Virus Issue 2

Andre Truter andre.truter at gmail.com
Sun Mar 27 12:27:25 UTC 2005


On Sun, 27 Mar 2005 19:57:14 +1000, CB <ubuntu-users at crispin.cb-ss.net> wrote:

> Two points here: firstly, you can only 'do anything' if the host process
> is running as Administrator. That's the big problem. So the golden rule
> for running Windows should be to only use Administrator when absolutely
> needed; just as per root with Linux. MS *has*, I completely admit,
> encouraged default use of Administrator for ordinary users. But it's not
> necessary; bad policy rather than bad design.
> 
Yes, you have a point here.  The bad design part of the OCX and
ActiveX is the fact that when you use such a control, your app shares
memory space with the server, so you have all the access that the
server has.  You can corrupt the memory of the server and do all kinds
of nasty things.

Linux and UNIX do not have that.  You can use a shared object, but you
pull the object into your own memory space and thus only have the
access that you have.
The closest equivalent Linux has to ActiveX and OCX is CORBA, but
there you just send messages to another process and listen for the
responses.  You don't share any memory with the server application.

This also brings me to the message bus on Windows. The OS maintains a
message bus and all applications use that message bus.  That means
that you can intercept messages not meant for you and you can spoof
messages to applications and thus make them do things.  This is the
method used to kill certain processes that you did not launch.  It is
also used to communicate with processes that do not run in your
security level.

I don't know if this has been improved in Win2003.

With Linux, your message bus is run by the desktop manager.  Gnome and
KDE have their own message busses.  So, the message bus is run as the
normal user and you can only send messages to your own application. As
far as I know, the message bus won't even allow you to intercept
messages or send messages to other apps.  Each app gets its own
sub-bus.  If you want to communicate to another process you need to
use CORBA, pipes or TCP/IP.

> > Linux has been designed to not allow stuff like that.  The application
> > needs to be run as root to have access to any system resources, except
> > if there is an exploit but in Windows you don't even need an exploit
> > to do this.
> >
> 
> I'm not sure I follow this --

What I mean here is that you cannot hook into another process in
Linux, like you do with an OCX.  You can load a module or shared
object, but then that code becomes part of your application only.  The
only way you can get access to system resources is via the correct
API, not by hooking into another app and using its interface with the
API.

> 
> Actually Windows has quite a fine-grained security system for access to
> all resources. It is probably a bit too complex for a typical windows
> administrator to really handle, and the default set up has in the past
> (before 2003) been crap, but it is quite capable of being run securely
> in the hands of someone competent.
> 
My problem with the security system is that it is a layer that sits on
top of the kernel and filesystem; it is not part of the kernel and
filesystem.
It is like 3rd-party apps running.  If you can remove that layer by
killing off the processes that supply the security, your kernel is
exposed and defenseless. Again, this is my understanding and this
might be different with 2003 and I definitely hope it will be
different in Longhorn.
My development experience with Windows only goes up to Win2K.

Linux has security built into the kernel and filesystems, so if you
kill off the outer layer software, you still have to fight the kernel,
it is not defenseless, it has big teeth.  :-)

> 
> Note that I'm not defending MS here. All three issues were foreseeable,
> and are MS's fault. I am defending the engineers who built the OS
> fundamentals though.

I am quite sure that there are some very frustrated engineers at
Redmond, because I am sure they try to design and implement decent
stuff, but unfortunately the company is run by marketing, so the
engineers have to take short-cuts to please marketing.
It is a pity.


-- 
Andre Truter | Software Engineer | Registered Linux user #185282
ICQ #40935899 | AIM: trusoftzaf | http://www.trusoft.za.org

~ A dinosaur is a salamander designed to Mil Spec ~