Talk:Shatter attack

This article is rated B-class on Wikipedia's content assessment scale. It is of interest to the following WikiProjects:

Computing Low‑importance This article is within the scope of WikiProject Computing, a collaborative effort to improve the coverage of computers, computing, and information technology on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. Computer Security: Computing Low‑importance This article is within the scope of WikiProject Computer Security, a collaborative effort to improve the coverage of computer security on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. This article is supported by WikiProject Computing (assessed as Low-importance). Things you can help WikiProject Computer Security with: Article alerts will be generated shortly by AAlertBot. Please allow some days for processing. More information... Answer question about Same-origin_policy Review importance and quality of existing articles Identify categories related to Computer Security Tag related articles Identify articles for creation (see also: Article requests) Identify articles for improvement Create the Project Navigation Box including lists of adopted articles, requested articles, reviewed articles, etc. Find editors who have shown interest in this subject and ask them to take a look here. Microsoft: Windows Low‑importance This article is within the scope of WikiProject Microsoft, a collaborative effort to improve the coverage of articles relating to Microsoft on Wikipedia. If you would like to participate, please visit the project page, where you can join the discussion and see a list of open tasks. Low This article has been rated as Low-importance on the project's importance scale. This article is supported by WikiProject Microsoft Windows (assessed as Mid-importance).

Whether a "shatter attack" represents an inherrent design flaw in the Windows API

Latest comment: 11 years ago7 comments4 people in discussion

The below text was removed because it is not a neutral viewpoint.

How is it not NPOV? If someone points out a property of your software which you then go to a great deal of trouble to fix, then you're acknowledging that it needed to be fixed. It's absolutely clear (from postings on the various Microsoft security blogs, for example) that Microsoft's view about the significance of shatter attacks has changed since they said it was "not a flaw in Windows". DavidHopwood 15:11, 8 May 2007 (UTC)Reply

"The introduction of UIPI in Windows Vista could be interpreted as an implicit acknowledgement that Microsoft's earlier viewpoint, that the possibility of shatter attacks was "not a flaw in Windows", was mistaken."

A larger issue to me is that the flaw is an issue only on a program-by-program basis. If a program uses the default message handler, DefWndProc(), for messages like WM_TIMER whose default behavior is to call the passed function pointer, those programs are vulnerable. However, if that program has no need to process that given message, it may well be written by someone wise enough to ignore the message, or flag an error. Further, a given callback pointer can be checked for whether it falls within a program's code space (instead of within data area which it shouldn't be executing in most cases), or just against a list of valid callbacks.

That would not be sufficient. It has to be the right callback. DavidHopwood 15:17, 8 May 2007 (UTC)Reply

It may be argued that the default windows message processing behavior, calling an unchecked code pointer, is undesirable, but any program can defend itself against this. That is, the default behavior is suboptimal, but overridable. So this is certainly a flaw, but is not "broken" as the author of the original exploit claims. If someone knows a way to concisely say the same thing, please add it to the article. — OldMiner 23:17, 22 February 2007 (UTC)Reply

This shouldn't be added to the article because it is wrong. Microsoft did not consider updating every program that could be attacked to be an appropriate fix, and I know of noone else who understands the issue who thinks that it would be an appropriate fix. DavidHopwood 15:17, 8 May 2007 (UTC)Reply

Microsoft's reply was effectively a snarky "it's working as designed" response, and they're right: the Windows UI was designed with the idea that processes cooperate to give an integrated user experience. Only later (with the NT line) were the benefits of proper isolation recognized, but the UI was not updated to this paradigm, since cross-process message passing had become well ensconced.

It's true that to some extent, applications can take measures themselves, but the basic issue is a violation of the principle of least privilege: by default, process A has no business sending messages to process B, certainly not if process B is critical. And even if it does have business sending a message to process B, it still has no business to send arbitrary messages, least of all messages containing pointers. The defense that applications could in theory check some messages does not validate the design, as nobody is seriously suggesting applications should implement their own security layer against an open-ended class of attacks (checking callback pointers in WM_TIMER is all well and good, but it doesn't even begin to cover the problems an application can get into if it's being sent messages it does not expect and cannot distinguish from the messages it does expect).

The fact that Microsoft has closed off some avenues of exploit (in particular with regard to system services) does not imply a reversal of their original point of view: that it's working as designed. They just acknowledged that in particular cases, the design can do with some refinement. That is, shatter attacks are a natural consequence of the design, but while shatter attacks are undesirable, making them altogether impossible requires a completely new design, and that is in itself not desirable. Microsoft's own fixes go so far as to isolate system processes from shatter attacks; that they're doing that doesn't imply they agree that the whole design is flawed, just that it was lacking in execution. 194.151.6.70 08:49, 16 August 2007 (UTC)Reply

---

Second, a new feature called "User Interface Process Isolation" (UIPI), a form of Mandatory Access Control, was introduced, whereby processes can be further protected against shatter attacks by assigning a "privilege level" to each process.

UIPI is not a form of Mandatory Access Control (and Microsoft does not claim it to be such). It is clearly discretionary; there is no serious attempt to prevent the user from overriding it. I've deleted ", a form of Mandatory Access Control" --DavidHopwood 23:37, 4 September 2007 (UTC)Reply

• There's a newer article here. LittleBen (talk) 11:26, 22 January 2013 (UTC)Reply

This attack was dicussed in 1997

Latest comment: 11 years ago1 comment1 person in discussion

In the Microsoft System Journal of March 1997, this attack against NT 4.0 was presented by Matt Pietrek.

http://www.microsoft.com/msj/0397/hood/hood0397.aspx 7eggert (talk) 01:15, 26 February 2013 (UTC)Reply