
Felten on Sony's rootkit update

As has been reported in a few places, SonyBMG and First4Internet have released a software update which is supposed to clear a system of the rootkit-like DRM they were caught shipping on CDs. Ed Felten is skeptical: "The update is more than 3.5 megabytes in size, and it appears to contain new versions of almost all the files included in the initial installation of the entire DRM system, as well as creating some new files. In short, they're not just taking away the rootkit-like function -- they're almost certainly adding things to the system as well. And once again, they're not disclosing what they're doing."
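Felten's point rests on a check anyone can repeat: take a hash manifest of the file tree before running the vendor's "uninstaller", take another afterwards, and diff the two to see what was really removed, rewritten or added. The script below is an added example for this page; it is not Felten's tooling and not anything SonyBMG or First4Internet shipped. The directory layout, file names and "update" behaviour in `demo()` are constructed for illustration; in practice you point `snapshot()` at the real tree before and after the update.

```python
"""Footprint diff for an update: hash every file before and after, then
report what was added, removed and rewritten, and how many bytes landed.

Added example, not from the original article. All paths and contents in
demo() are constructed; the vendor update here is a stand-in, not the real one.
"""
import hashlib
import tempfile
from pathlib import Path


def snapshot(root):
    """Map each regular file under root to (size, sha256), keyed by relative path."""
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if path.is_file() and not path.is_symlink():
            digest = hashlib.sha256()
            with path.open("rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    digest.update(chunk)
            manifest[path.relative_to(root).as_posix()] = (
                path.stat().st_size,
                digest.hexdigest(),
            )
    return manifest


def diff_snapshots(before, after):
    """Classify every path by what happened to it between the two snapshots."""
    names_before, names_after = set(before), set(after)
    return {
        "added": sorted(names_after - names_before),
        "removed": sorted(names_before - names_after),
        "modified": sorted(
            p for p in names_before & names_after if before[p] != after[p]
        ),
    }


def bytes_written(diff, after):
    """Total size of files the update created or rewrote: the number to hold
    against what the vendor claims the update merely removes."""
    return sum(after[p][0] for p in diff["added"] + diff["modified"])


def _write(root, rel, data):
    target = Path(root) / rel
    target.parent.mkdir(parents=True, exist_ok=True)
    target.write_bytes(data)


def demo():
    """Constructed scenario: an 'update' that removes one driver but rewrites
    the rest of the stack and drops new binaries. Returns (diff, bytes_written)."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "system32/drivers/cloak.sys", b"driver v1")
        _write(root, "system32/drm/player.dll", b"player v1")
        _write(root, "system32/drm/config.dat", b"config")
        before = snapshot(root)

        # The hypothetical update: unlink one driver, rewrite another file,
        # and add two files that were never there before.
        (Path(root) / "system32/drivers/cloak.sys").unlink()
        _write(root, "system32/drm/player.dll", b"player v2, now with extra features")
        _write(root, "system32/drm/updater.exe", b"new binary")
        _write(root, "system32/drm/filter.sys", b"new driver")
        after = snapshot(root)

        diff = diff_snapshots(before, after)
        return diff, bytes_written(diff, after)


if __name__ == "__main__":
    changes, size = demo()
    for kind, paths in changes.items():
        print(f"{kind:9s} {paths}")
    print(f"bytes written by the update: {size}")
```

Save the `before` manifest to disk (JSON is fine) before running the vendor's tool, and diff against a fresh snapshot afterwards; "modified" and "added" being non-empty after a supposed removal is exactly the signal Felten describes. Hashing catches same-size rewrites that a size-only comparison would miss.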

Felten on Sony's rootkit update

Posted Nov 3, 2005 16:44 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

You see, Sony wants to be featured on http://www.thedailywtf.com/
Even negative advertising is good, right?

Felten on Sony's rootkit update

Posted Nov 3, 2005 17:13 UTC (Thu) by MathFox (guest, #6104) [Link]

Even negative advertising is good, right?
I'd appreciate it if you restricted link-spamming to your own website.

Felten on Sony's rootkit update

Posted Nov 3, 2005 19:12 UTC (Thu) by smitty_one_each (subscriber, #28989) [Link]

Sorry, that was meant as humor.

Felten on Sony's rootkit update

Posted Nov 3, 2005 20:48 UTC (Thu) by jstAusr (guest, #27224) [Link]

MathFox,
Not to defend the original post, but there are numerous posts that are not exactly on topic. WTF is it about this one that got you into a censoring mood?

Link spamming

Posted Nov 3, 2005 22:04 UTC (Thu) by MathFox (guest, #6104) [Link]

I am not censoring here, let me make that clear. I can't even moderate or redact stories or comments here. The original comment is advertising a website; combined with the "not exactly on topic" nature of the comment, I found it wise to point out that the link didn't lead to a topical article, nothing more.

I prefer to end the discussion here; this molehill has already disturbed enough electrons.

Felten on Sony's rootkit update

Posted Nov 3, 2005 19:18 UTC (Thu) by mmarq (guest, #2332) [Link]

"... *supposed* to clear a system of the rootkit-like DRM they were caught shipping on CDs "

Geez!!?.. I don't know why "we" have to put up with this for much longer. It's not only going to be for Windoze losers... soon there will be plenty for Linux losers too!

The solution lies in a system capable of making us laugh at *ALL* kinds of rootkits or other malware, to the point of making them behave exactly according to the whims of a particular user/administrator if wanted. The solution is a "FULL REAL CAPABILITY SYSTEM".

Full capability systems have been around, in projects and some commercial applications, for more than 30 years. A Full Capability System is like a Mandatory Access Control system on super-steroids, capable of really protecting *ALL* running threads in a system (contrary to SELinux), and not only almost completely transparent to the user but, most important, a *real* no-fuss, no-muss system for administrators, contrary to the hyper-complicated and ugly SELinux.

A Full Capability System is also capable of being *COMPLETELY* compatible with, let's call it legacy, POSIX Unix style as Linux is. And this kind of transition is quite easy in Linux (IMO), because it already has a Virtual File System (VFS) commanding all kinds of implemented file systems... Examples from a flurry of projects around:
http://www.disy.cse.unsw.edu.au/Software/Mungi/manifesto.pml and more in
http://www.ertos.nicta.com.au/research/
http://citeseer.ist.psu.edu/wilkinson92angel.html and more in here
http://citeseer.ist.psu.edu/cache/papers/cs/294/ftp:zSzzS...
http://www.capros.org/project/build.html
And much more mentioned at the bottom of this page (search for them), including EROS, sometimes mentioned in this forum (not POSIX):
http://www.disy.cse.unsw.edu.au/Software/Mungi/

More in focus with the *putting stuff in a hypervisor that is quite antagonistic to monolithic designs* mania in Linux now, we have instead a quite elegant solution of *putting them in an exokernel configuration* that not only is FULLY POSIX compatible but is also a natural-born capability design:
http://pdos.csail.mit.edu/exo/exo-internals/internals.html

There is plenty to choose from, and if we are insecure now, *PAST 30 YEARS*, it is because the IT dominator, Microsoft, has indulged itself in insecure systems, not only to facilitate super administrative entities like itself, governments, corporations, and media outlets spying on and controlling users, but mostly because it can dump the blame for troubles on the global mass of sixpacker users, next to the global mass of inexperienced and unsuspecting system/network administrators, next to media outlets, and only occasionally on itself.

It's about time to change, stop being pig-headed about Unix purity, and dominate the IT world with real secure solutions.

Felten on Sony's rootkit update

Posted Nov 3, 2005 22:29 UTC (Thu) by adobriyan (guest, #30858) [Link]

> A Full Capability System is also capable of being *COMPLETELY*
> compatible with, lets call it legacy, POSIX Unix style as it is Linux.

Very good. It will give you real bonus points in merging debates.

> And this kind of transition is quite easy in Linux(IMO), because it
> already has a Virtual File System(VFS) command all kind of implemented
> file systems...
As quite often is said on linux-kernel:
        -ENOPATCH
Or in English: "All this stuff is very interesting and certainly useful, but could you, please, send patches for review".
> Its about time to change, stop of been pig headed on Unix purity, and
> dominate the IT world with real secure solutions.

Some (many?) of us want a useful OS and don't care about world domination. This usually correlates with ignoring people who want world domination.

Felten on Sony's rootkit update

Posted Nov 3, 2005 23:43 UTC (Thu) by mmarq (guest, #2332) [Link]

Patches to what ?

Perhaps you are missing the point! What I'm advocating is a complete branch of the actual Linux tree into a different design, perhaps in the *style* of an exoLinux/libLinux (read the link) that is a natural-born capability design. Such a transition seems to be quite straightforward in my opinion. Unfortunately I don't actually have the resources and the *knowledge* to initiate that myself.

OSDL does! And since we haven't had a Wild Development (even-numbered) tree for a long time, perhaps it's a very good idea to start one. Then and only then could people start to send patches.

I don't know what nerve my previous post hit, but it certainly wasn't anti-Unix minded. Its only to aspect that *institutionalized powers*, for quite obvious reasons, will resent and opose furiously to such a solution; I only hope that long-time Unix developers won't play along with them.

Felten on Sony's rootkit update

Posted Nov 4, 2005 0:09 UTC (Fri) by mmarq (guest, #2332) [Link]

oops...

"...Its only to aspect that *institutionalized powers*, for quite obvious reasons, will resent and opose furiously to such a solution"

should read

"...Its only to expect that *institutionalized powers*, for quite obvious reasons, will resent and oppose furiously to such a solution"

makes a whole lot of difference... even if i'm not on LKML!

Felten on Sony's rootkit update

Posted Nov 4, 2005 5:05 UTC (Fri) by aturner (guest, #4037) [Link]

Quote:

What I'm advocating is a complete branch of the actual Linux tree into a different design... Such a transition seems to be quite straightforward in my opinion. Unfortunately I don't actually have the resources and the *knowledge* to initiate that myself.

So you don't have the time or ability to do it, but in your opinion, forking the Linux kernel and re-designing it is easy. You wouldn't happen to work in product marketing or upper management do you?

Felten on Sony's rootkit update

Posted Nov 5, 2005 1:41 UTC (Sat) by hppnq (subscriber, #14462) [Link]

Well, to be honest I think I can understand mmarq's enthusiasm for exokernels: it sounds quite good.

mmarq, designing an exokernel system is not easy. And that is starting from scratch, and in a lab environment. Designing an exokernel system that is as capable (no pun intended ;-) as Linux is quite a bit harder. And I haven't got to the actual porting part yet.

The real problem with exokernels, however, seems to be the idea that the separation of management and protection of resources can be done securely. Of which I am not at all convinced: I would be surprised if an exokernel left on its own on the Internet would last long enough to even download the rootkit update.

Which brings us back on topic. ;-)

Felten on Sony's rootkit update

Posted Nov 5, 2005 19:18 UTC (Sat) by mmarq (guest, #2332) [Link]

" I would be surprised if an exokernel left on its own on the Internet would last long enough to even download the rootkit update. "

Honestly, I thought about that also. The simple exokernel part *seems* easy! I believe you have "the" experience I don't, but doing a simple exo/libLinux (please allow me to call it this way) seems straightforward, though it also seems fragile if you don't use processor protection at least, like exo in ring 0 and libLinux in ring 1...

Hey! But isn't that the configuration of Xen with its hypervisor and protected domains?... so part of the work is already on the roll.

Better, from what I could read and understand, Xen derived (or is like) from Nemesis, Grasshopper and other similar projects:
http://citeseer.ist.psu.edu/cache/papers/cs/6806/http:zSz...
http://citeseer.ist.psu.edu/cache/papers/cs/13726/ftp:zSz...
...that borrow fundamental principles of exokernels, or at least the original Nemesis kernel was a true exokernel. So Xen is somehow like an exokernel to its protected domain VMs.

And from what I could read and understand, hypervisors are an *ugly* hack, developed as a means to introduce more flexibility and capacity to mainframe monolithic OS designs. So instead of having a hypervisor that already functions somehow like an exokernel, why not have an exoLinux and change Xen to be a LibraryOS?... and have exactly the same results (or better ones)?

And here is the beauty of it! You could move parts of the Linux functionality that are already there in modules, and those that are planned to be, into different LibOSes on top of the exoLinux. Example: a realtime (Ipipe) LibOS, ALSA, possibly a future DRI/MESA, XenVMM, you name it... all can function together as separate entities in library form on top of an exokernel. EASY? Guess not. MORE MANAGEABLE than the present Linux model? Light years away.

The real hard part is to make such a configuration *ABSOLUTELY* impenetrable (in my opinion), and that most certainly implies transforming it into a "full REAL capability design" in a SAS (single address space) with orthogonal persistent storage.

That impenetrability *seems* to me to be *impossible to reach* with a monolithic design, even with a mature MAC... http://www.skyhunter.com/marcs/capabilityIntro/index.html
http://erights.org/talks/skynet/index.html
...and a SASOS design depends on 64-bit memory addressing capacity! But aren't all relevant systems in 3 to 5 years' time going to be 64-bit systems?

So doing the simple exo part seems easy, and adding features on top of it light years easier than with the present model! But best of all, isn't that *IMPENETRABILITY* worth the effort? Isn't the prize worth spending 3, 4 or 5 years on a completely new development tree? Are you guys, present and future maintainers and developers, gonna spend the rest of your lives doing *ugly* hacks for every more radical itch that pops up? Isn't it boring?

Felten on Sony's rootkit update

Posted Nov 5, 2005 17:02 UTC (Sat) by mmarq (guest, #2332) [Link]

"... forking the Linux kernel and re-designing *it is* easy."

No, I said *seems*. But lake of development experience doesn't make me change my opinion, because the transition of design that I expressed really seems straightforward.

Yes, I have some experience in management and marketing, but...

*I don't represent anyone besides myself, and my own expectations. Period. I have no boss that could restrain me either. Period.*

Those are *ALL* advantages in my opinion.

Felten on Sony's rootkit update

Posted Nov 5, 2005 17:16 UTC (Sat) by mmarq (guest, #2332) [Link]

Uff... I need to hire a professional translator, to stop wasting time and have no errors!

"But lake of development experience"

should read

"But lack of development experience".

Felten on Sony's rootkit update

Posted Nov 5, 2005 17:32 UTC (Sat) by aturner (guest, #4037) [Link]

Yes, I understood you in the first place... notice I prefaced that statement with "in your opinion" (emphasis added).

And I stand by my earlier statement. You sound just like 95% of all the product marketing and upper management people I've had to deal with in corporate America. That's not a slight against you; the world needs product marketing and upper management types. They just shouldn't be telling engineers what is "easy" or "hard", because they frankly don't know enough about the details of the technology to be forming an informed opinion.

Your own admission that you don't have the ability to make this change makes it clear that you don't know what is required to accomplish it.

For every programming project of any size I've ever been involved with, I'm constantly reminded, "The devil's in the details." When you don't understand the details, it's easy to gloss over them and fail to take into account potential design and implementation issues.

Example: I'm working at the office on a Saturday because I didn't anticipate a problem with layering Class::DBI onto DBI with a forking process. Now I'm trying to fix a problem with database handles going out of scope in the parent process when the children exit, because of how Class::DBI handles database connections. This was so simple when I first looked at this problem... :)

Felten on Sony's rootkit update

Posted Nov 5, 2005 20:00 UTC (Sat) by mmarq (guest, #2332) [Link]

" They just shouldn't be telling engineers what is "easy" or "hard" because they frankly don't know enough about details "

I frankly thought about it too, with caution. I'm not here telling: "OK guys, I'm a manager (which I'm currently not) and I propose doing this program that has everything including a kitchen sink, and does everything including vacuum cleaning, because that is what is going to be good for marketing."

I was careful to apply "easy" to the *exo* part. Is it going to be a greased pig in the details?... I really don't know, but at least they are going to be *exo* details "in the start", and "we" (allow me) have to start from somewhere, and the smaller the better. And this is only too logical. Add to this that in OSS, I understand, it is finished when it is finished, period.

So I'm not trying to impose anything or get fame or glory for it.

What I always frankly tried to emphasise, even in past postings, is that the rewards implicit in that change are well worth the effort of starting a possibly *pig*-detailed, long-years-on-it new development tree.

Felten on Sony's rootkit update

Posted Nov 5, 2005 22:21 UTC (Sat) by nix (subscriber, #2304) [Link]

Full capability-based systems like EROS and its successor (which Shapiro is working on at the moment) are deeply cool, but making them even *vaguely* POSIX-compliant is exceedingly difficult; the best you can aim for is running the POSIXish stuff in a compatibility layer which has a single set of capabilities covering the whole thing... and even then you have the problem that EROS has nothing really comparable to a POSIX filesystem.

It's a sufficiently difficult job that capabilities deities like, well, Shapiro haven't yet done it with written-from-scratch systems. The likelihood of morphing a non-capabilities-based system into a capabilities-based system *without* losing POSIX compatibility is, well, nearly nil.

(The Linux capabilities security module won't help at all: `capabilities' in Shapiro's sense are utterly different from the permissions flag that POSIX capabilities consist of. They're more like Kerberos tickets than anything else in the Unix world...)

Sorry. I think they're cool too. :(
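The distinction nix draws, between a permission flag checked against who is asking and a capability that is itself the authority, is easiest to see in code. The sketch below is an added example for this page, not code from EROS, Shapiro or anyone in the thread. It models a classic "confused deputy": a privileged compiler service that writes its own billing log and the user's requested output file. The store, principal names, file names and the compiler scenario are all constructed. Python objects are not truly unforgeable, so this only models the discipline a capability kernel would enforce in hardware and memory safety.

```python
"""Identity-checked access control versus object capabilities.

Added example, not from the LWN thread. Everything here (AclStore, the
'compiler' service, principals 'alice' and 'compiler', the file names) is
constructed to illustrate the difference nix describes; Python references
stand in for the unforgeable capabilities a real system would provide.
"""


class AccessDenied(Exception):
    pass


# ---- Model A: ambient authority. Code names files by string, and the store
# checks an ACL against the *caller's identity*, the way a uid or a POSIX
# capability bit is checked. Nothing records *why* the caller has that name.
class AclStore:
    def __init__(self):
        self.files = {}    # name -> bytes
        self.writers = {}  # name -> set of principals allowed to write

    def create(self, principal, name, data=b""):
        self.files[name] = data
        self.writers[name] = {principal}

    def write(self, principal, name, data):
        if principal not in self.writers.get(name, set()):
            raise AccessDenied(f"{principal} may not write {name}")
        self.files[name] = data


def acl_compiler(store, user_output, source):
    """Runs as principal 'compiler'. The ACL check passes for any file the
    compiler may write, including its own log, whatever name the user supplies."""
    store.write("compiler", "billing.log", store.files["billing.log"] + b"job\n")
    store.write("compiler", user_output, b"compiled:" + source)


def confused_deputy_demo():
    store = AclStore()
    store.create("compiler", "billing.log")
    store.create("alice", "alice.out")
    try:                       # alice cannot touch the log directly ...
        store.write("alice", "billing.log", b"free")
        direct = "allowed"
    except AccessDenied:
        direct = "denied"
    # ... but she can make the deputy overwrite it by naming it as her output.
    acl_compiler(store, "billing.log", b"main(){}")
    return direct, store.files["billing.log"]


# ---- Model B: object capabilities. Authority is a reference you hold, not a
# name you can type. The compiler writes only where it was handed a capability,
# and a caller cannot hand over a capability it never held.
class _File:
    """The underlying resource; never handed out directly."""
    def __init__(self, data=b""):
        self.data = data


class ReadCap:
    def __init__(self, f):
        self._f = f

    def read(self):
        return self._f.data


class WriteCap(ReadCap):
    def write(self, data):
        self._f.data = data

    def append(self, data):
        self._f.data += data

    def read_only(self):
        """Attenuation: derive a strictly weaker capability to pass on."""
        return ReadCap(self._f)


class RevocableWriteCap:
    """Forwarder: the holder can use it until the creator revokes it."""
    def __init__(self, cap):
        self._cap = cap

    def write(self, data):
        if self._cap is None:
            raise AccessDenied("capability revoked")
        self._cap.write(data)

    def revoke(self):
        self._cap = None


def cap_compiler(output, billing, source):
    output.write(b"compiled:" + source)   # only where the caller could point it
    billing.append(b"job\n")              # the compiler's own, un-shared authority


def capability_demo():
    billing = WriteCap(_File())      # held by the compiler's owner only
    alice_out = WriteCap(_File())    # held by alice
    handout = RevocableWriteCap(alice_out)
    # alice has no reference to 'billing', so there is no argument she could
    # pass to redirect the write there; the confused deputy does not arise.
    cap_compiler(handout, billing, b"main(){}")
    output_after = alice_out.read()
    handout.revoke()
    try:
        cap_compiler(handout, billing, b"again")
        revoked = "still writable"
    except AccessDenied:
        revoked = "revoked"
    read_only_can_write = hasattr(alice_out.read_only(), "write")
    return billing.read(), output_after, revoked, read_only_can_write
```

In Model A the store sees only "compiler wants to write billing.log", which is a legitimate request, so it cannot tell a real log update from one the user engineered. In Model B the question "may this caller write this name" never arises: the compiler can write to `handout` because it was given `handout`, and nothing else. Attenuation (`read_only`) and revocation (the forwarder) fall out of the same design, which is what nix means by capabilities resembling Kerberos tickets more than permission bits.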

Felten on Sony's rootkit update

Posted Nov 7, 2005 16:58 UTC (Mon) by mmarq (guest, #2332) [Link]

Yes, it's not that easy, I believe! But as far as XOK/ExOS is concerned, full POSIX *seems* quite straightforward... and though the design isn't a SASOS with real capabilities, *IT COULD VERY WELL BE* in my opinion...

http://pdos.csail.mit.edu/exo/exo-internals/internals.html

I've been a long time now on this forum (and others) and peeked at LKML sometimes, and I've witnessed that many of the hacks that were pulled off are quite ingenious and extraordinary... so isn't there any creativity left?

Other projects also seem to address POSIX file systems on a SASOS with "real" capabilities. The common denominator is that they almost all run on top of a microkernel like L4 or Mach, and so POSIX could be left to a concurrent server. The question is, couldn't they have been running on top of an exokernel (exoLinux?) in the form of a shared library instead of a server?

ftp://ftp.cse.unsw.edu.au/pub/doc/papers/UNSW/9704.pdf (SASOS with real capabilities but no POSIX)

http://citeseer.ist.psu.edu/cache/papers/cs/294/ftp:zSzzS...
(SASOS with full POSIX but a *soft* kind of capabilities)

http://citeseer.ist.psu.edu/cache/papers/cs/13726/ftp:zSz...
(a different kind of SASOS with POSIX and real capabilities)

Contrary to many on this forum, this isn't my area of expertise, but I believe the *correct approach* could be engineered. The question is whether impenetrability (MAC on steroids), persistence, clusters on steroids (provided by the natural distributed address space of a SASOS), better performance (without doubt, it seems) and super manageability (many isolated parts) aren't worth the effort of *pig* details?

Felten on Sony's rootkit update

Posted Nov 7, 2005 17:47 UTC (Mon) by mmarq (guest, #2332) [Link]

I forgot to mention that real-time approaches could be tremendously facilitated in many configurations, like
4. Nested OS
5. Dual-OS/Dual-Core
6. Migration Between OSes
7. Migration Within OS
in this excellent simple exposition http://lwn.net/Articles/143323/ , and that could really take CELF out of its lethargy, and be very important for the future.

As in EROS, which moved forward after the drivers layer got out of the microkernel, many dead ends can be avoided if the right sequence of isolated parts is integrated in the right order, and *the smaller the better* seems quite fit as a starting rule. Hence my thought of exokernels.

Felten on Sony's rootkit update

Posted Nov 7, 2005 4:49 UTC (Mon) by XERC (guest, #14626) [Link]

I wonder if people have totally forgotten OpenBSD? Could anyone please tell me what's wrong with that? I think there is already a working solution, isn't there?

OK, I understand that the main "security hole" of OpenBSD is at the application layer, but if an application has bird flu and nobody takes a look at it, it will still do what it can, or am I mistaken? OK, I admit, I haven't studied the Full Capability System's part yet. :-D

Copyright © 2005, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds