The book is really about massive multiplayer online role-playing games. You can think of these as Dungeons and Dragons over the Internet. The games today are demonstrating what the software security problems of tomorrow will look like. Believe it or not, there are about 8 million subscribers to World of Warcraft and maybe 12 million people that play these games overall. At any one time about half a million people are playing the games together, asynchronously, over a set of servers. So you have interesting issues with time and state. You can't have a big enough computer or fast enough Internet access for half a million people to work on one server in real time, so the server will slice off a little chunk of space, throw it over to the client-side piece of the game on someone's PC, and then they play on that piece and send information back to the server, but not in real time, so interesting issues about time and state arise, and these lead to all sorts of bugs that make these games exploitable.
Why should IT security people and software people care about online game security?
IT people need to be worried about what their users are doing. If your users are spending all day playing these games, that's bad. More importantly, if your users play these games on their computers off hours or play them on their laptops on the weekends, these games actually install monitoring software deep in the kernel that keeps track of what is happening on that PC. The software reports back all sorts of information about what that user is doing that may have nothing at all to do with the game itself. World of Warcraft has a process called the Warden that keeps an eye on your PC. Some might call that an invasion of privacy. From an IT perspective what's happening is your user is changing the PC so programs that do these nefarious spyware-like activities are going to be installed on the box and the user might not even be aware of it. That's a real headache for IT guys.
Some of that sounds like rootkit technology, something you've also been focused on. Talk about the nature of the threat today and how it's going to evolve.
The problem really came to light when Sony decided to put rootkit technology on some of their CDs, a digital rights management enforcement program that, when you put the CD in your PC, would install a rootkit down in the kernel that would disallow you from doing certain things like copying [the CD]. The problem for IT administrators is that you have a user trying to use their headphones on their PC while doing legitimate work and they get rooted by this rootkit that is set up in a way that you could take advantage of its stealth capabilities to hide processes that may have nothing to do with listening to music.
Will the security built into Windows Vista be of any help?
I started out with a lot of hope for that. But if you remember when Symantec and McAfee were mad because they couldn't shim the kernel anymore and Microsoft was forcing them to use certain APIs and so on … What happened was that Microsoft was forced to give some ground that, while helpful for Symantec and McAfee, is also helpful for those who would build things like kernel-level rootkits. So I think what might have been a nicely buttoned-down kernel has been opened up, and so we should expect to see rootkits for Vista.
Speaking of the fuss Symantec and McAfee made, did they have a legitimate gripe or should Microsoft have told them to learn to deal with it, that this is how it must be?
It's a very complicated situation. McAfee and Symantec had a legitimate right to whine because it's obvious Microsoft is moving into their business and muscling them out, and Microsoft could leverage the fact that they own the operating system to out-compete the other security vendors. That's a real concern.
You've been a leading voice on the need for software makers to do a better job at building security into their code, and you wrote three books on the subject: "Building Secure Software," "Exploiting Software" and "Software Security: Building Security In." What's the state of the union, so to speak, on how companies are doing?
I'm pretty optimistic on the progress we've made. Once upon a time, we couldn't convince even our own mothers that software security was important. That's changed a ton. Now everyone understands the problem. Where we sit now is that there are a bunch of people saying 'ok, I get it, I need to do software security. What am I supposed to do?' We've moved from whining about the problem to putting in best practices. Microsoft, while they have a way to go, has made some good progress. The banks in New York and cell phone vendors are doing a lot more with security. People are doing a lot to buy the right tools. We've made a lot of progress. I'm very optimistic we're moving the ball down the field in the right direction.
Are the good guys winning the cyber war?
I think the arms race continues. Software security is much more intense than worrying about code writing. Half the problems we see have to do with design and architectural things. An obvious example: 'Forgot to authenticate the user.' That's an architectural problem, so we have to focus on that as well. Looking at the cyber war, while we've made a lot of progress, the bad guys have done a lot to keep up with what's been done on the security front, and it'll always be like that.