Re: Disturbing news..

From: Matti Aarnio (matti.aarnio@zmailer.org)
Date: Wed Mar 28 2001 - 02:19:10 EST


On Wed, Mar 28, 2001 at 01:16:02AM -0500, Shawn Starr wrote:
> Date: Wed, 28 Mar 2001 01:16:02 -0500 (EST)
> From: Shawn Starr <spstarr@sh0n.net>
> To: <linux-kernel@vger.kernel.org>
> Subject: Disturbing news..
>
> http://news.cnet.com/news/0-1003-200-5329436.html?tag=lh
> Isn't it time to change the ELF format to stop this crap?
> Shawn.

        Why ? "Double-click on attachment to run it" is typical
                M$ client stupidity -- and the reason why there
                are so many things that can mail themselves around.

        Changeing ELF-format would be comparable to what M$ did when
        they met the first Word macro viruses -- they changed the
        script language inside the Word... What good did that do ?
        Did it harm people ? You bet...

        You are downloading binaries off the net, and not compiling
        from the sources ? (Yes, we all do that. This is why folks
        these days carry PGP signatures at the RPM packages.)

        So, the program modifies ELF format executables by rewriting
        some instructions in the beginning (propably to map-in the virus
        code proper with X-bit on), and tags itself (PIC presumably) at
        the end of the file.

        Another issue is "safe conduct" practice of installing binaries
        with minimum privileges (ok, granted that for e.g. RPMs that
        usually means root), and *never* running them with undue levels
        of privileges -- not even as the owner of said executables.

        Ok, granted that we have dangers of getting arbitrary BAD programs
        into our systems, how can we combat that ? Virus-scanners
        (as much good as they could do..) don't really work in UNIX
        environments where "small things" like intercept of every
        exec(), and open() via privileged program (scanner) is not
        available feature. (I think doing it by passing a AF_UNIX
        message with fd + flags to registered server, expecting answer
        for the open() -- this would happen *after* the file open is
        done with user privileges, but before the call returns.)
        (Trapping open() so that shared-libraries could be scanned.)

        There could be, I think, a method for doing such intercepts,
        which could be used by security scanners to implement some
        sense of security in Linux-like systems.

        Is it good enough, e.g. when some file is multiply-mapped to
        shared programs, and application rewrites parts of the file ?
        Can it detect that kind of multi-mapped writing-sharing ?

        Can such system be made fast ? (Scanner becomes performance
        bottle-neck.)

        How about PROPER Orange Book B-level security ?
        E.g. NSA trusted-linux ?

/Matti Aarnio
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/



This archive was generated by hypermail 2b29 : Sat Mar 31 2001 - 21:00:18 EST