2006-11-01
Abstract
'My feeling is that we are unlikely to see an open source replacement for SoftICE any time soon.' Aleksander Czarnowski, Avet.
Copyright © 2006 Virus Bulletin
When I first entered the infosecurity field I was of the misguided opinion that IT security problems could be solved technically through the application of great concepts and advanced code. However, I soon realized that I was (at least partly) wrong – security-related problems can't be solved with technology alone. Security issues are complex sociological problems.
As time has moved on I have shifted my concept to a higher level: I believe that IT security issues are not only sociological problems, but also economic ones.
Recently, I read a very detailed paper about one particular RPC vulnerability. The author of the paper must have put at least 50 hours of work into writing the paper – but the main facts contained in the paper could easily have been obtained within 30 minutes using a freely available debugging tool such as SoftICE, and an analysis of the vulnerability could have been written up within another 30 minutes.
Unfortunately however, that very tool, SoftICE, has officially reached the end of its life: its manufacturer, Compuware, announced earlier this year that it will not be developing it any further.
While open source enthusiasts (especially LAMP experts) will be quick to reassure us that an offspring project is likely to start up soon – and that we will have a free, open source replacement for SoftICE within a year or two – I don't believe this will be the case. Developing any kernel debugger is not an easy task, not least one that measures up to SoftICE's capabilities. Keep in mind that SoftICE is capable of single machine debugging – a feature that has only recently been added to the Microsoft WinDBG debugger. Not even the newest version of WinDBG with the /DEBUG option enabled in boot.ini can compete with SoftICE.
Relatively few programmers are interested in writing debuggers – especially in comparison with the number of application programmers. That number decreases still further if we consider kernel debuggers and the length of time and level of knowledge required to accomplish such a task. Testing a kernel debugger can be a very painful and time-consuming process. My feeling is that we are unlikely to see an open source replacement for SoftICE any time soon.
In fact, the best debuggers for Windows are freeware. OllyDBG is a great example. While Microsoft's WinDBG is free, it is very hard to use. DataRescue's IDA Pro also has an application-level debugger, but almost every IDA user I know uses it for its disassembly and code analysis capabilities, not for its debugger.
So it seems that there is no commercial place for standalone debuggers in today's market. What does this mean for security? With the demise of publicly available tools such as SoftICE certain areas of research will become more difficult and time-consuming, and consequently they may suffer as they will only receive attention if companies have the interest, time and/or money to dedicate to them. (It is interesting to note that, where research is concerned, the size of company has little to do with the quality and amount of research done. Companies like Immunity Security, GLEG and Argeniss are small companies, yet their work is usually outstanding.)
Some might say that it is a great pity that such a useful and readily available tool as SoftICE has been discontinued. Yet, you will find at least ten products designed for application security which incorporate debugging capabilities. These may be very specialized, but underneath they all use the same debugging API. So, although standalone application debuggers have died out, they have taken on a new life in the form of vulnerability research tools aimed at software houses.
I think this is a great example of how the economy can influence information security.