No, You Really Can't (Mary Ann Davidson Blog)
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
Archived 11 Aug 2015: https://web.archive.org/web/20150811052336/https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t

No, You Really Can't
By User701213-Oracle on Aug 10, 2015

I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom de plume Maddi Davidson. Recently, we've been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

Writing mysteries is a lot more fun than the other type of writing I've been doing. Recently, I have seen a largeish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with "please comply with your license agreement and stop reverse engineering our code, already."

I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, are on a supported product release, and use tools to ensure configurations are locked down: in short, the usual security hygiene before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that "the Big Bad Advanced Persistent Threat using a zero day is out to get me!" Whether you are running your own IT shop or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products (and there is so much more to assurance than running a scanning tool), there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals (or "good code" seals) like Common Criteria certifications or FIPS 140 certifications. Most vendors (at least, most of the largeish ones I know) have fairly robust assurance programs now (we know this because we all compare notes at conferences). That's all well and good, is appropriate customer due diligence and stops well short of "hey, I think I will do the vendor's job for him/her/it and look for problems in source code myself," even though:

- A customer can't analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
- A customer can't produce a patch for the problem; only the vendor can do that
- A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)

I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don't just accept scan reports as proof that there is a there, there, in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming... FUD. (That is what I planned on saying all along: FUD.) This is why we require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, "static analysis of Oracle XXXXXX"), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's-behalf, reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..." which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don't want more rounds of "you broke the license agreement," "no, we didn't," "yes, you did," "no, we didn't." I'd rather spend my time, and my team's time, working on helping development improve our code than argue with people about where the license agreement lines are.

Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement. More like, "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can (unlike a third party or a tool) actually analyze the code to determine what's happening, and at any rate most of these tools have a close to 100% false positive rate, so please do not waste our time on reporting little green men in our code." I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually time-wasting exercise.

For this reason, I want to explain what Oracle's purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain where the line is you can't cross or you will get a strongly worded letter from us. Caveat: I am not a lawyer, even if I can use words like "stare decisis" in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!

With that in mind, a few FAQ-ish explanations:

Q. What is reverse engineering?

A. Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code as written. That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren't allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn't an "out" for "unless you are looking for security vulnerabilities, in which case, no problemo, mon!"

If you are trying to get the code in a different form from the way we shipped it to you (as in, the way we wrote it before we did something to it to get it in the form you are executing), you are probably reverse engineering. Don't. Just don't.

Q. What is Oracle's policy in regards to the submission of security vulnerabilities (found by tools or not)?

A. We require customers to open a service request (one per vulnerability) and provide a test case to verify that the alleged vulnerability is exploitable. The purpose of this policy is to try to weed out the very large number of inaccurate findings by security tools (false positives).

Q. Why are you going after consultants the customer hired? The consultant didn't sign the license agreement!

A. The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer's signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) "Nanny, nanny boo boo, big bad consultant can do X even if the customer can't!"

Q. What does Oracle do if there is an actual security vulnerability?

A. I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren't going to ignore a real problem; that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can't really expect us to say "thank you for breaking the license agreement."

Q. But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?
A. Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not "how can we cleverly prevent customers from finding security vulnerabilities (bwahahahaha) so we never have to fix them (bwahahahaha)." Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well-served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to do what they do. An ounce of discussion is worth a pound of "no we didn't," "yes you did," "didn't," "did" arguments.*

Q. But I hired a really cool code consultant/third party code scanner/whatever. Why won't mean old Oracle accept my scan results and analyze all 400 pages of the scan report?

A. Hoo boy. I think I have repeated this so much it should be a song chorus in a really annoying hip hop piece, but here goes: Oracle runs static analysis tools ourselves (heck, we make them), many of these goldurn tools are ridiculously inaccurate (sometimes the false positive rate is 100% or close to it), running a tool is nothing, the ability to analyze results is everything, and so on and so forth. We put the burden on customers or their consultants to prove there is a There, There because otherwise, we waste a boatload of time analyzing nothing** when we could be spending those resources, say, fixing actual security vulnerabilities.

Q. But one of the issues I found was an actual security vulnerability, so that justifies reverse engineering, right?

A. Sigh. At the risk of being repetitive, no, it doesn't, just like you can't break into a house because someone left a window or door unlocked. I'd like to tell you that we run every tool ever developed against every line of code we ever wrote, but that's not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability finding tools, we've had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of the Oracle Software Security Assurance program. We beat up, I mean, require development teams to use tools because it is very much in our interests (and customers' interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don't claim to find everything. That fact still doesn't justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which frankly hardly any third party will be able to do, another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.

Q. Hey, I've got an idea, why not do a bug bounty? Pay third parties to find this stuff!

A. <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us, except we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is whack-a-code-mole) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those "full immersion baptism" or "sprinkle water over the forehead" issues: we will allow for different religious traditions and do it OUR way and others can do it THEIR way. Pax vobiscum.

Q. If you don't let customers reverse engineer code, they won't buy anything else from you.

A. I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they'd have to sign a license agreement! With the same terms that the customer had already admitted violating. "Honey, if you won't let me cheat on you again, our marriage is through." "Ah, er, you already violated the 'forsaking all others' part of the marriage vow so I think the marriage is already over."

The better discussion to have with a customer (and I always offer this) is for us to explain what we do to build assurance into our products, including how we use vulnerability finding tools. I want customers to have confidence in our products and services, not just drop a letter on them.

Q. Surely the bad guys and some nations do reverse engineer Oracle's code and don't care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?

A. Oracle's license agreement exists to protect our intellectual property. "Good motives" (and given the errata of third party attempts to scan code, the quotation marks are quite apropos) are not an acceptable excuse for violating an agreement willingly entered into. Any more than "but everybody else is cheating on his or her spouse" is an acceptable excuse for violating "forsaking all others" if you said it in front of witnesses.

At this point, I think I am beating a dead (or should I say, decompiled) horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it's actually our job to do that, we don't need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don't go there.

* I suspect at least part of the anger of customers in these back-and-forth discussions is because the customer had already paid a security consultant to do the work. They are angry with us for having been sold a bill of goods by their consultant (where the consultant broke the license agreement).

** The only analogy I can come up with is my bookshelf. Someone convinced that I had a prurient interest in pornography could look at the titles on my bookshelf, conclude they are salacious, and demand an explanation from me as to why I have a collection of steamy books. For example (these are all real titles on my shelf):

1. Thunder Below! (whoo boy, must be hot stuff!)
2. Naked Economics (nude Keynesians!)***
3. Inferno (even hotter stuff!)
4. At Dawn We Slept (you must be exhausted from your, ah, nighttime activities)

My response is that I don't have to explain my book tastes or respond to baseless FUD. (If anybody is interested, the actual book subjects are, in order, 1) the exploits of WWII submarine skipper and Congressional Medal of Honor recipient CAPT Eugene Fluckey, USN, 2) a book on economics, 3) a book about the European theater in WWII, and 4) the definitive work concerning the attack on Pearl Harbor.)

*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although dodos and true believers in Keynesian multipliers are interchangeable terms as far as I am concerned.

**** I might be exaggerating here. But maybe not.

Category: Oracle