What Bill Gates Says About Security
Microsoft may have finally gotten the hint about the importance of security. After being blasted by the industry at every turn, after releasing product after product whose security profiles bear a disturbing resemblance to Swiss cheese, the company is now at least making moves in the right direction.
At the recent Microsoft Professional Developers Conference in Los Angeles, a full-day security symposium wound up a week of looks at the new operating system, code-named Longhorn, that will succeed Windows XP, and at the new tools that will surround it.
And, while catching up with chairman and chief software architect Bill Gates left us with food for thought, it probably also earned him a few words from his security business unit.
Here's what Gates had to say about application security:
"You don't need perfect code to avoid security problems. There are things we're doing that are making code closer to perfect, in terms of tools and security audits and things like that. But there are two other techniques: one is called firewalling, and the other is called keeping the software up to date. None of these problems (viruses and worms) happened to people who did either one of those things. If you had your firewall set up the right way when I say firewall I include scanning E-mail and scanning file transfer - you wouldn't have had a problem.
"But did we have the tools that made that easy and automatic and that you could really audit that you had done it? No. Microsoft in particular and the industry in general didn't have it.
"The second is just the updating thing. Anybody who kept their software up to date didn't run into any of those problems, because the fixes preceded the exploit. Now the times between when the vulnerability was published and when somebody has exploited it, those have been going down, but in every case at this stage we've had the fix out before the exploit."
Microsoft Security Business Unit senior program manager Mike Howard and Mike Nash, Vice President for the Security Business Unit, certainly didn't disagree with the boss's assessment that the industry does not have its security ducks in a row. However, judging from their tag-team presentation at the security symposium, they would have been deeply distressed by his comments about code. Again and again during their talks, Howard and Nash hammered home the idea that code has to get better, and that buffer overruns are caused, basically, by sloppy programming. "There are two major kinds of security defects," trumpeted one slide, "Input trust issues, and everything else." Software, they said, should be secure by design, secure by default, and secure in deployment.
Secure by design means that the design process should include threat modeling, code reviews, and running of code with minimal privileges, instead of succumbing to the knee-jerk impulse to give it administrator rights.
Secure by default means turning off unnecessary services so they're not available to exploits, and enabling necessary services securely.
Secure in deployment includes leveraging best practices for the deployment platform, building tools to assess the application's security, and providing guidance to users.
The presentations described techniques to address all of these needs, and hinted that Microsoft will be productizing its internal audit tools to help developers do the job.
In our discussion, however, Gates went on to provide his take on plugging the holes. He said, "Next is making it easy to do the updating, not for general features but just for the very few critical security things, and then reducing the size of those patches, and reducing the frequency of the patches, which gets you back to the code quality issues. We have to bring these things to bear, and the very dramatic things that we can do in the short term have to do with the firewalls and the updating infrastructure."
Gates did admit that, though Microsoft has made strides in the direction of less buggy code, it has a long road ahead. He noted, "We've seen an order of magnitude less vulnerability in the code that's been through the new tools, and we need about another order of magnitude. We've had 12 things in about an eight month period in Windows Server 2003 and with the equivalent level of attack in the previous generation we would have had over 100. We had 43, but adjusting for the level of intensity it's a factor of 10 difference. If we can get another factor of 10, which would get you down to 1.2, plus the improvements in the patching and updating, that's what people want.
"That should be do-able, but that's the piece that doesn't happen overnight. It's a matter of giving people the tools; it's people not understanding the design of APIs where you get vulnerabilities. Certainly there are whole classes of vulnerabilities, like buffer overruns, that are very well understood at this point, and the scanning tools are very good, and the compiler switches are very good."
"Not everybody has changed their code and done the recompilations to get rid of those things," he went on. "But, fortunately, the main system that's under attack today is the latest operating system. The fact is, there are security vulnerabilities in peoples' applications in many places. I mean, people act like some other systems don't have vulnerabilities. Actually, all the forms of Unix (as well as Linux) have had more vulnerabilities per line of code. They don't propagate as much because they're not as dense as our system is, so the things that prevent the propagation are particularly important for our world."
Making a silk purse out of the moth-eaten sow's ear, Gates concluded, "But actually, in a sense it's very good to have this maturity, saying that a high volume operating system will be the one that people have tried to attack. Low volume software is always attackable. It's only attacked when somebody want to be malicious. High volume software is attacked when somebody wants just visibility and glory, and the fact is that the hardening is part of the process of having the level of reliability guarantee that we need to make."