February 15, 2002 1:00 PM PST
Microsoft "flawed" code debate heats up
The crux of the debate is now focused on whether the feature--a software switch known as the 'GS flag' that turns on additional security--has sacrificed protection for performance, said Crispin Cowan, chief scientist at WireX Communications--a maker of secure Linux applications--and the co-founder of open-source security site Sardonix.org.
Cowan likened the GS flag to a flak jacket that protects against certain calibers of bullets. "Now, the disagreement is over the size of the bullets that can penetrate the jacket," he said.
In 1998, Cowan and graduate students from the Oregon Graduate Institute published a paper describing just such a software flak jacket, called StackGuard, that has since been utilized by thousands of open-source developers. Many contend that Microsoft largely held to Crispin's design in creating the GS flag.
The debate heated up Friday, a day after Microsoft dismissed as "unfounded and patently false" allegations that applications built with its newly announced software tools are more vulnerable to attack.
Microsoft launched its Visual C++.Net and Visual C++ Version 7 on Wednesday and wasn't pleased when, just a few hours later, software-reliability company Cigital stated that a feature of those programs is "flawed."
"In its current form, the Microsoft feature leads to a false sense of security because it is easily defeated," stated a technical note published by Cigital on the issue. A program built using the GS flag option runs additional instructions that can catch some of a class of security flaws known as buffer overruns.
While the statement implies the existemce of a vulnerability that makes the feature ineffectual, in reality the flag works against some buffer overruns and not against others. Rather than a vulnerability, both companies acknowledge that Cigital has identified a limitation to the design that Microsoft has chosen to implement.
Microsoft argued that, to add more security, too much code would have had to be added to new applications, slowing them down to an unacceptable degree. Yet, with the current design, at least some buffer overflows can be avoided, said Brandon Bray, program manager for Microsoft's Visual C++ compiler team.
"We maintain the opinion that fixing source code to eliminate buffer overruns is the best and only solid approach to securing software," Bray wrote in a statement. "However...buffer overruns are not always simple to find. Thus, anyone truly interested in writing secure code would not hesitate to use the (GS flag) for their builds."
Microsoft maintains that any additional security that can be added to a program is a good thing. Cigital, on the other hand, argues that Microsoft has only given a slight nod to security with its implementation of the GS flag.
"I stand by my claim that that security mechanism is incorrectly designed," said Gary McGraw, chief technology officer for the Dulles, Va.-based firm. "Microsoft's claims about what the GS flag could protect are overstated."
The two sides seem unlikely to relent, but many security experts agree with Microsoft that some security is better than none.
"At least they are putting run-time checking for buffer overruns, which you don't find in other (Windows) compilers," said Chris Wysopal, director of research and development for digital security firm @Stake. "They are trying to do the right thing but are limited by the technology, so you can't blame them for not catching everything."