Defense in depth means that you protect against exploits that don’t exist yet


Defense in depth is about protecting against threats that are already being protected against, just in case the existing protection fails. This is why there is not merely a lock on your safety deposit box, but also a lock on the door to the safety deposit box room, and then a lock on the doors of the bank itself. This is why you wear your seat belt even though the car is equipped with air bags. This is why factories have multiple safety systems. It's why, when you put away a gun, you set the safety and remove the ammunition and lock the gun case.

An insistent anonymous commenter refused to believe in this principle and couldn't distinguish between the absence of a known security vulnerability and the potential for one, believing that security is a boolean value, that you're either secure or you're insecure, and that if two systems are identical except that the second system has an additional safety check, this is proof that the first system must have been insecure.

As I described in the comments to the article, there is the potential for bad things to happen if a COM data object is allowed into the process. Even though the CSRSS process never calls any of the potentially dangerous functions in a dangerous way, the potential for some other flaw to result in dangerous behavior creates enough risk that the trade-off tipped toward removing the potential for problems, even though the potential is currently (and hopefully will always remain) unrealized.

Remember that one of the guidelines of security is that the more valuable the target, the more effort you put into securing it. In this case, CSRSS runs with System security privileges, which is even higher than Administrator. You want to erect a lot of barriers for this puppy.

It's like a hospital that has the rule "No cell phones allowed in hospital rooms because they may interfere with the equipment." The staff instruct you to leave your phone outside, but you insist that your phone does not pose a problem because it's turned off, and besides, it doesn't use the same radio frequency as the monitoring equipment. Tough. Defense in depth. Even if it's turned off, even if it uses a different radio frequency, they won't let it into the room.

The same thing is true with data objects. CSRSS is careful to extract only the information it needs, but that's like walking into a hospital room with a cell phone whose antenna has been switched off. Sure, the antenna is off, but somebody might bump into you and accidentally turn it on, or there may be some software flaw in the phone that causes it to turn on spontaneously. Sure, you might argue that those failures aren't your fault, so you shouldn't be blamed for them, but try telling that to the person whose monitoring equipment failed to notify the hospital staff of an irregular heartbeat.

People who study security vulnerabilities have quite a wide array of tricks available to them once they find even the tiniest crack. Even something as simple as a null pointer fault (in itself just a denial of service and not a source of pwnage) can be combined with other techniques and become a full-fledged exploit.

For example, even though your cell phone antenna is off, its Bluetooth transceiver may still be on, and somebody might be able to hack into your Bluetooth headset and convince it to tell the cell phone, "Hey, I'd like to make a call. Please turn on your antenna." Even though this is a security flaw in the Bluetooth headset, it was used as a stepping stone into hacking your cell phone.

There's also the possibility that you simply forgot that you had set a text message for delayed delivery, causing the phone to turn on its antenna when the delivery time is reached. Oops. You messed up, and now somebody is in intensive care.

As of this writing, there is no known exploit for drag and drop into console windows, but since drag and drop uses highly extensible technology (namely COM and data objects), the possibility that one of those extension points may be used as an attack vector was deemed too great a risk compared to the benefit of the feature. The anonymous commenter concludes,

Now if this is not a security hole, then either Csrss doesn't execute code in OLE objects it receives, or it doesn't accept any OLE objects received, or isn't able to receive OLE objects at all. Which one is it?

CSRSS does not execute untrusted code in OLE objects it receives, but the fact that OLE objects are in the CSRSS process at all gives the security folks the heebie-jeebies. Although there is no known security hole, there is great potential for a security hole, and that's the reason for removing the potentially dangerous code from CSRSS even though it is (in theory) never executed.

I bet you'd be nervous if somebody pointed a loaded gun at you even though the safety is engaged.
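To make the CSRSS point concrete, here is an added Python sketch (not CSRSS or any Windows code; the DataObject class, the component names and the size limit are assumptions for the demo). It shows why "we only call the safe method" is not a complete answer: the object's own code runs inside whichever component calls it, so the defense-in-depth fix is to keep the object out of the privileged component and pass in only plain, validated data.

```python
"""Added illustration, not CSRSS or Windows code. DataObject stands in for a COM
IDataObject: the drop source supplies its methods, so each call runs its code in the caller."""
import contextlib

_component = ["none"]      # demo-only: which component is executing right now
ran_in: list[str] = []     # demo-only: where source-supplied code actually ran

@contextlib.contextmanager
def running_in(name: str):
    prev, _component[0] = _component[0], name
    try:
        yield
    finally:
        _component[0] = prev

class DataObject:
    def __init__(self, text: str):
        self._text = text
    def get_data(self, fmt: str) -> str:
        # Extension point: whatever the source put here runs in the caller.
        ran_in.append(_component[0])
        if fmt != "text":
            raise KeyError(fmt)
        return self._text

def privileged_handler_rich(obj: DataObject) -> str:
    """Carefully extracts only the text; safe today, but the object is in here."""
    with running_in("privileged"):
        return obj.get_data("text")

def shell_extract_text(obj: DataObject) -> str:
    """Same extraction, done on the unprivileged side before anything crosses."""
    with running_in("unprivileged"):
        return obj.get_data("text")

def privileged_handler_plain(text: object) -> str:
    """After the fix: only a plain, bounded str crosses; no extension point left."""
    if type(text) is not str:                  # also rejects str subclasses
        raise TypeError("plain str only")
    if len(text) > 4096 or "\x00" in text:     # assumed limits for the demo
        raise ValueError("rejected drop text")
    return text

def demo() -> tuple[list[str], str]:
    ran_in.clear()
    obj = DataObject("C:\\constructed\\sample.txt")   # constructed sample drop
    privileged_handler_rich(obj)
    plain = privileged_handler_plain(shell_extract_text(obj))
    return list(ran_in), plain
```

`demo()` records that the rich handler ran source-supplied code in the privileged component, while the plain handler never touched the object at all.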

Other discussion of defense in depth, including more examples:

Comments (27)
  1. Wyatt says:

    It’s why, when you put away a gun, you set the safety and remove the ammunition and lock the gun case.

    Who does that?  All my guns are loaded, uncased, with the safeties off.

  2. "No cell phones allowed in hospital rooms because they may interfere with the equipment."

    Some potential threats are all too real. The women I am dating just had open heart surgery. All around the hospital were signs to turn your cell phone off in this area.

    When her brother and his son walked into her room, the heart/blood pressure monitor stopped recording. As soon as they shut their phones off, it started right back up.

    People ignore potential threats until they bite them in the …..

    Billy

  3. Doug says:

    Actually, there is an even more important argument that is missed here.

    You are defending against active attackers who have copies of your system to test their attacks against.  Thus, even if an attack does not exist today, an attack will exist tomorrow if there is any possibility of a hole.  This is the fundamental problem with defence.  It costs way more to defend against all possible attacks than it costs the attacker to find the one opening in the defences and exploit it.

    The only possibly good thing about this is that the defences get better over time through sheer Darwinian evolution, developing defences against all the attacks that have worked in the past.

  4. njkayaker says:

    "When her brother and his son walked into her room, the heart/blood pressure monitor stopped recording. As soon as they shut their phones off, it started right back up."

    I wonder what crappy monitors were being used!!

    Even if your brothers turned theirs off, the area is probably overrun with cell phones being carried by other people (including the staff).

    Given the prevalence of cell phones, I would think (hope) that the devices are engineered to work around cell phones.

    Every time I see the "no cell phone" sign in a hospital, I look for the small print that provides the exception for the staff!

  5. DaveShaw says:

    @Billy The Clown

    "The women I am dating just had open heart surgery"

    Can I ask how many women you are dating at the moment who’ve just had open heart surgery…? :p

  6. Mr. Peabody says:

    Good article, very well explained.

  7. Jim says:

    Yes, indeed. Very nice summary, hopefully we all have the concept of defence in depth for our life!

  8. Stephen Eilert says:

    This is why you wear your seat belt even though the car is equipped with air bags

    This might be nitpicking, but air bags are actually more dangerous to your health if you are not wearing seat belts. They are supposed to be used together: one keeps your body fastened to the car, the other protects your head (which can’t be as conveniently secured).

  9. Larry Hosken says:

    believing that security is a boolean value

    Security is a degenerate Boolean whose value is always False.

  10. Alexandre Grigoriev says:

    Raymond, Stephen Eilert

    If you’re in a crash, and not using a seat belt, here is what happens. First, you are thrown against the steering wheel. Then the airbag propane cylinder ignites and your head is thrown back; your face is burned with hot gases. This assuming that the crash speed was not too high to just throw you out the window.

  11. Nawak says:

    I bet you’d be nervous if somebody pointed a loaded gun at you even though the safety is engaged.

    I’d be nervous if somebody even pointed an unloaded gun at me!

  12. Slightly off-topic:

    Many gun’s safeties cannot be engaged UNLESS they’re loaded (a standard 1911 comes to mind). Many guns have no manual safety (Glock, Kahr). Most gun cases (the ones the gun comes in from the factory) do not have locks. It would have been better if you just presented the four rules of safe gun-handling for a gun-related analogy:

    1. Handle every gun as if it’s loaded.
    2. Never point a gun at anything you don’t want to destroy.
    3. Know your target and what’s beyond it.
    4. Keep your finger out of the trigger guard until you’ve made the conscious decision to fire.

    To make a mistake that leads to injury, you must break at least two of those rules and they are a perfect example of layered security (safety).

  13. Aaargh! says:

    Defense in depth is about protecting against threats that are already being protected against, just in case the existing protection fails

    Sure, extra layers of defense are a good thing, but there’s also such a thing as too much protection. Adding extra protection also adds extra complexity and thus an associated extra risk for security problems. There is a point at which adding extra protection actually decreases security.

  14. Cooney says:

    Every time I see the "no cell phone" sign in a hospital, I look for the small print that provides the exception for the staff!

    It’s easier to vet staff for having cellphones that don’t zorch the monitoring equipment than it is with any random person that can wander into a hospital.

  15. someone else says:

    “Who does that?  All my guns are loaded, uncased, with the safeties off.”

    Your son isn’t … I’m sorry, wasn’t named Tim Kretschmer by any chance?

  16. Tom says:

    Re: cell phones interfering with medical equipment.  Many hospitals are still using pagers, which, thanks to 50+ years of compatibility testing, do not cause problems with medical equipment.

    This fits in with the "Old New Thing" concept of this blog.

  17. Cooney says:

    Your son isn’t … I’m sorry, wasn’t named Tim Kretschmer by any chance?

    Only about 100 kids shoot themselves accidentally in a given year (most of the others are suicides or gangbangers if you’re interested). Honestly, a loaded, uncased gun is perfectly okay, so long as it’s sitting in a safe somewhere. Dunno if the guy you responded to does that or not.

  18. Worf says:

    "I wonder what crappy monitors were being used!!"

    Monitors are looking at very small signals – small enough that noise is a severe issue. Also, those small signals have to travel through some long wires.

    Also, if you’re deep within the bowels of a hospital with lots of shielding, your phone is probably transmitting close to maximum power.

    And adding shielding is an option, if you don’t mind paying an extra 10 grand or more because it has to go through certification. If you change the electronics, you have to prove that there are acceptable workarounds for failure. E.g., if you have an alarm, there had better be a way to check that the alarm went off – if it means adding a microphone and having the monitor listen, so be it. And yes, that was an option to verify the alarm worked.

  19. Drak says:

    So no cellphones, but I can walk in with a battery attached by wire to a pencil and tap that pencil to the other end of the battery.

    This security is not deep enough. No cellphones should read: no transmitters.

  20. Gabe says:

    Most hospitals use pagers, and many are starting to use VOIP phones over WiFi, but in reality cellphones (Blackberries) are just too useful to get rid of.

    It’s actually quite rare for cellphones to interfere with important equipment, and it’s impossible for everybody to turn theirs off (a patient brought in unconscious will not turn off the one in her purse) but the policy is there because it’s better to be safe than sorry. Odds are that a patient or visitor leaving their cellphone on will not prevent as many deaths as the interference will cause.

    Keep in mind that sometimes interference will be caused from just being on, sometimes it will be from ringing (call initiation), and sometimes from being on a call.

  21. Joseph Koss says:

    Re: Guns

    For some owners, ready-to-go guns *ARE* security.

    Definitely a bad example of a good concept.

  22. Alexander Grigoriev says:

    The problem with cellphones in a hospital is that GSM phones emit strong short pulses, as opposed to CDMA phones, which use spread spectrum and frequency hopping.

    Many people heard a result of GSM interference on their analog equipment. Often, certain VOIP phones start buzzing, immediately before someone nearby gets a call on a GSM phone.

  23. joel8360 says:

    @Larry Hosken:

    You’ve been added to my quote file.

  24. Igor Levicki says:

    "Security is a degenerate Boolean whose value is always False."

    LOL, I was expecting to read "Maybe" at the end of the sentence. Great quote.

  25. Shaun Paine says:

    In this one true thing,

    In any system that is inherently secure enough to be free from the effects of external attack; there will be a proportionate loss of utility and ease of use for any that desire to access them.

    In any human engineered security system, another human being will eventually be capable of reverse engineering and thus overcoming its security…

    Or perhaps I’m just NUTS ;-)

  26. DK says:

    If it is possible to overcome the security system by reverse engineering then it is not a good security system. Any security that is based on the secrecy of the algorithm is not much better than no security at all.

  27. anonymous says:

    Raymond:

    You should have known that using an example that involved guns would be a bad idea from a future comments perspective. ;)
