.NET replays the ActiveX fiasco

Post #18,439 by neelk 11/15/01 2:37:12 PM Reply	.NET replays the ActiveX fiasco You can find a description of .NET's security model here: [link\|http://msdn.microsoft.com/vstudio/nextgen/technology/frameworksec.asp\|http://msdn.microso...eworksec.asp] If I understand it correctly, the security model in .NET is based on authentication: every component comes with a digital signature, and a description of which privileges it need. You choose whether or not to permit that component to do its stuff based on your trust in the author. If you authorize the program, then the runtime will make sure that it doesn't violate the component's promised privilege usage (through a combination of static and runtime checks). Unfortunately, the evidence of the past 15 years suggests that this model is fatally flawed: systems based primarily on authentication just doesn't work in practice. It's too hard for users to decide who they should trust, and how much trust they should give over, so they default to trusting promiscuously in order to get useful work done. MS tried using authentication in ActiveX, and got killed. This time, they are pasting verification onto the side of an authentication based model, and IMO they are going to get killed again, only slightly more slowly. The verification is largely useless because they have a mechanism -- unverified assemblies -- that use authentication to bypass the whole verification scheme.
Post #18,441 by inthane-chan 11/15/01 2:48:31 PM Reply	Side note. Somebody is going to get killed because their architecture barely runs on computers with 512mb of memory. I think you can figure out who I'm talking about. "He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you." - Friedrich Nietzsche
Post #18,443 by admin 11/15/01 3:10:53 PM Reply	Muah. Who else loves it when Thane posts a "side note" to a discussion about "them"...? ;-) Regards, -scott anderson
Post #18,455 by CRConrad 11/15/01 4:57:41 PM Reply	Moi, for one.
Post #18,507 by static 11/15/01 11:56:24 PM Reply	Is most amusing. "All around me are nothing but fakes Come with me on the biggest fake of all!"
Post #18,538 by neelk 11/16/01 9:54:41 AM Reply	I don't get it... Maybe I'm missing something, but I don't see how .NET could need 512 megs of RAM. The worst-case I can think of is if you move to IA64 (doubling memory usage because of the doubling of pointer size), and then the garbage collector is tuned shamefully badly (again doubling memory usage). Together that would take a system needing 128 MB to 512 MB. But I don't think that IA32 is going to die for a few more years yet, and I'd expect a great deal of interest in tuning gc performance since memory locality is so critical to decent software performance. What am I missing?
Post #18,547 by inthane-chan 11/16/01 11:33:48 AM Reply	I don't get it either. I'm just reporting what I'm hearing here. I honestly am not doing much work with the subject. The words "managed code" keep getting bandied about when asked why. "He who fights with monsters might take care lest he thereby become a monster. And if you gaze for long into an abyss, the abyss gazes also into you." - Friedrich Nietzsche
Post #18,552 by ChrisR 11/16/01 12:26:49 PM Reply	Kitchen sink... As with all things MS, they like to bundle everything together. The .net VM probably doesn't require much memory, but when you pile on all the libraries, utilities, features, etc... you probably end up with .net having everything from a browser, a media player, photographic development, etc... I'm sure they're ready to go on record as saying that all these peripheral features are a core part of .net and can not be removed.
Post #18,611 by static 11/16/01 11:42:41 PM Reply	I bet it's issues with the Virtual Machine. I suspect there are two distinct issues. The first is that when you have a language designed to target a virtual machine, which is what C# is, then efforts to compile it all the way to assembly can result in bloated code. If the compiler doesn't get a lot of use by the great unwashed, then the compilation step probably needs optimizing anyway. Icon suffers from both halves of this problem. The second issue is that Microsoft's C compilers don't produce wonderfully compact assembly. Now, my observations are from several years ago, remember, but the amount of compiler cruft at the start and end of a procedure in assembly was quite amazing. And it was worse because it was in Windows. Coupled with the fact that Microsoft applications seem to be Very Large for their function, well, now we have a situation. Wade. "All around me are nothing but fakes Come with me on the biggest fake of all!"
Post #18,822 by Squidley 11/19/01 2:40:09 PM Reply	Re: .NET replays the ActiveX fiasco Unfortunately, the evidence of the past 15 years suggests that this model is fatally flawed: systems based primarily on authentication just doesn't work in practice. It's too hard for users to decide who they should trust, and how much trust they should give over, so they default to trusting promiscuously in order to get useful work done. Well, what would you have them do - trust nobody and get no useful work done? Wasn't that the original Java applet model? Wasn't it eventually extended to support authentication via trusted applets? Any idea why? MS tried using authentication in ActiveX, and got killed. I'm surprised to learn that ActiveX is such an unsuccessful technology. After all, right here on my machine are RealPlayer, Acrobat Reader, Flash, Shockwave, and several other popular ActiveX components, and those are just the ones I downloaded. The total list of ActiveX components on this system easily numbers in the hundreds, and includes such abysmal failures as Media Player and Internet Explorer.
Post #18,829 by ChrisR 11/19/01 3:00:55 PM Reply	Interesting list Well, what would you have them do - trust nobody and get no useful work done? Wasn't that the original Java applet model? Wasn't it eventually extended to support authentication via trusted applets? Any idea why? The JVM security model is based on a sandbox, where the granularity of the authentication could be controlled. I can trust an Applet for things such as printers, but block it from disk access. Active-X, OTOH, is an all or nothing proposition: Either you block it, or you give it access to everything - no choice in between. I suppose one can make the case that Java failed based on performance and features. But one can also make the case that ActiveX failed because of it's flawed security model. I'm surprised to learn that ActiveX is such an unsuccessful technology. After all, right here on my machine are RealPlayer, Acrobat Reader, Flash, Shockwave, and several other popular ActiveX components, and those are just the ones I downloaded. The total list of ActiveX components on this system easily numbers in the hundreds, and includes such abysmal failures as Media Player and Internet Explorer. I'm shocked! Last I heard, Microsoft was promoting IE as a core part of the Operating System, not as some downloadable Active-X component. In most cases you cite, these programs are not really confined to the Active-X framework (with the possible exception of shockwave). Yes some of them are participants in Active-X, but almost everyone of them are really just executable programs that you downloaded or installed just like any other native program. Don't believe me? Then go check the installation directories for these programs - likely scattered in the Progra~1 and system32 directory. Now tell me how many of these programs are confined to the "Windows\\Downloaded Program Files". I see Shockwave and you'll probably see a few others. Of the list you cite, how many are confined to this directory - and hence qualify as Active-X success stories?
Post #18,833 by CRConrad 11/19/01 3:26:01 PM Reply	Oh, so it was YOU! Of the list you cite, how many are confined to this directory - and hence qualify as Active-X success stories? Murdarah!!! Christian R. Conrad The Man Who Knows Fucking Everything
Post #18,842 by ChrisR 11/19/01 4:04:06 PM Reply	rephrasing? So, I guess I should rephrase it. How about teen speak - Of the list you cite, how many are confined to this directory - and you know qualify as Active-X success stories? or would you prefer a great white north spin - Of the list you cite, how many are confined to this directory - and eh qualify as Active-X success stories? Ok, so I'd need a bunch more 'you know's and 'eh's to make it realistic. How about a substitution of: thus; therefore; so; ergo; consequently; subsequently; correspondingly; accordingly? Any of those work and hence get me off the hook? :-)
Post #18,952 by CRConrad 11/20/01 12:04:39 PM Reply	I take it you do know what I'm referring to Da Crittah: How about a substitution of: thus; therefore; so; ergo; consequently; subsequently; correspondingly; accordingly? Any of those work and hence get me off the hook? :-) Well, yeah, they would have... Except, of course, you leapt back on it! :-) Anyway, I assume you got the reference: It was to the Boulder (Wasn't it?), CO, Police Dept -- who claimed that someone's (her parents, IIRC?) use of that phrase "proved" that they were the ones who (abducted and later?) murdered that kid, Jon Benet Something (Ramsey?). (Having, in the interim, sent a ransom demand or something, containing the "unique" -- yeah, right! -- phrase "and hence".) You may have seen me, too, use it, only the other day -- I guess that I kind of reminded myself of it, then, and hence pounced on it now... Anyway, that's the most moronic piece of police "evidence" I've ever heard of. Still pisses me off, apparently. Christian R. Conrad The Man Who Knows Fucking Everything
Post #18,872 by Squidley 11/19/01 7:17:48 PM Reply	Re: Interesting list The JVM security model is based on a sandbox, where the granularity of the authentication could be controlled. I can trust an Applet for things such as printers, but block it from disk access. The person to whom I replied criticized the ActiveX component signing model for being too much of a hassle for the average user. If you agree, do you not also agree that setting up trusted applet policies is even more of a hassle? Active-X, OTOH, is an all or nothing proposition: Either you block it, or you give it access to everything - no choice in between. Not quite. ActiveX components run with the browser's account permissions. You can always run the browser under a restricted account, thereby letting the OS set up the sandbox. In fact, account permissions are typically much more configurable than applet policies. I suppose one can make the case that Java failed based on performance and features. But one can also make the case that ActiveX failed because of it's flawed security model. I disagree completely. ActiveX is a code packaging and delivery technology. Its only responsibility in terms of security is to provide secure transit, which is exactly what it does with component signing. Java-style sandboxing is brain-damaged because (a) the OS already provides permission-based security, and (b) the whole point is to take advantage of client resources. No wonder Sun eventually provided ways to poke holes in the sandbox. In most cases you cite, these programs are not really confined to the Active-X framework (with the possible exception of shockwave). Yes some of them are participants in Active-X, but almost everyone of them are really just executable programs that you downloaded or installed just like any other native program. Hardly. All of the things I mentioned run embedded within the browser or any other application supporting COM/OLE containment. "Regular" executable programs don't do that. Don't believe me? Then go check the installation directories for these programs - likely scattered in the Progra~1 and system32 directory. Now tell me how many of these programs are confined to the "Windows\\Downloaded Program Files". I see Shockwave and you'll probably see a few others. Of the list you cite, how many are confined to this directory - and hence qualify as Active-X success stories? I reject the notion that ActiveX components must be installed in any particular place to qualify. That's not what makes them ActiveX components - it's the ability to run embedded within ActiveX containers.
Post #18,884 by ben_tilly 11/19/01 8:54:10 PM Reply	Viruses and verified security holes The long list of viruses that can transport themselves using ActiveX, and the long list of security holes that ActiveX is known to leave people open to is reason enough to not write home about its security model. Corresponding lists for Java are much, much smaller. Yet Java is more widely deployed in browsers than ActiveX! That alone stands as darned good evidence that ActiveX is substantially worse than Java. Create all of the theories you want for why ActiveX is not as bad as it looks, concrete evidence strongly suggests that ActiveX is unhealthy for your computer. Cheers, Ben
Post #18,940 by Squidley 11/20/01 10:28:39 AM Reply	Re: Viruses and verified security holes The long list of viruses that can transport themselves using ActiveX, and the long list of security holes that ActiveX is known to leave people open to is reason enough to not write home about its security model. I'd like to see that "long list". I bet you'll find that very few viruses - if any at all - take advantage of any flaw related to ActiveX. All the recent big ones are simply Trojan-horse executables delivered via e-mail, exploiting nothing more than the ease with which popular e-mail clients allow users to launch attachments. Corresponding lists for Java are much, much smaller. Yet Java is more widely deployed in browsers than ActiveX! I doubt it, since Microsoft's JVM is an ActiveX component, as is the browser itself. If you use IE, you use dozens of ActiveX components even if you browse nothing but plain text. That alone stands as darned good evidence that ActiveX is substantially worse than Java. Sun took the time and effort to create trusted applets. That stands as darned good evidence that Java's original sandbox model was deeply flawed. [...] concrete evidence strongly suggests that ActiveX is unhealthy for your computer. It may suggest that, but only to people who don't understand the technology. ActiveX is basically two things: native code delivery and embedded execution. In terms of native code delivery, blaming ActiveX for viruses is like blaming the postal service for letters carrying bombs or anthrax. Every argument you can make against ActiveX's native code delivery applies equally well to FTP and HTTP downloads. In fact, signing makes ActiveX safer than the alternatives. As for embedded execution, there's obviously a need; otherwise, Netscape plug-ins would never have been developed. And if you accept that there's a need, you must also accept that ActiveX components are in every way superior to plug-ins - they support component signing, they are way easier to use, and they can be used by other applications.
Post #19,117 by Arkadiy 11/21/01 11:38:25 AM Reply	ActiveX is actually one thing... ..based on another. ActiveX is code delivery technology based on OLE2. Remember? Object Linking and Embedding. IE is not delivered across the net. That makes IE an OLE control, not an ActiveX control. Most of the stuff you have on your computer is OLE controls, installed by various setup routines. Some things (Sun's Java VM is an example) arrive as a result of browser parsing <OBJECT> tags. Those are true ActiveX controls. Microsoft managed to successfuly leverage OLE's success into an apearance of ActiveX success. But I think it's just an appearance.
Post #18,858 by neelk 11/19/01 6:09:49 PM Reply	Re: .NET replays the ActiveX fiasco You wrote: > Well, what would you have them do - trust nobody and get no useful work > done? I'd prefer a security model based on revokable capabilities, enforced via proof-carrying code. Some of this is rocket science, but Microsoft Research employs a substantial fraction of the world's population of type-theorists so it should definitely be within MS's ability to implement. Furthermore, the programmer UI doesn't require any rocket science: all the math lives in the compiler and the program loader. > Wasn't that the original Java applet model? Wasn't it eventually > extended to support authentication via trusted applets? Any idea why? No, Java had a sandbox which can control how much access even a trusted program can get. .NET basically copies this, except that it adds a mechanism -- "unverified assemblies" -- which permit programmers to sidestep the security mechanism. This is a [i]tremendously[/i] bad idea. You want to minimize the amount of trusted code in the system and the runtime, because making sure it works is really hard. Java had a pretty simple security system, and people have been fixing holes in it for years. The lesson is clear -- /minimize the trusted codebase/. (Dan Wang at Princeton has even invented a PCC mechanism that lets you take the garbage collector out of the trusted base. Tres cool.) > I'm surprised to learn that ActiveX is such an unsuccessful technology. > After all, right here on my machine are RealPlayer, Acrobat Reader, Flash, > Shockwave, and several other popular ActiveX components, and those are just > the ones I downloaded. The total list of ActiveX components on this system > easily numbers in the hundreds, and includes such abysmal failures as Media > Player and Internet Explorer. This is why the ActiveX security system is a failure, actually. ActiveX is an all-or-nothing security scheme, which means that a single buffer overflow in a single trusted app compromises the entire system. The more code you have to trust the more likely you have a compromise which renders your security useless. It's just simple statistics. The existence of unverified assemblies, which permits programmers to easily add to the trusted codebase, means that it becomes impossible to verify that the .NET runtime can actually enforce the security guarantees it promises. And given their past behavior we can be sure that MS will use a lot of unverified assemblies in IE and Office and whatever app-of-the-week is at the head of their strategy. If I sound cynical it's because I am. :)
Post #18,912 by pwhysall 11/20/01 2:13:02 AM Reply	EzBug hangover? [i]tremendously[/i] We use real HTML here, Neel :-) Peter Shill For Hire [link\|http://www.kuro5hin.org\|There is no K5 Cabal]
Post #18,934 by neelk 11/20/01 9:46:41 AM Reply	Finger habits are hard to break. :)
Post #18,929 by neelk 11/20/01 9:03:04 AM Reply	typo fix I wrote: > I'd prefer a security model based on revokable capabilities, > enforced via proof-carrying code. This should read: > I'd prefer a security model based on explicitly granted capabilities, > enforced via proof-carrying code. Anyway, here's how this can work. Let's suppose that usability testing reveals that there are certain kinds of privilege grants that users can easily understand -- eg, something like "The program can only read and write files in the c:\\apps\\foobar directory", or "The program can only open network sockets to the foobar.com domain", and so on. When a user installs a program they check off which privileges they want to give it and then somehow the system makes sure that the program can't use resources it's not privileged to. So the way we can do this, is to turn each privilege into an object: eg, to open a file the program must call a method on an object that the runtime hands it. You can do a formal verification that the capability object does what it says -- the object code would come with a proof, generated by the compiler, that the loader would check. Then a type- and memory-safety proof for the program code (again, verified with a safety proof emitted as part of the compilation process) would ensure that it couldn't access any ungranted resources. This is a much better model than unverified assemblies, because it lets you extend the set of grantable capabilities without having to add any untrusted code to the system. The only code you have to trust is the proof verifier, which is small. Even the compiler doesn't have to be trusted, because if it emits buggy or false proofs the verifier will fail to accept the object code. Even better, you get the full performance of compiled machine code, with no need for a sandbox, since the proof is checked at load time, not runtime. Here's a general overview: [link\|http://www-106.ibm.com/developerworks/library/untrusted-code/\|[link\|http://www-106.ibm.com/developerworks/library/untrusted-code/\|http://www-106.ibm....rusted-code/]] And some links to research projects: [link\|http://www.cs.berkeley.edu/~necula/pcc.html\|[link\|http://www.cs.berkeley.edu/~necula/pcc.html\|http://www.cs.berke...ula/pcc.html]] [link\|http://www-2.cs.cmu.edu/~fox/pcc.html\|[link\|http://www-2.cs.cmu.edu/~fox/pcc.html\|http://www-2.cs.cmu.edu/~fox/pcc.html]] [link\|http://www.cs.princeton.edu/sip/projects/pcc/\|[link\|http://www.cs.princeton.edu/sip/projects/pcc/\|http://www.cs.princ...rojects/pcc/]]
Post #18,913 by pwhysall 11/20/01 2:14:46 AM Reply	Re: .NET replays the ActiveX fiasco I'm surprised to learn that ActiveX is such an unsuccessful technology. After all, right here on my machine are RealPlayer, Acrobat Reader, Flash, Shockwave, and several other popular ActiveX components, and those are just the ones I downloaded. I believe (although I'm not sure) that those you mention are simply Netscape plugins wrappered in ActiveX controls. I could be wrong of course. But when I installed IE6 (which doesn't do Netscape-style plugins at all, only ActiveX ones) a load of stuff stopped working. Peter Shill For Hire [link\|http://www.kuro5hin.org\|There is no K5 Cabal]

Welcome to IWETHEY!