Some thoughts about anti-virus software for Linux

Brian McKee brian.mckee at gmail.com
Thu Jan 22 14:37:33 UTC 2009


On Thu, Jan 22, 2009 at 1:03 AM, Jeff Silverman <jeffsilverm at gmail.com> wrote:
>  My concern is that
> somebody is going to write a Trojan horse and get in one of the
> repositories.  Such a Trojan could sleep for a long time and then wake
> up and do whatever it decides to do.  The amount of damage such a Trojan
> could do to its own system is rather limited, if that system is
> reasonably well managed (don't use root, use sudo, that sort of thing).
> However, such a Trojan could be used to attack other vulnerable systems
> around it.  A well-written Trojan could be cross platform, written in
> Java or Perl for example.  A Trojan is hard to hide in source code, and
> it would be easy to track down the bastard that wrote it.  I think.

Your concern is valid - but I think a few of your conclusions here are
wrong.  I'm not a developer by trade, so feel free to correct me if
you know different, but...

If you install software from the repositories, you used root
privileges to do so.  Therefore, the program you installed now can run
as root whenever it wants to.  Simple example, there's nothing
stopping someone from writing a program that runs SUID.  Another
example, it could simply add a new user to the system with UID 0 (i.e.
root) and then set up software to run as that user.   Once you give it
root ONCE, it can hang on to it.  That's why the recent issues at
Fedora/Red Hat with intrusions into the repository servers were taken
so seriously.  On the other hand, lots of things are in place to
mitigate this, like code signing, to make it very difficult to change
the code unless you sign up to the project and contribute something
useful like any other dev.

A program with a back door would be very hard to write cross platform.
Things like Java or Perl use the same language 'up top' at their
interface, but down at the system level they are quite specific to the
platform they are running on - there is an interpreter between the
language and the hardware.  Writing something that works cross
platform would not be easy.  I don't know for sure if it's actually
possible...

A program with a back door is probably easier to hide than you think -
there's a paper floating around on the net somewhere where a well
known developer discusses the fact that if he'd built a back door into
a C compiler back in the 70's it would likely exist still now all over
the place because each compiler since has been compiled with the
previous version of the compiler, and it would be many levels buried
in the machine code now.   On the other hand, a back door that's never
used is a wall.  And the first time it's ever used anywhere it'll be
detected, as it's hard to hide once it starts doing anything...  and
lots of other levels like firewalls will still do their jobs even if
the back door exists.  That's why security people talk about defense
in depth - you're never 100% sure of any given barrier, but put a
bunch together and it's a lot easier to sleep at night.

> Poorly written code is a risk on any machine.  Open source
> mitigates that risk because lots of eyeballs get to see the code and can
> file bug fixes if errors are found.

Amen :-)

Brian
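As an added illustration (not part of the thread above), the two persistence tricks Brian describes, a second UID 0 account and a stray SUID binary, are both cheap to audit for. This script is example code written for this page, not from the list or Ubuntu itself; it embeds a constructed passwd sample so it runs offline, and the live check assumes a Debian/Ubuntu host with `dpkg`.

```shell
#!/bin/sh
# Added example: audit for the post-install persistence tricks discussed
# above. Constructed sample input is embedded so it runs offline.

# Constructed /etc/passwd-style sample; "svc" is the planted UID 0 account.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc:x:0:0:service:/var/lib/svc:/bin/sh
brian:x:1000:1000:Brian:/home/brian:/bin/bash'

# Print every account with UID 0 whose name is not literally "root".
# Reads passwd-format lines on stdin; prints nothing if the file is clean.
find_extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }'
}

# Print SUID-root files under the given directories that no installed
# package claims (dpkg -S fails for them). Assumes dpkg is available.
find_unpackaged_suid() {
    find "$@" -xdev -type f -perm -4000 -user root 2>/dev/null |
    while IFS= read -r path; do
        dpkg -S "$path" >/dev/null 2>&1 || printf '%s\n' "$path"
    done
}

# Run the offline check against the constructed sample.
extra="$(printf '%s\n' "$SAMPLE_PASSWD" | find_extra_uid0)"
if [ -n "$extra" ]; then
    printf 'UID 0 accounts besides root: %s\n' "$extra"
else
    echo "no extra UID 0 accounts"
fi

# Only touch the live system when explicitly asked (./audit.sh --live).
if [ "${1:-}" = "--live" ]; then
    find_extra_uid0 < /etc/passwd
    find_unpackaged_suid /usr /bin /sbin
fi
```

Run it with `--live` on a real host to check /etc/passwd and the usual binary directories; anything it prints deserves a look, since a package-managed system should have exactly one UID 0 account and every SUID-root file owned by a package.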




More information about the ubuntu-users mailing list