Re: Malware Triangle

From: cquirke (MVP Win9x) (cquirkenews_at_nospam.mvps.org)
Date: 12/05/04

  • Next message: Colin: "Re: cannot ftp or upload"
    Date: Sun, 05 Dec 2004 10:59:20 +0200
    
    

    On Sat, 4 Dec 2004 15:28:34 -0500, "Roger Wilco"

    This is such a flamable topic, yet the underlying issue - the
    program/data distinction - is crucial to safety. So here goes...

    >I know many programmers that don't know how stuff works.

    Exhibit A: All those using C's string copy function as a generic bytes
    mover, and thus all those buffer overruns.

    The point being that computer complexity means there are few who have
    the range of understanding that spans from "big picture" to wires,
    volts and milliseconds. Most work in a narrow band, e.g. bind
    together these black boxes to create a solution, or code this module
    (designed by someone else) using that language's library functions.

    The trend is inescapable, and I found it robbed programming of its
    allure, so I dropped out back in the early '90s. I can see the
    attraction of virus writing; solo work, raw code, not much re-use of
    other ppl's functions other than to abuse them, and simple code-level
    objectives that are self-defined.

    >A W32 executable may need some translation to be made into an
    >executable image, but it is a program file even though it is sort of
    >like a container. Sending it as inline content in an HTML w\scripting
    >email does not make the email a program any more than does
    >archiving it in a zip file make the zip file a program.

    For our purposes (malware theory), what matters is:

    a) Is program material within file "run" when file is "opened"?

    b) If so, is what it can do limited to the scope of that file alone?

    If Yes and No, the file should be considered "program".

    If No and No, the file can be safely considered "data", in terms of
    itself - but knowing that ant file can contain anything, and that
    program files can use the contents of any file for any purpose
    (including loading it into its own memory and running it as code),
    such files may still have malware relevance.

    If Yes and Yes, you may have a safe macro or "text markup" situation,
    but experience shows that sooner or later, sandboxes leak, or devs are
    tempted into facilitating wider effects e.g. by adding a generic
    "shell arbitrary system call" feature etc.

    For this reason, I would prefer *any* sort of macro/scripting to be
    held within separate files that are identifiable as such, and/or to be
    never automatically interpreted when a "data" file is "opened".

     
    Another detail to avoid getting hung up on, is whether code is
    "really" code, or is script, macro, etc. Usually this is determined
    by whether it is "executed" or "interpreted".

    All code is interpreted, whether it be in hardware such as CPU or
    peripheral device, by software emulation of that hardware, by a
    programming runtime engine, as interpreted as API calls, or by an
    application that parses "document" files in poorly-limited ways.

    Not only that, but interpretation of a file may unwittingly be as
    powerful as a programing engine, i.e. when a genuine data format such
    as JPEG gets to exploit a defective interpreter and thus runs as code.

    If users are to retain control over their computers::

    1) Users must know what they are doing

    2) Computer must limit itself to doing only what it is asked to do

    On (1), it goes about concerptualizing software in such a way the user
    understands it, and the implications of what it does. If software
    does this well, all the user may need to know something they already
    know, e.g. "I want to read a message", "I want to see a list of file
    names", "I want to read a data file", "I want to run a program".

    On (2), it goes about safety WYSIWYG. If the user expects the limited
    risk of listing files, the system should not "run" material within
    those files. If a user expects the low risk of "reading" a file, the
    system should not take the greater risk of running these as programs.

    When (1) fails, e.g. meaningless generic concepts such as "open"
    require additional and quite in-depth knowledge, or when a consumer PC
    is a fully-fledged "network client" requiring sysadmin knowledge, then
    you can expect users to "do dumb things" on a regular basis.

    When (2) fails, it becomes impossible for users to practice "safe
    hex", and effectively, control of their PC is hijacked by anyone with
    the failrly simple tech smarts needed to press a few buttons.

    We currently live with the consequences of (1) and (2) failure.

    >--------------- ---- --- -- - - - -
       I'm baaaack!
    >--------------- ---- --- -- - - - -


  • Next message: Colin: "Re: cannot ftp or upload"

    Relevant Pages

    • Re: Mark Porter in Evening Standard
      ... safety, although the latter activity is intrinsically more dangerous. ... likely to suffer a head injury as a pedestrian than when they are on ... their bikes". ... I wouldn't care to use this interpretation myself [what ...
      (uk.rec.cycling)
    • Re: Indo-European Languages and Gramatical Gender Loss
      ... To me, at any rate, that would be open to the interpretation that ... employees collectively (as opposed to the boss) are to be responsible ... for employee safety as a whole. ... There is nothing wrong with devil theories in politics. ...
      (sci.lang)
    • Re: Indo-European Languages and Gramatical Gender Loss
      ... To me, at any rate, that would be open to the interpretation that ... employees collectively (as opposed to the boss) are to be responsible ... for employee safety as a whole. ... "All employees must be safety-conscious. ...
      (sci.lang)
    • Re: Indo-European Languages and Gramatical Gender Loss
      ... Peter T. Daniels wrote: ... To me, at any rate, that would be open to the interpretation that ... for employee safety as a whole. ... "All employees must be safety-conscious. ...
      (sci.lang)
    • Re: Markup problem: P and lists
      ... In this case, the one whose interpretation has been proved to be illogical and inconsistent is the W3C, the authority that defined. ... And there is no useful processing that _could_ be based on the interpretation of as "description list", whereas the normative definition as "definition list" _could_ be used (e.g., in searches for defining occurrences of terms, or in searches that should ignore such occurrences. ... Thus, if you use for something else than a list of definitions of terms, you take a risk of having your document processed all wrong. ...
      (comp.infosystems.www.authoring.html)