Skip to main content
December 15, 2015

Mother May I – a Story of Application Privilege Security

Our mothers all want the best for us. They raised us to ensure we didn’t do anything crazy like run out in front of traffic or play with broken glass.

More often than not, we had to ask for permission to do things like swim at our friend’s house or eat all of our Halloween candy in one sitting. Our moms then did their motherly duties of checking in with the swimming pool mother or telling us we can only eat one piece of candy. Moms protected us from ourselves. That’s just what they do. It’s in their contract to look after us until we come of age to make mistakes on our own.

Applications can act like kids at times too. Some apps forget to ask for permission before doing something crazy like allowing another user to elevate their privileges or leaving access doors open. Every piece of code ever written is susceptible to vulnerabilities, which means every software application you use is a potential weakness until it has been properly evaluated and secured. However not all software evaluations are created equally just as not all mothers know where you’ve been all day.

every software application you use is a potential weakness until it has been properly evaluated and secured

Remember TrueCrypt? Yes, I'm talking about the free disk encryption program TrueCrypt. There's an example of an application that has been scrutinized, dissected, debugged, reverse engineered, audited and run through teams of security experts of which one was also a licensed SCUBA diver! (I was going to say one of the security management certs but SCUBA certs are much harder to get.)

This tool was one of the only free options for encrypting Windows hard drives besides using Bitlocker which only came in certain version of Windows. Thanks to its ease of use and ability to pass countless bug audits, TrueCrypt was one of the most popular full disk encryption programs ever created. That all ended in May 2014 when the anonymous team of TrueCrypt creators issued a warning that the program had unfixed security issues then shut the project down.

TrueCrypt had been publicly available since February 2004 and had also been audited by the numbers numerously by numerous teams of security professionals. Just to be clear of the numerosity of tests and the numerousness of the testers (using no. 2 pencils maybe too).

Each review showed the program was secure and had no known back doors. To be more specific, the report shows only medium or low risk issues with TrueCrypt as of February 2014. The Bootloader and Windows drivers had identified issues according to this audit. None of the issues discovered would have caused enough concern to warrant the program to be shut down.

examine the codeSince the project was open source, anyone could examine the code to see if they could detect a security flaw. This is the major difference between open source and commercial software: open source allows anyone to view the entire code while commercial is proprietary and not available for public inspection.

That's the point of open source security, the more people who look at the code means less chance of a bug or vulnerability remaining hidden. Which is unlike commercial software where only company employees can view certain segments of the product code.

TrueCrypt had even been endorsed by NSA Whistle Blower Edward Snowden. At that time the biggest public concern was over U.S. government placement of back doors and exploits into technology products. Mr. Snowden’s approval of TrueCrypt was a huge victory for the project due to the vast intelligence and government spying information that he was releasing showing all the commercial organizations that the National Security Agency had already infiltrated.

If this could happen to such a security product, imagine what happens within your average, non-security application?

Within a few short months TrueCrypt had passed two major hurdles by completing another thorough audit from an independent lab and being cleared by Edward Snowden as a project not broken by NSA’s code breakers. So it gained notoriety by the media as an outstanding privacy tool. In essence, TrueCrypt had won mother’s approval and you could now have permission to go swimming at Truecrypt's house. It was like a favorite son. Then it closed up shop.

Due to the unexpected and unexplained shut down of this program, security professionals were puzzled as to why this program would be turned off at the height of its popularity. If the application has a weakness then where was it located or had the NSA been able to hide a backdoor inside the program? Maybe the encryption engine had been watered down to allow for easier access by the NSA? Many more questions floated through the security community trying to understand why this beloved program had suddenly ceased.

From the time the anonymous creators of the disk encryption pulled the project until late September 2015, nobody publicly knew the “hows” or “whys” of the story. Then Google's Project Zero team member James Forshaw disclosed two major vulnerabilities in TrueCrypt two days before Halloween 2015. Both issues dealt with Elevation of Privilege within the application. Both dealt with issues with Windows drivers. These vulnerabilities were able to exist even after all kinds of testing and auditing because Windows drivers are difficult to understand. They can allow unexpected consequences in even the most carefully crafted applications.

The two major vulnerabilities, identified as CVE-2015-7358 and CVE-2015-7359, were discovered as part of Mr. Forshaw’s work at Google. TrueCrypt’s reincarnation VeraCrypt has been updated and removes these driver issues. James Forshaw offers an in-depth explanation of his findings and talks about it on Twitter.

It is important to understand how closely TrueCrypt has been examined by leading experts from around the world. Don't make me say “numerous” again. This application had been dissected time and again looking for issues and often none were found. At this point it is unknown if the vulnerabilities discovered by Mr. Forshaw’s work were the reason why the TrueCrypt creators closed the project almost a year and a half ago.

TrueCryptThe point here is that a program as closely monitored and respected as TrueCrypt was still had vulnerabilities hidden within Windows drivers. If this could happen to such a security product, imagine what happens within your average, non-security application like where you're just flinging birds at stuff.

Commercial products are created in short production time lines, which means developers are under constant pressure to complete their segment quickly. Even the largest software manufacturer has been caught shipping products with known vulnerabilities in them. And those are issues that they know about. What about those issues that the software manufacturer doesn’t know about?

Operating systems can have millions of lines of code in them. Amongst all that code are interactions between systems and services that are not documented or even understood by the people who write them. When 3rd party applications are added to other software, it can be a ridiculous puzzle to figure out all the interactions between everything.

This is why it is critical to test your applications in every environment possible. Too many tests are done in lab instead of out in the street with real threats. Since your environment is constantly changing, your testing should allow for those changes as well. Think of vulnerability assessments as a life cycle project. You will need to mother that application from inception to replacement. If you are just conducting one test on an application and calling that good, you are not performing commercially reasonable security testing. And your mother would not be proud of you.     

Learn more about Building an Application Security Program that Tests in Multiple Environments

Bob Monroe grew up in Southern California before he joined the U.S. Army in 1985. He holds a Master of Science in Information Assurance from Norwich University. He works with the Institute for Security and Open Methodologies and Hacker HighSchool. Both organizations are non-profit, with the mission of teaching computer security methods across a global audience.

Love to learn about Application Security?

Get all the latest news, tips and articles delivered right to your inbox.