back to article What's got a vast attack surface and runs on Linux? Windows Defender, of course

Google Project Zero's Windows bug-hunter and fuzz-boffin Tavis Ormandy has given the world an insight into how he works so fast: he works on Linux, and with the release of a personal project on GitHub, others can too. Ormandy's project is to port Windows DLLs to Linux for his vuln tests (“So that's how he works so fast!” …

  1. Uffish

    I think the spell checker got fuzzed

    "attack service" or "attack surface" or did I miss the pun?

    1. Destroy All Monsters Silver badge

      Re: I think the spell checker got fuzzed

      No, it seems you have arrived at the Grauniad.

    2. Drewc (Written by Reg staff) Gold badge

      Re: I think the spell checker got fuzzed

      Umm...slip of the brain on our part. Duly fixed.

      1. dbtx Bronze badge

        FWIW, it was kinda punny.

        1. Tom Paine Silver badge
          Coat

          As ol; blue eyes sang -

          Pun for my baby

          And pun more for the road

          (I'm so very, very sorry)

          1. Chemical Bob

            Re: As ol; blue eyes sang -

            Your apology lacks sincerity. Have an upvote!

    3. Anonymous Coward
      Anonymous Coward

      Re: I think the spell checker got fuzzed

      "What's got a vast attack surface and runs on Linux?"

      Android springs to mind.

    4. sisk Silver badge

      Re: I think the spell checker got fuzzed

      Either would be appropriate when dealing with Windows Defender....

    5. Teiwaz Silver badge

      Re: I think the spell checker got fuzzed

      "attack Surface Pro"?

      - Ah, of course, it's just 'Pro' now isn't it....Pro what?

      Prostitute...maybe

    6. Anonymous Coward
      Anonymous Coward

      Re: I think the spell checker got fuzzed

      Don't worry, it was just a numbers station type subliminal command for submarines :P

  2. Barry Rueger Silver badge

    Fuzz?

    Jargon that was new to me, so;

    Fuzz testing or fuzzing is a software testing technique used to discover coding errors and security loopholes in software, operating systems or networks by inputting massive amounts of random data, called fuzz, to the system in an attempt to make it crash. If a vulnerability is found, a tool called a fuzz tester (or fuzzer), indicates potential causes. Fuzz testing was originally developed by Barton Miller at the University of Wisconsin in 1989.

    http://searchsecurity.techtarget.com/definition/fuzz-testing

    1. Brian Miller

      Re: Fuzz?

      I thought fuzzing started with Edsger Dijkstra and Goto Considered Harmful. Line noise resulted in the connection crashing, etc.

      It really depends on what you are trying to do with fuzzing that will get results. Trying to do fuzzing on slow embedded systems, and it becomes an exercise in patience. Google AFL gets results because it's running over 40,000 iterations per second. A device I'm testing at work goes through two to three iterations per second. Sure, that adds up over time, but I have to temper my manager's expectations for the platform.

      If a DLL can be isolated, then it's a great way to get results.

      1. Destroy All Monsters Silver badge

        Re: Fuzz?

        First time I heard about this was in Communications of the ACM, early 90s.

        (Apparently 1989: "An Empirical Study of the Reliability of UNIX Utilities", available here: http://ftp.cs.wisc.edu/paradyn/technical_papers/fuzz.pdf)

    2. Tom 7 Silver badge

      Re: Fuzz?

      It was given a name in 1989 - many of us had been doing similar for many years before. I saw my first bit of what is now called fuzz testing in around 82 or 3 and it was written in coral 66 I believe. A colleague used it to test functions to see what would induce functions to blow up rather than to look for attack 'services'. When code, and systems took minutes or hours to get to a useful state catching shit like that was a lot easier than working out why a system was on its arse.

      Sensible compilers make it a lot harder/redundant.

  3. Anonymous Coward
    Anonymous Coward

    But isn't the environment itself just as important?

    What if you're using a DLL which already runs in an isolated environment and therefor blocks certain system and function calls? The DLL might contain certain bugs, but its impact would be quite different on both environments. So I can't help wonder if you're not effectively slowing things down. While you might be able to spot bugs more quickly it also means you'd have to test them in the original environment as well so that you can rule out flaws in the testing itself and determine their true impact.

    1. Justin S.

      Re: But isn't the environment itself just as important?

      @ShelLuser

      If you don't have access to the source code, you're left with either decompiling the software and/or running it in a debugger, laboriously reverse-engineering the software to see how it works and might be broken. That is a far slower process than running automated throw-it-at-the-wall-and-see-what-sticks sessions, and then checking out the interesting results.

      1. Charles 9 Silver badge

        Re: But isn't the environment itself just as important?

        But the point stands. What if the exploit is a gestalt, meaning it ONLY appears in a certain environmental combination and then becomes something greater than the sum of its parts? IOW, it's like planning for an emergency: the ONLY way to really know if the plan works is to have an emergency, with all the environmental factors that ONLY come from true emergencies.

        1. Anonymous Coward Silver badge
          WTF?

          Re: But isn't the environment itself just as important?

          it's like planning for an emergency: the ONLY way to really know if the plan works is to have an emergency

          So are you saying that emergency planning is useless? In an emergency scenario it is absolutely crucial to have a good plan, and for the people on the ground to have practised that plan so nobody is doing anything stupid. The planning might not exactly meet the situation, but is generally close enough that people know what they should be doing.

          1. Charles 9 Silver badge

            Re: But isn't the environment itself just as important?

            Partly useless, because you can't fake PANIC. You can't fake a fire, and so on. Even the late Terry Pratchett noted it. IOW, unless people REALLY feel their life is on the line, they won't behave the same way during a drill than they will during an actual emergency. Practice isn't all you need, you ALSO need discipline: the ability to not panic when surprises DO come. Say detonate a flashbang once in a while nearby to condition people to react in desired ways.

            1. d3vy Silver badge

              Re: But isn't the environment itself just as important?

              "Partly useless, because you can't fake PANIC. You can't fake a fire, and so on"

              I used to write business continuity software for the H&S department of a large company, they used to like to get everyone in the team involved in the planning of drills, I assure you it is possible to fake a fire (I have been the guy standing next to the main fire escape when the alarm goes off shouting "Im a fire, find another way out" - fun and made sure that people knew where more than one exit from the building was.

              I was also involved when our datacenter experienced a "thermal event" that blocked an exit and no one panicked - Maybe it was the drills, maybe it was the fact that deep down everyone knew that after an hour in the sun on the car park that they were getting home early...

            2. Anonymous Coward
              Anonymous Coward

              Re: But isn't the environment itself just as important?

              Ohhhh... now... as a corporate security droid I would *love* to be authorised to roll the odd flashbang under a few particular desks...

              1. Fatman Silver badge
                Joke

                Re: to be authorised to roll the odd flashbang under a few particular desks..

                Now, would any of them happen to belong to manglement???

            3. Jack of Shadows Silver badge

              Re: But isn't the environment itself just as important?

              From my years in the US Navy, I can safely say that after drilling often enough that personnel responding to the real thing becomes pretty automatic. Case in point, one of our submarines rammed my destroyer while we were conducting an anti-submarine warfare exercise off the Philippines. The response time as per drills is to have the whole ship watertight in five minutes. Facing the real thing, we did it in a minute and twenty seconds. No alarms were sounded until after we had the whole, the bridge crew being a bit slow off the mark. Not their fault really as it's not every day you get rammed by a sub. Just that the whole ship did a shivering heel to starboard and everyone else figured out at least something wasn't right.

            4. Sparkypatrick
              Black Helicopters

              Re: But isn't the environment itself just as important?

              "Say detonate a flashbang once in a while nearby..."

              I can see the House of Commons from the end of the road (<50m). Under no circumstances would I be letting off a flashbang, if I had one.

            5. Orv Silver badge

              Re: But isn't the environment itself just as important?

              "Partly useless, because you can't fake PANIC."

              If you repeatedly practice an emergency plan, there won't BE panic. That's the beauty of it. That's why the military spends so much time drilling. When something does happen, their subconscious immediately recognizes the situation and how to deal with it, instead of panicking. Sully Sullenberger wasn't an exceptional pilot (by his own reckoning), but he WAS a pilot who had repeatedly run through multiple-engine failure scenarios in simulators.

              1. LeahroyNake Bronze badge

                Re: But isn't the environment itself just as important?

                The military spends all that time doing 'things' so that they become muscle memory. E.g. reloading a magazine, counting the rounds you have fired, clearing a jam, fire control orders, target designation etc. Yes it makes you more efficient at these things but the main part is not having to think about it. It leaves your brain free to analyse the situation and make better decisions than you could if you were thinking about all the small details or what your hands are doing.

                The same goes for fitness, train hard and fight easy. If you are blowing out of your arse you can't think straight.

            6. Kiwi Silver badge

              Re: But isn't the environment itself just as important?

              Partly useless, because you can't fake PANIC.

              Dear friend of mine had a stroke a few years back. Very severe one and only thanks to God he came through - neurologists and doctors said he could not possibly survive.

              He was driving when he had his stroke. We'd been out seeing a mutual friend and left about the same time, so I was seconds behind him and saw it happen. Scary doesn't even come close when a dear friend's car starts accelerating and weaving wildly before (thankfully) hitting a parked car then veering off into someone's house. No one home so no one else hurt but a mess you cannot believe unless you see it for yourself.

              I had not long before re-done first aid training, and also due to the work I'd done in the past (hazardous chemicals used in factory work) I'd had a number of safety and emergency courses. This was a very dear friend clearly with life-threatening injuries, let alone whatever incident caused the crash in the first place (no idea it was a stroke at the time).

              Panic? No. Scared? You bet. But training. Lots of training. Automatics mainly maybe, but I was able to call emergency services, give suitable information on what had happened, and deal with the incident in a suitable manner, securing the scene as necessary (ie making sure that the car was off, it's battery wasn't shorting, and there was no gas leak from the damage to the house or obvious sign of electrical shock risk (NZ mains is 240v10a).

              Training for emergencies means that people don't panic in these situations. If you're trained to cope, you're trained to cope full stop. Panic is lessened by the training even when it is a loved one because you know the right actions to take at the right time and you know how best to protect their life till other help arrives.

              Jim survived, with marginal paralysis on his left side and some metal plates holding some bones together. Jim survived because the first person on the scene had basic first aid training and used his brains to be sure the area was safe first. Basic training means you don't panic, you know what is right. Lots of training means you can function largely on automatic, because you have repeatedly gone through the steps required.

              To be fair to you, until Jim's stroke I used to think the same as you - you don't know how you'd react in a real situation until you're in a real situation. I discovered that training gives you the knowledge to do the right thing, and knowing what you're doing removes panic. And yes my life was potentially on the line as until I knew that the car and house were safe from explosion or electrocution, there was a risk that anything I touched could kill me.

              Panic? That's what I feel when the car coming towards me starts to weave suddenly. Is someone having a medical event and what is the best action for me to take? Slamming on the brakes may mean I get hit by a vehicle from behind and pushed into the path of oncoming traffic where the person was only slapping at a fly, NOT hitting the brakes could mean the car is in trouble and swerves into me....

              [Edit : Should've read further - others have covered this quite well, thanks to the various writers :) ]

            7. Allan George Dyer Silver badge
              Coat

              Re: But isn't the environment itself just as important?

              "Say detonate a flashbang once in a while nearby to condition people to react in desired ways."

              Pavlovian disaster drills?

              Do you give a reward after the flashbang if they react in a desired manner? Will there be problems with excessive saliva at the scenes of real emergencies?

            8. Lord Elpuss Silver badge

              Re: But isn't the environment itself just as important?

              @Charles 9 "Partly useless, because you can't fake PANIC. "

              Airline researchers figured out how to fake panic in aircraft cabins quite well. When they do evacuation simulations (to identify bottlenecks in exit procedures and so on) they offer a large cash bonus to everybody who was out in the first 10 seconds, half of that for those out in less than 20 seconds, a token monetary compensation if you were out in 30 seconds or less, and the rest get nothing. Volunteers were 'panicking' to get out because they had an incentive to do so.

          2. Anonymous Coward
            Anonymous Coward

            Re: But isn't the environment itself just as important?

            "So are you saying that emergency planning is useless?"

            Not useless, just not able to cope with every situation, I'm sure switching off the backup generator in the event of flooding had good sound reasoning, didn't go too well in reality though did it !!!

        2. I am the liquor

          Re: But isn't the environment itself just as important?

          @Charles 9: I think at the fuzzing stage, you're not necessarily looking for exploits, just bugs. Once you've identified candidate bugs in a specific library, you can look at whether they can be turned into exploits in context.

      2. MacroRodent Silver badge

        Re: But isn't the environment itself just as important?

        It is also the case that fuzzing is no panacea. Nevertheless, it often does uncover interesting results. I have used a form of fuzzing to test a cross compiler I worked on. One more tool in the toolkit, but a wise tester should use others as well.

      3. Jack of Shadows Silver badge

        Re: But isn't the environment itself just as important?

        Just a note in passing: Tavis is using IDA, a disassembler, as part of his process in hunting for bugs. So, he is also reverse engineering to see at least some of the attack surface.

  4. Khaptain Silver badge

    Time to do the porting

    The porting itself must take a lot of time, especially when there are many DLLs. I can't really see what the true advantages are. And then dwbugging something outside of its home environment must yet again add an overhead.

    Admiteddly Linux has better and a mire extensive range of tools but many of them exist also on windows..

    The article appears to be adding a bit of fluff.....

    The most important tool is not the OS in any event, its the grey stuff between the ears.

    1. LDS Silver badge

      Re: Time to do the porting

      He's talking about self- contained libraries for which is easier to emulate their working environment. You could do the same under Windows, if you need it, with no need to run the whole application. It looks also he knows little about the tools available under Windows (most good one are commercial), and I also guess he's taking advantage of many other people open source work, and that's easier under Linux.

      It's always better to use what you know best, but this is also part of the ongoing Google FUD campaign against Microsoft, which looks increasing since Nadella decided to invade Google data slurping market with Windows 10.

      1. Anonymous Coward
        Anonymous Coward

        Re: Time to do the porting

        >It looks also he knows little..

        He knows a lot more than you do, if he wasn't working for Google he'd probably be working for GCHQ, seems a bright chap.

        1. Hans 1 Silver badge
          Coffee/keyboard

          Re: Time to do the porting

          if he wasn't working for Google he'd probably be working for GCHQ, seems a bright chap.

          Hm, ok, bright chap works for Google, makes sense.

          Bright chap working for GCHQ ? If you work for GCHQ, you cannot count ...

          Thanks for the laugh, though!

        2. Anonymous Coward
          Anonymous Coward

          Re: Time to do the porting

          "he'd probably be working for GCHQ,"

          So not very good in the commercial world and prepared to work for minimal wages then?

        3. Teiwaz Silver badge

          Re: Time to do the porting

          He knows a lot more than you do, if he wasn't working for Google he'd probably be working for GCHQ, seems a bright chap.

          - I thought the last time a lot of 'bright chap's worked for GCHQ was before it was called that, and during the draft....

          'a matter of Internal Security, the age-old cry of the oppresser'

          - Jean-Luc Picard - The Hunted

  5. Steve Channell

    the DLL loader is the story, not the usecase

    Dynamic link libraries provide a function table of explicitly exported functions to be at run time, where *nix uses shared objects. As a API library developer a dll enables me to hide private functions that are exposed in a .so file. The DLL export is simpler than the pimpl pattern for API development.

    The news here is not that Windows defender has been "ported" but that DLLs are being loaded without WINE.

    1. Hans 1 Silver badge
      Thumb Up

      Re: the DLL loader is the story, not the usecase

      Click-bait title, exactly what I thought ... 'av' a +1

  6. kmac499

    Zero Day Hunter?

    Showing a small part of my considerable ingnorance, is this, fuzzing in a box, technique the sort of thing that could be used to hunt for zero day bugs like the recent SMB one?

  7. Chewi
    Linux

    I'm not entirely surprised

    He used to be a Gentoo Linux developer.

  8. Colin Bull 1
    Thumb Up

    10 out 10 to AWK

    I have always admired the authors of awk. And this makes me even more in awe of them. Not crashed by fuzz testing.

  9. Anonymous Coward
    Anonymous Coward

    Awesome

    So now I can protect my Linux box against Windows specific malware.

    I always felt reasonably safe, but now I can feel rest assured.

    A boon to be sure.

  10. John Sanders
    Linux

    Yawn...

    Yawn...

    Kindly pets penguin in the head.

  11. User McUser

    Pardon my ignorance...

    But how is this not just WINE?

  12. Howard Hanek Bronze badge
    Happy

    Mental Image

    .....that of the fuzz on a rotten peach. To remove fuzz I suggest scalding first.

  13. Bob Vistakin
    WTF?

    Running windows on Linux. Because you can.

    In other news, it's been found people are able to place bin bags over their heads whilst driving at 90mph in the fast lane, stick their hands in food blenders whilst on full settings, and drink pints of car battery acid.

    1. Sanguma

      Re: Running windows on Linux. Because you can.

      The Association of Recreational Drano Drinkers of America are very deeply upset because you failed to include them. They will be entering a protest and waiting for the recount.

      1. Anonymous Coward
        Anonymous Coward

        Re: Running windows on Linux. Because you can.

        Well since you brought ARDDA in to it. Id like to represent the Association for Recreational Sewage Eating (ARSE) for balance, people like you are ruining an ancient and noble past time by polluting the sewage.

        Also as a member of Federation Against Drano Gargling and Embibing (FADGE), I oppose everything ARDDA stands for. Recreational my foot. I, like many people think Drano Drinking should be regulated, taxed and sold in white packages with health warnings on the box. A photograph of gleaming pipes and freeflowing water should put the kids off. "This is what Drano does to pipes, what do you think its doing to you?".

        Drano drinking scum should be kicked out of the country.

        In fact I believe that ARDDA led directly to the Drano Acquisition Exploitation Shipping and Haulage organisation. Its not just a peaceful past time.

        Ill be writing a strongly worded letter to my local United Kingdom Imbibing Police representative forthwith.

  14. This post has been deleted by its author

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019