Date: November 15, 2004 / year-entry #392

Summary: Here are some questions and then explanations why you can't do anything meaningful with the answer anyway even if you could get an answer in the first place. "How can I find out how many outstanding references there are to a shared memory object?" Even if there were a way to find out, the answer...

Here are some questions and then explanations why you can't do anything meaningful with the answer anyway even if you could get an answer in the first place.
You cannot reliably reason about the security of a system from within the system itself.
It's like trying to prove to yourself that you aren't insane.
The system may itself have already been compromised and all your reasoning therefore can be virtualized away. Besides, your program could be running inside a virtual PC environment, in which case the absence of a keyboard hook inside the virtual PC proves nothing. The keyboard logging could be happening in the virtual PC host software.
From a UI standpoint, the desktop is the security boundary. Once you let somebody run on your desktop, you implicitly trust them. Because now they can send your program random messages, inject hooks, hack at your window handles, edit your menus, and generally party all over you.
That's why it is such a horrible mistake to let a service interact with the desktop. By joining the interactive desktop, you have granted trust to a security context you should not be trusting. Sure, it lets you manipulate objects on that desktop, but it also lets the objects on that desktop manipulate you. (There's a Yakov Smirnoff joke in there somewhere, but instead I will quote Nietzsche: If you gaze long into an abyss, the abyss also gazes into you.)
If you're a service, you don't want to start letting untrusted programs manipulate you. That opens you up to a Shatter attack.
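
To find services configured this way, the audit below (an added example, not part of the original post) reads each service's `Type` value from the registry and reports those with the `SERVICE_INTERACTIVE_PROCESS` bit set, which is what the "Allow service to interact with desktop" checkbox controls. The function name `Test-InteractiveServiceType` and the output column names are chosen here for illustration.

```powershell
# Added example: list Win32 services whose Type value carries the
# SERVICE_INTERACTIVE_PROCESS bit. Constants are the winsvc.h values.
$SERVICE_WIN32_OWN_PROCESS   = 0x10
$SERVICE_WIN32_SHARE_PROCESS = 0x20
$SERVICE_INTERACTIVE_PROCESS = 0x100

$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

# Hypothetical helper: true only for a Win32 service (not a driver)
# that also has the interactive bit set.
function Test-InteractiveServiceType {
    param([int]$Type)
    $win32Mask     = $SERVICE_WIN32_OWN_PROCESS -bor $SERVICE_WIN32_SHARE_PROCESS
    $isWin32       = ($Type -band $win32Mask) -ne 0
    $isInteractive = ($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0
    return ($isWin32 -and $isInteractive)
}

$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -LiteralPath $key.PSPath -ErrorAction SilentlyContinue
    # Some subkeys are not service definitions and have no Type value.
    if ($null -eq $props -or $null -eq $props.Type) { continue }

    if (Test-InteractiveServiceType -Type $props.Type) {
        [pscustomobject]@{
            Service   = $key.PSChildName
            Type      = '0x{0:X}' -f $props.Type
            Account   = $props.ObjectName   # account the service runs as
            Start     = $props.Start        # 2 = automatic, 3 = manual, 4 = disabled
            ImagePath = $props.ImagePath
        }
    }
}

if ($findings) {
    $findings | Sort-Object Service | Format-Table -AutoSize -Wrap
} else {
    'No services are configured to interact with the desktop.'
}
```

Each service it lists is a candidate for clearing the flag and moving any user interface into a separate process that runs in the user's own security context.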