[Dailydave] DBs and Patents and Obama and Crypto

Dave Aitel dave at immunityinc.com
Fri Oct 23 12:18:51 EDT 2015


I wanted to talk about patents in our industry, but I can't because
everyone is all like "Software patents are evil" _until they get one_
and it gives me the sads.

So instead I'm going to talk about this company I saw yesterday, which
is basically this simple diagram:

Web App
[span port of your mid-tier] -----> [Parser for TDS] ---> [Machine learning to find SQLi]

The good things about being on the network stack is that you can get
access to clusters. The bad thing is that every minor change of the TDS
stack or SQL syntax or anything of that nature means your system starts
failing. And you have to auto-detect all possible variation in the
network traffic because you're modeling what happens in an immensely
complex piece of software on one side that you don't have access to.

To avoid all possible ambiguity: This is an impossible problem to get
right, even if you limit it to "parse one version of TDS exactly the
same as SQL Server 2010 at a known patch level".

The other option is to install debugger-like instrumenters on every DB
server. In fact, a script to do this came out with an early version of
Immunity Debugger, which integrated with SPIKE Proxy so you could scan
for SQL Injection and use the feedback loop to guide your scanner around
filters and false positives. The downside is of course having to install
things on every DB server. In theory MS would release an API that allows
a logical "span port" that gave you every SQL request, and I bet there IS
one somewhere in the auditing section.

Aside from the horribleness of every possible solution in that area,
which probably STILL works better than a few other things, I wanted to
point out a KEY sentence you might have missed in the Crypto-War
guidelines
<https://assets.documentcloud.org/documents/2426450/read-the-nsc-draft-options-paper-on-strategic.pdf>
the administration pointed out. It was this: Without voluntary
<https://lists.immunityinc.com/pipermail/dailydave/2015-September/001016.html>
and enthusiastic help from Apple and Google, really bad things we won't
specify will happen, even if we force it all to be in cleartext. That
"parse all variations of TDS" problem that we just looked at is the same
as the SIGINT problem faced by the FBI/NSA/etc. Even WITH THE KEYS, the
problem is completely intractable if Google and Apple and Microsoft want
to make it so.

I can hear Google's lawyers now: "Oh, we delivered you our latest
protocol spec sheet, every two weeks as promised. Of course, our spec
changes every two weeks right after we deliver it, and you are always
out of date, and even if you WERE in date, only our software knows which
version anyone is at at any given time, and parsing it incorrectly means
you are wildly wrong, and if you can't provide a provably correct
parser, no court will accept your analysis, etc. Hey, did we mention
that every block is not encrypted, but of course it is XORed with this
value which we calculate with the most crazy slow algorithm we could
find, one million times. That's just this week though. Next week we are
reversing every block, but we aren't going to update the version number
on the wire."

Just food for thought! ;)
-dave
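An added illustration of the "parse one version of TDS exactly" problem described above; this is example code written for this page, not anything from the post, from Immunity, or from the company being described. It builds constructed single-packet SQL_BATCH messages the way a TDS 7.1 client and a TDS 7.2+ client would each send them (per MS-TDS, 7.2 and later prepend an ALL_HEADERS block before the UTF-16LE query text; earlier versions send the text directly) and then runs a passive-tap style parser that has to *assume* which version was negotiated. The query string, the packets and the `drift_demo` helper are all constructed here for the demonstration.

```python
import struct

# TDS packet header (8 bytes): Type, Status, Length, SPID, PacketID, Window.
# Length and SPID are big-endian on the wire; fields inside the body are little-endian.
TDS_HEADER = struct.Struct(">BBHHBB")
TYPE_SQL_BATCH = 0x01
STATUS_EOM = 0x01  # end-of-message: this single packet carries the whole batch


def build_sql_batch(sql, tds_version):
    """Construct a single-packet SQL_BATCH as a client speaking `tds_version` sends it.
    TDS 7.2+ prepends ALL_HEADERS (here a single Transaction Descriptor header);
    TDS 7.0/7.1 clients send the UTF-16LE text immediately after the packet header."""
    text = sql.encode("utf-16-le")
    if tds_version >= (7, 2):
        # Transaction Descriptor header: HeaderLength(4) + HeaderType(2)=0x0002
        # + TransactionDescriptor(8) + OutstandingRequestCount(4) = 18 bytes.
        tx_header = struct.pack("<IHQI", 18, 0x0002, 0, 1)
        # ALL_HEADERS.TotalLength counts its own 4 bytes plus every header.
        all_headers = struct.pack("<I", 4 + len(tx_header)) + tx_header
        body = all_headers + text
    else:
        body = text
    header = TDS_HEADER.pack(TYPE_SQL_BATCH, STATUS_EOM, 8 + len(body), 0, 1, 0)
    return header + body


def parse_sql_batch(packet, assumed_version):
    """Passive-tap parser: recover the SQL text from a SQL_BATCH packet using the
    TDS version the tap *assumes* was negotiated (it never saw the negotiation)."""
    ptype, status, length, _spid, _pkt_id, _window = TDS_HEADER.unpack_from(packet, 0)
    if ptype != TYPE_SQL_BATCH:
        raise ValueError("not a SQL_BATCH packet: type 0x%02x" % ptype)
    if length != len(packet) or not status & STATUS_EOM:
        raise ValueError("fragmented or truncated message; reassembly needed")
    body = packet[8:]
    if assumed_version >= (7, 2):
        # Skip ALL_HEADERS. If the client was actually pre-7.2, the first four
        # bytes of the query text get read as a length and the query vanishes.
        (total_len,) = struct.unpack_from("<I", body, 0)
        body = body[total_len:]
    # With a 7.1 assumption against a 7.2 client, ALL_HEADERS is decoded as text
    # and pollutes the recovered query with control characters instead.
    return body.decode("utf-16-le", errors="replace")


def drift_demo(sql="SELECT name FROM users WHERE id = 1"):
    """Parse the same constructed query under every client/assumption pairing.
    Returns {(client_version, assumed_version): recovered_query_matches}."""
    results = {}
    for client in ((7, 1), (7, 2)):
        for assumed in ((7, 1), (7, 2)):
            recovered = parse_sql_batch(build_sql_batch(sql, client), assumed)
            results[(client, assumed)] = recovered == sql
    return results


if __name__ == "__main__":
    for (client, assumed), ok in drift_demo().items():
        print("client TDS %d.%d, tap assumes %d.%d: %s"
              % (client + assumed + ("ok" if ok else "WRONG QUERY",)))
```

Only the two diagonal pairings recover the query; the two mismatches fail silently (an empty string in one direction, control characters glued to the query in the other) rather than raising, which is exactly the failure mode that a downstream SQLi classifier cannot tell apart from benign traffic. A real tap has the same problem multiplied by TCP reassembly, multi-packet batches, the version negotiated in PRELOGIN/LOGIN7, and TLS, none of which this example attempts.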

