Untouchable oracle

Since 1995, 3896 vulnerabilities have been found in Oracle products, and the number keeps growing. The Digital Security Research Center has been looking for security problems in Oracle systems for almost 10 years and during that time has found a great many vulnerabilities across the entire product line, including a number of dangerous architectural bugs. Some of them were fixed by the vendor about 3 years after our report (!). So we know Oracle firsthand.

The scandal that erupted yesterday, immediately after the publication and subsequent deletion of a post on the blog of Oracle CSO Mary Ann Davidson (deleted because, according to Oracle's Vice President and Chief Architect Edward Screven, the post "did not reflect the company's true views on customer relationships"), is in fact quite instructive. It perfectly showed all the pain of vendors and their real attitude to the security of their products.

The best illustration here would be the Mel Gibson film "What Women Want". Security researchers and customers: read carefully what Oracle's chief security officer thinks about research and how she really relates to the security of her company's products. Understand that she is saying what other vendors simply do not dare to say. They thank researchers for the vulnerabilities they find, smile nicely at customers, and quietly hate both. "Do not touch our products!" and "Under the license, you have no right to reverse engineer!" are literally her statements. "Leave us alone with your security, we will figure it out ourselves" is what vendors actually think. And we know very well how they "figure it out" themselves, taking three years to close the most dangerous architectural vulnerabilities (in particular, authentication performed on the client!). Oracle is especially famous for this, and now it is no surprise why, given such an attitude from its chief security officer. But still, this is not really about Oracle, and that is the most important thing. Their CSO simply expressed the opinion of all vendors and said out loud what is not customary to say openly. This is a clear demonstration of the real attitude of all vendors to security. Whatever any of them says, this is what they think.
And it's scary.

It is also striking that Oracle's CSO does not know that most vulnerabilities are found without any reverse engineering at all. Oracle can safely change its slogan from the old "Unbreakable" to the modern "Untouchable."

Translation of Mary Ann Davidson's post "No, You Really Can't"


I've been writing a lot lately. Some of it together with my sister: mystery novels under the pseudonym Maddi Davidson. We are currently working on stories and generating a lot of new and interesting ideas about how to kill people (fictionally, although sometimes, when someone tailgates me, I think about applying them).

Writing mysteries is much more fun than my day job. I am seeing a tangible increase in the number of customers reverse engineering our code in an attempt to find vulnerabilities in it. <sighs deeply> Because of this, I have to write many messages that begin with "Hello, how are you, glad to hear from you", but end like this: "Please do not violate the license agreement and stop reverse engineering our code."

I can understand that in a world where nameless attackers, possibly working for a hostile state, hack someone almost every day and walk off with a gazillion records, you want to make every effort to protect your systems. At the same time, it would seem that before this extra push you ought to identify your most critical systems, encrypt confidential data, install all the necessary patches, use a supported version of the product, and apply configuration hardening; in short, ensure security at a hygienic level, and only then go looking for zero-day vulnerabilities in the product. As a matter of fact, many data breaches could be prevented by these dull measures instead of broadcasting about the big and terrible APT attack that supposedly targets you. Whether your IT infrastructure is your own or in the cloud, there are generally accepted recommendations for protecting it, and they should be followed.

Suppose you want reasonable assurance that the vendor approaches development with reasonable care (and assurance is far more than running a scanner); as a customer, you can do a lot. For example, go and talk to the vendor about its assurance program, ask for product certifications that serve as a "Good Housekeeping" seal in the sense of "good code": Common Criteria certification, FIPS 140, and so on. Most developers, or at least most of the major vendors I know, already have very strong assurance programs (and I know this because we compare notes with each other at conferences). All this is great; it is a normal vendor-integrity check, which is nowhere near the idea "I'll go do the developer's job for him and look for problems in his source code," despite the fact that:


I'll say right away that, in my opinion, sometimes the customer doing the reverse engineering does not even know it, because a consultant does all the work: runs the reverse engineering tool on the code, gets a hefty listing of results, alarms the client, and sends the data to us. I note that we simply do not accept scan reports as "proof that there is something somewhere", partly because, in both static and dynamic analysis, a scan report does not prove the existence of a real vulnerability. Often such a report is just a steaming pile of ... FUD (this is the thought I am leading the reader to: FUD, "fear, uncertainty and doubt"). Therefore, we require customers to open a technical support request for each perceived problem (rather than just sending us a report) and to provide a PoC confirming that an attack is possible (some tools can generate them).

If, during analysis, we determine that such scan results could only have come from reverse engineering (in at least one case the report helpfully stated "static analysis of Oracle XXXXXX"), we send one letter to the client who sinned and another to the consultant who sinned on the client's behalf, reminding them that the terms of the Oracle license agreement prohibit reverse engineering, so PLEASE, JUST PLEASE, STOP (politely, of course; the Oracle license agreement contains the following clause: "The user does not have the right to reverse engineer, disassemble, decompile or otherwise attempt to derive the source code of the program ...", which we quote in the message to the customer). And yes, we also require customers and consultants to destroy the results of the reverse engineering and to confirm that they have done so.

Why am I talking about this? First of all, because when I see a surge of some kind of activity, I prefer to get ahead of it. I don't want to argue with people anymore: "You violated the license agreement." "No, we didn't." "You did." "No." I'd rather spend my time and my team's time helping developers improve our code than arguing with people about the contents of the license agreement.

I repeat: none of this suits me, and not only for legal reasons. Rather, I want to say: "I don't need you to analyze our code, because we do it ourselves; it's our job, we know how to do it, and, unlike other researchers or tools, we can do real analysis and find out exactly what is going on; besides, most of these tools produce almost 100% false positives, so please don't waste time looking for little green men in our code." I am not giving up my responsibilities to customers; I am just trying to avoid a painful and annoying mutual waste of time.

Source: https://habr.com/ru/post/264581/