Security and the Zen of dodging malware


Forum: water cooler
Topic: Security and the Zen of dodging malware
started by: Fordi

Posted by Fordi on Mar. 08 2005,20:01
While it's true that Windows XP is more "vulnerable" to spyware and virii - due, and let's admit it, mostly to its prevalence - Linux will eventually be a target as well.

I mean, there's already Spyware for Mac OS X.  A boon to interoperability?

Now, in terms of keeping your browser secure, Linux is pretty hard (meaning solid, rather than difficult).  You have to manually execute software.  Basically, if you run a virus, or a maliciously written script, or anything of that nature, it's your own damn fault.

But wait...  Why not give the browser the ability to run arbitrary code anyway?

*ducks under the large number of tomatoes incoming from the audience*

No, seriously.

What if you could have a user and a bit of disk set aside for a "Downloaded software jail". A quarantine, if you will.  The user has no rights outside the quarantine, and the browser chroots into the quarantine and su's to the user.  The quarantine has the symlinked libs and bins of a "basic" x-enabled distro (like, less stuff than DSL - just xdm), an emulated /dev (everything's /dev/null, regardless of its name) and no /proc (no letting it get at the kernel).  The q-user's CPU time is limited to 10%.  

Meanwhile, the quarantine control daemon watches what this program's doing, looking for warning signs.  Is it poking at /proc?  Why's it trying to write data to /etc/rcS.d/S00Alpha?  It just changed its own .xinitrc!

And, if after toying with the program for a few minutes, you like it, and the q-daemon hasn't complained about anything, just type a single command and have it installed properly.

Easy peasy?  No.  That daemon would be a bear to code.  Finding a suitable "Quarantine" distribution might be tricky.  Tweaking the browser code to behave in this way wouldn't be much fun either.

Anyway, just an idea for the implementation of the "ease of install" that Windows enjoys without sacrificing security.
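The warning-sign checks such a quarantine daemon would run, as an added example that is not part of the original thread: a small Python scanner over constructed strace-style openat() lines (assuming the daemon traces the jailed process with strace or similar), flagging /proc access, writes under /etc/rc*.d and rewrites of .xinitrc. Note that an attempt the jail already denied (EACCES) is still reported, since the attempt itself is the warning sign.

```python
import re

# Constructed sample of strace -f style lines from a jailed process (not real output).
SAMPLE_TRACE = """\
1234 openat(AT_FDCWD, "/usr/lib/libX11.so.6", O_RDONLY|O_CLOEXEC) = 3
1234 openat(AT_FDCWD, "/proc/self/maps", O_RDONLY) = 4
1234 openat(AT_FDCWD, "/etc/rcS.d/S00Alpha", O_WRONLY|O_CREAT, 0755) = -1 EACCES (Permission denied)
1234 openat(AT_FDCWD, "/home/quser/.xinitrc", O_WRONLY|O_TRUNC) = 5
1234 openat(AT_FDCWD, "/home/quser/Downloads/data.txt", O_RDONLY) = 6
"""

# Any of these open flags means the process intends to modify the file.
WRITE_FLAGS = ("O_WRONLY", "O_RDWR", "O_CREAT", "O_TRUNC")

# (rule name, path pattern, only suspicious when the open is a write)
RULES = [
    ("proc-access", re.compile(r"^/proc(/|$)"), False),          # poking at the kernel
    ("init-script-write", re.compile(r"^/etc/rc[0-9S]?\.d/"), True),  # persistence via boot scripts
    ("xinitrc-write", re.compile(r"/\.xinitrc$"), True),         # rewriting its own X startup
]

# Matches the pid, path and flag list of an openat() call; the return value is ignored
# on purpose so that denied attempts are still flagged.
OPEN_RE = re.compile(
    r'^(?P<pid>\d+)\s+openat\(AT_FDCWD, "(?P<path>[^"]+)", (?P<flags>[A-Z_|]+)'
)


def scan(trace):
    """Return a list of (rule name, path) alerts for every suspicious open in the trace."""
    alerts = []
    for line in trace.splitlines():
        m = OPEN_RE.match(line)
        if not m:
            continue
        path = m["path"]
        writing = any(f in WRITE_FLAGS for f in m["flags"].split("|"))
        for name, pattern, needs_write in RULES:
            if pattern.search(path) and (writing or not needs_write):
                alerts.append((name, path))
    return alerts


if __name__ == "__main__":
    for name, path in scan(SAMPLE_TRACE):
        print(f"q-daemon: {name}: {path}")
```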

Posted by kaplah on Mar. 10 2005,03:59
Ever notice Mac OSX has a copy of Internet Explorer in it?

There's the leak....

Posted by AwPhuch on Mar. 10 2005,06:53
Quote (kaplah @ Mar. 09 2005,22:59)
Ever notice Mac OSX has a copy of Internet Explorer in it?

There's the leak....

OOOH...that would be classified as a BUUUUURRRRN!

:p

I understand the principle of what you are saying, kinda like a dummy account to check for rootkits and whatnot, kinda like a honeypot user... this way if the program is malicious... it can't get anywhere, can't damage any main users, and is trapped inside a "quarantine" zone... good call but might be difficult to implement...

Brian
AwPhuch

Posted by kaplah on Mar. 10 2005,13:12
A good "test zone" is another PC, or another partition on the same PC, or better yet..... another OS running in emulation on your local box (Qemu is good for this)

Make a hard copy of the image to another drive (I like to use an externally connected USB drive to do this)
Run your test - make sure things are A-OK and then restore the perfect image back to start from square one again.

Posted by mikshaw on Mar. 10 2005,15:22
My preferred method of using "safe" software relies heavily on trust.  I tend not to install any programs that seem to have appeared out of nowhere.  Just about everything I have is open source and already has a large user base...large enough so that if there was any malicious code included it probably would have been found already (and essentially killed the developer's reputation).  Since my programming knowledge is limited, this is where the trust comes in.

I disagree that prevalence is the main reason Linux is unaffected by malware...I'm sure it's A reason, but we will never be sure how influential it is until the popularity of Linux increases immensely.  I could claim that it's mainly because Windows is insecure by default, and making it secure requires more time, effort, and knowledge than is required to secure a Linux system, which is already fairly secure as long as you're not an IDIOT running as root most of the time.

Posted by noclobber on Mar. 10 2005,19:21
To-may-to or to-mah-to, I don't care what you call it, just gimme one, quick!

Seriously, though, IMHO, I am 100% against downloading and running unknown who-knows-what-they-do executables on my system.  I *refuse* to run MSIE and Outlook in Windows just due to the malware risks.  When I surf the web, I am primarily looking for information, not flashy eye candy and other such silliness.  Most of the time I run Opera with image and popup downloading turned off, and I can't count the number of websites I've visited that try to change my homepage or install a bunch of useless b.s. on my system.  I even hate visiting sites (usually by big corporations) where you can't navigate around without first downloading all their graphics.

With that said, your "software jail" sounds a lot like Java's "sandboxing" concept.  Don't know if that helps, but maybe your "jail" could run inside a separate "virtual" OS (?).

Never surf the web as root or with Administrative privileges, as most Windows users do.

Run DSL from a frugal install and allow full downloading/executions (?).  If your system gets FUBARed by some drive-by download, simply reboot.  Still a bit of a pain, though.

To me, it all represents little more than wasted time, space, and CPU cycles.
