|
 |
| Fri, Sep 05th | home | browse | articles | contact | chat | submit | faq | newsletter | about | stats | scoop | 21:34 UTC |
|
|
login « register « recover password « |
|
| [Article] | add comment | [Article] |
|
| Theme topics | Apps | Resources | Window Managers | Afterstep | Blackbox | Enlightenment | Fluxbox | GTK | IceWM | KDE | MetaCity | Sawfish | Window Maker |
|
|
|
It's easy for Free Software users to laugh at the misfortunes of their Windows-using colleagues as they suffer through the virus du jour, but if you can set your superiority complex aside for a moment, can you point to anything in Melissa/ILOVEYOU/etc. that couldn't be accomplished by a badly-written MUA running on Linux? In today's editorial, Joe Pranevich urges the programming community to learn from Outlook's mistakes if they want to continue having the last laugh. Copyright notice: All reader-contributed material on freshmeat.net is the property and responsibility of its author; for reprint rights, please contact the author directly. And the users exclaimed with a laugh and a taunt: These days, it seems as if everyone likes a good "Microsoft is Evil" story. I'm not going to agree or disagree with that statement in general, but this recent (and continuing) wave of email worms has given the media and the users plenty of room to criticize. Largely, these complaints have revolved around a general lack of security in Microsoft's products -- a historical truth. Adding to this anti-Microsoft inferno does not improve Linux as a whole and I believe that our time is better spent working towards ensuring that these kinds of attacks can never happen on Linux. Linux's Security ModelThe Linux kernel has an excellent reputation for security-conscious computing. Security bugs, when found, are squashed exceedingly quickly. Linux's low-level security is based on the classic UNIX model of users and groups. In brief, this ensures that one user can never harm another user's files or any system files without explicit permission. Additionally, Linux ensures that no user is capable of denying service to any other user through crashing the machine, resource depletion, or a number of other more subtle approaches. There is currently work being performed to add a "capabilities" system to the kernel to make it even more fine-tunable. This model is good and very powerful, but it does not and cannot protect the user's own files from himself or application stupidity. The security bugs currently being seen in Microsoft Outlook are of the latter variety: application stupidity. One does not necessarily need to be running under a Windows environment to write or use stupid applications. In fact, nearly all security problems discovered on Linux systems are caused by application programmer mistakes. The Linux kernel's excellent security helps to minimize problems caused by these mistakes (through its low-level security policies) but will never be a substitute for smart application programming and a peer review process. (In fact, some patches to the Linux kernel have actually been rejected because they provided a false sense of security despite making certain kinds of attacks harder to pull off.) Of particular concern are either programs that are regularly granted administrative rights (such as an X Server) or programs that deal with untrusted data (such as your Web browser or email client). As Linux does not have any internal conception of "trusted" vs. "untrusted" data, application programmers must be fairly smart about it. Microsoft's Web browser manages to deal with this dilemma at a high level, but obviously wasn't ingrained enough to uniformly combat the problem. On the Linux side, it will be up to the GNOME and KDE development teams to make sure they deal with this issue, as they will be Linux's flag-bearers into the future. The Interface's the ThingIt's very tempting to leave the problem at that. "It's a high-level issue caused by the march of progress into the point-and-click world of modern GUIs." Pine users will complain, of course. The idea that one should blindly migrate from one time-tested UI model (the relatively dumb world of Linux mail readers today) into the more complicated point-and-click world seems absurd to many people. The recent events with Outlook work to further underscore that there may be fundamental defects in the way modern GUIs view the world. The underlying metaphors of today's most common GUIs are relatively similar. Although each OS provides a different view into the world, the fundamental building block remains the same: the mouse click. Click once to select. Click twice to open. Even when Microsoft attempted to Webify the desktop with one-click activation, it didn't change the problem, only changed the number of clicks necessary to activate it. The fundamental problem with this system is that it's association based. When you activate a file icon (Using the generic verb "open" under Windows), you are performing the action associated with the file-type that you are dealing with. With HTML files, this is often opening a Web browser. With an MP3, you open a player. This tends to work out very well; with any type of document, open the viewer associated with that document type. But notice the key assumption there: It is generally implied that when you activate a file that you don't recognize, you'll get a viewer that shows you what it is. There's an underlying (and incorrect) assumption that viewing a file is a read-only operation. With executable files (such as scripts), "open"-ing can be a dangerous and deadly thing! The Document ModelResolving the danger isn't something that can be done at a low level. I believe that the "association" model is the real culprit in Microsoft's recent problems, not Outlook. Users are clicking on the file (which appears to them to be a text file thanks to its misleading name) and getting exactly what they requested: executable activation. Some have pointed their fingers at the "security faults" in Microsoft's VisualBasic scripting language, but one could easily imagine a situation in which the same damage could be inflicted with a Perl script or any other common scripting language. Having a powerful language for script writing is an asset to any OS, not a detriment. Should we ignore all the positive nail-driving features of a hammer just because you could mistakenly smash your fingers? As a replacement for the association model, I would like to propose evaluating a "document" model instead. 90% or more of the work done by ordinary users involves documents. By "documents", I mean the HTML files and the MP3s of the previous example; essentially anything that you would imagine could be "viewed" in the present model. Instead of clicking on an application when you want to start a new word processing document, you could click on a zero-byte read-only file of the appropriate type -- essentially a template. Most users may never know the difference. Instead of executing an application when it is viewed, it makes much more sense to display it in a text or hex viewing program. It should still be possible to execute an old application with the mouse (put it on the right-click menu, for example), but that action does not belong as a default. Unfortunately, most applications were not designed with this type of thing in mind. I have serious doubts that the Linux desktop applications of today could work this way without some tweaking. There are likely to be conceptual stumbling blocks as well. I should also say that I'm not a UI expert; there are quite likely better ways to view the world. I have decided to share this thought for the purposes of discussion. There may be other, better, ways to accomplish the same thing. Please feel free to respond to me in email or (preferably) use the feedback section of this site. I'd especially like to hear thoughts from current GNOME and KDE developers because you are the ones leading the charge into our future as a community. Together, I hope, we can learn from Microsoft's mistakes. Joe Pranevich, a "Linux Writing Person" on the side for the past 2 years, currently works in Ops for a large search portal. He occasionally dabbles in programming but lately has been writing far too much. He can be emailed at jpranevich@linuxtoday.com (@ Home) or jpranevich@lycos.com (@ Work). If you insist, you can visit his homepage at http://jpranevich.tripod.com/, but ignore the bad picture.
T-Shirts and Fame!We're eager to find people interested in writing editorials on software-related topics. We're flexible on length, style, and topic, so long as you know what you're talking about and back up your opinions with facts. Anyone who writes an editorial gets a freshmeat t-shirt from ThinkGeek in addition to 15 minutes of fame. If you think you'd like to try your hand at it, let jeff.covey@freshmeat.net know what you'd like to write about. [Comments are disabled]
[»]
Linux is not as vulnerable. Microsoft's objective was internet monopoly. ...and their use of attachments, that require Microsoft executables, was their main way of targeting internet dominance. If they succeed at establishing Word-format attachments and VisualBasic attachments and other attachments as the main way of communicating on the internet then they can control the standard data formats by withholding specs and forever changing the standards. This would also require the dominant operating system to be MSWindows because no other operating system would be able to execute the attachments as reliably as Microsoft systems. Proof #1: How often do recruiters require your resume in MSWord-format attachment instead of an HTML document? Can Netscape produce a nice word-processing document with complete spell checking and complex formatting? Yes, in HTML. Can it do it in MSWord-format? No. So, you better buy MSWord and MSWindows. Proof #2: Why did the Melissa virus not prompt Microsoft to produce an OFF switch in Outlook. Answer: Because turning off attachments would foil the grand plan to dominate internet communication with Microsoft attachments. So the delayed decision (delayed until ILOVEYOU) was because the embarrasment of the virus was too great and giving up the executable-attachment strategy was difficult. Eventually they gave in and produced the OFF switch.
[»]
the user factor lets not forget this! i am pretty much forced to run nt in my office
environment (refer back to a previous post about the lack of office
workgroup tools such as exchange:outlook which open source still
neglects!). at 8:20am on ILOVEYOU day, i sent a mail to all users in the
office to NOT open any email with the subject ILOUVEYOU in it.
[»]
Security is always the opposite of users laziness The problem with security is, that the user can't be lazy in any way. And admins often nows that users aren't happy when they are forced to change their passwords on a regular basis (because they have to remember the new password), and using really secure passwords is another thing, too. This makes introducing a new security scheme to the desktop a problem, since security needs not only the users intelligence, but his/hers understanding of why there needs security and why this means to abandon a good part of luxurity. So the question is, at least in my point of view, if there can be any security model that satisfies users wishes, or if it would be the best to prevent users from certain actions by simply disallowing them. Lets have an example: An user opens a page containg a huge java application that needs to access system resources. Javas security model is, when I'm not mistaken, based on the concept that such apps/applets are disallowed to access them. In such cases a window is opened, displaying a message "...needs access to..." or something like that, giving the user the oportunity to grant or deny this privileges. But if the page say "Simply grant all access...", what will the user do? At least this would be a possibility: To grant untrusted files certain privileges, and to deny others. Using mimetypes would be another choice, but I don't know if this is the best in general, since it is focused on just a few actions. I would tend to a fine-grained kernel based security model, too. Let's say with installing a package out of a distro the install-scripts maintained by the package maintainer registers the application at a demon or any other instance, defining rules of what this app is allowed to do. For mail-apps this could be accessing the users mailfile /var/spool/mail/$LOGNAME and a directory where several mail-directories reside, for example ~/Mail/. If any incoming mail would contain a desctructive script, this script would try to access system relevant files, such as /etc/passwd or would try to run an exploit. But it would definetly break the rules defined for the application that originally launched the script. Additionally, I wouldn't focus on extensions, since they can be (as some others said before) misleading and wrong. Why not implement file as a function, scanning any attachments before they are processed? Authors of mail readers (etc...) can define a set of files that are allowed to be processed, maybe mailcap-based. This list might be redefined by the SysAdmins, too. But only with another security model behind.
[»]
Microsoft has had plenty of warnings Yes, I know for sure that microsoft chose the path that led them to create
products with wide open security holes. How do I know? A microsoft mid
level employee told me so. Their ( the employee ) contention was that MS
knew what their main core of users wanted and needed. That concerns about
security and stability only effected the top 5%; what he called their
"power users". According to him, the rest of the MS users were only
concerned with more and more features.
[»]
good ideas but.... First, I'd like to point out that the author's main premise is a little
off-base. Yes, it is true a user program under Linux can be just as painful
as one under Windows. But one reason people use Linux is that there are few
horribly written programs - when was the last time you saw a Linux MUA that
would unconditionally run a script attachment as the current uid? Pine
certainly doesn't run shell scripts that come by mail by default.
[»]
./configure; make all; su root; make install... untar backups... The major point that seems to have been missed (or possibly not known about) is that virus' are popular on Window9x and DOS because there is so little else that can be done with those OSes. With a Unix box, far more is possible, because there is just more power to be used. Of far greater importance than deleting someone's files is getting root shell access. Of course everyone is familiar with using an exploit to gain remote access to a box, blah blah blah, but not everyone is aware of another approach, "application based social engineering" (newly coined term, perhaps a better one exists?). People seem to trust implicitly everything that they have to "./configure". Were I an evil hacker with intentions of gaining a large number of shell accounts, I would use Freshmeat. It has a large ammount of traffic and I am likely to get a huge cross section of Unix users (including coveted Cable modem and DSL users :), so that would clearly be the prefered route of infection. I write "vi-rus", a neato app that does something innocous (maybe draw ascii pr0n). I can expect most people to install it as root (all I need to do is put that in the README), I have it email me `uname -a; ifconfig -a; ifconfig; netstat -a`, append a new line into /etc/passwd (and possibly /etc/shadow), and next thing you know, a ton of shell accounts. Very simple to perform, possibly a couple days of coding (I still need a real app for "cover") It might be days before it is noticed that this isn't a legit app. The people at Frshmeat would remove it, everyone would pat themselves on the back for their quick reaction time, and I would keep my root shells :) Everyone is happy (well, almost everyone ;). But, there are other attack methods with Linux that require less coding (i.e. "shorter time to market"). My tarball could contain a symlink to /etc/passwd, and then overwrite that file during the untaring proccess (see Mixter's site for a proof of concept). I could just have the Makefile "rm -rf $HOME 2>1& >/dev/null ", I could put that in the configure script, I could have my perl script application do that on the first run. All these attacks require someone to trust that the package isn't malicious. As they say in the military: "its a target rich environment". These attacks don't even start to explore the .rpm or .deb package formats (mostly because I don't know about them). Finally, there do exist several Unix viruses, Silvio Cesare is the world's leading expert (I would assume :). Indeed numerous means of infecting ELF binaries exist (PLT redirection, DATA pad byte over writeing, etc.) it is foolish to think that Linux will save you from viruses. There are now way too many home users running Linux who think they are secure from viruses, but have no idea what other horrors await them :) Think twice before you su root and type "make install".
[»]
Re: ./configure; make all; su root; make install... untar backups...
[»]
Virus Even if you make it tough to activate a virus by requiring more than a
double-click...it still can be a problem. Check this link, at the bottom of
the page, "still spreading the love":
[»]
Virii I was fascinated by virii since several years. I studied near 400
virus, almost were the most harmful ones on Dos and Windows.
In any case, whatever virus is, when a system is contaminated, kernel file(s), system executables and critical programs are infected. Discernibly, it results in Size change, Modification and Access Date change and/or Permissions change.
Furthermore, I think it's time to block write access to system files on whatever OS. Is this possible? YES! Anyway, if an OS is smart enough to protect itself (the system files) from virus attack, what we will call a virus will just reside in memory, won't be re-executed on reboot, and will not affect the system integrity. In fact it will only have access to the personal data files. Then, how should we protect data files from virii?
Theoretically, this is pretty harder than protecting the OS itself. In
fact, when a user execute a program the program will gain the user ID and
will pass through permissions. Was it Linux, Windows or Dos, the program
will be able to do anything with user's data files. Hence, two immediate
solutions exists: backups and awareness. Well I hope I helped this discussion providing not only fundamental realities about virus, but also imaginary solutions OS developpers and computer's users should know. Best Regards. --
[»]
Stupid Users vs. Stupid Software To some extent, making software more user conscious also makes
[»]
Users may be as stupid as they want In my opinion a good application must be able to deal with every kind of
"stupid" input.
[»]
Social Engineering All you *need* to do is convince someone they need to run it.
[»]
RE: The problem is not the association.. I wholehartedly agree. Using airtight, low privledge execution environments seems to me like the way to go. Java was designed to deal with these problems, and consequently Java VMs have the necessary fine grain control to disallow specific things for specific programs, like writing to disk. With CPU cycles and memory so abundant these days, emulation environments with low privleges should be cheap and easy to setup. Perhaps the user-mode linux project could be used for this. A more extreme way to go would be to always run in a VMware-style virtual machine, and not commit any changes to disk until you're logging off. Didn't like the way that session went? Virus delete all your files? Just don't commit those changes to disk.
[»]
It's more of a user education problem I, too, tire of people who act like this problem is unique to Microsoft
operating systems. The reason it's not hit Linux yet (note: yet) is that
1) there aren't as many Linux users and 2) they're far more educated, on
average, than most Windows users.
[»]
Re: It's more of a user education problem I'm just a plain user, but here's a thought... Wouldn't the whiping out of the user's home dir be solved by having a special user with nothing in their /home just for program compilation? If the Makefile is malicious it wouldn't have anything to destroy... my $0.00000000002 :-)
[»]
Don't discount user stupidity... Some key words in this editorial are "when you activate a file you don't recognize." Whoa. It should be obvious to anyone who is reasonably security concious that this is a big no-no. A cardinal rule of learning to use a computer (and most other things) is "if you don't know what it is, leave it alone." I'll certainly agree that a well-designed application shouldn't make this rule quite so easy to violate, but I think a large measure of responsibility for the success of ILOVEYOU rests with the users who were careless enough to open an unsolicited email attachment of a type they didn't recognize. Granted, clever social engineering can make hacks like this difficult for some people to spot, but success still depends on getting lots of people to do something that is fundamentally stupid. The only way to fix this sort of thing is by making sure your users understand that they should never run a program or open a document unless they can be sure that the source is trustworthy. Good application security can help, but it's not going to solve the problem entirely.
[»]
Executable Permissions One of the big advantages of UNIX-like OSes is the idea of the executable permission. If email clients (and other like programs) are written so that files never get the executable flag set when they are saved we can prevent users from mistakenly executing a script they think is, say, a MP3 file. This has been exploited by a number of worms. A file with a innocent name such as Nirvana.mp3.vbs is clicked on by the user thinking that it will play a MP3. The script is then run and can do whatever it likes. If Windows didn't execute based on extension but instead used a UNIX-style executable flag this wouldn't happen.
[»]
Virus Creation It is the opinion of a number of my friends/associates that in the
short-term virus creation would be stemmed should Linux use increase
rapidly since there seems to be an affiliation between virus-coders and the
Linux OS / Community.
[»]
The problem is not the association.. The problem here is not the association itself, but rather the lack of fine-grained security on most operating systems. Imagine that when you clicked on a document, its associated program ran, but instead of running with the full capabilities of the current user account, it instead runs with the most minimal privileges required. In other words, it has no access to the user's home directory, zero ability to read the user's email address book, and no way of connecting to the network. A system that worked as such would be adhering to the "principle of least authority," which if you think about it for a second, makes complete sense. Why should any arbitrary script be able to access everything that I can access, unless I specifically grant it permission? If more operating systems were written with this kind of thing in mind, a whole class of trojans and worms would be wiped out of existence.
[»]
Associations. Another approach which email clients have taken under unix (and in
particular Linux), is to use a 'mailcap' which has the associations of
mime-type to application. This is seperate to your 'usual' associations
and only contains applications which are 'safe' to run, a mp3 player, a
picture viewer etc. The Microsoft model falls down because it uses the
same associations as the 'desktop', so things that are "safe" to
do on the desktop (run a trusted visual basic script) is concidered
"safe" to do in email. By having a distinction between the two
under unix much more saftey is gained. If a file is not in 'mailcap' then
the only option that the mail agent can provide is 'save' as it doesn't
(and shouldn't) know anything else about the file.
|
|
