No, You Really Can't
By User701213-Oracle on Aug 10, 2015
I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom de plume Maddi Davidson. Recently, we've been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

Writing mysteries is a lot more fun than the other type of writing I've been doing. Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with "please comply with your license agreement and stop reverse engineering our code, already."
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
8/11/2015
I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, gotten on a supported product release, and used tools to ensure configurations are locked down (in short, the usual security hygiene) before they attempt to find zero-day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that "the Big Bad Advanced Persistent Threat using a zero day is out to get me!" Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products (and there is so much more to assurance than running a scanning tool), there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals (or "good code" seals) like Common Criteria certifications or FIPS 140 certifications. Most vendors (at least, most of the large-ish ones I know) have fairly robust assurance programs now (we know this because we all compare notes at conferences). That's all well and good, is appropriate customer due diligence, and stops well short of "hey, I think I will do the vendor's job for him/her/it and look for problems in source code myself," even though:

- A customer can't analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
- A customer can't produce a patch for the problem; only the vendor can do that
- A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don't just accept scan reports as proof that there is a "there, there," in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming FUD. (That is what I planned on saying all along: FUD.) This is why we require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).
If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, "static analysis of Oracle XXXXXX"), we send a letter to the sinning customer, and a different letter to the sinning consultant acting on the customer's behalf, reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..." which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.
Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don't want more rounds of "you broke the license agreement," "no, we didn't," "yes, you did," "no, we didn't." I'd rather spend my time, and my team's time, working on helping development improve our code than argue with people about where the license agreement lines are.
Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement. More like, "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can (unlike a third party or a tool) actually analyze the code to determine what's happening, and at any rate most of these tools have a close to 100% false positive rate, so please do not waste our time on reporting little green men in our code." I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually time-wasting exercise.
For this reason, I want to explain what Oracle's purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain where the line is you can't cross or you will get a strongly-worded letter from us. Caveat: I am not a lawyer, even if I can use words like stare decisis in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!
With that in mind, a few FAQ-ish explanations:

Q. What is reverse engineering?
A. Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code as written. That is for multiple reasons, such as: users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code, and that limitation includes the fact that you aren't allowed to decompile, disassemble, deobfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition, but there isn't an "out" for "unless you are looking for security vulnerabilities, in which case, no problemo, mon!"

If you are trying to get the code in a different form from the way we shipped it to you (as in, the way we wrote it before we did something to it to get it in the form you are executing), you are probably reverse engineering. Don't. Just don't.
Q. What is Oracle's policy in regards to the submission of security vulnerabilities (found by tools or not)?

A. We require customers to open a service request (one per vulnerability) and provide a test case to verify that the alleged vulnerability is exploitable. The purpose of this policy is to try to weed out the very large number of inaccurate findings by security tools (false positives).
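As an added illustration, not from the original post and not Oracle's own tooling, of two points made here: the earlier bullet that a scan finding cannot tell you whether a control elsewhere in the source prevents the attack, and the policy just above that a test case is what settles whether a finding is real. A constructed "scan report" names two functions a pattern-matching tool would flag identically; a triage routine then runs a test input through each and records what reaches the database layer. The allowlist in lookup_region is the kind of control a tool that only sees the binary (or only matches patterns) cannot account for. All function names, the report format and the sample query code are assumptions made for this example.

```python
"""Triage of static-analysis findings with a test case.

A scanner finding is a hypothesis; the test case decides. Constructed
example: two sample functions, a fake scan report, and a triage step.
"""

# Assumed control: only fixed region codes are accepted upstream of the sink.
ALLOWED_REGIONS = {"amer", "emea", "apac"}


class RecordingConnection:
    """Stand-in for a database connection; records the SQL it would run."""

    def __init__(self):
        self.executed = []

    def execute(self, sql):
        self.executed.append(sql)
        return []


def lookup_region(conn, region):
    """Flagged by a pattern scanner, but guarded: unknown codes never reach the sink."""
    if region not in ALLOWED_REGIONS:
        raise ValueError("unknown region")
    return conn.execute("SELECT total FROM sales WHERE region = '%s'" % region)


def lookup_customer(conn, name):
    """Flagged by the same rule, and actually unguarded: caller text is spliced in."""
    return conn.execute("SELECT id FROM customers WHERE name = '%s'" % name)


# Constructed scan report: a pattern-matching tool reports both functions
# with the same rule, because the execute() call looks identical in each.
SCAN_REPORT = [
    {"rule": "SQL built with string formatting", "function": "lookup_region"},
    {"rule": "SQL built with string formatting", "function": "lookup_customer"},
]

# Test input for the service request: text that would change the query's
# structure if it were spliced in unmodified.
TEST_INPUT = "x' OR 'a'='a"


def triage(report):
    """Return {function name: 'false positive' | 'confirmed'} for each finding.

    A finding is confirmed only if the test input reaches the executed SQL
    verbatim; a guard that rejects the input, or any transformation that
    keeps it out of the query, makes the finding a false positive.
    """
    verdicts = {}
    for finding in report:
        fn = globals()[finding["function"]]
        conn = RecordingConnection()
        try:
            fn(conn, TEST_INPUT)
        except ValueError:
            # The upstream control rejected the input before the sink.
            verdicts[finding["function"]] = "false positive"
            continue
        spliced = any(TEST_INPUT in sql for sql in conn.executed)
        verdicts[finding["function"]] = "confirmed" if spliced else "false positive"
    return verdicts


if __name__ == "__main__":
    for name, verdict in triage(SCAN_REPORT).items():
        print(f"{name}: {verdict}")
```

The point of the recording connection is that triage never needs a live database: the question is only whether the test input survives to the sink unchanged. Run stand-alone, the script reports lookup_region as a false positive and lookup_customer as confirmed, which is the distinction a report of the two identical findings cannot make on its own.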
Q. Why are you going after consultants the customer hired? The consultant didn't sign the license agreement!

A. The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer's signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) "Nanny, nanny boo boo, big bad consultant can do X even if the customer can't!"

Q. What does Oracle do if there is an actual security vulnerability?
A. I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found, but we aren't going to ignore a real problem; that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can't really expect us to say "thank you for breaking the license agreement."
Q. But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?

A. Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not "how can we cleverly prevent customers from finding security vulnerabilities (bwahahahaha) so we never have to fix them (bwahahahaha)." Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third-party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to do what they do. An ounce of discussion is worth a pound of "no we didn't," "yes you did," "didn't," "did" arguments.*
Q. But I hired a really cool code consultant/third-party code scanner/whatever. Why won't mean old Oracle accept my scan results and analyze all 400 pages of the scan report?

A. Hoo boy. I think I have repeated this so much it should be a song chorus in a really annoying hip hop piece, but here goes: Oracle runs static analysis tools ourselves (heck, we make them), many of these goldurn tools are ridiculously inaccurate (sometimes the false positive rate is 100% or close to it), running a tool is nothing, the ability to analyze results is everything, and so on and so forth. We put the burden on customers or their consultants to prove there is a There, There because otherwise, we waste a boatload of time analyzing nothing** when we could be spending those resources, say, fixing actual security vulnerabilities.

Q. But one of the issues I found was an actual security vulnerability, so that justifies reverse engineering, right?
A. Sigh. At the risk of being repetitive, no, it doesn't, just like you can't break into a house because someone left a window or door unlocked. I'd like to tell you that we run every tool ever developed against every line of code we ever wrote, but that's not true. We do require development teams (on-premises, cloud and internal development organizations) to use security vulnerability-finding tools, we've had a significant uptick in tools usage over the last few years (our metrics show this), and we do track tools usage as part of the Oracle Software Security Assurance program. We beat up... I mean, require development teams to use tools because it is very much in our interests (and customers' interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don't claim to find everything. That fact still doesn't justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which frankly hardly any third party will be able to do: another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.
Q. Hey, I've got an idea, why not do a bug bounty? Pay third parties to find this stuff!

A. <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?). Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3%, and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us, except we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is whack-a-code-mole) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those "full immersion baptism" or "sprinkle water over the forehead" issues: we will allow for different religious traditions and do it OUR way, and others can do it THEIR way. Pax vobiscum.

Q. If you don't let customers reverse engineer code, they won't buy anything else from you.
A. I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they'd have to sign a license agreement! With the same terms that the customer had already admitted violating. "Honey, if you won't let me cheat on you again, our marriage is through." "Ah, er, you already violated the 'forsaking all others' part of the marriage vow, so I think the marriage is already over."

The better discussion to have with a customer (and I always offer this) is for us to explain what we do to build assurance into our products, including how we use vulnerability-finding tools. I want customers to have confidence in our products and services, not just drop a letter on them.
Q. Surely the bad guys and some nations do reverse engineer Oracle's code and don't care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?

A. Oracle's license agreement exists to protect our intellectual property. "Good motives" (and given the errata of third-party attempts to scan code, the quotation marks are quite apropos) are not an acceptable excuse for violating an agreement willingly entered into. Any more than "but everybody else is cheating on his or her spouse" is an acceptable excuse for violating "forsaking all others" if you said it in front of witnesses.

At this point, I think I am beating a dead (or should I say, decompiled) horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it's actually our job to do that, and we don't need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don't go there.

* I suspect at least part of the anger of customers in these back-and-forth discussions is because the customer had already paid a security consultant to do the work. They are angry with us for having been sold a bill of goods by their consultant (where the consultant broke the license agreement).
** The only analogy I can come up with is my bookshelf. Someone convinced that I had a prurient interest in pornography could look at the titles on my bookshelf, conclude they are salacious, and demand an explanation from me as to why I have a collection of steamy books. For example (these are all real titles on my shelf):

1. Thunder Below! (whoo boy, must be hot stuff!)
2. Naked Economics (nude Keynesians!)***
3. Inferno (even hotter stuff!)
4. At Dawn We Slept (you must be exhausted from your, ah, nighttime activities)

My response is that I don't have to explain my book tastes or respond to baseless FUD. (If anybody is interested, the actual book subjects are, in order, 1) the exploits of WWII submarine skipper and Congressional Medal of Honor recipient CAPT Eugene Fluckey, USN, 2) a book on economics, 3) a book about the European theater in WWII, and 4) the definitive work concerning the attack on Pearl Harbor.)

*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although "dodos" and "true believers in Keynesian multipliers" are interchangeable terms as far as I am concerned.