpreted, including some of my favorites like Forth, PostScript, and Scheme. Java is interpreted and subject to this same vulnerability, but the evolution of Java has led to it being used mainly for server applications where the source is a bit further out of reach. .NET, on the other hand, is Microsoft’s chosen successor to Visual BASIC, and effectively exposes source code at the very heart of Microsoft consumer and enterprise applications.

The result is that nearly every emerging Microsoft product is vulnerable, including the OS itself. That’s one reason why we are always hearing more, not fewer, stories about Microsoft security problems. And that’s why Microsoft security updates are now at least a monthly event. Left unchecked, it will only get worse.

The answer to providing a modicum of security for interpreted applications has to this point been obfuscation -- making the code look different so it is difficult to decompile and figure out. Obfuscation used to mean padding the code with extra variables and gibberish -- that is, until a company in Cleveland, Ohio, called PreEmptive Solutions Inc. came out with a bytecode optimizer for Java. Called DashO, this software was intended to make Java programs load and run faster by removing all code that wasn’t necessary, which is to say de-obfuscating and making perfectly clear what had been so carefully muddied before.


So the boys and girls of PreEmptive Solutions built a version of DashO that not only optimized, but also obfuscated in whole new (and patented) ways. Instead of adding useless code, for example, it changed all the variable names -- hundreds, even thousands of them -- to the same name, for example “a.” Try to figure that out from a code printout. In time, some of DashO’s bytecode optimization features went away or were de-emphasized because of the rise of Just-in-Time compilers, which choked on many of the fancier optimization techniques. So DashO turned mainly into a Java obfuscator, by far the most successful program of its type. Another PreEmptive program that does much the same thing for .NET is called Dotfuscator (I would have preferred “DashNET”), and a free-but-simple version of Dotfuscator is bundled with every copy of Microsoft’s Visual Studio, the main .NET development system.

But Dotfuscator as shipped and even Dotfuscator Pro, which is far from free, are no longer enough. New challenges lead to new solutions, and upcoming versions of both Dotfuscator and DashO look to be offering whole new ways to protect code.

One area of research is called "Program State Code Protection," or PSCP, which means changing the code AS IT RUNS to make it harder for a cracker to know what is actually happening. Dotfuscator and DashO, for example, right now change all variable names to the same name. But what if all variable names were changed not just to the same name, but were changed continuously to a wide variety of names? The first technique -- making all the variable names the same -- is like building a jigsaw puzzle entirely of white pieces. But PSCP is like making a jigsaw puzzle of all white pieces that spontaneously and continuously appear to change size and shape.

A cracker works much like someone reading a language they don't understand. For many words, they use a dictionary (for a cracker, that means looking it up elsewhere in the program). Slowly, the pieces come together. And it gets faster over time as you start to remember words. Once you know that "schwester" means "sister" in German, you don't need to look it up again. But what if the language was changing -- changing so fast that the same words are altered in very different ways from one sentence to the next? You couldn't rely on "schwester" meaning "sister" the next time you saw it. Reverse engineering such software would become a nightmare. That's the whole idea, of course.

PSCP (yes, there IS a patent application) is not simple encryption. It goes much further. "Encryption works by leveraging millions of possibilities," says Paul Tyma, chief scientist (I suspect the ONLY scientist) at PreEmptive. "To decrypt a message you only need one key, but there are millions or billions of possible keys to choose from. That's a challenge, sure, but once you get the key, you are in and in forever. PSCP is vastly more complex. When a computer program runs, the computer can follow millions of paths to get the job done. We leverage those millions of paths and transform them into billions of paths instead. We no longer let a hacker reverse-engineer a program on paper, we force them to reverse-engineer as the program runs. Every time a piece (of code) runs, it can be different. You can't just examine program parts, you have to watch everything at once. It is orders of magnitude more difficult to reverse-engineer. And the increase in processing overhead is trivial. PSCP, if done right, costs almost nothing."

So it looks like it will soon be much more difficult to crack .NET source code, which should be a relief to Microsoft, except I doubt that Redmond has paid much attention to it yet, even though it is obvious that they should.

But wait, there's more! Squint sideways at this same technique, and it can be used for digital rights management through a new kind of watermarking for interpreted source code. Using this technique, PSCP is modified to insert some pattern into the code renaming process. That pattern, like Ultra Wide Band networking, would be literally impossible to detect unless you knew precisely what you were looking for (you knew the watermark and were only checking code to see if it was there), and it is also impossible to obscure or defend against. It's like an embedded serial number that not only identifies the code as coming from a particular author, but also identifies it as a particular copy of that particular code. So any developer who decided to violate a license agreement and steal or publish proprietary source code could be instantly identified.

Stolen or leaked source code, as happened recently to Microsoft, could be traced back to its source even by search engine spider programs. Crackers could be Googled to jail.

And there is even an Open Source aspect to this new form of protection: It can be used as a new form of attribution. Who wrote what part of that Open Source program? Copyright notices and comments can be removed, but the PSCP code renaming signature can't be.
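A sketch of the watermarking idea from the two paragraphs above (a pattern hidden in the renaming, usable for both copy tracing and attribution), as an added example that is not PreEmptive's code or PSCP itself: identifiers are renamed as any obfuscator would rename them, but which short name each identifier receives is derived from a keyed hash of the copy's serial, so the author, who holds the original source and the key, can tell which licensed copy a leak came from. The snippet, the secret and the copy ids are all constructed for the demonstration.

```python
import hashlib, hmac, random, re

# Constructed toy C#-style snippet standing in for a .NET program; "items" and
# "Length" belong to the framework, so a real obfuscator would leave them alone.
SOURCE = """
int total = 0;
int count = items.Length;
for (int index = 0; index < count; index++) {
    int sample = items[index];
    total = total + sample;
}
int average = total / count;
"""
IDENTIFIERS = ["total", "count", "index", "sample", "average"]  # what gets renamed
NAME_POOL = list("abcdefghijklmnopqrstuvwxyz")  # the short names an obfuscator hands out
TOKEN = re.compile(r"\b[A-Za-z_]\w*\b")

def keyed_order(secret, copy_id):
    """Shuffle the name pool with HMAC(secret, copy_id) as the seed: every licensed
    copy gets its own renaming, reproducible only by whoever holds the secret."""
    seed = hmac.new(secret, copy_id.encode(), hashlib.sha256).digest()
    order = NAME_POOL[:]
    random.Random(seed).shuffle(order)
    return order

def rename_map(secret, copy_id):
    order = keyed_order(secret, copy_id)
    return {ident: order[i] for i, ident in enumerate(IDENTIFIERS)}

def obfuscate(source, secret, copy_id):
    """Ordinary identifier renaming; the watermark is carried by which name goes where."""
    mapping = rename_map(secret, copy_id)
    return TOKEN.sub(lambda m: mapping.get(m.group(0), m.group(0)), source)

def observed_map(obfuscated):
    """The author still has the original, so the leak's renaming is recovered by
    aligning identifier tokens position by position."""
    pairs = zip(TOKEN.findall(SOURCE), TOKEN.findall(obfuscated))
    return {orig: leaked for orig, leaked in pairs if orig in IDENTIFIERS}

def identify_copy(obfuscated, secret, copy_ids):
    """Return the copy id whose expected renaming matches the leaked code, else None."""
    seen = observed_map(obfuscated)
    for copy_id in copy_ids:
        if rename_map(secret, copy_id) == seen:
            return copy_id
    return None
```

Note the trade-off with the collapse-everything-to-one-name trick described earlier: a watermark needs the renaming to differ between identifiers, so this pool supplies distinct names.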

The last issue here is a business one. Microsoft is absolutely committed to .NET, yet .NET as it stands today is very vulnerable to security lapses. The best solution so far to this core problem is PSCP. Yet for some reason, Microsoft, which looks like it will be entirely dependent on PSCP for the ultimate success of .NET, does not have any control over PSCP or PreEmptive, the company that invented and controls it. This is a company that fills a small part of one floor in a medical building in Euclid, Ohio. How can Microsoft possibly allow this company to remain free? It makes no sense to me.

Understand that, as always, I have no stock in PreEmptive, I just like these people.

Say Microsoft remains clueless about its dependence on Dotfuscator and PSCP. That leaves open the possibility that another, smarter, more agile company could snap up PreEmptive. If that acquiring company was Sun Microsystems, they could deny PSCP to Microsoft while building it into Java. If that acquiring company was IBM, they could license to both Microsoft and Sun and hold a strategic advantage over both. If that acquiring company was Symantec or Network Associates, they could own what has to be a key component to .NET, giving that company a "get out of jail free" card to be used with Microsoft as well as an entirely new and exclusive data security business.

This seems obvious to me, but I'm usually two years ahead of events. So look for C-Net to claim a scoop on this story in 2006. That's if any of the big companies can actually find Euclid, Ohio.
