Re: Disturbing news..

From: Russell King (rmk@arm.linux.org.uk)
Date: Wed Mar 28 2001 - 10:08:25 EST

Next message: john slee: "Re: Disturbing news.."
Previous message: James Simmons: "Re: mouse problems in 2.4.2 -> lost byte"
In reply to: Jesse Pollard: "Re: Disturbing news.."
Next in thread: Walter Hofmann: "Re: Disturbing news.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, Mar 28, 2001 at 08:40:42AM -0600, Jesse Pollard wrote:
> Now, if ELF were to be modified, I'd just add a segment checksum
> for each segment, then put the checksum in the ELF header as well as
> in the/a segment header just to make things harder. At exec time a checksum
> verify could (expensive) be done on each segment. A reduced level could be
> done only on the data segment or text segment. This would at least force
> the virus to completly read the file to regenerate the checksum.

Checksums don't help that much - virus writers would treat it as "part
of the set of alterations that need to be made" and then the checksum
becomes zero protection.

Your system binaries are safe from the virus (from my understanding of the
poor writeup) if you are sensible about your system - ie, don't run stuff
as the root user, don't login as root, ensure that your binaries are owned
by root etc.

If users have their own binaries, then they should take adequate care
over them (find ~ -type f -perm +111 | xargs chmod a-w) to ensure that
they are not writable (this applies to your argument as well).

Once you're in this situation:

1. Users can't write to their executables without first chmod'ing them.
(won't take long for a virus writer to get the idea that they should
chmod +w them first).

2. If a user binary becomes infected, only people able to run that binary
   also become infected. Certainly root should under no circumstances
   run any program which a user has compiled - the user may have some
   nice code in there which creates another root user in /etc/passwd
   with no password entry.

3. Since you're only running system programs as root (and by that I mean
stuff for administration, not stuff like mail clients, news readers
etc), your system binaries should not become infected.

Therefore, if you follow good easy system administration techniques, then
you end up minimising the risk of getting:

1. viruses
2. trojans
3. malicious users

cracking your system. If you don't follow these techniques, then you're
asking for lots of trouble, and no amount of checksumming/signing/etc
will ever save you.

-- Russell King (rmk@arm.linux.org.uk) The developer of ARM Linux http://www.arm.linux.org.uk/personal/aboutme.html

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/

Next message: john slee: "Re: Disturbing news.."
Previous message: James Simmons: "Re: mouse problems in 2.4.2 -> lost byte"
In reply to: Jesse Pollard: "Re: Disturbing news.."
Next in thread: Walter Hofmann: "Re: Disturbing news.."
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b29 : Sat Mar 31 2001 - 21:00:18 EST