8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

Oracle

BlogsHome
Products&Services
Downloads
Support
Partners
Communities
About
Login
OracleBlog
MaryAnnDavidsonBlog

IsYourShellshocked...|Main

No,YouReallyCant
ByUser701213OracleonAug10,2015

Ihavebeendoingalotofwritingrecently.Someofmywritinghasbeenwithmysister,withwhomIwritemurdermysteriesusingthe
nomdeplumeMaddiDavidson.Recently,wevebeenworkingonshortstories,developingalotoffunnewideasfordispatchingpeople
(literarilyspeaking,thoughIthinkaboutpracticalapplicationsoccasionallywhensomeonetailgatesme).

WritingmysteriesisalotmorefunthantheothertypeofwritingIvebeendoing.Recently,Ihaveseenalargeishuptickincustomers
reverseengineeringourcodetoattempttofindsecurityvulnerabilitiesinit.<Insertbigsighhere.>ThisiswhyIvebeenwritingalotof
letterstocustomersthatstartwithhi,howzit,alohabutendwithpleasecomplywithyourlicenseagreementandstopreverseengineering
ourcode,already.

https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

1/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

Icanunderstandthatinaworldwhereitseemsalmosteverydaysomeoneelsehadadatabreachandlostumpteengazillionrecordsto
unnamedintruderswhomayhavebeenworkingatthebehestofahostilenationstate,peoplewanttogotheextramiletosecuretheir
systems.Thatsaid,youwouldthinkthatbeforegearinguptorunthatextramile,customerswouldalreadyhaveensuredtheyveidentified
theircriticalsystems,encryptedsensitivedata,appliedallrelevantpatches,beonasupportedproductrelease,usetoolstoensure
configurationsarelockeddowninshort,theusualsecurityhygienebeforetheyattempttofindzerodayvulnerabilitiesintheproducts
theyareusing.Andinfact,therearealotofdatabreachesthatwouldbepreventedbydoingallthatstuff,asunsexyasitis,insteadof
hyperventilatingthattheBigBadAdvancedPersistentThreatusingazerodayisouttogetme!WhetheryouarerunningyourownITshow
oracloudproviderisrunningitforyou,thereareahostofgoodsecuritypracticesthatarewellworthdoing.

Evenifyouwanttohavereasonablecertaintythatsupplierstakereasonablecareinhowtheybuildtheirproductsandthereissomuch
moretoassurancethanrunningascanningtooltherearealotofthingsacustomercandolike,gosh,actuallytalkingtosuppliersabout
theirassuranceprogramsorcheckingcertificationsforproductsforwhichthereareGoodHousekeepingsealsfor(orgoodcodeseals)like
CommonCriteriacertificationsorFIPS140certifications.Mostvendorsatleast,mostofthelargeishonesIknowhavefairlyrobust
assuranceprogramsnow(weknowthisbecauseweallcomparenotesatconferences).Thatsallwellandgood,isappropriatecustomerdue
diligenceandstopswellshortofhey,IthinkIwilldothevendorsjobforhim/her/itandlookforproblemsinsourcecodemyself,even
though:

Acustomercantanalyzethecodetoseewhetherthereisacontrolthatpreventstheattackthescanningtoolisscreamingabout
(whichismostlikelyafalsepositive)
Acustomercantproduceapatchfortheproblemonlythevendorcandothat
Acustomerisalmostcertainlyviolatingthelicenseagreementbyusingatoolthatdoesstaticanalysis(whichoperatesagainstsource
code)

IshouldstateattheoutsetthatinsomecasesIthinkthecustomersdoingreverseengineeringarenotalwaysawareofwhatishappening
becausetheactualworkisbeingdonebyaconsultant,whorunsatoolthatreverseengineersthecode,getsabigfatprintout,dropsitonthe
customer,whothensendsittous.Now,Ishouldnotethatwedontjustacceptscanreportsasproofthatthereisathere,there,inpart
becausewhetheryouaretalkingstaticordynamicanalysis,ascanreportisnotproofofanactualvulnerability.Often,theyarenotmuch
morethanapileofsteamingFUD.(ThatiswhatIplannedonsayingallalong:FUD.)Thisiswhywerequirecustomerstologaservice
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

2/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

requestforeachallegedissue(notjusthandusareport)andprovideaproofofconcept(whichsometoolscangenerate).

Ifwedetermineaspartofouranalysisthatscanresultscouldonlyhavecomefromreverseengineering(inatleastonecase,becausethe
reportsaid,cleverlyenough,staticanalysisofOracleXXXXXX),wesendalettertothesinningcustomer,andadifferentlettertothe
sinningconsultantactingoncustomersbehalfremindingthemofthetermsoftheOraclelicenseagreementthatprecludereverse
engineering,SoPleaseStopItAlready.(Inlegalese,ofcourse.TheOraclelicenseagreementhasaprovisionsuchas:"Customermaynot
reverseengineer,disassemble,decompile,orotherwiseattempttoderivethesourcecodeofthePrograms..."whichwequoteinourmissive
tothecustomer.)Oh,andwerequirecustomers/consultantstodestroytheresultsofsuchreverseengineeringandconfirmtheyhavedoneso.

WhyamIbringingthisup?Themainreasonisthat,whenIseeaspikeinX,Itrytogetaheadofit.Idontwantmoreroundsofyoubroke
thelicenseagreement,no,wedidnt,yes,youdid,no,wedidnt.Idratherspendmytime,andmyteamstime,workingonhelping
developmentimproveourcodethanarguewithpeopleaboutwherethelicenseagreementlinesare.

NowisagoodtimetoreiteratethatImnotbeatingpeopleupoverthismerelybecauseofthelicenseagreement.Morelike,Idonotneed
youtoanalyzethecodesincewealreadydothat,itsourjobtodothat,weareprettygoodatit,wecanunlikeathirdpartyoratool
actuallyanalyzethecodetodeterminewhatshappeningandatanyratemostofthesetoolshaveacloseto100%falsepositiverateso
pleasedonotwasteourtimeonreportinglittlegreenmeninourcode.Iamnotrunningawayfromourresponsibilitiestocustomers,
merelytryingtoavoidapainful,annoying,andmutuallytimewastingexercise.

Forthisreason,IwanttoexplainwhatOraclespurposeisinenforcingourlicenseagreement(asitpertainstoreverseengineering)and,ina
reasonablypreciseyethandwavyway,explainwherethelineisyoucantcrossoryouwillgetastronglywordedletterfromus.Caveat:
Iamnotalawyer,evenifIcanusewordslikestaredecisisinrandomconversations.(Exceptwithmydog,becauseheonlyunderstands
Hawaiian,notLatin.)Ergo,whenindoubt,refertoyourOraclelicenseagreement,whichtrumpsanythingIsayherein!

Withthatinmind,afewFAQishexplanations:

Q.Whatisreverseengineering?
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

3/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

A.Generally,ourcodeisshippedincompiled(executable)form(yes,Iknowthatsomecodeisinterpreted).Customersgetcodethatruns,
notthecodeaswritten.Thatisformultiplereasonssuchasusersgenerallyonlyneedtoruncode,notunderstandhowitallgetsput
together,andthefactthatoursourcecodeishighlyvaluableintellectualproperty(whichiswhywehavealotofrestrictionsonwho
accessesitandprotectionsaroundit).TheOraclelicenseagreementlimitswhatyoucandowiththeasshippedcodeandthatlimitation
includesthefactthatyouarentallowedtodecompile,disassemble,deobfuscateorotherwisetrytogetsourcecodebackfromexecutable
code.Thereareafewcaveatsaroundthatprohibitionbutthereisntanoutforunlessyouarelookingforsecurityvulnerabilitiesinwhich
case,noproblemo,mon!

Ifyouaretryingtogetthecodeinadifferentformfromthewayweshippedittoyouasin,thewaywewroteitbeforewedidsomething
toittogetitintheformyouareexecuting,youareprobablyreverseengineering.Dont.Justdont.

Q.WhatisOraclespolicyinregardstothesubmissionofsecurityvulnerabilities(foundbytoolsornot)?

A.Werequirecustomerstoopenaservicerequest(onepervulnerability)andprovideatestcasetoverifythattheallegedvulnerabilityis
exploitable.Thepurposeofthispolicyistotrytoweedouttheverylargenumberofinaccuratefindingsbysecuritytools(falsepositives).

Q.Whyareyougoingafterconsultantsthecustomerhired?Theconsultantdidntsignthelicenseagreement!

A.ThecustomersignedtheOraclelicenseagreement,andtheconsultanthiredbythecustomeristhusboundbythecustomerssigned
licenseagreement.Otherwiseeveryonewouldhireaconsultanttosay(legaltermsfollow)Nanny,nannybooboo,bigbadconsultantcan
doXevenifthecustomercant!

Q.WhatdoesOracledoifthereisanactualsecurityvulnerability?

https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

4/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

A.IalmosthatetoanswerthisquestionbecauseIwanttoreiteratethatcustomersShouldNotandMustNotreverseengineerourcode.
However,ifthereisanactualsecurityvulnerability,wewillfixit.Wemaynotlikehowitwasfoundbutwearentgoingtoignoreareal
problemthatwouldbeadisservicetoourcustomers.Wewill,however,fixittoprotectallourcustomers,meaningeverybodywillgetthe
fixatthesametime.However,wewillnotgiveacustomerreportingsuchanissue(thattheyfoundthroughreverseengineering)aspecial
(oneoff)patchfortheproblem.Wewillalsonotprovidecreditinanyadvisorieswemightissue.Youcantreallyexpectustosaythank
youforbreakingthelicenseagreement.

Q.Butthetoolsthatdecompileproductsaregettingbetterandeasiertouse,soreverseengineeringwillbeOKinthefuture,right?

A.Ah,no.Thepointofourprohibitionagainstreverseengineeringisintellectualpropertyprotection,nothowcanwecleverlyprevent
customersfromfindingsecurityvulnerabilitiesbwahahahahasoweneverhavetofixthembwahahahaha.Customersarewelcometo
usetoolsthatoperateonexecutablecodebutthatdonotreverseengineercode.Tothatpoint,customersusingathirdpartytoolorservice
offeringwouldbewellservedbyaskingquestionsofthetool(ortoolservice)providerastoa)howtheirtoolworksandb)whetherthey
performreverseengineeringtodowhattheydo.Anounceofdiscussionisworthapoundofnowedidnt,yesyoudid,didnt,
didarguments.*

Q.ButIhiredareallycoolcodeconsultant/thirdpartycodescanner/whatever.WhywontmeanoldOracleacceptmyscanresultsand
analyzeall400pagesofthescanreport?

A.Hooboy.IthinkIhaverepeatedthissomuchitshouldbeasongchorusinareallyannoyinghiphoppiecebutheregoes:Oracleruns
staticanalysistoolsourselves(heck,wemakethem),manyofthesegoldurntoolsareridiculouslyinaccurate(sometimesthefalsepositive
rateis100%orclosetoit),runningatoolisnothing,theabilitytoanalyzeresultsiseverything,andsoonandsoforth.Weputtheburden
oncustomersortheirconsultantstoprovethereisaThere,Therebecauseotherwise,wewasteaboatloadoftimeanalyzingnothing**
whenwe
couldbespendingthoseresources,say,fixingactualsecurityvulnerabilities.

Q.ButoneoftheissuesIfoundwasanactualsecurityvulnerabilitysothatjustifiesreverseengineering,right?

https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

5/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

A.Sigh.Attheriskofbeingrepetitive,no,itdoesnt,justlikeyoucantbreakintoahousebecausesomeoneleftawindowordoor
unlocked.Idliketotellyouthatweruneverytooleverdevelopedagainsteverylineofcodeweeverwrote,butthatsnottrue.Wedo
requiredevelopmentteams(onpremises,cloudandinternaldevelopmentorganizations)tousesecurityvulnerabilityfindingtools,weve
hadasignificantuptickintoolsusageoverthelastfewyears(ourmetricsshowthis)andwedotracktoolsusageaspartofOracleSoftware
SecurityAssuranceprogram.WebeatupImean,requiredevelopmentteamstousetoolsbecauseitisverymuchinourinterests(and
customersinterests)tofindandfixproblemsearlierratherthanlater.

Thatsaid,notoolfindseverything.Notwotoolsfindeverything.Wedontclaimtofindeverything.Thatfactstilldoesntjustifya
customerreverseengineeringourcodetoattempttofindvulnerabilities,especiallywhenthekeytowhetherasuspectedvulnerabilityisan
actualvulnerabilityisthecapabilitytoanalyzetheactualsourcecode,whichfranklyhardlyanythirdpartywillbeabletodo,another
reasonnottoacceptrandomscanreportsthatresultedfromreverseengineeringatfacevalue,asifweneededone.

Q.Hey,Ivegotanidea,whynotdoabugbounty?Paythirdpartiestofindthisstuff!

A.<Biggersigh.>Bugbountiesarethenewboyband(nicelyalliterative,no?)Manycompaniesarescreaming,fainting,andthrowing
underwearatsecurityresearchers****tofindproblemsintheircodeandinsistingthatThisIsTheWay,WalkInIt:ifyouarenotdoingbug
bounties,yourcodeisntsecure.Ah,well,wefind87%ofsecurityvulnerabilitiesourselves,securityresearchersfindabout3%andtherest
arefoundbycustomers.(Smalldigression:IwasbustingmybuttonstodaywhenIfoundoutthatawellknownsecurityresearcherina
particularareaoftechnologyreportedabunchofallegedsecurityissuestousexceptwehadalreadyfoundallofthemandwewere
alreadyworkingonorhadfixes.Woohoo!)

Iamnotdissingbugbounties,justnotingthatonastrictlyeconomicbasis,whywouldIthrowalotofmoneyat3%oftheproblem(and
withoutlearninglessonsfromwhatyoufind,itreallyiswhackacodemole)whenIcouldspendthatmoneyonbetterpreventionlike,oh,
hiringanotheremployeetodoethicalhacking,whocoulddevelopareallygoodtoolweusetoautomatefindingcertaintypesofissues,and
soon.Thisisoneofthosefullimmersionbaptismorsprinklewaterovertheforeheadissueswewillallowfordifferentreligious
traditionsanddoitOURwayandotherscandoitTHEIRway.Paxvobiscum.

Q.Ifyoudontletcustomersreverseengineercode,theywontbuyanythingelsefromyou.
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

6/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

A.Iactuallyheardthisfromacustomer.Itwasironicbecauseinorderforthemtobuymoreproductsfromus(oruseacloudservice
offering),theydhavetosignalicenseagreement!Withthesametermsthatthecustomerhadalreadyadmittedviolating.Honey,ifyou
wontletmecheatonyouagain,ourmarriageisthrough.Ah,er,youalreadyviolatedtheforsakingallotherspartofthemarriagevow
soIthinkthemarriageisalreadyover.

ThebetterdiscussiontohavewithacustomerandIalwaysofferthisisforustoexplainwhatwedotobuildassuranceintoour
products,includinghowweusevulnerabilityfindingtools.Iwantcustomerstohaveconfidenceinourproductsandservices,notjustdropa
letteronthem.

Q.SurelythebadguysandsomenationsdoreverseengineerOraclescodeanddontcareaboutyourlicensingagreement,sowhywould
youtrytorestrictthebehaviorofcustomerswithgoodmotives?

A.Oracleslicenseagreementexiststoprotectourintellectualproperty.Goodmotivesandgiventheerrataofthirdpartyattemptsto
scancodethequotationmarksarequiteaproposarenotanacceptableexcuseforviolatinganagreementwillinglyenteredinto.Anymore
thanbuteverybodyelseischeatingonhisorherspouseisanacceptableexcuseforviolatingforsakingallothersifyousaiditinfront
ofwitnesses.

Atthispoint,IthinkIambeatingadeadorshouldIsay,decompiledhorse.Weaskthatcustomersnotreverseengineerourcodetofind
suspectedsecurityissues:wehavesourcecode,weruntoolsagainstthesourcecode(aswellasagainstexecutablecode),itsactuallyour
jobtodothat,wedontneedorwantacustomerorrandomthirdpartytoreverseengineerourcodetofindsecurityvulnerabilities.Andlast,
butreallyfirst,theOraclelicenseagreementprohibitsit.Pleasedontgothere.

*Isuspectatleastpartoftheangerofcustomersinthesebackandforthdiscussionsisbecausethecustomerhadalreadypaidasecurity
consultanttodothework.Theyareangrywithusforhavingbeensoldabillofgoodsbytheirconsultant(wheretheconsultantbrokethe
licenseagreement).
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

7/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

**TheonlyanalogyIcancomeupwithismybookshelf.SomeoneconvincedthatIhadaprurientinterestinpornographycouldlookat
thetitlesonmybookshelf,concludetheyaresalacious,anddemandanexplanationfrommeastowhyIhaveacollectionofsteamybooks.
Forexample(theseareallrealtitlesonmyshelf):

1. ThunderBelow!(whooboy,mustbehotstuff!)
2. NakedEconomics(nudeKeynesians!)***
3. Inferno(evenhotterstuff!)
4. AtDawnWeSlept(youmustbeexhaustedfromyour,ah,nighttimeactivities)

MyresponseisthatIdonthavetoexplainmybooktastesorrespondtobaselessFUD.(Ifanybodyisinterested,theactualbooksubjects
are,inorder,1)theexploitsofWWIIsubmarineskipperandCongressionalMedalofHonorrecipientCAPTEugeneFluckey,USN2)a
bookoneconomics3)abookabouttheEuropeantheaterinWWIIand4)thedefinitiveworkconcerningtheattackonPearlHarbor.)

***Absolutelynot,IloatheKeynes.TherearemoreextantdodosthanactualKeynesianmultipliers.Althoughdodosandtruebelievers
inKeynesianmultipliersareinterchangeabletermsasfarasIamconcerned.

**** I might be exaggeratinghere.Butmaybenot.

Category:Oracle
Tags:none
Permanentlinktothisentry
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

8/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

IsYourShellshocked...|Main
Comments:
PostaComment:
Name: guest
EMail:
URL:
Notifymebyemailofnewcomments
RememberInformation?

YourComment:
HTMLSyntax:NOTallowed
Pleaseanswerthissimplemathquestion
9+50=
Preview

Post

About

bocadmin_ww
Search

Entersearchterm:

Searchonlythisblog

https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

9/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

RecentPosts

No,YouReallyCant
IsYourShellshockedPoodleFreakedOverHeartbleed?
TheFourPsofStandards/ProcurementRequirements/Whatevahs
MandatedThirdPartyStaticAnalysis:BadPublicPolicy,BadSecurity
ILoveStandardsThereAreSoManyOfThem
PutUporShutUp
SummerPotpourri
PainComesInstantly
ThoseWhoCantDo,Audit
TheBucketList
TopTags

davidson
maddi
nist
nistir7622
pci
Categories

Oracle
Archives

August2015
Sun Mon Tue Wed Thu Fri Sat

1
2 3
4 5
6 7 8
9 10 11 12 13 14 15
16 17 18 19 20 21 22
23 24 25 26 27 28 29
30 31

https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

10/11

8/11/2015

No, You Really Cant (Mary Ann Davidson Blog)

Today
Menu

BlogsHome
Weblog
Login
Feeds

RSS
All
/Oracle
Comments
Atom
All
/Oracle
Comments
TheviewsexpressedonthisblogarethoseoftheauthoranddonotnecessarilyreflecttheviewsofOracle.TermsofUse|YourPrivacy
Rights|CookiePreferences

https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

11/11