Profile picture
, 14 tweets, 3 min read
My Authors
Read all threads
Everyone has moments that cement their decision to take their career in a certain direction. This is one of those. In 2004 my team was responsible for administering the Final Security Review on Microsoft products. The FSR was the check that all security requirements had been met.
I was the reviewer for a product from the server division first released in the 1990s. The team knew their product well and were incredibly responsive. This team didn’t just want the FSR to be done. They wanted it to be right.
Four years into Microsoft, I was no security expert and their product was a deep work in itself--hundreds of thousands of lines of code. I was determined to match their expectations for quality with tenacity. One area I dug into was its handling of elevated software installs.
There was a scenario where the download was done under the context of the user because in customer environments the file share hosting the software was permissioned based on user groups (e.g. Engineering can install the app, but not Sales).
They performed several steps to prevent tampering. At 7pm on Thursday night, with the FSR wrapping up the next day, I found myself poking at their validation. Could a user tamper with this process to run code of their choosing with SYSTEM rights?
I asked if a user could write to any of the files after they were downloaded. I asked about attacks involving holding open file handles to bypass hash checks. I asked about denying SYSTEM the ability to re-ACL the files. Strike out each time. The team had considered all of them.
I sat in front of my keyboard, midnight approaching, grasping at straws. A memory stirred. A couple years earlier in a meeting about malware, filesystems engineer David Golds made a side comment about a malware technique for evading anti-virus by using section objects.
Anti-virus checked for file infector viruses by inspecting changes to files. After a program closed a file, AV could check it for malware. A sneaky technique was to use a section object (aka File Mapping). Sections required a dance between the memory manager and the filesystem.
At 10:00pm, recalling only the words ‘write through a section,’ I opened Visual Studio to try to recreate this technique and construct a proof of concept.
I sent it over at 12:30 am. I expected to hear from the team the next day. 12 minutes later an engineer replied. He was online and looking into it. At 1:18 am he recompiled my program and adapted it for his environment.
At 2:10 am I got an email with the words: “Yep, that’s a vulnerability! It allows modification of files by a low rights user, after a hash check. I was able to repro and apply the attack on a real environment.” 👍
A few days later I got to meet the legendary Mark Zbikowski (‘MZ’ in the executable header). Mark worked in the filesystems group and helped the team with ideas to get out of the jam.
For me, this was the thrill of the job. Digging into complex products, applying things you’ve learned, and finding issues. Working with teams that barely knew you, and yet hung with you every step of the way to solve their security issues.
Our SDL work had many moments like this. Each time it recommitted you to the job. Not many roles let you touch product teams across the company, focus on value v. rules lawyering, and create moments that reinforce why we're doing something to everyone involved. 🙏
Missing some Tweet in this thread? You can try to force a refresh.

Enjoying this thread?

Keep Current with John Lambert

Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

Twitter may remove this content at anytime, convert it as a PDF, save and print for later use!

Try unrolling a thread yourself!

how to unroll video

1) Follow Thread Reader App on Twitter so you can easily mention us!

2) Go to a Twitter thread (series of Tweets by the same owner) and mention us with a keyword "unroll" @threadreaderapp unroll

You can practice here first or read more on our help page!

More from @JohnLaTwC see all

Profile picture
John Lambert
@JohnLaTwC
When I was working in the MSRC and SDL teams, I ran a series of contests. The goals were to encourage learning, foster a team culture around technical excellence, and have some fun. I wanted them to be accessible across program managers, vuln researchers, and engineers.
The first one was to calculate a Fibonacci number in assembly. I chose this because it’s a simple problem to learn more about assembly, which was relevant to vulnerability and exploit analysis. The contest part was to do it in the fewest number of clock cycles.
I wish I had known @BruceDawson0xB then because the most challenging aspect was measuring the winner! It seemed so simple at first. Call RDTSC (Read Timestamp Counter) before and after. Do it a few times in a loop to ensure consistency and done. Hardly.
Read 13 tweets
Profile picture
John Lambert
@JohnLaTwC
In @alexstamos talked about Trustworthy Computing at Microsoft. I don't know anything about FB but having been part of TwC since the beginning, offering up some of our humble lessons about what was important:
- Top level commitment, consistent on voice, holding people accountable, making resources available, and having decision courage that lives the values when the conflicts come up. Bill wrote very few “tidal-wave” memos because he wanted them to count.
- Have experts across engineering, privacy, policy, legal, chartered with fleshing out the new state of the art, the ship/no-ship bar, tracking processes, how accountability is managed, guidance, and tooling
Read 11 tweets
Profile picture
John Lambert
@JohnLaTwC
Story time. This one is about a feature in Windows called ASLR.
It was 2005. We were working on Windows Vista. Most remember it as the release with the maligned User Account Control feature. For us in Trustworthy Computing it was the first full Windows cycle where we could apply all the security engineering tools we had from start to finish.
Efforts such as fuzzing file parsers, scrubbing the code of ‘banned APIs’ across millions of lines of code, fixing masses of potential bugs from static analysis, and driving initiatives to deal with newly discovered ‘diseases’ like mismatched container COM instantiation.
Read 23 tweets

Related threads

Profile picture
Jacob Falkovich
@yashkaf
1 like = 1 way to live better. I'll try to keep a ratio of 50% things I actually do, 50% things I should do but don't.
1. Eat lunch alone. Catching up with co-workers 5x/week doesn't do much beyond what you'd get from 1x/week, and a good podcast is more interesting than your best colleague.
2. There are more great podcasts than you'd ever have the time to listen to. If it sucks after 10 minutes, skip half an hour ahead. Still boring? Delete and move on. Obviously, do the same for books.
Read 110 tweets
Profile picture
Karol Cummins
@karolcummins
‼️New Details‼️

🔑Parnas is the middleman between Firtash & TeamTrump

🔑I’m the best-paid interpreter in the world': Indicted Giuliani associate Lev Parnas touted windfall from Dmytro Firtash an indicted Ukrainian oligarch

cnn.com/2019/11/01/pol…
This summer, Parnas told potential business associates that his company began receiving a sudden windfall of money from the oligarch, Dmytro Firtash, who is living in Austria while fighting bribery charges in the US.

cnn.com/2019/11/01/pol…
📌Parnas paid Donald Trump's personal attorney, Rudy Giuliani $500,000 for work he did on Parnas’ company Fraud Guarantee.

📌Did the money paid to Giuliani come from Firtash?

reuters.com/article/us-usa…
Read 63 tweets
Profile picture
I'm supposed to be working right now.
@hereforthejava
Ok so I'm going to just pull things from yesterday's Comey / Senate Oversight hearing that interest me... oversight.house.gov/wp-content/upl… because it is more fun than working. #ComeyHearing
Mr. Gowdy. Let me see if I can ask the question more artfully. Did he (Strzok) help you prepare or edit your July 5th press statement? (statement essentailly clearing Hillary)

Mr. Comey. July 5th press statement? Yes, he did help edit that.
Mr. Gowdy. Lisa Page, she was an attorney with the FBI in 2016. Is that right?

Mr. Comey. Lisa Page, yes, that is correct. Lisa Page was an attorney I think before 2016, but certainly during 2016 assigned to the Office of General Counsel.
Read 195 tweets
Profile picture
Marshall Ryan Maresca 🛡WAY OF THE SHIELD 10/2/18
@marshallmaresca
I keep thinking back to a discussion a few months on reddit about THE BELGARIAD. Several comments were made about it being cliche and pedestrian, and someone said, “Yeah, it’s a fine story, but it’s never going to be a classic.”
And all I could think to respond was, “It’s over thirty years later and we’re still talking about it. How is that NOT ‘a classic’?
But that got me thinking- I cite THE BELGARIAD (and THE MALLOREON, its sequel series) as one of my influential works. But what is that influence? I know I’ve read the whole series several times. My copies of the books are in terrible shape.
Read 1054 tweets

Trending hashtags

#SureJan #ElectionSecurity #Confidence #Congress #PA03 #ProtectOurCare #Smith #PreExistingConditions #conferences #ExpressVoteXL #Epictetus #voting #BelgariadRead #teams #LettersfromaStoic #teamScience #duVair #Desperation #careeradvice #Montaigne #Career #SabMileyHueyHainJi #kanban #Busted #Cicero
Follow Us on Twitter!

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just three indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3.00/month or $30.00/year) and get exclusive features!

Become Premium

Too expensive? Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal Become our Patreon

Thank you for your support!