No, You Really Can't (Mary Ann Davidson Blog)
https://blogs.oracle.com/maryanndavidson/entry/no_you_really_can_t
By User701213-Oracle on Aug 10, 2015
I have been doing a lot of writing recently. Some of my writing has been with my sister, with whom I write murder mysteries using the nom de plume Maddi Davidson. Recently, we've been working on short stories, developing a lot of fun new ideas for dispatching people (literarily speaking, though I think about practical applications occasionally when someone tailgates me).

Writing mysteries is a lot more fun than the other type of writing I've been doing. Recently, I have seen a largeish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. <Insert big sigh here.> This is why I've been writing a lot of letters to customers that start with "hi, howzit, aloha" but end with "please comply with your license agreement and stop reverse engineering our code, already."

I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems. That said, you would think that before gearing up to run that extra mile, customers would already have ensured they've identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down, in short, the usual security hygiene, before they attempt to find zero day vulnerabilities in the products they are using. And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero day is out to get me! Whether you are running your own IT shop or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.

Even if you want to have reasonable certainty that suppliers take reasonable care in how they build their products (and there is so much more to assurance than running a scanning tool), there are a lot of things a customer can do like, gosh, actually talking to suppliers about their assurance programs or checking certifications for products for which there are Good Housekeeping seals for (or good code seals) like Common Criteria certifications or FIPS 140 certifications. Most vendors
(at least, most of the largeish ones I know) have fairly robust assurance programs now (we know this because we all compare notes at conferences). That's all well and good, is appropriate customer due diligence and stops well short of "hey, I think I will do the vendor's job for him/her/it and look for problems in source code myself," even though:

- A customer can't analyze the code to see whether there is a control that prevents the attack the scanning tool is screaming about (which is most likely a false positive)
- A customer can't produce a patch for the problem; only the vendor can do that
- A customer is almost certainly violating the license agreement by using a tool that does static analysis (which operates against source code)
I should state at the outset that in some cases I think the customers doing reverse engineering are not always aware of what is happening because the actual work is being done by a consultant, who runs a tool that reverse engineers the code, gets a big fat printout, drops it on the customer, who then sends it to us. Now, I should note that we don't just accept scan reports as proof that there is a "there, there," in part because whether you are talking static or dynamic analysis, a scan report is not proof of an actual vulnerability. Often, they are not much more than a pile of steaming... FUD. (That is what I planned on saying all along: FUD.) This is why we require customers to log a service request for each alleged issue (not just hand us a report) and provide a proof of concept (which some tools can generate).

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, "static analysis of Oracle XXXXXX"), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's-behalf, reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..." which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

Why am I bringing this up? The main reason is that, when I see a spike in X, I try to get ahead of it. I don't want more rounds of "you broke the license agreement," "no, we didn't," "yes, you did," "no, we didn't." I'd rather spend my time, and my team's time, working on helping development improve our code than argue with people about where the license agreement lines are.

Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement. More like, "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can (unlike a third party or a tool) actually analyze the code to determine what's happening, and at any rate most of these tools have a close to 100% false positive rate, so please do not waste our time on reporting little green men in our code." I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually time-wasting exercise.

For this reason, I want to explain what Oracle's purpose is in enforcing our license agreement (as it pertains to reverse engineering) and, in a reasonably precise yet hand-wavy way, explain where the line is you can't cross or you will get a strongly worded letter from us. Caveat: I am not a lawyer, even if I can use words like stare decisis in random conversations. (Except with my dog, because he only understands Hawaiian, not Latin.) Ergo, when in doubt, refer to your Oracle license agreement, which trumps anything I say herein!
With that in mind, a few FAQ-ish explanations:

Q. What is reverse engineering?

A. Generally, our code is shipped in compiled (executable) form (yes, I know that some code is interpreted). Customers get code that runs, not the code as written. That is for multiple reasons such as users generally only need to run code, not understand how it all gets put together, and the fact that our source code is highly valuable intellectual property (which is why we have a lot of restrictions on who accesses it and protections around it). The Oracle license agreement limits what you can do with the as-shipped code and that limitation includes the fact that you aren't allowed to de-compile, dis-assemble, de-obfuscate or otherwise try to get source code back from executable code. There are a few caveats around that prohibition but there isn't an "out" for "unless you are looking for security vulnerabilities, in which case, no problemo, mon!"

If you are trying to get the code in a different form from the way we shipped it to you, as in "the way we wrote it before we did something to it to get it in the form you are executing," you are probably reverse engineering. Don't. Just don't.

Q. What is Oracle's policy in regards to the submission of security vulnerabilities (found by tools or not)?

A. We require customers to open a service request (one per vulnerability) and provide a test case to verify that the alleged vulnerability is exploitable. The purpose of this policy is to try to weed out the very large number of inaccurate findings by security tools (false positives).

Q. Why are you going after consultants the customer hired? The consultant didn't sign the license agreement!

A. The customer signed the Oracle license agreement, and the consultant hired by the customer is thus bound by the customer's signed license agreement. Otherwise everyone would hire a consultant to say (legal terms follow) "Nanny, nanny boo boo, big bad consultant can do X even if the customer can't!"

Q. What does Oracle do if there is an actual security vulnerability?

A. I almost hate to answer this question because I want to reiterate that customers Should Not and Must Not reverse engineer our code. However, if there is an actual security vulnerability, we will fix it. We may not like how it was found but we aren't going to ignore a real problem; that would be a disservice to our customers. We will, however, fix it to protect all our customers, meaning everybody will get the fix at the same time. However, we will not give a customer reporting such an issue (that they found through reverse engineering) a special (one-off) patch for the problem. We will also not provide credit in any advisories we might issue. You can't really expect us to say "thank you for breaking the license agreement."

Q. But the tools that decompile products are getting better and easier to use, so reverse engineering will be OK in the future, right?
A. Ah, no. The point of our prohibition against reverse engineering is intellectual property protection, not "how can we cleverly prevent customers from finding security vulnerabilities (bwahahahaha) so we never have to fix them (bwahahahaha)." Customers are welcome to use tools that operate on executable code but that do not reverse engineer code. To that point, customers using a third party tool or service offering would be well served by asking questions of the tool (or tool service) provider as to a) how their tool works and b) whether they perform reverse engineering to do what they do. An ounce of discussion is worth a pound of "no we didn't," "yes you did," "didn't," "did" arguments.*

Q. But I hired a really cool code consultant/third party code scanner/whatever. Why won't mean old Oracle accept my scan results and analyze all 400 pages of the scan report?

A. Hoo boy. I think I have repeated this so much it should be a song chorus in a really annoying hip hop piece but here goes: Oracle runs static analysis tools ourselves (heck, we make them), many of these goldurn tools are ridiculously inaccurate (sometimes the false positive rate is 100% or close to it), running a tool is nothing, the ability to analyze results is everything, and so on and so forth. We put the burden on customers or their consultants to prove there is a "There, There" because otherwise, we waste a boatload of time analyzing nothing** when we could be spending those resources, say, fixing actual security vulnerabilities.

Q. But one of the issues I found was an actual security vulnerability so that justifies reverse engineering, right?

A. Sigh. At the risk of being repetitive, no, it doesn't, just like you can't break into a house because someone left a window or door unlocked. I'd like to tell you that we run every tool ever developed against every line of code we ever wrote, but that's not true. We do require development teams (on premises, cloud and internal development organizations) to use security vulnerability finding tools, we've had a significant uptick in tools usage over the last few years (our metrics show this) and we do track tools usage as part of the Oracle Software Security Assurance program. We beat up, I mean, require development teams to use tools because it is very much in our interests (and customers' interests) to find and fix problems earlier rather than later.

That said, no tool finds everything. No two tools find everything. We don't claim to find everything. That fact still doesn't justify a customer reverse engineering our code to attempt to find vulnerabilities, especially when the key to whether a suspected vulnerability is an actual vulnerability is the capability to analyze the actual source code, which frankly hardly any third party will be able to do, another reason not to accept random scan reports that resulted from reverse engineering at face value, as if we needed one.

Q. Hey, I've got an idea, why not do a bug bounty? Pay third parties to find this stuff!

A. <Bigger sigh.> Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us, except we had already found all of them and we were already working on or had fixes. Woo hoo!)

I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the
problem (and without learning lessons from what you find, it really is whack-a-code-mole) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those "full immersion baptism" or "sprinkle water over the forehead" issues: we will allow for different religious traditions and do it OUR way and others can do it THEIR way. Pax vobiscum.

Q. If you don't let customers reverse engineer code, they won't buy anything else from you.

A. I actually heard this from a customer. It was ironic because in order for them to buy more products from us (or use a cloud service offering), they'd have to sign a license agreement! With the same terms that the customer had already admitted violating. "Honey, if you won't let me cheat on you again, our marriage is through." "Ah, er, you already violated the 'forsaking all others' part of the marriage vow, so I think the marriage is already over."

The better discussion to have with a customer (and I always offer this) is for us to explain what we do to build assurance into our products, including how we use vulnerability finding tools. I want customers to have confidence in our products and services, not just drop a letter on them.

Q. Surely the bad guys and some nations do reverse engineer Oracle's code and don't care about your licensing agreement, so why would you try to restrict the behavior of customers with good motives?

A. Oracle's license agreement exists to protect our intellectual property. "Good motives" (and given the errata of third party attempts to scan code, the quotation marks are quite apropos) are not an acceptable excuse for violating an agreement willingly entered into. Any more than "but everybody else is cheating on his or her spouse" is an acceptable excuse for violating "forsaking all others" if you said it in front of witnesses.

At this point, I think I am beating a dead, or should I say, decompiled, horse. We ask that customers not reverse engineer our code to find suspected security issues: we have source code, we run tools against the source code (as well as against executable code), it's actually our job to do that, we don't need or want a customer or random third party to reverse engineer our code to find security vulnerabilities. And last, but really first, the Oracle license agreement prohibits it. Please don't go there.

* I suspect at least part of the anger of customers in these back-and-forth discussions is because the customer had already paid a security consultant to do the work. They are angry with us for having been sold a bill of goods by their consultant (where the consultant broke the license agreement).

** The only analogy I can come up with is my bookshelf. Someone convinced that I had a prurient interest in pornography could look at the titles on my bookshelf, conclude they are salacious, and demand an explanation from me as to why I have a collection of steamy books. For example (these are all real titles on my shelf):

1. Thunder Below! (whoo boy, must be hot stuff!)
2. Naked Economics (nude Keynesians!)***
3. Inferno (even hotter stuff!)
4. At Dawn We Slept (you must be exhausted from your, ah, nighttime activities)

My response is that I don't have to explain my book tastes or respond to baseless FUD. (If anybody is interested, the actual book subjects are, in order, 1) the exploits of WWII submarine skipper and Congressional Medal of Honor recipient CAPT Eugene Fluckey, USN, 2) a book on economics, 3) a book about the European theater in WWII, and 4) the definitive work concerning the attack on Pearl Harbor.)

*** Absolutely not, I loathe Keynes. There are more extant dodos than actual Keynesian multipliers. Although dodos and true believers in Keynesian multipliers are interchangeable terms as far as I am concerned.

**** I might be exaggerating here. But maybe not.

Category: Oracle