Small Devices & RCE

I wanted to comment and add some thoughts about the IDA-on-iPhone news I read on Woodmann.

Good news for real iPhone fans: we ported IDA to iPhone! It can handle any application and provides the same analysis as on other platforms. It is funny to see IDA on such a small device:

http://hexblog.com/2008/07/ida_on_iphone.html

Ilfak Guilfanov

It’s funny, because in theory the new CFF Explorer will be compilable for Mac OS (being written in Qt), and thus also for the iPhone. The only problem is the small display of such devices, and I’m not sure whether it’s possible to reduce the space the GUI needs, but I’m quite optimistic.

I mention this because the new CFF Explorer will support ELF and other formats (lib, object, Symbian etc.), making it useful for other systems as well, and it might become part of a new generation of cross-platform/cross-device tools. It would be encouraging to know that in the future it will be possible to do reversing on such a small device. The new CFF will also have zoom in/out features for the hex editor, making it very useful on devices with a small (or big) display.

I hope that other programmers will follow the same lead.

The main problem is writing cross-platform applications and reorganizing GUIs for small displays.

I want to share something I read on Wikipedia some time ago:

Microsoft software is also presented as a “safe” choice for IT managers purchasing software systems. In an internal memo for senior management Microsoft’s head of C++ development, Aaron Contorer, stated:[7]

“The Windows API is so broad, so deep, and so functional that most Independent Software Vendors would be crazy not to use it. And it is so deeply embedded in the source code of many Windows apps that there is a huge switching cost to using a different operating system instead… It is this switching cost that has given the customers the patience to stick with Windows through all our mistakes, our buggy drivers, our high TCO (total cost of ownership), our lack of a sexy vision at times, and many other difficulties […] Customers constantly evaluate other desktop platforms, [but] it would be so much work to move over that they hope we just improve Windows rather than force them to move. In short, without this exclusive franchise called the Windows API, we would have been dead a long time ago.”

Companies such as Apple and Microsoft are very conscious of the strategic importance of binding applications tightly to their proprietary APIs. That’s why Apple pushes Cocoa and Microsoft pushes .NET. They don’t want cross-platform development environments (oh, and don’t tell me that .NET is cross-platform; before doing so, show me a .NET GUI with more than a button in it on a system which isn’t Windows), because that would make it possible for users to switch to another system without losing their tools.

However, “the times they are a changin'”. Nowadays, developers are more conscious of this problem and prefer not to bind their applications to only one platform. You can notice this if you pay attention to the names of newer applications. Ten years ago there were lots of Windows applications which contained the word “win” in them: Winhex, WinDvd, Winzip, WinRar, WinAce, Winamp etc. Have you noticed that this trend has stopped? It’s interesting: right now a struggle between developers and OS producers is taking place. OS producers want to bind developers to their platform even more than before. Why do I say more than before? Well, consider that .NET implements its own languages; you can’t simply share real C++ code with the managed one (yes, you can rely on P/Invoke, but not for everything). Well, it’s a bit more complicated than that, I know, but unsafe code is not encouraged in the .NET environment. Meanwhile, Apple pushes Obj-C. I want to know how this ends. Speaking for myself, I refuse to take a side and will stick with my beloved C++ (the real one).

The Windows Vista Issue

Windows XP brought a lot of enthusiasm to most programmers, and common users loved it too. XP officially introduced the NT kernel for everyone, not just for servers. It was a great step forward, and most people who had earlier disliked Windows now had trouble criticizing it from a technical point of view.

Windows Vista, unfortunately, wasn’t going to satisfy everybody. There’s got to be a reason (even more than one) if PC World wrote that Vista is the biggest tech disappointment of the year 2007. Not that PC World’s opinion is 100% reliable, and in the article it mostly criticizes Vista for the wrong reasons. However, one fact remains: many users decided not to upgrade to Vista and some even downgraded to XP.

Microsoft is a big company whose interest is making money, like all companies, that’s pretty clear, but in the process Microsoft shouldn’t leave behind all the people who made Windows what it is now. Windows is so important because of three factors:

a) the quality of the operating system
b) the number of people who use it
c) the number of applications developed for it

The c) factor is really important, because it’s sort of the backbone of Microsoft’s success. I don’t want to imply that Microsoft is going to lose millions of dollars because the current Mark Russinovich will use another OS instead of Windows (that would be a little hard for him, since he’s employed by Microsoft now), but maybe the next Pietrek / Russinovich won’t be a Windows expert. If Microsoft leaves behind the developer community, it’ll reflect directly upon the user community. In my opinion Microsoft is taking chances for no good reason.

In my opinion it’s better to make less money in the long term than to make a lot of money in just one year and lose a lot of customers in the process.

I tried to make a list of all the things which would have made Vista the best product of 2007. Ok, let’s not exaggerate, but surely it wouldn’t have been the worst one. Keep in mind that the points in the list are not ordered by relevance, but, if not at random, by logical connection.

What Microsoft should change:

1) Let’s start with the silliest thing: Windows Vista’s Aero is not available in the Vista Home Basic edition. Aero is described as the “Elegant Windows Aero desktop experience” feature. But that’s just silly, it can’t be a feature for which the user pays extra money. Vista Home Basic retail edition costs 250 euros (367 USD)! For that price, I think, it’s highly immoral to exclude such a silly feature as Aero. Microsoft can’t make money from Aero, it’s just unprofessional and the company loses credibility. And this brings us right to the next point.

2) Only Vista Business and Vista Ultimate can be virtualized (run on VMware, Virtual PC etc.). Microsoft applied license restrictions to Vista Home (both Basic and Premium), making it impossible to virtualize these two editions, at least legally. Again, that’s unprofessional and, from a technical point of view, horrible. This point is very important. Microsoft should just offer more tools/services (e.g. BitLocker) in its more expensive editions. It’s just wrong to put usage restrictions in its less expensive editions.

3) It should be possible to disable driver verification permanently at boot time (this means without forcing the user to press F8 on every boot). One way of replying to this point is to say that many hardware manufacturers would force the user to disable driver verification in order to use their drivers, but that’s nonsense! No serious manufacturer would do that. Let’s take TrueCrypt, for example. It’s top-quality free software and, of course, works through a file system driver. Why should the author/company pay 500$ (or less) for a 1-year certificate to sign their driver? Ok, it’s not a problem for TrueCrypt, since this product was famous a long time before Vista came along. Its community will surely cover all the expenses, I suppose. But what about a new project which may start now? Should the developer invest 500$ for something which might not even cover his expenses? Oh, sure, 500$ isn’t that much, and he can pay this amount without selling his computer, but the questions are: is it right? Will he? And why shouldn’t the user himself be able to run his driver if he absolutely wants to? That, of course, without being bothered by the terrible F8 or by installing a test certificate? Again, this is a very serious credibility issue, which shouldn’t be easily dismissed. I’m not even sure whether this policy was introduced only for security reasons or also because driver signatures are expensive and TrueSign (owned by Microsoft) is making good money out of this. Anyway, if Microsoft wants to make money out of driver developers, it should sell documentation or compilers. Libraries and header files should be given away for free (as they currently are). I can’t emphasize this enough: trying to make money out of everything can be very counterproductive.

4) Lower the prices! Microsoft can’t be offering an operating system which can’t be virtualized and doesn’t have Aero for 250 euros (367 USD) (retail edition price). To have these luxuries you have to pay at least 300 euros (440 USD).

5) .NET is a great thing, no doubt about it. But it will never totally replace native C/C++ programs. So, PLEASE, keep the MSDN up to date, fix the broken links and enrich the contents! I’m a huge fan of the .NET technology, but it’s just a fact that developers love C/C++ (not that managed C++ thing) and they’ll never give up developing with it. And that’s right, because .NET can’t be a replacement for everything (and never will be). I’m sure the community would really appreciate this point.

6) Microsoft’s strength on the market is given by its kernel, by its libraries and, last but not least, by its hardware support. If there were a freeware (or sold at, let’s say, ten bucks) open source system with an NT-like kernel (NTFS support included) and with the same hardware support, it could run a modified WINE (like ReactOS) to support Win32; and that would be part of the end of Microsoft’s dominance, since most of the users would migrate to it (and even most of Microsoft’s products would run on it). Thus, Microsoft shouldn’t push too hard with Windows prices, because all the Aeros, UACs, Defenders and BitLockers can’t compete with a free/cheap system.

7) Microsoft is running too fast. Many directions are right, but developers won’t follow blindly. What’s with Win32? It’s old, ok, but does Microsoft really think that .NET and WinFX will completely replace it? If Microsoft thinks that the future is going to be something like “kernel in C/C++ and all GUI applications in .NET (WPF, Forms, WinFX etc.)”, then it’s betting wrong. Ok, the native C++ code could be contained in external dlls, but even that won’t happen. I learned C# pretty early in my life, but even I would never give up writing native code, so it’s impossible to expect that from people who are much older than me. Maybe in 30 years if Microsoft maintains its leadership…
Also, why should a new Windows edition come out every X years? An edition should come out when it’s ready, not when it’s supposed to, and Vista wasn’t ready to come out (let’s think about all the things which were cut out of that version because of time issues). But I don’t expect this to happen: marketing rules.

8) Just abandon the DRM “technology”. DRM is just wrong and lame. Windows is becoming more and more a closed box where nobody can look inside or change something. Degrading / preventing audio/video output on purpose is, again, unprofessional. I call this sort of thing “dirty programming”. These kinds of checks in the code are just garbage which pollutes the beauty of the code itself. Every piece of software is, in my opinion, a piece of art. Dirty programming is like writing the market price with a black marker over one of Monet’s pictures.

9) Offer a way to permanently disable PatchGuard. This isn’t, of course, something for common users, but for experts who need total control of their systems. Again, this point is about Microsoft’s credibility in the eyes of the developer community. Trying to prevent developers and reversers from messing with the system is not good, because experts lose interest in a closed box which cannot be played with. If Symantec is allowed to modify the kernel, then there’s no excuse for preventing others from doing the same. It’s just unfair and in this case lame (Symantec: bleah!).

10) XP was a very good operating system. I’m still running XP SP2 on my laptop and it works perfectly. There’s got to be a reason if XP support was extended to the year 2014, whereas Vista support ends in 2012. Ok, they might change their mind and extend Vista’s support, but the fact remains. So, don’t ruin XP through updates with Vista-like features.

11) Ok, the UAC is necessary, but limit the dialog boxes which annoy the user to important things only. Create a light version of the UAC which allows modifying system objects which aren’t critical for the system (at least not for the common user). Need an example? Changing the system time/date is not critical for most people! Make it possible to run some Microsoft applications like regedit or the administrative tools without the UAC confirmation dialog. How? There are plenty of ways, like signing those applications with a special Microsoft signature. I’m not saying to throw away the existing UAC, just create an alternative!

I don’t think Microsoft will ever follow one of these points, but who knows…

As for me, it’s not like I discovered Vista yesterday. In fact, I was one of the first users of Vista x64 and one of the first developers who wrote an article about it. Not that this matters, I just want to say that these points are the result of more than a year of having Vista x64 running on two of my computers. I hope this article won’t create a big controversy, it’s just my point of view. I also might have left something out, since I wrote this article in no more than two hours late at night.