Re: Old security problems and new solutions

From: Loganaden Velvindron <loganaden_at_gmail.com>
Date: Wed, 1 Apr 2015 10:27:16 +0400

On Wed, Apr 1, 2015 at 8:06 AM, Beach Samurai <beach.samurai_at_gmail.com> wrote:
> Are Linux users prone to such attacks?
> I moved from Windows to Ubuntu because I thought Linux was impervious to
> such attacks unless something got installed on the kernel....

Yep, those attacks are possible when you use your package manager to
download packages or download a file from an untrusted source.

Package managers use a signing mechanism or often include a hash that
can be used to make sure that the file hasn't been tampered with.

The problem is that you can still sign a package that takes advantage
of an overflow in a particular version of bzip2, tar or xz.


How can you open the compressed file in a "secure" way? That's when
sandboxing kicks in. A tool like xz takes an input file (such as your
compressed file), does some magic on it, and then gives you the
uncompressed file. Analysis of vulnerabilities in tools like bzip2,
tar, and gzip shows that vulnerabilities tend to occur when buffer
operations are involved. This tends to happen in the
compressor/decompressor code, which contains lots of those magic
operations. So, what we do here is allow the decompressor access only
to our specified compressed file, do the decompression in a
restricted environment, and only write to the output file. It cannot,
for example, run code by breaking the boundaries of the sandbox. So,
if you are decompressing a kernel module in compressed xz format, you
don't run the risk of having it write to /var/ and put a
backdoor there, for example.

Another use case is when security firms do malware analysis on known
malware that they have collected. They can safely decompress those files to
analyse the contents, so their "lab" VMs aren't compromised.

To sum up, unlike the proprietary software world, you can push those
innovations into the ecosystem in the Open Source world more easily.

>
> On Apr 1, 2015 7:38 AM, "Ish Sookun" <ish_at_hacklog.in> wrote:
>>
>> Thank you for the good work[1] Logan :-)
>>
>> As Logan specified, xz is a widely used compression utility which might be
>> exploited. Capsicum chips in to help contain the execution of code during
>> compression/decompression in a "controlled" environment, thus not affecting
>> the rest of the OS.
>>
>> [1]
>> http://git.tukaani.org/?p=xz.git;a=commit;h=1238381143a9a7ce84839c2582ccd56ff750a440
>>
>> Regards,
>>
>> --
>> Ish Sookun
>>
>> - Geek by birth, Linux by choice.
>> - I blog at HACKLOG.in.
>>
>> https://twitter.com/IshSookun ^^ Do you tweet?
>>
>

-- 
This message is strictly personal and the opinions expressed do not
represent those of my employers, either past or present.
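The design described in the message above (open the input and output files first, then let the decompressor run where it can only touch those two descriptors) as an added C example built on the Capsicum calls; this is illustration, not the xz project's own code. It assumes a FreeBSD host for capability mode (elsewhere enter_sandbox() reports failure and sandboxed_decompress() refuses to run, failing closed), and transform() is a placeholder copy standing in for the real decompressor.

```c
#include <fcntl.h>
#include <sys/wait.h>
#include <unistd.h>
#ifdef __FreeBSD__
#include <sys/capsicum.h>
#define HAVE_CAPSICUM 1
#else
#define HAVE_CAPSICUM 0 /* no capability mode here: sandboxed_decompress() fails closed */
#endif

/* Limit the two descriptors to read / write and enter capability mode. From here
 * on open() fails with ECAPMODE, so in_fd and out_fd are all the process can touch. */
static int enter_sandbox(int in_fd, int out_fd) {
#if HAVE_CAPSICUM
    cap_rights_t r;
    if (cap_rights_limit(in_fd, cap_rights_init(&r, CAP_READ)) == -1) return -1;
    if (cap_rights_limit(out_fd, cap_rights_init(&r, CAP_WRITE)) == -1) return -1;
    return cap_enter();
#else
    (void)in_fd; (void)out_fd; return -1;
#endif
}

/* Placeholder for the decompressor (a plain copy): it only reads in_fd and writes out_fd. */
static int transform(int in_fd, int out_fd) {
    char buf[4096]; ssize_t n;
    while ((n = read(in_fd, buf, sizeof buf)) > 0)
        if (write(out_fd, buf, (size_t)n) != n) return -1;
    return n == 0 ? 0 : -1;
}

/* Open both files before any restriction, then run transform() in a forked child that
 * has entered the sandbox. Returns 0 on success, -1 on any failure, including "sandbox
 * unavailable", so untrusted input is never processed outside the sandbox. */
int sandboxed_decompress(const char *in_path, const char *out_path) {
    int in_fd = open(in_path, O_RDONLY), status = 0, rc = -1;
    int out_fd = open(out_path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    pid_t pid = (in_fd < 0 || out_fd < 0) ? -1 : fork();
    if (pid == 0) {                           /* child: restrict first, then work */
        if (enter_sandbox(in_fd, out_fd) == -1) _exit(2);
        _exit(transform(in_fd, out_fd) == 0 ? 0 : 1);
    }
    if (pid > 0 && waitpid(pid, &status, 0) == pid && WIFEXITED(status))
        rc = WEXITSTATUS(status) == 0 ? 0 : -1;
    if (in_fd >= 0) close(in_fd);
    if (out_fd >= 0) close(out_fd);
    return rc;
}
```

In the sandboxed child an attempt to open any other path, such as a file under /var/, is refused by the kernel rather than by the decompressor's own code.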
Received on Wed Apr 01 2015 - 06:27:31 PST

This archive was generated by hypermail 2.3.0 : Wed Apr 01 2015 - 06:36:04 PST