BugTraq
Bypassing Personal Firewalls Feb 21 2003 09:34PM
xenophi1e (oliver lavery sympatico ca) (3 replies)
Re: Bypassing Personal Firewalls Feb 28 2003 05:08AM
Darwin (darwin netmadeira com)
Re: Bypassing Personal Firewalls Feb 22 2003 02:14AM
Shaun Clowes (shaun securereality com au) (2 replies)
Re: Bypassing Personal Firewalls Feb 24 2003 08:18PM
Zow Terry Brugger (zow llnl gov)
Re: Bypassing Personal Firewalls Feb 23 2003 08:13PM
Johan Verrept (jove exelsys be) (1 replies)
Re: Bypassing Personal Firewalls Feb 24 2003 09:24PM
Shaun Clowes (shaun securereality com au)
Hi Johan,

On Sun, Feb 23, 2003 at 09:13:42PM +0100, Johan Verrept wrote:
> Shaun Clowes wrote:
>
> >Why do you believe that the responsibility of protecting users from
> >themselves should be borne by the operating system? People who are
> >using Personal Firewall systems may indeed want to be protected in
> >this fashion but I suspect that for most people this is a non issue.
>
> Actually, this has little to do with protecting a user from himself,
> this has to do with protecting one process from another. How do you
> trust any process you have running if malicious code could have embedded
> itself and you have no way of detecting this?

The answer is that you don't. I am getting the feeling that I'm out in
the cold here but if you have malicious code running on your machine
there are a myriad of ways it can (and usually will) subvert your
actions. Processes are not entities unto themselves, particularly in
Windows where so many different components interact (most obviously the
GUI with almost anything else).

> >When all is said and done, if malicious code can run under your user
> >ID then everything you do is compromised, I can't see much point in
> >giving ourselves a false sense of security.
>
> Perhaps not. But do you see a good reason to allow any process this much
> power over another unrelated process?

Yes, I do. Debuggers can make good use of this functionality, as can
tracers. In fact, this functionality is probably used by 100s if not
1000s of programs out there for all sorts of things (particularly given
that dll injection was first publicly described in WSJ in 1994). As
someone pointed out to me in a private email this functionality is also
used by the system while terminating programs.

> If this kind of power is needed by
> one process over another, it should be implemented implicitly in both
> processes or the process should run under superuser UID.

Running on the principle of least privilege I'd rather see less
superuser processing.

The way I see it is that personal firewalls already go to great lengths
to pervert the behaviour of the system, I think any functionality of the
sort we're discussing here should be implemented by the firewalls and
not the OS.

To make that point clearer, a firewall system is usually implemented as
a kernel driver, it can intercept any system calls it likes globally and
enforce whatever permissions it deems appropriate on the call.

Cheers,
Shaun

RE: Bypassing Personal Firewalls Feb 21 2003 11:09PM
Drew Copley (dcopley eeye com) (1 replies)
RE: Bypassing Personal Firewalls Feb 21 2003 11:22PM
Oliver Lavery (oliver lavery sympatico ca) (1 replies)
RE: Bypassing Personal Firewalls Feb 21 2003 11:31PM
Drew Copley (dcopley eeye com)


 

Copyright 2010, SecurityFocus