
if all internet facing apps are converted to managed code, would "exploits" go away?


code_grey
06-06-2010, 12:25 PM
the question is inspired by this http://www.computerworld.com/s/article/9177705/Update_Attackers_exploit_critical_bug_in_Adobe_s_Flash_Reader?taxonomyId=85

Well, obviously managed code or interpreted scripts or similar are slower than compiled executable. But, sometimes speed is not an issue (all the more so given today's fast hardware) whereas security is valuable. So, could we let's say have a managed code browser and managed code viewers for all common web file formats (including SWF, PDF, PNG etc), so that while sacrificing cpu cycles the hacking threat were reduced? Would such an approach work?

bashere
06-06-2010, 12:30 PM
the question is inspired by this http://www.computerworld.com/s/article/9177705/Update_Attackers_exploit_critical_bug_in_Adobe_s_Flash_Reader?taxonomyId=85

Well, obviously managed code or interpreted scripts or similar are slower than compiled executable. But, sometimes speed is not an issue (all the more so given today's fast hardware) whereas security is valuable. So, could we let's say have a managed code browser and managed code viewers for all common web file formats (including SWF, PDF, PNG etc), so that while sacrificing cpu cycles the hacking threat were reduced? Would such an approach work?

Probably not, but I'm not sure what you mean by managed code in this context. I can think of a few types of so described, so I'm a bit baffled.

friedo
06-06-2010, 12:46 PM
What is "managed code?"

Squink
06-06-2010, 01:22 PM
What is "managed code?"

Managed code is a differentiation coined by Microsoft (http://en.wikipedia.org/wiki/Managed_code) to identify computer program code that requires and will only execute under the "management" of a Common Language Runtime virtual machine (resulting in Bytecode).
Oh boy, UCSD Pascal for everything!!!

TimeWinder
06-06-2010, 01:49 PM
No. Managed code (Microsoft's term for what everybody else would probably call "code that runs in a VM rather than being natively compiled to machine code") makes a lot of things easier for the programmer, and eliminates the necessity to manually manage memory allocations (hence "managed"). Because of that, certain classes of exploit (buffer overruns in particular) are largely eliminated, so managed code is, on average, probably less exploitable than unmanaged code.

But I could still write a fully managed application that, say, had a button that would point your web browser to an "evil" web site. Managed applications in a browser (like Microsoft's Silverlight, Java, or Javascript) are hardened against such things (and even there, folks can always find a way to be a jerk), but your basic desktop C# application is perfectly capable of deleting files, writing malicious launchers, changing your desktop wallpaper to goatse, putting up a screen that "pretends" to be your browser, putting up fake login dialogs and stealing the password, etc. etc. The vast majority of malicious software can be written in either managed or unmanaged code.

This shouldn't actually come as much of a surprise if you think about it: there's almost always a useful and legitimate reason for the code functionality that's exploited for an illegitimate reason: If you got rid of everything that could be exploited in a language (managed or otherwise), there'd be nothing left: you certainly couldn't let them put arbitrary images onscreen (that could be a fake dialog box), navigate to a web site (that could be an attack site), enter any sensitive data (there could be a keylogger running), write to a file (they could be altering a config file, or trying to DOS you by filling up your hard drive), print (could be a fake invoice!), or much of anything else.

code_grey
06-06-2010, 03:09 PM
TimeWinder,

I don't see how what you talk about is relevant. Obviously if a managed app is written by malicious people, it can cause damage. But the exploit problem is one where an app written by non-malicious people in good faith is subverted by specially crafted input transmitted over network.

Well, so can a Java, C#, Javascript or other "managed" app be subverted via maliciously crafted input?

TimeWinder
06-06-2010, 05:04 PM
Well, so can a Java, C#, Javascript or other "managed" app be subverted via maliciously crafted input?

That's a pretty narrow definition of "exploit," just to be clear. And yes, managed code pretty much eliminates simple buffer overflow attacks (assuming no bugs in the VM or managed environment, not necessarily a safe assumption).

But there are other types of exploit and attack, and even managed environments are eventually executing unmanaged code at some level. Consider for example the JPEG exploit from a few years back: you could send a maliciously-crafted JPEG file to certain Windows systems, and even though the JPEG file itself didn't overflow any buffers, and was handled by managed code, it eventually called into the native system library to display JPEG files -- and voila, you were compromised by a buffer overflow within the definition of the JPEG itself. Add a format like PDF with certain executable properties, or even worse, a web site that takes externally provided HTML source (say, for translation, error checking, display in a frame, or whatever. Now consider that that incoming HTML source has a download link in it), and you've still got the opportunity for lots of exploits, especially if you consider user-assisted ("but I always click OK!") social engineering issues exploits. (Look at any unmoderated blog, and you'll see dozens of links to malware sites, being happily hosted by managed code). Office Macro viruses are another example: it doesn't matter whether the infected document is carried by managed or unmanaged code: its eventual execution is what does the infecting.

And finally there's the granddaddy of malware: the worm -- code that actually seeks out other programs across the net and downloads copies of itself to them in the hopes that they'll get executed, or just to deny service by using all the resources. Managed code has no inherent advantage over native code in defending against this sort of attack.

bashere
06-06-2010, 06:11 PM
TimeWinder,

I don't see how what you talk about is relevant. Obviously if a managed app is written by malicious people, it can cause damage. But the exploit problem is one where an app written by non-malicious people in good faith is subverted by specially crafted input transmitted over network.

Well, so can a Java, C#, Javascript or other "managed" app be subverted via maliciously crafted input?

Yes. SQL inject, web site redirections, any bugs in the VM etc. There is nothing inherent to managed code that necessarily makes it safe (although for the reasons that TimeWinder said, it may be less likely).

Actually, now that I think about it, on my last project (entirely in C#/Javascript/HTML) there were occasional exploits by way of malicious input.


Well, obviously managed code or interpreted scripts or similar are slower than compiled executable.


It is not obvious that managed code is not slower than a compiled executable.
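
The SQL injection case mentioned in the post above, as an added example that is not from the thread: Python with the standard `sqlite3` module stands in for the C#/Java runtimes discussed, and the table, account data and function names are constructed for illustration. No memory is corrupted here; the crafted input changes what the query means, and the parameterized form is what prevents that.

```python
import sqlite3

# Constructed crafted input: the quote characters end the string literal early.
CRAFTED = "' OR '1'='1"


def make_db():
    # Constructed sample data in an in-memory database.
    # Passwords are stored in plaintext only to keep the demo short.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "correct-horse"), ("bob", "hunter2")])
    return db


def login_vulnerable(db, name, password):
    # Input is pasted into the SQL text, so quotes inside it become SQL syntax.
    query = ("SELECT name FROM users WHERE name = '%s' AND password = '%s'"
             % (name, password))
    row = db.execute(query).fetchone()
    return row[0] if row else None


def login_parameterized(db, name, password):
    # Placeholders keep the input as data; it is never parsed as SQL.
    row = db.execute(
        "SELECT name FROM users WHERE name = ? AND password = ?",
        (name, password)).fetchone()
    return row[0] if row else None


def demo():
    db = make_db()
    return {
        # Wrong password, yet the WHERE clause is now always true.
        "vulnerable": login_vulnerable(db, "alice", CRAFTED),
        # Same input is compared literally against the stored password.
        "parameterized": login_parameterized(db, "alice", CRAFTED),
        # A genuine login still works with the hardened query.
        "legitimate": login_parameterized(db, "alice", "correct-horse"),
    }


if __name__ == "__main__":
    print(demo())
```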