<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=utf-8">
</head>
<body bgcolor="#FFFFFF" text="#000000">
I wanted to talk about patents in our industry, but I can't because
everyone is all like "Software patents are evil" _until they get
one_ and it gives me the sads. <br>
<br>
So instead I'm going to talk about this company I saw yesterday,
which is basically this simple diagram:<br>
<br>
Web App<br>
[span port of your mid-tier] -----> [Parser for TDS] --->
[Machine learning to find SQLi]<br>
<br>
The good things about being on the network stack is that you can get
access to clusters. The bad thing is that every minor change of the
TDS stack or SQL syntax or anything of that nature means your system
starts failing. And you have to auto-detect all possible variation
in the network traffic because you're modeling what happens in an
immensely complex piece of software on one side that you don't have
access to. <br>
<br>
To avoid all possible ambiguity: This is an impossible problem to
get right, even if you limit it to "parse one version of TDS exactly
the same as SQL Server 2010 at a known patch level". <br>
<br>
The other option is to install debugger-like instrumenters on every
DB server. In fact, a script to do this came out with an early
version of Immunity Debugger, which integrated with SPIKE Proxy so
you could scan for SQL Injection and use the feedback loop to guide
your scanner around filters and false positives. The downside is of
course having to install things on every DB server. In theory MS
would release an API that allows a logical "span port" that gave you
ever SQL request, and I bet there IS one somewhere in the auditing
section.<br>
<br>
Aside from the horribleness of every possible solution in that area,
which probably STILL works better than a few other things, I wanted
to point out a KEY sentence you might have missed in the <a
href="https://assets.documentcloud.org/documents/2426450/read-the-nsc-draft-options-paper-on-strategic.pdf">Crypto-War
guidelines</a> the administration pointed out. It was this:
Without <a
href="https://lists.immunityinc.com/pipermail/dailydave/2015-September/001016.html">voluntary
</a>and enthusiastic help from Apple and Google, really bad things
we won't specify will happen, even if we force it all to be in
cleartext. That "parse all variations of TDS" problem that we just
looked at is the same as the SIGINT problem faced by the
FBI/NSA/etc. Even WITH THE KEYS, the problem is completely
intractable if Google and Apple and Microsoft want to make it so. <br>
<br>
I can hear Google's lawyers now: "Oh, we delivered you our latest
protocol spec sheet, every two weeks as promised. Of course, our
spec changes every two weeks right after we deliver it, and you are
always out of date, and even if you WERE in date, only our software
knows which version anyone is at at any given time, and parsing it
incorrectly means you are wildly wrong, and if you can't provide a
provably correct parser, no court will accept your analysis, etc.
Hey, did we mention that every block is not encrypted, but of course
it is XORed with this value which we calculate with the most crazy
slow algorithm we could find, one million times. That's just this
week though. Next week we are reversing every block, but we aren't
going to update the version number on the wire." <br>
<br>
Just food for thought! ;)<br>
-dave<br>
<br>
<br>
<br>
</body>
</html>