MS security chief talks raw sockets with the Reg

And agrees with us, not surprisingly


Blackhat: In the course of covering the Blackhat and Defcon conferences here in sunny Vegas, I had occasion to sit down with MS Security Program Manager Scott Culp, who, I'd heard, has become a fan of our Steve Gibson raw sockets coverage. It's not every day that The Reg and Microsoft can discuss a topic on which we agree in large part, so no doubt you'll enjoy the following as a light refreshment:


Culp: [Gibson's] argument has been that the inclusion of raw sockets is both necessary and sufficient for distributed denial of service attacks; and there are actually two parts to the answer. The first one is, 'are DDoS attacks going to happen?' Yes. They will happen; and they will happen on Windows XP. That's not an argument; you're going to see them. What we're saying is, you're going to see them regardless -- raw sockets are utterly irrelevant to the question of DDoS attacks on Windows XP, because if someone can compromise a machine....they'll have every ability they want. Control of the machine is the hurdle; the availability of raw sockets is not the hurdle. Once you've got control of the machine, if you don't have the raw [socket functionality] there you can add it.

Greene: And you can packet targets desperately into submission without spoofing. But his point of course is that with the spoofing potential now, it will become even worse and more uncontrollable. You've got a compromised machine, and once you've compromised it the raw socket functionality becomes an enhancement.

Culp: It may be a convenience, but it can't be too much of a convenience, because Gibson himself was attacked by people who had to install WinPcap or something like that on the machines.

But the second part is, OK, so if it's not going to cause DDoS attacks, could we remove it without any loss of functionality? And guess what: raw sockets are used for a whole bunch of security functionality in Windows XP. Internet connection firewall is one. IPsec [IP security protocol] is another one. It's used by network diagnostic tools. It's also used by games.

Here's where the argument gets funny. Because the counter-argument is, 'so are you saying if you didn't provide raw sockets that you couldn't do Internet connection firewall?' No, I didn't say that. What I said was, the Internet connection firewall is using the raw sockets that are built in to Windows XP. And the next question is, 'why not just get rid of raw sockets and do the network functions [without low-level IP services]?' And the answer is, 'yeah, we could do that.' But that brings us right back to the same argument again. It's only software. Now we're going to have socket software in all of these different features so we don't have a native OS function that provides the socket features. All the bad guys can do the same thing. We're right back to the same problem.

If we can move it out of the OS, that's sort of your proof that anyone else could have done it as well.

Greene: My other question is -- according to The Register's constant suspicion of all companies with more than fifty people [laughter] -- that there are other things one's imagination could come up with using raw sockets in a consumer OS; it could smack of low-level user authentication, low-level software identification, things like that which could go hand-in-hand with the .NET initiative in a way that a lot of people might find threatening.

Culp: [laughs] No way.... It's just a networking function. All it is is a full implementation of the sockets protocol. And we've been lambasted, rightly, over the years about following the standards and implementing them fully, and if one vendor isn't fully implementing the standards then that [breaks] interoperability.... There's nothing under the covers there as far as metering software use or anything like that.

Greene: But stuff could be metered or turned off, arbitrarily. You know what I mean -- there could be a kind of extortion: 'we want more subscription money; we want to raise the price of something; we want you to upgrade, so we're disabling your software.' This kind of low-level network functionality with the .NET scheme could be perceived as [potentially malicious].

Culp: So the Microsoft Department of Evil has now cooked up some scheme to foist on the public. [laughter] If we required the functionality provided by the raw sockets implementation, and if we didn't provide it in the OS, then we'd just put it into the Evil Software somewhere else. If that were the intent, again, raw sockets isn't the enabling technology. It has nothing to do with raw sockets. Anything you wanted to do through software that required those [evil] networking functions, if the OS didn't provide it immediately, you could provide it through device drivers.

It's a service that it makes sense to provide at the OS level. From a rationality point of view, what's the sense of providing a ninety-percent implementation of commonly-used networking functions? The only thing you do is force people to write the last ten percent themselves or go out and buy a piece of third-party software that implements the last ten percent.

Greene: Because Microsoft is a very large corporation, and it does own a terribly large share of a particular market, people sometimes feel threatened. Sometimes it's envy; sometimes it's just being cynical and looking at past experiences with other enormous corporations with unusually large shares of certain markets and how they've behaved, but you may find that people are afraid, not that Gibson is right, but that this networking protocol dovetails into .NET, into software hosting, and into product activation where some information can be gathered and used.

We've said what isn't up -- with Gibson -- so let me ask what's really up with raw sockets? Why are you behind this?

Culp: And the real reason is, there's just no sense providing a ninety-percent implementation of the networking functions. No more than it makes sense to provide a ninety-percent implementation of TCP/IP. I mean, we could do that. You've got a TCP stack that gives you ninety percent of what you need, and you've got to come up with the last ten percent or buy a third party product, and people would say, 'what, are you nuts? Give me the last ten percent for crying out loud.'

Greene: I think there will be good third-party applications now that developers can write with the full socket implementation in mind. I look forward to seeing some of them. I also look forward to seeing what the malicious scripters will come up with.

Culp: Well they're another third party that's going to use it [laughter]. But the way to deny that section of the development community is not to pull ten percent of the networking out; it's 'don't let them run bad code on your machine in the first place.'

And there you have it, for now. In the next day or two I'll be sitting down with a few of my favorite whitehat hackers and network cognoscenti here to kick around a few ideas about how XP raw sockets might be deployed to the consumer's disadvantage, both by Microsoft and other corporate software vendors, and as well by the blackhat community, so stay tuned. ®
